China’s Personal Information Protection Law (2)
By Henry Chen | 2020/10/28 23:47:54

Continuing from China’s Personal Information Protection Law (1), below are some other salient features of the draft law:

Clear demarcation of processors’ responsibilities

The draft categorizes the ways a processor handles personal information, which makes the text more succinct and clearer than the GDPR.

Where two or more processors jointly decide the processing purposes and methods, they should properly allocate their respective rights and obligations by an agreement. Such an agreement does not adversely affect any individual data subject’s right to seek redress from any one of the processors for wrongs done to him. In other words, the processors could be jointly and severally liable for infringing on individual data subjects’ rights (Article 21).

For the situation of processing personal information by delegation, for example, where Processor A delegates its processing responsibilities to Processor B, both parties (e.g., Party A and Party B) need to enter into an agreement in relation to the purposes of processing, methods of processing, types of personal information, protective measures and their respective rights and obligations.  Party A also needs to exercise oversight over Party B’s processing.  Party B shall not diverge from what is agreed in the agreement, and shall return or delete the processed personal information after the agreement is performed.  Party B shall not delegate the task of processing to any other third party without Party A’s prior consent (Article 22).

Notably, informed and separate consent is required if a processor is to provide personal information to any third party. The third party that receives the personal information shall not act beyond the purpose for which the information was transferred. In particular, the receiving party shall not use any technology to re-identify personal information that has already been anonymized (Article 24).

Automatic decision-making


Where personal information is used for automatic decision-making, the new law requires a processor to ensure that the decision-making is transparent and the result is fair. Accordingly, an individual may seek an explanation from the processor (of the automatic decision-making) and refuse a result that is produced by nothing but automatic decision-making (Article 25). For commercial marketing and promotions driven by automatic decision-making, a processor shall provide the individuals concerned with the option not to have their personal features targeted (Article 25).

Publicizing of personal information

Personal information must not be made public unless the processor has separate consent or laws and regulations stipulate otherwise (Article 26).

As for personal information already in the public realm, the draft law lays out conditions for utilizing the information. Information should be processed according to the purposes for which it was originally made public. If the personal information is processed outside the reasonable scope of utilization, the processor shall notify the individual concerned and obtain his consent. When the purposes for utilization are not clear, personal information needs to be processed reasonably and with care. If a piece of public personal information is utilized in activities that significantly impact the individual data subjects concerned, the individuals shall be notified and their consent obtained (Article 28).

Restrictions on public bodies

The new law has a specific section dealing with public bodies’ processing of personal information, in the hope of addressing some public concerns.

As a starting point, the processing of personal information by public bodies is regulated by the law (Article 33). Specifically, public bodies must abide by the relevant legal limits and procedures and must not act outside the legally prescribed scope for performing their legal duties (Article 34). Public bodies should obtain individuals’ informed consent when processing their personal information, unless confidentiality demands otherwise or doing so would hinder the performance of their legal duty (Article 35). Unless consent is in place or laws or regulations stipulate otherwise, public bodies must not make personal information public or disclose it to other parties (Article 36).

Additionally, public bodies need to store personal information locally in China, and to go through the relevant risk evaluations before providing personal information to persons outside China (Article 37).

International transfer of personal information

The law aims to provide basic principles for international transfer of personal information.

Firstly, the draft law obliges operators of key information infrastructure to store locally the personal information that is collected and generated within China. The same obligation applies to a processor whose quantity of processed personal information meets a threshold to be separately prescribed by the State Network and Information Department. Where it is necessary to transfer personal information overseas, a security evaluation must be carried out by the State Network and Information Department. Security evaluations can be omitted if laws, regulations and the State Network and Information Department allow the omission (Article 40).

Secondly, when it comes to the conditions for cross-border transfer of personal information, the draft law envisions four legal grounds: 

-- Security evaluation organized by the State Network and Information Department; 

-- Personal information protection certification by professional organizations; 

-- Conclusion of agreements with overseas parties;

-- Other conditions stipulated by administrative regulations and the State Network and Information Department (Article 38). 

This provision allows multiple alternative legal grounds for transferring personal information overseas and greatly helps businesses act in a compliant way. However, to transfer personal information overseas, a stand-alone consent is required from the individual concerned (Article 39).

There are also legal conditions to be met when conducting international judicial and administrative assistance that involves cross-border data transfer (Article 41). Specific penalties as well as counter-measures are also in place to deal with acts by overseas organizations and individuals that endanger national security, and with discriminatory obstacles imposed by other countries and regions (Articles 42 and 43).

