In July 2020, the first draft of the Data Security Law (“DSL”) of the People’s Republic of China (“PRC”) was issued for public comment followed in October 2020 by the Personal Information Protection Law (“PIPL”).
These two pieces of legislation, together with the Cybersecurity Law 2016 and the Civil Code of the PRC (which became effective in January 2021), represented the establishment of a comprehensive system of personal data protection within the PRC for the first time. That is not to say that, prior to this legislation, data and its use have been unregulated; rather, the regulation has come from piecemeal pieces of legislation. An element of that piecemeal nature will nevertheless persist, since specific laws and regulations will continue to govern specific industries (such as telecommunications, healthcare and e-commerce).
The move to establish a more comprehensive framework has been driven largely by the PRC’s desire to tighten the rules around personal information processing and transfer, in an attempt to rein in the power being exerted by technology giants who have used such data to great effect to train algorithms and create new products. In addition, China is responding to a global drive for the protection of personal data, such as the 2018 EU General Data Protection Regulation (“GDPR”), which appears to have greatly influenced the drafting of the PIPL.
On 10 June 2021, the DSL was passed and it took effect on 1 September 2021; the PIPL was passed on 20 August 2021 and will take effect on 1 November 2021.
The PIPL applies to personal information and specifically to how it can be processed (including by third-party processors) and transferred cross-border; the rights of the data subject (which include the right to restrict or refuse processing, the right of access to their personal data and the right to have personal information corrected or deleted); the obligations of Personal Information Processors (“PIP”), a concept which mirrors that of the “data controller” under the GDPR; the supervisory body in charge of personal data; and legal liability, including fines.
Where a processor is a so-called “foundational internet platform”, has a large (undefined) number of users or has a complex operational model (again undefined), it is required to establish an independent body comprising external personnel to oversee the processing of personal information; this oversight body is responsible for supervising the processing of personal information and adopting protective measures. In addition, a public social responsibility report will need to be published setting out the actions companies are taking to protect a data subject’s privacy; this report is to be overseen by the oversight body. The oversight body is liable to fines of RMB 10,000 to 100,000 (approximately USD 1,500 to 15,000), rising to RMB 100,000 to 1 million (approximately USD 15,000 to 150,000) for serious breaches.
With regard to cross-border transfers of personal information, these may only take place in certain circumstances, including following a security assessment by the National Cyberspace Administration (“NCA”) or (like the standard contractual clauses under the GDPR) where the PIP enters into a transfer agreement using a standard contract yet to be published by the NCA. For business efficacy, it can only be hoped that any NCA-devised standard contract harmonises with, rather than deviates from, already established cross-border transfer provisions. This remains an expectation rather than a certainty since, at the time of writing, the standard contract(s) are still to be published.
The PIPL also places restrictions on the so-called “long arm jurisdiction” of foreign institutions: prior approval is required before personal information may be provided to overseas judicial bodies or law enforcement agencies for any purpose, and the law even attempts to restrict the application of international treaties where they conflict with the PIPL. The expectation remains that there will be an exemption for transfers of data prescribed by foreign listing rules and other routine foreign disclosures, so that the only point of contention will be data transfers involving foreign investigation and/or enforcement actions.
Overseas organisations must comply with the PIPL if their processing of personal data is in connection with providing products or services to individuals in the PRC, or with analysing or assessing the activities of individuals in the PRC. Consequently, such processors must establish a dedicated entity or appoint a representative in the PRC to act as their on-the-ground representative.
Like the GDPR, a breach of the PIPL by a company can result in fines of RMB 50 million (approximately USD 7.5 million) or 5% of the company’s total annual turnover in the preceding year (although whether that means domestic or worldwide turnover is still not clear).
The DSL is a parallel system of protection to the PIPL which is designed to protect “important data” and covers the recording of information through electronic or non-electronic means and “data activities” (for example, collection, storage, processing, use, transmission and public disclosure of data). Regulation is carried out by the Cyberspace Administration of China. Unhelpfully, “important data” still remains to be defined.
The final DSL introduced a “national core data” category for data that impacts “national security, the lifelines of the national economy, are important to people’s livelihood, and important to the public interest”; the scope appears to be intentionally both broad and vague so as to permit a flexible interpretational approach. National core data is subject under the DSL to enhanced processing restrictions as well as fines.
The final DSL includes the ability to fine companies for sharing data with overseas police, courts and investigators without government permission. The DSL has long-arm jurisdiction provisions similar to the PIPL.
Breaching the DSL can result not only in fines for entities of up to RMB 10 million (approximately USD 1.5 million) but also criminal sanctions; the authorities may also impose criminal sanctions on individuals as well as fines of up to RMB 1 million (approximately USD 150,000).
Whilst many called for a two-year grace period between the passing of the two laws and their coming into effect (akin to the implementation period for the GDPR), this has clearly been ignored. With the DSL already in force and the PIPL following in less than two months, businesses with a digital presence in China need to act immediately to ensure compliance with the new laws. As many of the provisions of the PIPL are based on the GDPR, international businesses which are already GDPR-compliant are likely to be in a much better position than businesses which are not subject to the GDPR. However, many of the implementing rules which will set out how the DSL will work in practice remain unpublished.