2021.05.14 DONG, Xiao (Marissa), inghe Guo
On October 21, 2020, after deliberation at the 22nd meeting of the Standing Committee of the 13th National People's Congress (“NPC”), the full text of the Personal Information Protection Law of the People's Republic of China (Draft) (“First Draft”) was officially published on the NPC’s website for public comment. On April 29, 2021, the Personal Information Protection Law of the People's Republic of China (Draft for Second Review) (“Second Draft”) was released to the public again for soliciting feedback until May 28, 2021 after deliberation at the 28th meeting of the Standing Committee of the 13th NPC.
The legislation of the Personal Information Protection Law has entered the final stages. This means that the first unified law on personal information protection in China will soon be finalized and formally issued. There will soon be a more complete, comprehensive, and systematic legal protection scheme for personal information.
The framework and layout of the Second Draft remain basically the same as those of the First Draft. There are eight chapters under the Second Draft, and the chapter names remain unchanged. It does, however, have three more articles than the First Draft, amounting to 73 articles in total. The Second Draft revises and improves the wording of several provisions of the First Draft, and also adds provisions such as the personal information protection of the deceased and the personal information protection obligations of very large-scale online platforms. The major amendments to the Second Draft as compared to the First Draft are summarized as follows:
Basic Rules for Processing Personal Information
The Second Draft adds one legal provision for the processing of personal information on the basis of the First Draft, i.e. “Processing disclosed personal information within a reasonable scope in accordance with the provisions of this law”, and specifies that in principle, an individual’s consent should be obtained for personal information processing, but there is no need to obtain consent under six different circumstances, other than “obtaining personal consent” under Article 13. (Article 13 of the Second Draft)
In addition to retaining the provisions of the First Draft on the entrusted processing of personal information, the Second Draft is also linked to the Civil Code, with newly added provisions: If the entrustment contract does not take effect, or is void, revoked, or terminated, the personal information shall be returned to the personal information processor or deleted, and shall not be retained by the entrusted party. (Article 22 Paragraph 2 of the Second Draft)
Rules for the Cross-border Transfer of Personal Information
Regarding the rules for the cross-border provision of personal information, the Second Draft for the first time clarifies that personal information processors should enter into contracts with overseas recipients “in accordance with the standard contract formulated by the national cyberspace administration” (Article 38 of the Second Draft), while no revisions have been made to the rest of the relevant provisions in this regard.
In terms of providing domestic personal information to overseas judicial or law enforcement agencies, the Second Draft has more stringent and specific regulations in terms of the scope of the application and the approval requirements than the First Draft. Article 41 of the Second Draft stipulates that if an overseas judicial or law enforcement agency requires the provision of personal information stored in China, no information can be provided without the approval of the competent authorities of the People’s Republic of China.
Adding Requirements on the Protection of the Personal Information of the Deceased
Article 49 of the Second Draft adds requirements for the protection of the personal information of the deceased in terms of the rights of personal information subjects, stipulating that if a natural person has died, the individual’s rights in personal information processing activities shall be exercised by his/her close relatives. This provision is in line with the requirements of Article 994 of the Civil Code on the protection of the deceased’s personality rights and interests, and clearly grants relevant parties, at the legal level, the right to exercise the deceased’s personal information rights.
Obligations of Personal Information Processors
The Second Draft does not substantially revise the obligations of a personal information processor under the First Draft, but it adds a provision and clarifies that the entrusted party in the case of entrusted processing should perform the relevant obligations of a personal information processor: “The entrusted party who is entrusted to process personal information shall perform the relevant obligations stipulated in this chapter and take necessary measures to ensure the safety of the personal information processed”. (Article 58)
Personal Information Protection Obligations of Large-scale Online Platforms
As a new provision, Article 57 of the Second Draft specifies the personal information protection obligations of “personal information processors who provide basic Internet platform services with a huge number of users and involves complex business types”, including: (a) establishing an independent organization mainly composed of external members to supervise personal information processing activities; (b) halting services to product or service providers on platforms that process personal information that are in serious violation of laws and administrative regulations; (c) regularly publishing social responsibility reports on personal information protection and accepting social supervision.
The above-mentioned provisions reflect the recent trend of regulatory authorities to strengthen the supervision of large-scale Internet platforms and tighten the regulation of security incidents such as data breaches. However, topics such as determining the criteria for “basic Internet platform services” and other terms such as “external members”, as well as how to implement the requirements for the preparation method and content, release frequency and the scope of “social responsibility reports on personal information protection”, are subject to follow-up implementation rules and/or explanations by regulatory authorities.
Refine the Duties of the National Cyberspace Administration
The Second Draft further refines and specifies the duties of the national cyberspace administration. It provides that it shall coordinate the relevant departments to promote the work of personal information protection in accordance with this law and the new provisions are as follows: (a) formulate specific rules and standards for personal information protection; (b) formulate special personal information protection rules and standards for sensitive personal information and new technologies and applications such as face recognition and artificial intelligence; (c) support the research and development of safe and convenient electronic identity authentication technology. (Article 61)
In terms of civil liability, the Second Draft adjusts the provisions of the First Draft and links with the relevant provisions of the Civil Code, clarifying that the principle of “presumption of fault” should be applied to the infringement of personal information rights. Specifically, the Second Draft stipulates that if personal information rights and interests are infringed due to personal information processing activities, and the personal information processor cannot prove that it is not at fault, it shall bear liability for damages and other tort liability. The liability for damages is determined in accordance with the individual’s consequent loss or the personal information processor’s benefit; if it is difficult to determine the individual’s consequent loss and the personal information processor’s benefit, the amount of compensation should be determined based on the specific situation. (Article 68)
Processing of Personal Information by State Agencies
The Second Draft adds a new stipulation that the provisions on the processing of personal information by state agencies shall apply to the personal information processing by organizations authorized by the laws and regulations with the function of managing public affairs, and with the purpose of performing statutory duties. (Articles 33 to 37 of the Second Draft)
The Personal Information Protection Law, as the first special law on the protection of personal information in China, will become an important legal basis for the establishment of the personal information protection legal regime of China.
From a content perspective, the Second Draft, on the basis of retaining the basic framework and most of the provisions of the First Draft, and in response to current outstanding problems in the field of personal information protection and the trends in supervision and law enforcement, revises the First Draft, improves the rules of legal basis for personal information processing and cross-border transfer of personal information, and adds new requirements for personal information protection of the deceased and personal information protection obligations of large-scale Internet platforms.
Basically, the Second Draft maintains a certain degree of consistency with the current laws, regulations or drafts that provide for personal information protection and is further linked to the Civil Code, but also provides many new requirements and regulations at the same time. How the specific provisions of the draft of Personal Information Protection Law will be connected with the existing laws and regulations and how the scope of application will be divided remains to be clarified. In addition, there are a number of issues that have yet to be clarified in the First Draft, such as the definition of "separate consent", the security assessment of the cross-border transfer of personal information, and how the protection certification is to be carried out, which are still not clarified and improved in this Second Draft. The clarification of these contents may require subsequent legislative improvement or the further introduction of related implementation rules and interpretations.
We recommend that companies fully understand the relevant content of the Second Draft and, as soon as possible before the promulgation of the Personal Information Protection Law, prepare to summarize and rectify non-compliance in their current corporate compliance work. We will also continue to pay close attention to the follow-up legislative process of the Personal Information Protection Law and share the latest updates with our clients.