If data controllers illegally process personal data in China or of Chinese residents elsewhere in the world, they may have to cough up CN¥50 million (~₹ 55 crore) or 5% of annual revenue in fines, according to China’s draft Personal Information Protection Law. Also, if other countries take punitive actions against China in the field of personal data protection, China will retaliate in kind.
This Bill is currently being deliberated upon by the National People’s Congress (the Chinese parliament) and will regulate how the personal data of more than 900 million internet users in China is processed and stored. The draft was released on October 21. We have used DigiChina’s translation to summarise the Bill which has 8 chapters and 70 articles.
The Bill covers only data related to natural persons; it does not cover anonymised data. It makes informed consent mandatory for data processing, imposes obligations on data controllers, and proposes restrictions on sending data processed in China outside the country.
This Bill has been long awaited and is the latest in a litany of legislation related to cyberspace. The others are the controversial Cybersecurity Law (enacted in June 2017) and the draft Data Security Law. China had also amended its criminal law in 2015 and criminalised illegal sale of personal data to a third party.
What kind of processing does the Bill apply to?
It applies to all individuals and organisations who process personal data within the borders of China.
The language of this article is ambiguous. It is not clear whether it includes all the personal data processing that happens within China, even if it means processing the personal data of non-Chinese, non-resident foreigners. Thus, if an email from an Indian in India to an American in USA is routed through servers located in China, it is not clear if the proposed law will apply to processing done by the Chinese server.
Extra-territorial jurisdiction: The Bill also applies if personal data related to people resident in China is processed outside China; this could include providing products and services from abroad to Chinese residents or analysing their online behaviour.
Processing by the government for statistical or archival management is exempted from the Bill.
- Personal information handler: Organisations and individuals that “autonomously” determine the purposes, methods and other such aspects of data handling. This is similar to how “data fiduciary” is defined in the Indian PDP Bill or how the GDPR defines “data controller”. From the Bill, it is clear that a personal information handler/data controller must be a private company or individual, unlike the GDPR or Indian PDP Bill where government bodies are also considered data controllers and data fiduciaries, respectively.
- Personal information handling: It includes personal data collection, storage, use, processing, transmission, provision, publishing, and other such activities. It is what is understood as “data processing” under the GDPR and the Indian PDP Bill.
- Personal information: It includes all data recorded by electronic or other means that is related to “identified or identifiable natural persons”. It does not include anonymised data. It is what is commonly understood as “personal data” under the GDPR.
- Sensitive personal information: It is personal data that, if leaked or illegally used, can cause discrimination against the individual or grave harm to the person’s or their property’s security. This includes information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking, etc.
- Automated decision making: Activities that use personal data to “automatically” analyse, assess and decide, via computer programs, individual behaviours and habits, interests and hobbies, or situations related to finance, health, or credit status.
Despite its repeated emphasis on specific consent, the Bill does not define it.
When can personal information handlers process personal data?
Data controllers can process (including collect) personal data only if they fulfil one of the following conditions:
- Have the individual’s consent
- Personal data is necessary to fulfil a contract in which the individual is an interested party
- Processing personal data is necessary to fulfil statutory duties or obligations
- Processing personal data is necessary to respond to emergencies or public health incidents, or to protect people’s lives and property
- Personal data is used in public interest such as journalism, “public opinion supervision”, etc.
If purpose changes, get consent again
Consent must be taken before data is processed by a data controller. It has to be informed, explicit, voluntary, and individuals have the right to rescind their consent. Data controllers must seek fresh consent from users if purpose or methods of processing change. Unless processing personal data is necessary to provide products/services, data controllers cannot refuse to provide services if users refuse to consent to share personal data.
If data controllers “know or should know” that they are handling personal data of children under the age of 14 years, they should get their guardian’s consent.
- MediaNama’s comment: This means that any services like YouTube or Netflix, where the service providers already know that kids access them, would have to take the guardian’s consent. However, the Bill doesn’t provide an age verification mechanism.
Notify users before processing personal data
Data controllers must “explicitly” notify users before processing. If there is a change in these details, users have to be notified of the change.
- If secrecy needs to be maintained by law, the data controller need not notify the users.
- If users cannot be notified in a timely manner because of emergencies, data controllers must notify them after the emergency has been concluded.
- In case of mergers and acquisitions, the data controller must notify users about the “receiving party’s” identity and contact method.
More than one data controller; data processors
In case two or more data controllers “jointly” decide on the purpose and method of processing, they must contractually decide their rights and obligations. However, the user can still exercise their rights from any of the data controllers. If they “jointly” harm the rights and interests of the user, they will bear joint liability.
“Entrusted parties” in the Chinese Bill are basically what the GDPR and the Indian PDP Bill call “data processors”. Data controllers must enter a contract with the data processor (or entrusted party). The data processors must:
- Not go beyond the purposes or methods of data processing stated in the contract.
- Not contract sub-processors without the data controller’s consent.
