China: Personal Information Protection Law
The Chinese data protection regime is set for a massive upheaval with the coming introduction of the Personal Information Protection Law ('PIPL'). Dr. Michael Tan, Julian Sun, and Chao Xuan, Partner and Associates respectively at Taylor Wessing, discuss the PIPL and its key provisions, as well as how it compares with the data protection laws of other jurisdictions.
Irrespective of various legislative developments in recent years, the data protection regime in the People's Republic of China ('PRC') has long been difficult to navigate due to the absence of a unified legal framework. This is soon to end. On 21 October 2020, the top Chinese legislator presented to the public its draft PIPL, open for public comments until 19 November 2020. The official launch of the PIPL is intended to be imminent, driven as it is by anxiety in Chinese society to strengthen privacy protection in response to rampant misuse of personal data. Compared with earlier legislation on data protection topics, the PIPL will have a much more significant impact on international operations. Below are some important highlights.
Enhanced enforcement powers
Awareness of and respect for the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') has in large part been a result of the high penalties stipulated in its provisions and imposed by various supervisory authorities in Europe. For quite a long period, the absence of such real teeth has been a serious issue when one talks about enforcement under Chinese data protection law. With the introduction of the PIPL, this is now changing. Article 62 of the PIPL introduces much more severe administrative penalties. Entities violating the PIPL could now potentially face:
- being ordered to correct data, confiscation of illegal gains, and a warning;
- a fine of up to RMB 1 million (approx. €128,170) and a fine of from RMB 10,000 (approx. €1,280) to RMB 100,000 (approx. €12,800) for concerned individuals;
- in serious cases, a fine of up to RMB 50 million (approx. €6.4 million) or 5% of the previous year's turnover, plus a suspension or even shutdown of business, and a fine of from RMB 100,000 (approx. €12,800) to RMB 1 million (approx. €128,170) for the concerned individuals.
On top of that, criminal and civil liabilities may also be triggered separately, and the possibility of class actions is explicitly addressed: such actions may be initiated by People's Procuratorates, relevant governmental bodies, or government-endorsed organisations. Compared with corporate-level legal consequences under existing laws (e.g. up to RMB 1 million (approx. €128,170) under the Cybersecurity Law ('CSL') and up to RMB 500,000 (approx. €64,080) under the Consumer Protection Law), the above legal consequences, including the possibility of class action lawsuits, make for quite strong deterrents and are altogether more effective in curbing abuse of personal information. The penalty equivalent to 5% of annual turnover is even higher than the 4% under the GDPR, which substantially increases the need for compliance efforts by data-rich businesses. Besides legal penalties, the PIPL links a company's compliance record with the corporate social credit system under construction, where any negative record could potentially jeopardise the company's business. The PIPL also lays down the general principle for civil claims in a data breach case, i.e. the respective compensation shall be calculated based on the losses suffered by the data subject or the profit/benefit gained by the party violating the law.
A legislative trend worth noting in recent years is that the PRC, following the USA, is also trying to implement a 'long arm' approach under its laws, particularly where cybersecurity or data protection matters are concerned. A recent example is the draft Data Security Law ('DSL'), which stipulates that data processing activities outside of the PRC which jeopardise the national security of the PRC or the public interest or the legitimate interests of Chinese citizens/organisations shall also be pursued under the DSL. The PIPL reiterates the same 'long arm' principle under the DSL by stipulating in Article 42 that restrictive or even prohibitive measures may be taken by regulators against organisations and individuals outside China who engage in activities that harm the rights and interests of Chinese data subjects. At the same time, the PIPL also lays down an even more general principle, similar to the GDPR, by extending its application to all personal information processing activities conducted outside the PRC as far as:
- they are for the purpose of providing goods or services to natural persons within the PRC;
- they are to analyse or assess behaviour of natural persons within the PRC; or
- they fall into other circumstances as stipulated by laws and regulations.
