China has published for public comment a draft of its inaugural data protection law. The bill is intended to incorporate, and in some cases replace, pieces of regulation that are currently scattered throughout other Chinese laws.

The bill lays out common data protection principles, including transparency, fairness, purposefulness, data minimization, and accuracy. The territorial scope of the bill includes any individual or entity that processes personal information within China or outside of China, provided that the purpose of the processing is to provide products or services to, or conduct analysis or assessment of, natural persons in China. The territorial scope also references other circumstances provided by other domestic laws or regulations. Where the data controller is not established in China, it is required to appoint a local representative.

The bill’s definitions of ‘personal information’ and ‘processing’ are similar to the definitions of these terms under the GDPR. It would require that data subjects be provided with a notice of the processing activities. The notice would include, among other things, the identity and contact information of the data controller, the categories of personal data collected, the purpose and methods of the processing activities, the retention period, and details on how data subjects may exercise their rights with regard to their personal data. These data subject rights include the right to access, rectify, and in certain circumstances object to processing or request the deletion of personal information.

The bill would permit processing personal information only subject to one of the enumerated legal bases: the individual’s informed, voluntary and explicit consent; where necessary to conclude or perform a contract in which the individual is an interested party; where necessary to comply with statutory duties; to respond to sudden public health incidents or in the event of emergency circumstances where the processing is required to protect natural persons’ lives and health, or the security of their property; or if reasonably required for news reporting, public opinion supervision, and other activities in the public interest.

The bill also addresses the cross-border transfer of personal information out of China and would require controllers to inform the data subjects of such transfers and obtain their consent. The bill also governs data breach notifications, processing of sensitive personal information, and processing personal information by state agencies.

CLICK HERE to read the draft Chinese Data Protection Bill (unofficial English translation).