China publishes new personal data protection law


On 20 August 2021, the Standing Committee of the National People's Congress passed the PRC Personal Data Protection Law, China's first dedicated personal data protection law. The highlights of this law, which will take effect on 1 November 2021, include:

Extra-territorial effect

The Chinese data protection law applies to all processing within the territory of China, regardless of the nationality of the controller, the processor, or the data subjects.

The law will also apply to processing outside of the territory if the purpose is to supply products or services to an individual located in the territory, or if the individual's activities are being analysed or assessed. A foreign company conducting such processing must either establish an entity or appoint a representative in China to handle data protection-related matters.

Lawful bases

Consent remains the default lawful basis, although processing without consent is allowed under certain circumstances as exceptions to the law's consent requirement.

Among others, processing without consent is allowed if the processing is necessary for:

  • the conclusion or performance of contracts to which the data subject concerned is a party; or
  • the implementation of human resources management in accordance with labour rules and procedures, and collective labour contracts formulated as required by law.

The law does not elaborate further on how "necessity" is to be interpreted.

Processing without consent is also allowed for the processing of personal data that have been disclosed to the public by the data subjects themselves or via other legally permitted ways. Processing such personal data must be done within a reasonable scope (e.g. consistent with the purpose for which the data were published).

Other exceptions include legal obligations, vital interests, and public tasks. However, “legitimate interests” as defined by the EU's GDPR is still not a lawful basis under the law.

Even where the processing is not based on consent, the relevant data subjects must be fully informed of how their personal data will be processed, unless any law or administrative regulation requires the processing to be kept confidential. Where the processing takes place during an emergency and it is impossible to inform data subjects in advance, they must still be informed in a timely fashion afterwards.

Specific consent

The law specifies the following five circumstances under which processing requires the specific consent of data subjects:

  • where the data controller provides personal data to others, although the law does not specify whether this covers only the controller-to-controller provision or also the controller-to-processor provision;
  • where a controller discloses personal data to the public;
  • where personal images or other personal data collected by cameras or other devices installed in public areas are used for purposes other than maintaining public security;
  • where sensitive personal data (including personal data of minors) are processed; and
  • where personal data will be transferred to a foreign country.

The law does not define "specific consent". Based on our interpretation of the regulatory approach, it at least requires that consent be given specifically for the processing in question and not as part of any packaged or bundled consent covering a series of processing actions.

Where processing is based on lawful bases other than consent (e.g. necessity for contract performance), the law is silent on whether processing is also exempt from any specific consent requirement (e.g. whether specific consent is again required before transferring the data outside of China, even if the original collection of data is based on the necessity of contract performance).

Data localisation and cross-border transfer

In addition to critical information infrastructure operators (CII Operators), companies that process personal data in a volume reaching a threshold specified by the regulator (Large-scale Operators) must store in China all personal data collected or generated in China. The law, however, remains silent on what this threshold is. If any such data needs to be transferred to a foreign jurisdiction, a security assessment organised by the regulator must be passed in advance.

A company that is neither a CII Operator nor a Large-scale Operator must satisfy one of the following requirements before it can transfer personal data outside of China:

  • pass security assessments organised by the regulator;
  • obtain certificates issued by designated professional institutions; or
  • sign standard contracts with foreign recipients formulated by the regulator.

While there are a few draft standards and guides suggesting how a security assessment should be conducted, no details are provided on how the certificates must be issued or what specific standard contract clauses must be included.

In addition, a data controller is required to take necessary measures to ensure that the foreign recipient satisfies the Chinese data protection standards under the law. This seems to require an adequate level of protection in the relevant foreign country. However, absent a state-approved "white-list" such as exists under the GDPR, it remains unclear how commercial companies should implement this requirement in practice.

The law emphasises that China will give effect to any international treaties or agreements it has concluded regarding data transfers. In the context of cross-border judicial or enforcement assistance, no one may transfer personal data stored within China to a foreign judicial or enforcement authority without the prior approval of the Chinese authorities.

Data protection impact assessments

A data protection impact assessment must be conducted before any of the following processing activities can be carried out:

  • processing sensitive personal data;
  • using personal data to make automated decisions;
  • entrusting others to process personal data, or sharing or publishing personal data;
  • transferring personal data outside of China; and
  • other processing activities that may significantly affect an individual's interests.

The technical standard Guidance for Personal Information Security Impact Assessment (GB/T 39335-2020) provides general rules and procedures on how an impact assessment should be conducted.

When conducting an impact assessment for proposed automated decision-making, the data controller must ensure that each data subject has the option of requesting not to be subject to a decision based solely on automated processing if the decision could significantly affect his or her legal interests. Data subjects must not be subjected to differential pricing or other unfair treatment based on automated decision-making.

Liability

The law significantly increases the penalties for data violations or infringement. An infringing company can be subject to an administrative fine up to RMB 50 million or 5% of the previous year’s revenue, confiscation of illegal income, suspension of business, or revocation of business licences.

A person who is in charge of data protection matters and is directly responsible for a violation (e.g. the data protection officer of a Large-scale Operator), as well as other responsible persons, may be subject to an administrative fine of between RMB 100,000 and RMB 1 million. These persons could also be disqualified from acting as directors, supervisors, senior managers, or personal data protection officers in any company for a certain period of time.

The law also provides that the People's Procuratorate and qualified consumer protection organisations, or other organisations appointed by the Cyberspace Administration of China, can bring public interest litigation against processing activities that violate the law or harm the interests of individuals. Immediately following the issuance of the law, the Supreme People's Procuratorate published a circular confirming that public interest litigation of this type may become a focus of its future work.
