China’s first personal information protection law in the home stretch

On 29 April, China’s National People’s Congress released the second consultation draft of the Personal Information Protection Law (New PIPL Draft). Public comments were open through 28 May 2021. The first draft of the Personal Information Protection Law (First PIPL Draft) was published on 21 October 2020. The New PIPL Draft is largely unchanged in terms of overall structure and policy. But we note some important refinements made to reinforce supervision and clarify certain points in the First PIPL Draft.

Legal basis for processing of personal information

China’s information privacy legislation has generally maintained a “consent-concentric” approach, with consent together with a closed set of exceptions being the lawful bases for processing personal information.  In line with most other jurisdictions in the Asia-Pacific region, the move to adopt aspects of the EU General Data Protection Regulation (GDPR) has not generally extended to “legitimate interests” processing: i.e., a right for businesses to generally process personal information without consent if they undertake an appropriate balancing of their business interests with the privacy interests of data subjects and ensure that the processing is fair.  This narrower approach has carried through in the First PIPL Draft, which provided for four circumstances and one catch-all provision under which consent would not be required. The New PIPL Draft includes an additional legal basis for personal information processors (PI Processors, similar to "data controllers" under GDPR) that allows for "legitimate interests" processing in relation to publicly available information "within a reasonable scope."

There is as yet no guidance on the meaning of "reasonable scope," other than the stipulation that processing of publicly available personal information should not substantially deviate from the primary purpose of publication of the information.

Chinese Standard Contractual Clauses for International Transfers of Personal Information

The June 2019 draft Measures on Security Assessment of Cross-Border Transfers of Personal Information (Draft Data Export Measures) included a list of requirements for standard contractual clauses for international transfers of personal information (SCC). These measures were never finalized.  SCC are again referred to in the New PIPL Draft, raising expectations further that the Cyberspace Administration of China (CAC) will publish a standard set of contract clauses as part of its implementation of the PIPL, as one of the pathways to transfer personal information to outside China.

It is unknown at this stage what provisions will be included in the SCC, but it is clear that some of the terms proposed in the Draft Data Export Measures, if included in the SCCs, will be challenging for parties to agree, including rights of compensation for data subjects, and a requirement to terminate the contract where the contract becomes difficult to perform due to changes in laws in the transferee’s jurisdiction.

Reinforced gatekeeper’s obligations for platform operators

The New PIPL Draft introduces a new set of enhanced obligations for PI Processors that operate “basic” internet platform services to serve “massive” number of users (without providing a threshold number) and have complex business types. Such obligations include: (i) establishing a steering committee independent of the PI Processor to oversee personal information processing activities; (ii) suspending services to product/service providers operating within the PI Processor’s platform if they are in serious violation of data protection laws; and (iii) issuing regular social responsibility reports concerning the processing of personal information.

There are a number of complications with these gatekeeper’s obligations, including:

  • The criteria for determining what constitutes a large basic internet platform services operator are not clear. Specifically, what is a “basic” internet platform; what is the threshold that qualifies as a “massive” number of users; and what are “complex” business types?
  • The provision is silent as to whether the gatekeeper’s obligation to suspend services to serious violators is subject to any official decision of competent judicial or law enforcement agencies. If not, it would be such gatekeepers’ obligation to exercise their own judgement about the application of the PIPL, which might be costly and risky to execute in practice.
  • The topics to be covered in a social responsibility report concerning personal information protection are left unspecified.

The rights of the deceased persons

The New PIPL Draft specifies that relatives of deceased persons may exercise rights in personal information on their behalf. The rights of deceased persons to their personal information were not addressed in the previous draft or in other Chinese data protection legislation.

The scope of “close relatives” are not defined in the New PIPL Draft, but referring to the PRC Civil Code, we believe it will include the deceased person’s children, parents, grandchildren, grandparents, spouses, and siblings.

PI Processors would have to establish a separate mechanism to respond to requests from the deceased persons’ close relatives. In particular, to authenticate the identity of individuals concerned, the PI Processors would need to review additional information to substantiate that the information subject is indeed deceased and the person making request is indeed a close relative of the deceased.

Presumption of fault

The First PIPL Draft provided for the possibility of substantial civil liability for PI Processors. The risk for PI Processors is increased under the New PIPL Draft, which explicitly places the burden of proving a lack of fault on PI Processors.  Given the difficulty of proving a negative proposition (i.e., the absence of fault), it will be more difficult for PI Processors to avoid liability under the PIPL than it is under current Chinese data protection laws.

Next Steps

It is very likely that the final version of the PIPL will be introduced within this calendar year. We envisage that a grace period may be provided before the law takes effect, so as to allow necessary time for PI Processors in China to adapt to the new rules. For example, the previous Cybersecurity Law gave an approximate 7-months grace period from its promulgation to taking effect. Given the general wording of the published consultation drafts, it is also likely that implementing measures will be needed to supplement the PIPL. Please stay tuned to our blogs to keep up with new developments of China’s first law-level legislation concerning personal information protection.

Authored by Mark Parsons, Sherry Gong, Jessie Xie, and Lan Xu.

 

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.