The first and second points above are almost identical to Article 3 of the GDPR. Similar to the requirements under the GDPR, Article 52 of the PIPL requires an offshore data processor which is caught by this law to appoint a special onshore agency or an onshore representative to satisfy PIPL compliance requirements. The names and contact details of the onshore agency or representative shall be filed with the competent PRC authorities. On top of this, and again similar to the GDPR, a data protection officer could also be required according to Article 51 of the PIPL, depending on the quantity of personal information to be processed (the exact threshold is to be determined by the respective data protection regulator, which could potentially refer to existing industrial standards). Irrespective of the above similarity in the 'long arm' approach, the explicit application carve-out under the GDPR (e.g. the exception for data collection by law enforcement agencies) is not seen under the PIPL. Instead, it pushes in another direction which could potentially cause a dilemma for international companies. For example, besides the routine data export control requirement (see below), Article 41 of the PIPL explicitly stipulates that any request by a foreign law enforcement agency to retrieve data stored within the PRC shall be subject to prior clearance with the competent Chinese authorities. A retaliation clause (Article 42) also allows China to take counter measures against those countries/regions which treat China in a discriminatory way with regard to data protection topics. This could be interpreted as a kind of 'push back' by China against the long arm of other jurisdictions. As a result, international companies will need to be even more cautious in categorising and managing their cross-border data flows.
Data export control
The topic of onshore data storage requirements and data export control has been controversial since the promulgation of the CSL in 2016. Attempts by the newly formed regulator (i.e. the Cyberspace Administration of China ('CAC')) to generalise and extend export control requirements under Article 37 of the CSL aroused a strong reaction from the business community. Several draft rules formulated by the CAC address this topic by introducing the concept of a security assessment plus administrative clearance, with differing coverage (e.g. certain draft rules stipulate that all personal data exports shall require administrative clearance, while other draft rules only apply clearance to data exports hitting a certain threshold). The PIPL, as the higher-ranking law ahead of administrative rules, now sheds a more positive light on personal data export control by stating that personal information exports shall have a sound legal basis if:
- the export has passed a security assessment organised by the regulators;
- the exporter has secured protection certification from special agencies recognised by the regulators;
- the exporter enters into adequate contractual arrangements with the foreign data recipients to ensure protection is up to the standards of the PIPL; or
- other circumstances allowed by laws, regulations, or the regulators apply.
Point three above is similar to the standard contractual clauses approach under the GDPR for satisfying the GDPR's adequacy-of-protection requirement. Though points one and two reflect a strongly administration-driven approach in the Chinese environment, they are generally positive developments providing more alternatives for international companies to manage their cross-border data transfers in a legally compliant way (to some extent similar to the thinking behind binding corporate rules under the GDPR). It should be noted that Article 39 of the PIPL escalates the legal obligations of the data exporter with regard to awareness and consent requirements. A data exporter shall inform the data subject about the details of the export (e.g. identity of the recipient, contact details, processing purpose and methods, category of personal information, and how to exercise data subject rights under the PIPL). Separate consent from the data subject shall further be sought to enable such an export.
There is much more to be learnt under the draft PIPL. The good news is that whoever is familiar with the GDPR will find it not so difficult to follow the concepts under the PIPL. For example, the PIPL (as well as other Chinese laws) uses the term 'personal information', which is slightly different from the term 'personal data' as used under the GDPR, but which nevertheless has a similar definition and a coverage as broad as that under the GDPR. There is a special chapter in the PIPL regulating the concept of 'sensitive personal information', which, similar to the GDPR, is only allowed to be processed for very limited and specific purposes, while still subject to a sufficient necessity to process as well as a separate/written consent from the data subject. The general processing principles under the PIPL also find their equivalents in the GDPR (such as legitimacy, purpose limitation, data minimisation, and transparency).
On the other hand, the PIPL includes some idiosyncratic features which require a somewhat different approach when dealing with data protection matters in China. For example, unlike the GDPR, which strictly limits the exception that may be claimed by public authorities to process personal data, the PIPL leaves more room in this respect and provides a general exception for governmental agencies to process personal information in their public functions by strictly following (other) laws and regulations. Though controversial, the fact that a more administration-driven system could result in higher efficiency (as seen in the current pandemic situation) seemingly made such an exception more easily acceptable in Chinese society than in the West. This also raises higher public expectations for better protection and management by governmental agencies of the personal information in their hands. This topic has already become an agenda item for legislative discussion. In general, the PIPL will represent a big step forward for the Chinese data protection regime. There are complicated implications for companies to consider, including those sitting outside but serving the Chinese market.