- Return personal data to the data controller or delete it after completing or dissolving the contract.
Sharing personal data with third parties
To share personal data with third parties, data controllers must obtain specific consent from the user. They also have to notify users about the identity of the third party, how to contact it, the purpose and method of processing, the data categories involved.
Third parties that receive personal data from data controllers must:
- Adhere to the processing purpose, method, data categories, “etc.” defined in the notice to the users.
- Notify users and get their consent if they (third parties) change the purpose of method of data processing.
- Not use any technical or other methods to re-identify individuals when data controllers give them anonymised data.
Transparency, fairness must for automated decision making
If a data controller uses “automated decision making” to process personal data, the data controller has to guarantee the transparency, fairness and reasonability of the decision making process and its result. Automated decision making potentially refers to algorithmic deductions, which, in snazzier terms, are commonly referred to as AI/ML. Data controllers who use automated decision making to target users with advertisements on the basis of their characteristics must provide users with the option to opt out.
Duties of data controllers
Data controllers are ultimately responsible for the personal data they process. Data controllers must ensure purpose limitation, conduct regular audits and appoint data protection officer(s) (for processing personal data beyond a certain quantity threshold).
Personal data can’t be published without specific consent of the user. If they process already published personal data, they must conform to the original purpose defined when it was published. To exceed that purpose, they must notify the users and get their consent. If the original purpose is not clear, they must process such data “in a reasonable and cautious manner”, notify the users and get their consent.
Adopt measures to prevent unauthorised access, and information leaks, theft, distortion and deletion. They must have data security incident response plans; use relevant technical security measures such as encryption, de-identification, “etc.”; and educate employees among other things.
Foreign companies that process personal data of Chinese residents must have a local entity or representative within China. This entity or person’s name and contact details will be reported to the relevant authorities.
Data controllers must carry out risk assessments before processing sensitive personal data; conducting automated decision making; sending personal data abroad; etc. Risk assessment reports and handling status records must be preserved for at least three years.
On discovering a personal data breach, a data controller must immediately adopt remedial measures and notify the relevant authorities. The notification must include:
- Cause of breach
- Categories of personal data leaked and potential harm that may cause
- Adopted remedial measures
- Measures users may take to mitigate harm
- Contact details of the data controller
If data controllers are able to “effectively avoid” harms caused by the breach, they need not notify users, but government authorities may direct them otherwise.
Rights of users
To enable users to exercise their rights, data controllers must establish mechanisms to accept and handle users’ requests. In case they reject the users’ request, they must give a reason. The following rights can be exercised except when laws or regulations state otherwise:
- Right to know
- Right to decide
- Right to limit/refuse personal data processing by others
Users have the right to access and copy personal data from data controllers in a “timely manner” until and unless secrecy needs to be maintained for legal reasons. Users also have the right to request to correct or complete their personal data. In such cases, data controllers must verify the personal information, and correct/complete it in a “timely manner”.
Users have the right to request to delete personal data. Data controllers must fulfil the request if one of the following happens:
- Expiration of retention period, or purpose of processing is fulfilled,
- Data controllers have stopped provided the product or service,
- User has rescinded consent,
- Data controllers illegally processed personal data, etc.
In case the retention period has not expired or deleting personal data is “technically hard to realize”, data controllers will stop processing the personal data.
Users have the right to request explanation from data controllers about their processing rules. Users have two additional rights related to automated decision making:
- Right to an explanation: Users can ask controllers to explain the automated decision making process if they think it has a major impact on their rights and interests.
- Right to refuse: Users have “right to refuse” data controllers from making decisions solely on the basis of automated decision making.
Higher degree of protection accorded to sensitive personal data
Data controllers can process sensitive personal data only for specific purposes and when “sufficiently necessary”. To do that, they must get specific consent (or written if required), notify users about the necessity to process such data and it impact on the user, and get administrative licences or follow stricter restrictions if legally required.
CCTV and Facial Recognition Technology
The Bill talks about “installation of image collection or personal identity recognition equipment in public venues”, an obvious reference to use of CCTV and facial recognition technology in China. As per the Bill, such equipment must only be installed to “safeguard public security” and must observe relevant state regulations. Clear indicating signs must be installed.
Data collected this way can only be used for safeguarding public security. It cannot be published or shared with other people without the individuals’ specific consent or laws/regulations stating otherwise.
If this is violated, punishment will be imposed according to the law (it is not clear which law this is). If it constitutes a crime, criminal liability will be investigated.
Data processing by the state, its agencies
Government bodies must process personal data only to the scope or extent necessary to fulfil their statutory duties and responsibilities. To process personal data to carry out statutory duties and responsibilities, they must notify individuals and get their consent. Notification and consent are not required if secrecy is legally required or if they would impede the government’s ability to do its job. State organs cannot publish personal data or share it with other people without individual’s consent or laws and regulations that provide otherwise.
