The article is written by Nikhil Thakur, a student of Manav Rachna University. In this article, the author has attempted to provide a glimpse of the future of China’s personal data protection laws.

Introduction

In 2020, the Chinese government proposed a draft People’s Republic of China Personal Information Protection Law which is under consultation for its approval. It is believed that once the draft is approved and given assent it would be the first-ever overarching data protection legislation in the People’s Republic of China. The new draft, if enacted, shall ensure binding compliance obligations and suggest practices and require the organisations and institutions to comply with the new provision.

The said draft is not the first of its kind; rather many legislative efforts have been taken and enacted for establishing stronger data protection in the People’s Republic of China. The Chinese step to draft new legislation concerning the data protection law is a response to its erstwhile ineffective, ambiguous and uncertain legislation. Moreover, there was no legislation that had the capability of covering relevant national, local and sector-specific regulations within its ambit.

Definitions

Personal data

In the People’s Republic of China, not a single pervasive or extensive definition of personal data has been defined or stipulated. The Chinese focus tilting towards data protection has allowed the concept of personal data to get a place in numerous of the legislation, regulations, etc that has provided a blueprint of the entire data protection in China.

In the People’s Republic of China, the phrase personal data is called personal information and defined in Article 4 of the draft People’s Republic of China Personal Information Protection Law, 2020 (PIPL, 2020), which refers to all the categories of information including confidential information gathered or collected via electronic means or devices that aids in identifying the personal information of the person. The handling of personal information includes collecting, storing, using, processing, publishing, etc.

Sensitive personal data

Similar to personal information, there is not a common overarching, certain and pervasive definition of sensitive personal data in the People’s Republic of China.

The Personal Information Security Specification (PIS Specification) is a pervasive and highly accepted standard in the People’s Republic of China. The said standard provides a demarcation between personal information and sensitive personal information. 

The Personal Information Security Specification (PIS Specification) defines sensitive personal information as information if revealed or manipulated shall have an adverse effect on the person whose data was gathered or collected. According to Personal Information Security Specification (PIS Specification), sensitive personal data shall include personal identification number, mobile number, biometric scan and related information, bank account number, immovable or movable property information, credit card information, location tracking, personal health information and many more.

A similar definition is framed in the draft Personal Information Protection Law, 2020 (PIPL, 2020) under Article 29, which defines sensitive personal information as information that if disclosed or utilised illegally and unreasonably may cause discrimination against the person whose data was collected. Not only this, such an act would lead to gross harm to his/her individual status, security, race, ethnicity, religion, biometrics and so on.

National Data Protection Authority

In the People’s Republic of China, there is no national data protection authority that deals with data protection and privacy-related matters. Though there is no single national data protection authority in the People’s Republic of China, the Cyberspace Administration of China (CAC) considers itself as the national data protection authority. Besides this, various other authorities claim themselves as national authorities:

1. National People’s Congress Standing Committee,
2. Ministry of Public Security of China,
3. Ministry of Industry and Information Technology of China,
4. State Administration for Market Regulation of China,
5. Ministry of Science and Technology of China .

There are a few sector-specific regulators that monitor and execute the data protection conundrum within their institutional ambits like the People’s Bank of China (PBoC) and the Insurance Regulatory Commission of the People’s Republic of China (CBIRC).

The draft Personal Information Protection Law (PIPL), 2020 aims at establishing a fresh data protection authority in the People’s Republic of China by joining hands with the Cyberspace Administration of China (CAC) along with other important institutions and local people’s government.

Registration

In the People’s Republic of China, there are no legal conditions or provisions that allow the data users to register themselves with the data protection authority. But there are a few instances where the registration is necessary, in cases of cross-border data transfer, sharing human genetic resources data, etc.

If the draft Personal Information Protection Law (PIPL), 2020 is implemented, it will establish a registration requirement for the organisation or institution that:

1. Are outside the territorial jurisdiction of the People’s Republic of China and
2. Have achieved the data processing volume threshold or limit.

Data protection officer

In the People’s Republic of China, there are no legislations or provisions that require any organisation or an institution to appoint a data protection officer.

Besides this, the Personal Information Security Specification (PIS Specification) has laid down a few provisions where the organisation or an institution needs to appoint a data protection officer along with the data protection department:

1. If the organisation is in the business of data processing and has employed more than 200 employees.
2. If the organisation has processed or is estimated to have processed the personal information of more than 1 lakh people.
3. If the organisation has processed sensitive personal data of more than 1 lakh people.

Gathering and processing

Consent

Collecting, gathering, processing, transferring and using the data or information of the subject shall not be executed without his/her due permission. In cases of gathering and processing sensitive personal data and cross-border data transfer, the explicit consent of the subject shall be taken or is necessary. 

The draft Personal Information Protection Law (PIPL), 2020, has provided for a limitation where the personal information of a person can be accessed without his/her condition:

1. When the person has entered into a contract or an agreement,
2. For fulfilling a legal obligation,
3. In the interest of public health and safety,
4. In the interest of maintaining peace and tranquillity,
5. When required by the law.

The said draft has further included the formalities that need to be fulfilled while taking consent of the person, the draft has introduced a provision of separate consent that shall be taken by the subject, in case, the information is sensitive personal information, biometric information, cross-border information transfer, etc.

