On October 21, 2020, China’s legislature officially opened the public consultation process on the draft Personal Information Protection Law. Once passed, which is expected in the near future, it will operate alongside the Cyber Security Law and the Data Security Law (whose draft is under legislative review) to regulate China’s online sphere with respect to cybersecurity and data governance, addressing the thorny issues of personal data protection and the uncertainties brought by new information technologies and applications. Below are some salient features of the draft law:
Extraterritorial jurisdiction
The draft law stipulates extraterritorial jurisdiction (Article 3), which indicates, as some commentators have noted, that China is beginning to use long-arm jurisdiction to regulate relevant entities outside its borders. Three situations trigger extraterritorial jurisdiction over the processing of personal information outside the realm of China:
-- The processing is done with the aim of providing goods or services to natural persons within the realm of China;
-- The processing is to analyze or evaluate the behavior of natural persons within the realm of China;
-- Other situations as prescribed by other laws and regulations.
For the second situation above, where “the processing is to analyze or evaluate the behavior of natural persons within the realm of China”, the draft law, similar to Article 27 of the GDPR, requires the non-Chinese processor concerned to establish a representative office in China or to appoint a representative within China to handle matters relating to the protection of personal information (Article 52).
For reference, Article 27 of the GDPR provides that “the controllers or processors not established in the Union shall designate in writing a representative in the Union.”
Seven principles to process personal information
These principles have the function of guiding the processing of personal information. They are:
-- Lawfulness (Article 5)
-- Clear objective (Article 6)
-- Minimum necessity (Article 6)
-- Openness and transparency (Article 7)
-- Accuracy (Article 8)
-- Accountability (Article 9)
-- Security of data (Article 9)
These principles are also cornerstones of related legislation such as the Cyber Security Law and the Data Security Law (draft).
Multiple lawful bases for processing personal information
Under the draft law, “consent” will no longer be the sole basis for processing personal information. Including “consent”, there are six legal bases for the processing of personal information:
-- With the consent of the person;
-- The necessity of entering into and performing a contract to which the person is a party;
-- The necessity of performing a legal duty or legal obligation;
-- The necessity of protecting the life, health and property safety of a natural person in order to respond to a sudden public health event or in an emergency;
-- Reasonable processing of personal information in the public interest for news reporting or public opinion monitoring;
-- Other situations as provided by laws and administrative regulations (Article 13).
Effective consent
An effective consent needs to be informed, voluntary and made with clear expression (Article 14).
If a processor knows or should have known that it is processing the personal information of a minor (younger than 14 years old), the consent of the minor’s guardian is required (Article 15).
An individual has the right to withdraw his or her consent (Article 16). Unless the processing is indispensable for offering a product or service, such withdrawal does not constitute a basis for refusing to provide the product or service (Article 17).
More significantly, “stand-alone consent” or “written consent” is required in certain information-sensitive situations.
A stand-alone consent is required where:
-- A processor provides personal information to a third party (Article 24);
-- A processor publicizes personal information (Article 26);
-- Personal images or personally identifiable characteristics collected by equipment installed in public places are publicized or provided to any third party (Article 27);
-- Sensitive personal information is processed, even where consent has already been obtained from the person (Article 30);
-- A processor provides personal information cross-border (Article 39).
“Written consent” is needed where a law or administrative regulation requires it (Article 30).
Where a law or administrative regulation requires confidentiality or provides an exception to consent, there is no need to inform the individual of who collects the personal information, why and how, as otherwise required by Article 18 (Article 19).
Where, in an emergency involving the protection of a natural person’s life, health and/or property safety, there is no time to inform the individual of who collects the personal information, why and how, as required by Article 18, the processor shall do so promptly once the emergency is over (Article 19).
(To be continued at China’s Personal Information Protection Law (2))
_________
The author, Henry Chen, licensed to practice law in China and New York, is a senior partner at the Dentons office in Shanghai. Before joining Dentons, Henry was AP Compliance Director of Ford. Henry Chen is a drafter of the China national standard (draft) Information security technology-Cyber-data process security specification (信息安全技术 网络数据处理安全规范).
Henry's practice areas include cyber security and data governance, FCPA, anti-bribery and fraud investigations, economic sanctions and trade controls, compliance management systems, corporate matters and dispute resolution. You can reach Henry by sending an email to henry.chen@dentons.cn. Henry is the author of the book Risk Management on Commercial Bribery in China and the book Compliance Risks of Enterprises in Globalization: Outbreak and Control.