China’s Personal Information Protection Law is on the Way

Is your organisation ready?

On 29th April 2021, China’s National People’s Congress released the second consultation draft of the Personal Information Protection Law(PIPL), with public comments closing on 28th May 2021. Drawing extensively from the European Union’s (EU’s) General Data Protection Regulation (GDPR), the PIPL will represent a huge leap forward for data protection in China, being the country’s first comprehensive personal data protection law. For multinationals, the PIPL will significantly affect personal data processing activities in China, and impact all businesses that either offer goods and services in China or monitor data subjects in China from offshore. This article by Mark Parsons and Sherry Gong of Hogan Lovells presents a list of ‘must-do’ items for multinationals to deal with the new requirements if the final PIPL is promulgated ‘as is’ in the latest draft.

Data mapping and review of the lawful basis for processing

For multinationals that process personal information within the scope of the PIPL, it is time to conduct a ‘data mapping’ exercise, a task that may be familiar from GDPR implementation planning. Data mapping involves surveying the organisation’s personal data holdings to understand what personal information it collects and how the data is used, stored, processed, transferred and disclosed. Analysis to determine which regulatory requirements apply is then carried out. One critical part of this exercise is to review the legal basis for personal-data processing activities. 

The draft PIPL takes consent as the principal basis for processing personal data, but with specific limited exemptions for:

  • the conclusion or performance of contracts with data subjects;
  • compliance with applicable laws;
  • public health and public-interest processing;
  • use of publicly-available information “within a reasonable scope”;[1]
  • conducting news reports, public opinion supervision and other acts in the public interest within a reasonable scope; and
  • other circumstances stipulated by laws and regulations.

Practicalities of obtaining consent

The PIPL defines consent in very general terms as being fully informed and voluntary.  Clarification through more detailed language in the PIPL and/or implementing measures would greatly assist in understanding specific requirements. As discussed in more detail below, a number of provisions in the PIPL call for a separate (“unbundled”) consent for specific types of processing, making the mechanics of obtaining consent especially critical.

Disclosure and informed consent

Personal information processors (‘PI processors’, roughly equivalent to ‘data controllers’ under EU law) are required to inform people of contemplated data processing activities in full and comprehensive terms before collecting their personal data. This is normally done by publishing a privacy policy on official platforms, such as official websites and mobile applications. The PIPL stipulates that privacy policies should be written in plain language and presented in an easily-accessible and reader-friendly manner, which strongly implies that simplified Chinese should be used. As reference, regulations applicable to mobile applications in China require a simplified Chinese version of the privacy policies.

Form of consent

As noted, further clarification on the standard of consent is needed. The non-binding national standard Information Security Technology – Personal Information Security Specification (National Standard GB/T 35273-2020), for instance, provides examples of “explicit consent” that could also be applied to the PIPL. In addition, the PIPL requires “separate consent” for the processing of sensitive personal data. Due to the broad scope of sensitive personal data under the PIPL, there is a risk that a proliferation of separate, ‘unbundled’ consents may be required. Significantly, existing Chinese mobile apps regulations require prior explicit consent irrespective of whether sensitive personal data is processed.

Drawing from National Standard GB/T 35273-2020, a valid explicit consent would be considered to have been obtained if data subjects explicitly authorise it by clicking an empty box to indicate affirmation of a statement such as “I agree”, “register”, “continue” or “send”, or submitting information by online form.

The draft PIPL requires separate/unbundled consent in the following situations:

  • transfer of personal data by data controllers to third parties (Article 24);
  • publication of personal data (Article 26);
  • publication or provision of personal data collected by equipment installed in the public places for security purposes, such as personal images (Article 27);
  • processing of sensitive personal data (Article 30); or
  • cross-border transfers of personal data (Article 39).

Under the draft PIPL, consent would apparently be revocable. In addition, PI processors would not be permitted to refuse to provide products or services if the data subject withholds or withdraws his or her consent to non-essential processing. This will pose significant challenges to China’s internet economy, which—as is the case in the rest of the world—thrives on the monetisation of personal data through targeted advertising networks, data analytics and data-sharing arrangements.

Cross-border transfer review process

The draft PIPL regulates international transfers of personal data on the basis that those which are either: (i) made by an CIIO; or (ii) involve a volume of data that meets or exceeds materiality thresholds yet to be set by the CAC, would require an official security assessment. Transfers that do not meet these thresholds could either obtain certification by an accredited third-party institution or enter into standard contractual clauses (SCCs) to be formulated by the CAC. If a PI processor needs to transfer personal data outside of China, it should:

  • evaluate if it is a CIIO. If yes, it should follow the security assessment requirements yet to be promulgated; and
  • evaluate if its data processing activities involve a volume of data that meets or exceeds the CAC’s materiality thresholds. If yes, it should follow the security assessment requirements.

If neither apply, the PI processor should consider certification or the use of SCCs.

Review data breach reporting policy and practice

The draft PIPL would require organisations to notify relevant authorities and impacted individuals of data leakage incidents. Organisations would not be required to notify of breaches for which remedial measures may be taken without harm to individuals. However, the thresholds that will trigger reporting obligations and the report requirements are still not clear.

Extraterritorial application

Existing Chinese data protection and cybersecurity legislation has typically applied on a territorial basis, applying only to business operations within Mainland China. The draft PIPL would track the GDPR’s extraterritorial application in cases where offshore data collection and processing activities are for the purpose of: (i) providing services or products to individuals resident in China; or (ii) analysing or evaluating the behaviour of individuals resident in China. It also allows for further extensions of extra-territoriality, where laws or administrative regulations stipulate that this is the case.

Multinationals conducting the aforementioned offshore data processing activities must establish an agency or appoint a representative in Mainland China responsible for administering the applicable requirements under the law.

Enhanced requirements applicable to “basic internet platform operators”

The PIPL proposes to introduce a set of enhanced obligations for PI processors that operate “basic internet platform services” that have “complex business models” serving “massive” numbers of users. No materiality threshold or criteria as to “complexity” have been set in the draft law. The obligations on these platform operators include: (i) establishing an independent steering committee to oversee personal information processing activities; (ii) suspending services to product/service providers in serious violation of data protection laws; and (iii) issuing regular social responsibility reports on the processing of personal information.

Accountability under the PIPL

The draft PIPL would introduce a number of accountability measures similar to those introduced under the GDPR. PI processors would be required to:

  • adopt necessary security measures in accordance with internal policies and procedures to safeguard the personal data they process;
  • designate a data protection officer to take charge of personal data processing activities if the volume of data being processed reaches a certain threshold;
  •  conduct regular audits on data processing activities; and
  •  carry out risk assessments before conducting high risk data processing activities, such as the processing of sensitive personal data and cross-border transfer of personal data.

What should organisations do now?

Multinationals are recommended to engage closely with their industry regulators, as well as with the CAC and other relevant regulators, to ensure that they are on top of requirements. Organisations should also commence data-mapping exercises immediately if they have not done so already. Whatever the specific requirements of the PIPL, the clear general direction is towards introducing data accountability as an organisational practice in China. In many respects, then, the journey has only just begun. 

Being one of the largest foreign law firms on the ground in China, Hogan Lovells understands the country’s complex and evolving cultural and regulatory environment. From Shanghai to Beijing and beyond, their market-leading corporate; intellectual property; regulatory; and litigation, arbitration, and employment teams are ready to assist.

[1] There is as yet no guidance on the meaning of “reasonable scope”, other than the stipulation that processing of publicly-available personal information should not substantially deviate from the primary purpose of publication of the information.