Data subjects’ rights

For the purposes of safeguarding data subjects’ personal information, the law affords them nine legal rights.  As a result, individuals can actively protect their personal information with legally defined “tools”.  These legally prescribed “tools” include the following: 

-- The right to know, decide, limit and refuse (Article 44); 

-- The right to consult and copy (Article 45); 

-- The right to rectify (Article 46); 

-- The right to delete (Article 47); 

-- The right to receive explanations as to how processors handle personal information (Article 48); and 

-- The requirements for processors to have mechanisms in place to exercise these rights (Article 49).

With the benefit of the GDPR’s prior legislative experience, the law is able to make a few improvements in its text. These improvements allow data subjects to be more in control of their personal information. Specifically, processors need to explain the way they handle personal information upon a right-to-know request from the relevant data subjects. If the retention period stipulated by laws and regulations has not expired, or the personal information cannot be deleted due to technological difficulties, the personal information processor shall stop processing the personal information (Article 47).

Legal duties on processors

The new law clearly recognizes that it needs to strike a balance between protecting individuals’ rights and processors’ compliance cost. Therefore, the main goal of personal information processors’ legal duties is to minimize the risk of data breach. First of all, the law provides that processors are obliged to build a robust compliance management system and ensure the security of personal information. Specifically, they need to formulate internal management rules and operating procedures and adopt corresponding technical security measures (Article 50). This compliance system also requires specific persons to exercise oversight over processing activities (Article 51); regular compliance audits of these activities (Article 53); risk evaluations when dealing with sensitive personal information, transferring data abroad and other high-risk tasks (Article 54); and the performance of obligations to notify personal information breaches and to take appropriate remedial measures (Article 55).

Penalties and public interests litigation

The penalties include a fine of not more than RMB 1 million yuan on an organization that is the information processor, and a fine of not less than RMB 10,000 yuan but not more than RMB 100,000 yuan on the directly responsible person-in-charge and other directly responsible persons.

In serious cases, a fine can go up to RMB 50 million yuan or 5 percent of the previous year's turnover. In addition, the authorities can order a processor to suspend its operations or suspend business for rectification, and can notify the relevant competent department to revoke the relevant business license or operation license. For directly responsible persons and persons-in-charge, fines can also go up to 100,000 yuan but not exceeding 1 million yuan (Article 62).

Relevant illegal activities of organizations and individuals will also be blacklisted with the blacklisting publicized (Article 63). 

Additionally, so-called “public interests” litigation makes an appearance in the law. Where a processor deals with personal information in violation of the provisions of this law and infringes upon the rights and interests of numerous individual data subjects, the People's Prosecution Institute, the department responsible for the protection of personal information and the organization designated by the State Network and Information Department may bring a lawsuit before the people's court for and on behalf of the public interest (Article 66).


The text of this law makes good use of foreign legislative experience and best practices for risk management. The law not only specifies the obligations of information processors but also spells out the rights of the affected individuals. In addition, the draft law addresses some issues for which MNCs have been eagerly awaiting solutions, such as cross-border transfer of personal information.

Certainly, some compliance obligations provided in the draft law could be costly in time and money, such as the security evaluation process for overseas transfer of personal information. Governmental evaluation of overseas transfer of personal information could be burdensome for both businesses and governmental authorities. It remains to be seen whether the measures will be made less burdensome in the final text.

Not surprisingly, but still frighteningly, the law provides for administrative and criminal liabilities not only for entities but also for individual executives. This should be alarming enough for both businesses and C-suite officers. Non-compliance with the law could cause serious compliance risks.

The process of seeking public comments is ongoing until November 19, 2020. In order to discuss the draft law and seek public comments, we are going to hold a workshop (as well as a webinar) with DAMA China in the Dentons Beijing Office on November 16. If you have any comments, please do not hesitate to let us know. You are welcome to raise your concerns or send your comments directly to the governmental authority concerned or via us by an email to


The author, Henry Chen, licensed to practice law in China and New York, is a senior partner at the Dentons office in Shanghai. Before joining Dentons, Henry was AP Compliance Director of Ford. Henry Chen is a drafter of the China national standard (draft) Information security technology - Cyber-data process security specification (信息安全技术 网络数据处理安全规范).

Henry's practice areas include cyber security and data governance, FCPA, anti-bribery and fraud investigations, economic sanctions and trade controls, compliance management systems, corporate matters and dispute resolution. You can reach Henry by sending an email to Henry is the author of the book Risk Management on Commercial Bribery in China and the book Compliance Risks of Enterprises in Globalization: Outbreak and Control.

The Compliance Reviews COPYRIGHT © 2013-19 All Rights Reserved. Supported by International Risk and Compliance Association and International Risk and Compliance Institute Limited. 沪ICP备10034943号-8