China’s Personal Information Protection Law (1)
By Henry Chen | 2020/10/27 6:44:35

On October 21, 2020, China’s legislature officially began its public consultation process on the draft Personal Information Protection Law. Once it is passed in the near future, it will function jointly with the Cyber Security Law and the Data Security Law (whose draft is under legislative review) to regulate China’s online sphere with respect to cybersecurity and data governance, and to deal with the thorny issues in personal data protection and the uncertainties brought by new information technologies and applications. Some salient features of the draft law follow:


Extraterritorial jurisdiction


The draft law provides for extraterritorial jurisdiction (Article 3), which indicates, as hailed by some commenters, that China is beginning to use long-arm jurisdiction to regulate the concerned entities across the border. Three situations trigger extraterritorial jurisdiction over the processing of personal data outside China:

-- The processing is done with the aim of providing goods and services to the natural persons within the realm of China; 

-- The process is to analyze or evaluate the behaviors of the natural persons within the realm of China;

-- Other situations as prescribed by other laws and regulations.


For the situation above where “the process is to analyze or evaluate the behaviors of the natural persons within the realm of China”, similar to Article 27 of GDPR, the draft law requires the concerned non-Chinese processor to establish a representative office in China or appoint a representative from within China to handle the concerned affairs on the protection of personal information (Article 52).


For your reference, Article 27 of GDPR provides that “the controllers or processors not established in the Union shall designate in writing a representative in the Union.”


Seven principles to process personal information


These principles have the function of guiding the processing of personal information. They are:

-- Lawfulness (Article 5)

-- Clear objective (Article 6)

-- Minimum necessity (Article 6)

-- Openness and transparency (Article 7)

-- Accuracy (Article 8)

-- Accountability (Article 9)

-- Security of data (Article 9)


These principles are also cornerstones of other related legislation such as the Cyber Security Law and the Data Security Law (draft).


Multiple lawful bases for processing personal information


As per the draft law, “consent” will no longer be the sole basis for processing personal information.  With “consent” included, there are six legal bases for the processing of personal information:

-- With the consent of the person;

-- The necessity for entering into and performance of a contract where the person is a party;

-- The necessity of performing a legal duty or legal obligation;

-- The necessity of protecting the life, health and property safety of a natural person in order to handle a sudden public health incident or under urgent circumstances;

-- Reasonable handling of personal information in the public interest, for public news reporting or public opinion monitoring;

-- Other situations as provided by laws and administrative regulations (Article 13).


Effective consent

An effective consent needs to be informed, voluntary and clearly expressed (Article 14).

If a processor knows or should have known that it is processing the personal information of a minor (younger than 14 years old), the consent of the minor’s guardian is required (Article 15).

An individual has the right to withdraw his consent (Article 16). Unless indispensable for offering a product or service, such withdrawal does not constitute a basis for refusing to provide the product or service (Article 17).

More significantly, “stand-alone consent” or “written consent” is required in some information-sensitive situations.

Stand-alone consent is required where:

-- A processor provides personal information to a third party (Article 24); 

-- A processor publicizes personal information (Article 26); 

-- Personal images or personally identifiable characteristics collected by equipment installed in public places are publicized or provided to any third party (Article 27);

-- Sensitive personal information is processed, even where consent has been obtained from the person (Article 30);

-- A processor provides personal information cross-border (Article 39).

“Written consent” is needed where a law or administrative regulation requires “written consent” (Article 30).

Where a law or administrative regulation requires confidentiality or provides an exception for consent, there is no need to advise who collects the personal information, why and how, as Article 18 would otherwise require (Article 19).

Where an emergency leaves no time to advise who collects the personal information, why and how, as required by Article 18, because a natural person’s life, health and/or property safety must be protected, the processor shall so advise right after the emergency is over (Article 19).

(To be continued at China’s Personal Information Protection Law (2))


The author, Henry Chen, licensed to practice law in China and New York, is a senior partner at the Dentons office in Shanghai. Before joining Dentons, Henry was AP Compliance Director of Ford. Henry Chen is a drafter of the Chinese national standard (draft) Information security technology-Cyber-data process security specification (信息安全技术 网络数据处理安全规范).

Henry's practice areas include cyber security and data governance, FCPA, anti-bribery and fraud investigations, economic sanctions and trade controls, compliance management systems, corporate matters and dispute resolution. You can reach Henry by sending an email to Henry is the author of the book Risk Management on Commercial Bribery in China and the book Compliance Risks of Enterprises in Globalization: Outbreak and Control.

The Compliance Reviews COPYRIGHT © 2013-19 All Rights Reserved. Supported by International Risk and Compliance Association and International Risk and Compliance Institute Limited. 沪ICP备10034943号-8