All personal data processed by the state must be stored within China. To transfer any personal data processed by the Chinese government outside the country, a risk assessment must be conducted. CCAC, the State Council and others may be required to provide support and assistance for risk assessments.
Conditions to send personal data outside China
To send personal data outside China for “business or other such purposes”, data controllers must fulfil at least one of the following conditions:
- Pass a security assessment organised by the Central Cyberspace Affairs Commission (CCAC).
- Undergo a “personal information protection certification” conducted by a specialised body set up by the CCAC.
- Sign a contract with a foreign receiving party defining both sides’ rights and obligations. The Chinese data controller must also supervise the foreign partner’s processing activities and its adherence to this Bill.
- Any other conditions in laws or regulations or those laid down by the CCAC.
To send personal data abroad, data controllers must get users’ consent and notify them about the identity and contact details of the foreign partner; purpose and method of processing; personal data categories; ways to exercise their rights; etc.
However, international treaties or agreements, signed by China, that have provisions for cross-border data flows outside China, will supersede data localisation clauses of the Bill.
For two categories — critical information infrastructure operators and data controllers who process data beyond a quantity threshold set by the CCAC — all personal data will be collected and “produced” “domestically” within China. To send it abroad, they must pass a security assessment organised by the CCAC.
To send personal data abroad for judicial or law enforcement purposes, an application must be filed with the relevant competent department for approval. It is not clear who will file this application — the data controller who needs to send the data or the foreign entity that requires this data for judicial or law enforcement purposes.
Retaliatory measures against countries, data controllers possible:
- If a country or a region adopts “discriminatory prohibitions, limitations or other similar measures” related to personal data protection against China, the Chinese government can retaliate. This basically means that if a country or a region (read: USA, EU) doesn’t grant China adequacy status and thus refuses to sign a data sharing treaty with China, the Chinese government may retaliate in kind.
- Foreign organisations or individuals who process personal data in ways that “harm” the rights and interests of Chinese people or the national security/public interest of China may be put on a CCAC list that limits or prohibits data sharing with them. The CCAC could also issue them a warning among other undefined measures.
Duties and powers of relevant govt data protection authorities
The Central Cyberspace Affairs Commission (CCAC), central ministries and the other relevant departments will jointly fulfill personal information protection duties and responsibilities. CCAC, established in 2014, also known as the Central Commission for Cybersecurity and Informatization is the department responsible for planning and coordinating personal data protection work and related supervision and management.
“Relevant” State Council departments, that is the union ministries, are responsible for data protection, supervision and management within their portfolios as per extant laws and regulations. At county level (similar to an Indian district) and higher, relevant departments will be responsible according to extant regulations.
Extra duties of the CCAC and State Council departments: The CCAC and the relevant central ministries (State Council departments) will formulate personal data protection-related rules and standards, support relevant organs in conduction of personal data protection assessments and certifications, and “advance the construction of a socialized service system for personal information protection”.
Duties of the departments: These departments (CCAC, State Council departments and county-level departments) fulfilling personal information protection duties and responsibilities must supervise data controllers’ personal data protection work; process related complaints and reports; investigate illegal personal data processing activities; and spread awareness about data protection.
To carry out their duties, these departments may interview concerned parties; investigate suspected illegal operations; get access to a concerned party’s contracts, records, receipts and other relevant material; seal/confiscate illegal data processing equipment and goods if there is evidence; etc.
Anybody can complain to these departments about illegal data processing. Departments that receive such complaints or reports must process them promptly and notify the person who complained/reported about the outcome.
Legal liability and fines
If the personal data processing is illegal or was done without adequate security measures in place, the relevant departments can order correction, confiscate illegal income and issue a warning. If data controller doesn’t correct, they may be fined an additional CN¥1 million (~₹1.1 crore) while person directly in charge and other responsible personnel can be fined between CN¥10,000 (~₹1.1 lakh) to CN¥100,000 (~₹11 lakh).
If the illegal acts are “grave”, the relevant departments can order correction, confiscate unlawful income and impose a fine of up to CN¥50 million (~₹ 55 crore) or 5% of annual revenue. They may also suspend related business activities, report them to relevant authorities to get their business permits or professional licences cancelled. The person directly in charge and other responsible personnel can be fined between CN¥100,000 (~₹ 11 lakh) to CN¥1 million (~₹1.1 crore).
Illegal acts will be included in the credit files (credit reports) and published.
If a data controller’s processing activities violate a user’s rights and interests, it is liable for compensating the loss users suffer or the benefit that it received. The amount of compensation will be determined by court when it is difficult to determine the loss suffered by the user or the controller’s benefits. If a data controller can prove that it was not at fault, it can be exempted from liability.
If the rights of many users are violated, China’s public prosecutor (People’s Procuratorates), the CCAC, and government departments responsible for personal data protection duties and responsibilities can file a lawsuit against the data controller in court.
If government agencies don’t fulfill their obligation, their superior organs/departments will order correction and people directly responsible will be disciplined as per law.