The new law, which includes definitions, rules, rights, protections, and consequences around personal data, comes at a time when China is cracking down on tech companies in the country.
China on Friday passed the Personal Information Protection Law (PIPL), putting in place one of the world’s strictest data privacy laws, the Wall Street Journal reported.
The law, which closely resembles Europe’s robust General Data Protection Regulation (GDPR), is set to go into effect on November 1, the report stated. But unlike its European counterpart, which restricts data collection by governments, PIPL gives the Chinese government broad access to data, the report added.
What does the Personal Information Protection Law say?
MediaNama has done a complete summary of the first draft of the PIPL released in October 2020. The second draft, released in April 2021, does not deviate much from the first. The full text of the final version wasn’t released upon passage. Here is a compilation of some of the most important provisions of the new law:
Definition of personal information handler: Organisations and individuals that “autonomously” determine the purposes, methods, and other such aspects of data handling. This is similar to how “data fiduciary” is defined in the Indian PDP Bill or how the GDPR defines “data controller”. From the Bill, it is clear that a personal information handler/data controller must be a private company or individual, unlike the GDPR or Indian PDP Bill where government bodies are also considered data controllers and data fiduciaries, respectively.
When can personal information handlers collect and process personal data? Personal information handlers can process (including collect) personal data only if they fulfill one of the following conditions:
- Have the individual’s consent
- Personal data is necessary to fulfill a contract in which the individual is an interested party
- Processing personal data is necessary to fulfill statutory duties or obligations
- Processing personal data is necessary to respond to emergencies or public health incidents, or to protect people’s lives and property
- Personal data is used in the public interest such as journalism, “public opinion supervision”, etc.
- Personal data that is in the public domain on a reasonable basis
Rules around consent:
- Must be taken before: Consent must be taken before data is processed by a data controller. It has to be informed, explicit, voluntary, and individuals have the right to rescind their consent.
- Fresh consent for a new purpose: Data controllers must seek fresh consent from users if the purpose or methods of processing change.
- Cannot refuse to provide service: Unless processing personal data is necessary to provide products/services, data controllers cannot refuse to provide services if users refuse to consent to share personal data.
- Guardian consent for children: If data controllers “know or should know” that they are handling personal data of children under the age of 14 years, they should get their guardian’s consent.
- Third-party sharing consent: To share personal data with third parties, data controllers must obtain specific consent from the user. They also have to notify users about the identity of the third party, how to contact it, the purpose and method of processing, and the data categories involved.
- Consent for sending data outside China: To send personal data abroad, data controllers must get users’ consent and notify them about the identity and contact details of the foreign partner; purpose and method of processing; personal data categories; ways to exercise their rights; etc.
Data processing by the state and its agencies:
- Only to scope or extent necessary: Government bodies must process personal data only to the scope or extent necessary to fulfill their statutory duties and responsibilities.
- Consent not always required: To process personal data to carry out statutory duties and responsibilities, they must notify individuals and get their consent. Notification and consent are not required if secrecy is legally required or if they would impede the government’s ability to do its job.
- Cannot publish or share without consent: State organs cannot publish personal data or share it with other people without the individual’s consent, unless laws and regulations provide otherwise.
- Storage within China: All personal data processed by the state must be stored within China. To transfer any personal data processed by the Chinese government outside the country, a risk assessment must be conducted.
Rights of users: Users can exercise the following rights except when laws or regulations state otherwise:
- Right to know
- Right to decide
- Right to limit/refuse personal data processing by others
- Right to request to delete personal data
- Right to withdraw consent
- Right to access and copy personal data from data controllers in a “timely manner” until and unless secrecy needs to be maintained for legal reasons
- Right to request to correct or complete their personal data
- Right to request an explanation from data controllers about their processing rules and automated decision-making process if the latter is deployed
- Right to refuse decisions by data controllers that are made solely on the basis of automated decision making
Duties of personal information handlers (data controllers):
- Ultimately responsible for data they process: Data controllers are ultimately responsible for the personal data they process. Data controllers must ensure purpose limitation, conduct regular audits and appoint a data protection officer(s) (for processing personal data beyond a certain quantity threshold).
- Personal data can’t be published without the specific consent of the user. If they process already published personal data, they must conform to the original purpose defined when it was published. To exceed that purpose, they must notify the users and get their consent.
- Adopt measures to prevent unauthorised access, information leaks, theft, distortion, and deletion. They must have data security incident response plans; use relevant technical security measures such as encryption, de-identification, “etc.”; and educate employees, among other things.
- Foreign companies must have local representation: Foreign companies that process the personal data of Chinese residents must have a local entity or representative within China. This entity or person’s name and contact details will be reported to the relevant authorities.