Notice

Besides taking the consent of the subject, the in-charge or the data controller while gathering the information shall make the subject aware of the privacy policy and the method that would be adopted for collecting, gathering, revealing his/her personal information. The information that shall be disclosed by the data controller to the subject shall include:

1. The data controller shall reveal his/her registered name, address, principal office or headquarter, contact number and email address.
2. The data controller shall reveal all the personal information gathered. If the information collected is sensitive personal information, the controller shall mark or record the consent mandatorily.
3. The data controller shall disclose the information concerning the retention period and the process utilised for collecting such personal information.
4. The data controller shall clearly tell the subject about how and where the data collected would be used.
5. The data controller shall reveal all the information concerning the data transfer to a third party and the type of data transferred.
6. The controller shall aware the subject of the repercussion of providing and not providing personal information and many more.
7. An explicit consent shall be taken from the legal guardian if the data controller intends to collect the personal information of the subject who is below the age of 14 years.

Transfer

If a data controller intended to disclose or transfer the personal information of the subject to a third party, shall follow the following provisions or steps accordingly:

1. The data controller shall be aware of the subject of the purpose of such sharing of the personal information to a third party. Further, the controller before transferring or sharing the information shall take the consent of the subject.
2. The data controller shall implement a personal information impact assessment and protect the information from leaking.
3. The data controller shall keep a record of the data or information shared with a third party.
4. The data controller before transferring the information to a third party shall make sure that such information is not barred by any legislation from being transferred.

Cross-border transfer

In case the information or data is disclosed or transferred to a third party that is outside the territorial jurisdiction of the People’s Republic of China, additional rules shall be implemented. A new trend in the People’s Republic of China has emerged that encourages data localisation and hence a few measles have been adopted to prohibit the transferring of information outside the territorial jurisdiction of the People’s Republic of China.

There is not a complete ban or prohibition on transferring information outside the People’s Republic of China, rather there are a few limitations or conditions that must be fulfilled before transferring the personal information or data cross-border:

1. The data controller shall inform the subject about the data being transferred cross-border and before such transferring the controller shall take the consent of the subject.
2. As a rule, the data controller must keep a copy of information transferred within the People’s Republic of China.
3. Lastly, the controller shall perform a security assessment procedure.

The new draft Personal Information Protection Law (PIPL), 2020, has introduced new obligations that shall be fulfilled concerning cross-border information transfer:

1. The consent of the subject is essential before transferring the information,
2. The personal information impact assessment shall be conducted effectively,
3. To conduct security impact assessment as approved by the Cyberspace Administration of China.

The said draft has further enumerated the organisations that are eligible to transfer the information or data cross-border:

1. The organisation that has been designated as CIIOs (Critical information infrastructure operators)
2. National authorities and 
3. Data controllers that have achieved the threshold volume limit.

Enforcement

The enforcement and the type of penalty to be imposed depends upon the type of data protection breached.  In the People’s Republic of China, the civil, criminal and administrative sanctions incorporate warning, rectification orders, fines, seizure of illicit income, compensation, licences cancellation, imprisonment and many others.

The draft Personal Information Protection Law (PIPL), 2020, has been proposed to augment the administrative power of enforcement. Further, it has augmented the fine for data protection breach that is almost 5% of the organisation’s previous year turnover. For instance, if an organisation has breached the data protection law, and its previous year turnover was 1 Crore then 5% of that 1 Crore which is 5 lakhs shall be imposed as a fine.

Conclusion

The People’s Republic of China has been looking to safeguard and protect its citizen’s data from being manipulated and hence it has adopted a plethora of steps to tighten the rules and regulations concerning data protection law. A stronger data framework would determine how the country’s next-generation would look like. Hence, if the People’s Republic of China successfully surpasses this hurdle, it may enter into a direct geopolitical conflict with the United States of America.

In 2020, the People’s Republic of China published a draft of the Personal Information Protection Law which is an overarching law concerning data protection. The issue with the new draft and the erstwhile data protection law is whether these would be applied against the nation’s biggest data processor, the government itself. 

References

• https://www.tandfonline.com/doi/abs/10.1080/10192557.2019.1646015?journalCode=rplr20
• https://www.researchgate.net/publication/334995413_The_future_of_China’s_personal_data_protection_law_challenges_and_prospects
• https://www.cnbc.com/2021/04/12/china-data-protection-laws-aim-to-help-rein-in-countrys-tech-giants.html
• https://www.cov.com/-/media/files/corporate/publications/2020/10/china_releases_first_draft_of_personal_information_protection_law.pdf
• https://elibrary.law.psu.edu/cgi/viewcontent.cgi?article=1244&context=jlia
• https://academic.oup.com/grurint/article/69/12/1191/5909207
• https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw.data_protection/functions/handbook.pdf?country-1=CN
• https://assets.kpmg/content/dam/kpmg/cn/pdf/en/2020/11/overview-of-draft-personal-information-protection-law-in-china.pdf
• https://www.newamerica.org/cybersecurity-initiative/digichina/blog/chinas-draft-personal-information-protection-law-full-translation/
• https://npcobserver.files.wordpress.com/2020/10/personal-information-protection-law-draft.pdf

---

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: