It has been an interesting quarter for data protection developments in China. Shortly after the National People’s Congress issued a draft of a proposed data protection law in October 2020, the country’s cyberspace regulator initiated steps to limit the scope of information sought by operators of mobile applications.
The Cyberspace Administration of China (or the “CAC”) noted that app operators commonly sought information from users that was unnecessary for the actual functioning of the app. Users were, in turn, denied services if they refused. To implement the “legal, legitimate, and necessary” principles of data collection and protect individuals’ interests, the CAC has accordingly sought comments from the public on its list of essential information that different mobile applications – including apps for ride sharing, browsers, sports and fitness, education, tourism, and social media – may seek from end users. The deadline for providing feedback is December 16, 2020.
As for the new data protection law: if enacted, the proposed personal information protection law (or the “PIPL”) will usher in significant changes to the country’s data protection and privacy framework. In this update, we examine some of the key features of the draft law.
The PIPL applies to organisations and individuals based outside China who process personal data of individuals within China (a) in connection with the provision of products or services to such individuals, (b) in connection with monitoring or assessing such individuals’ behaviour, or (c) where laws specifically authorise the application of the law.
Actors and Categories of Data
The PIPL imposes obligations on organisations and individuals that determine the purposes and means of processing of individuals’ personal information. This definition is similar to that of a “controller” under Europe’s General Data Protection Regulation (the “GDPR”). Unlike the GDPR, however, the PIPL does not expressly recognise “processors”, which are businesses that process data on instructions of a controller. However, the PIPL requires controllers that entrust processing activities to other parties to enter into agreements with these parties and supervise their processing activities. These parties can only process data in accordance with the respective controllers’ instructions, and cannot delegate processing activities without the controllers’ consent.
With respect to data categories: “sensitive personal information” is a subset of personal information, and its scope is based on a harm-based approach with regard to misuse. It includes information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, and individual location tracking.
Grounds for Processing Personal Information
In addition to consent, the PIPL provides for other grounds to process personal information, including fulfilment of a contract in which the data subject is an interested party, fulfilment of statutory duties and obligations, in cases of public health crises, and for journalistic purposes or other activities of public interest. Other laws may provide for additional grounds of processing as well.
The PIPL also sets out the scope of consent. For it to be valid, consent should be preceded by full knowledge of the individual, voluntary, and be an explicit statement of wishes. It should be capable of being withdrawn. Controllers cannot deny the provision of products or services in cases where data subjects do not consent to the processing of data that is not necessary for the provision in question. Consent should also be re-sought if there are changes to the processing activity, the purpose of processing, or the categories of personal data being processed.
Separately, processing personal information of individuals below the age of 14 years requires guardians’ consent.
Processing Sensitive Personal Information
Sensitive personal information may be processed only where necessary, and for specific purposes. Under the PIPL, specific regulations may be imposed on the processing of such information. If the processing in question is based on consent, controllers should obtain the individual’s specific consent. Further, and in addition to general transparency obligations, controllers are required to inform individuals of the necessity of the processing of sensitive personal information and the potential impact it may have on the individual.
Obligations on Businesses
Controllers are required to inform individuals about upcoming collection and processing of personal data, in order to comply with transparency obligations. Particularly, prior to the collection of personal information, controllers are required to inform individuals of their identity and contact details, the purposes and methods of processing, categories of personal information that are to be processed, retention periods, and methods available to individuals for the exercise of their rights under the PIPL. The only exemptions to this obligation occur where other laws require secrecy of processing to be preserved, or hold that such notification is unnecessary, or where it is impossible to notify individuals.
General obligations on controllers include the requirements to adopt adequate security measures and regularly conduct audits of their processing activities. In certain cases, controllers will be required to conduct risk assessments: this obligation arises in cases of processing sensitive personal information, using personal information for automated decision making, publishing personal information, transferring personal information abroad, or while handling personal information that may have a significant impact on individuals.
Controllers based outside China must establish a dedicated entity or appoint a representative within China.
Controllers are also mandatorily required to inform the regulator of the occurrence of a breach of personal information. This obligation does not apply to controllers if they adopt measures that are effective in mitigating harm that may be caused by such breach.
Cross Border Transfers
Individuals are required to specifically consent to cross border transfers of their personal information. In addition to ensuring compliance with the consent requirement, controllers may transfer personal information outside China only on one of the following grounds:
- Passing a security assessment by the governmental cybersecurity and information department.
- Obtaining certification under a certification mechanism operated by a governmental body.
- On the basis of an agreement with the recipient, provided that the controller in question supervises the recipient’s compliance with the PIPL.
- If a law or regulation specifically permits it, and on the basis of conditions imposed by the law.
Operators of critical information infrastructure cannot transfer personal information outside China unless they have passed a security assessment organised by the governmental cybersecurity and information department or unless they are specifically permitted to do so under law. This obligation also applies to controllers that process quantities of personal information exceeding the amounts prescribed by the government.
Automated Decision Making
Businesses that use personal information to make automated decisions should ensure transparency, fairness, and reasonableness in handling results of such decision making. Individuals have the right to seek explanations if automated decisions affect their rights, and the right to refuse decisions made solely on the basis of automated decision-making methods. Further, if the automated decision making is used for commercial sales or information delivery, individuals should have the option to opt out of targeting in this regard.
Use of Facial Recognition Technology
The PIPL notably permits the use of facial recognition technology only for public security purposes. Personal information that is collected through the use of this technology cannot be published or disclosed to third parties without individuals’ specific consent, or unless such publication or disclosure is permitted by law.
Rights of Individuals
Under the PIPL, individuals have rights to (a) receive information on and have a say in the processing of their personal information, and refuse the processing activity, (b) correct their personal information, (c) seek deletion of their personal information in certain cases, (d) request controllers to explain their processing activities, and (e) restrict controllers from making decisions solely through automated decision processing activities.
The PIPL imposes significant penalties for non-compliance. Apart from the ability to investigate offences, and provisions that permit individuals to seek damages for harm that may be caused by processing activities, monetary penalties for certain offences can be as high as the higher of 50 million yuan or 5% of the organisation’s annual revenue. Fines may also be imposed on officers in default; these amounts may range between 100,000 and 1 million yuan.