- Risk assessments: Data controllers must carry out risk assessments before processing sensitive personal data; conducting automated decision making; sending personal data abroad; etc. Risk assessment reports and handling status records must be preserved for at least three years.
- On discovering a personal data breach, a data controller must immediately adopt remedial measures and notify the relevant authorities.
More protection for sensitive personal data:
- Process only when sufficiently necessary: Data controllers can process sensitive personal data only for specific purposes and when “sufficiently necessary”. To do that, they must get specific consent (or written if required), notify users about the necessity to process such data and its impact on the user, and get administrative licenses or follow stricter restrictions if legally required.
- Definition of sensitive personal data: It is data that, if leaked or illegally used, can cause discrimination against the individual or grave harm to the person’s or their property’s security. This includes information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking, etc.
Use of CCTV and Facial Recognition Technology: The draft bill talks about “installation of image collection or personal identity recognition equipment in public venues”, an obvious reference to the use of CCTV and facial recognition technology in China. As per the bill, such equipment must only be installed to “safeguard public security” and must observe relevant state regulations. Clear indicating signs must be installed.
Rules for automated decision making: If a data controller uses “automated decision making” to process personal data, the data controller has to guarantee the transparency, fairness, and reasonability of the decision-making process and its result. Automated decision-making potentially refers to algorithmic deduction using AI/ML. Data controllers who use automated decision-making to target users with advertisements on the basis of their characteristics must provide users with the option to opt out.
Cross-border data transfer:
- Conditions to fulfill: To send personal data outside China for “business or other such purposes”, data controllers must fulfill certain conditions like passing a security assessment organised by the Central Cyberspace Affairs Commission (CCAC) or undergo a “personal information protection certification” conducted by a specialised body set up by the CCAC. However, international treaties or agreements, signed by China, that have provisions for cross-border data flows outside China, will supersede data localisation clauses of the Bill.
- Critical infrastructure operators and large data processors: For two categories — critical information infrastructure operators and data controllers who process data beyond a quantity threshold set by the CCAC — all personal data will be collected and “produced” “domestically” within China. To send it abroad, they must pass a security assessment organised by the CCAC.
Legal liability and fines:
- Consequences of illegal data processing: If the personal data processing is illegal or was done without adequate security measures in place, the relevant departments can order correction, confiscate illegal income, and issue a warning. If the data controller doesn’t correct it, they may be fined an additional CN¥1 million (~₹1.1 crore), while the person directly in charge and other responsible personnel can be fined between CN¥10,000 (~₹1.1 lakh) and CN¥100,000 (~₹11 lakh).
- Consequences for grave acts: If the illegal acts are “grave”, the relevant departments can order correction, confiscate unlawful income, and impose a fine of up to CN¥50 million (~₹55 crore) or 5% of annual revenue. They may also suspend related business activities and report them to relevant authorities to get their business permits or professional licenses cancelled. The person directly in charge and other responsible personnel can be fined between CN¥100,000 (~₹11 lakh) and CN¥1 million (~₹1.1 crore).
- Consequences to government bodies: If government agencies don’t fulfill their obligation, their superior organs/departments will order correction, and people directly responsible will be disciplined as per law.
- Consequences for illegally processing Chinese data abroad: If data controllers illegally process personal data in China or of Chinese residents elsewhere in the world, they may have to cough up CN¥50 million (~₹55 crore) or 5% of annual revenue in fines, according to China’s draft Personal Information Protection Law. Also, if other countries take punitive actions against China in the field of personal data protection, China will retaliate in kind.
- Compensation to users: If a data controller’s processing activities violate a user’s rights and interests, it is liable for compensating the loss users suffer or the benefit that it received.
China’s crackdown on tech companies
China has been cracking down on tech companies for several months now, launching investigations into and reprimanding large companies like Alibaba, Tencent, Didi, ByteDance, and others. The PIPL is part of this tightening regulatory regime. Together with the controversial Cybersecurity Law of 2017, which mandates localisation of data collected within China, and the Data Security Law (set to be implemented on September 1), which provides a framework for companies to classify data based on its economic value and relevance to China’s national security, it gives Chinese authorities unprecedented control over tech companies operating in the country.
China’s crackdown has repercussions not only within the country but throughout the world. Its approach to regulating the tech industry will shape how other countries approach the same. But the reasons behind this are varied and complex.
To help you understand the issue better, MediaNama has prepared a reading list: Why Is China Cracking Down On Tech Companies?
- China Expands Control Over Data Collected By Tech Companies With New Laws: Report
- Details: US, UK, EU And Allies Accuse China Of Carrying Out Malicious Cyber Activity
- What Apple’s Compromises On Privacy In China Mean For India
- Amidst Crackdown On Tech Companies, Chinese Govt Appoints Director To Board Of ByteDance Beijing: Report