China’s Draft Personal Information Protection Law in 13 Key Points

Gabriela Zanfir-Fortuna, published in The Startup, Nov 3, 2020 (4 min read)

The Chinese government published a draft Personal Information Protection Law two weeks ago. It is modeled after the EU’s GDPR, but with some twists. A full English translation is available courtesy of New America. The draft is currently under public consultation. Below are 13 key points it covers, kept very brief for the busy privacy professional.

The Draft Law:

1) applies to very broadly defined “personal information” (PI) — which includes the “identifiable” element from the GDPR [Art. 4];

2) includes lawful grounds for processing after the GDPR model, but with “legitimate interests” notably missing [Art. 13];

3) applies to “handling” of PI which includes “collection” of PI, meaning that a lawful ground is needed even before touching the data [Art. 4];

4) has rules for “handlers”, joint handling, and “entrusted parties” that handle PI on behalf of handlers (the counterparts of controllers, joint controllers and processors), including agreements to be put in place similar to the Art. 26 and Art. 28 agreements in the GDPR [Art. 21, Art. 22];

5) applies in the public sector as well as in the private sector; for the public sector, it specifically applies to the activity of “state organs” [Section 3];

6) has extra-territorial effect, since it applies to entities based outside of China that provide products and services to people inside the borders of China, or analyze their activities [Art. 3];

7) has special rules for “sensitive information”, which is an open concept, as opposed to the GDPR and its closed list of special categories of personal data; under the Chinese draft law, sensitive information is all PI that, once leaked or illegally used, may cause discrimination or harm to individuals or to personal security and property; it may only be processed if it meets a “sufficiently necessary” for “specific purposes” threshold [Art. 29, Art. 30];

8) provides for rights of the data subject: the right to know and decide about the handling of their PI; the right to refuse and limit the handling of their PI unless differently provided by law and regulations; the right to access and copy their PI in a timely manner; the right to correct or complete inaccurate PI; the right to deletion of PI; the right to obtain explanation from handlers on handling rules [Art. 44 to 49];

9) mandates risk assessments (similar to a GDPR Data Protection Impact Assessment) for specific processing, such as automated decision-making and generally for handling that could have “a major influence on individuals” [Art. 54];

10) includes an obligation to appoint DPOs (“persons responsible for PI protection”) in specific situations, depending on the volume of PI processed, and mandates regular training [Art. 51];

11) includes rules on cross-border data transfers, which are primarily allowed on the basis of assessments by the State Cybersecurity Department, on the basis of certification or on the basis of contracts — in addition it seems that consent from the individual must also be obtained on top of those [Art. 38, Art. 39];

12) has limited data localization requirements with regard to PI processed by state organs; by critical infrastructure operators; and by other handlers reaching a specific volume of PI processed, to be determined by the regulator (China’s Cybersecurity Agency); transfers outside China are still possible in these scenarios, with a Risk Assessment or a Security Assessment by the regulator [Art. 40];

13) has a complex system of enforcement, including fines (that can go up to 5% of a company’s turnover) and administrative action (including orders to stop processing, or confiscation of unlawfully obtained profit), individual rights to obtain compensation, and a version of class actions through a public prosecutor. Of note: the draft law does not create an independent authority dedicated to data protection enforcement. The Cyberspace Administration of China (CAC) is the primary body responsible for data protection enforcement, but several other regulators may also administer the law.

Also take this point home: China also updated its Civil Code to include several provisions inspired by GDPR-like data protection rights, to enter into force in January. China seems to be very serious about its data protection intentions. Food for thought: Can a data protection law modeled after legislation centered on fundamental rights and rule of law succeed in China?

Follow the Future of Privacy Forum’s work on Global Privacy Law and other issues here, subscribe to our mailing list and follow us on LinkedIn and Twitter. You can also check out my account on Twitter to keep up to date with everything Global Privacy.


Gabriela is Senior Counsel for the Future of Privacy Forum and former legal officer for the European Data Protection Supervisor. PhD in data protection law.