On October 21, 2020, the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China (“PRC”) unveiled its draft of the Personal Data Protection Law (“Draft PDPL”) for public consultation until November 19, 2020. The Draft PDPL has many similarities to the European General Data Protection Regulation (“GDPR”).
Prior to the Draft PDPL, the Standing Committee of the NPC had adopted the PRC Cybersecurity Law (implemented on June 1, 2017) (the “CSL”). The CSL requires network operators to store select data within China and focuses on the cross-border transmission of personal data by “Operators of Critical Information Infrastructure” (“CIIO”). The Draft PDPL further expands the regulation of “personal data” and broadens the individual’s rights in personal data processing activities, including (i) the right to know, (ii) the right to make decisions, (iii) the right to review and copy, (iv) the right to correct and supplement, and (v) the right to delete.
Currently, there is no expected schedule for the adoption of the Draft PDPL. However, when adopted, the Draft PDPL, containing 69 articles, will be China’s first comprehensive law on the protection of personal data. Given the prevalence of data usage in general commerce and the scope of the Draft PDPL, it will significantly impact companies with operations in China as well as companies that do not have operations in China but are targeting the China market.
A few key points of the Draft PDPL:
1. Extraterritorial application of the law
The Draft PDPL applies to the processing of individuals’ personal data that takes place in China regardless of the nationality of such individuals. Unlike the CSL, which provides limited extraterritorial application, the Draft PDPL also applies to activities outside of the PRC when such activities touch on Chinese personal data under any of the following circumstances: (i) where the purpose is to provide products or services to Chinese people; (ii) where the purpose is to analyze and evaluate the activities of Chinese people.
2. More expansive data localization requirements and clearer rules on cross-border transfer of personal data
Compared with the CSL, which only governs the behavior of CIIOs in their handling of personal data in China, the Draft PDPL covers both CIIOs and other personal data processors (“PDP”) such as governments, companies, institutions and individuals. The current draft of the Draft PDPL does not provide a definition of PDP.
The Draft PDPL provides for three mechanisms for cross-border transfer of personal data. Where a PDP or a CIIO provides personal data outside the PRC, it must satisfy at least one of the following mechanisms:
(i) Obtain certification issued by the organization as authorized by the Cyberspace Administration of China (“CAC”).
(ii) Obtain certification issued by a specialized agency (the third party) assigned such certification power by the CAC.
(iii) Enter into a contract with the overseas recipient, specifying the rights and obligations of both parties meeting the standards of the Draft PDPL and certifying that the PDP or CIIO has reviewed and is supervising the overseas recipient’s processing of personal data to ensure that it meets the standards of the Draft PDPL.
In addition, cross-border transfer of personal data to foreign authorities requires Chinese regulators’ prior approval under the Draft PDPL. This is consistent with the Draft Data Security Law (published by the Standing Committee of the NPC on July 3, 2020) and the recently amended China Securities Law (amendment effective March 1, 2020), which, to a certain extent, shed light on Chinese regulators’ view in this regard.
3. Enhanced legal liability for violation of Draft PDPL and privacy litigation
Serious violations of the Draft PDPL, such as illegal processing of personal data or failure to adopt necessary measures to protect personal data, can result in a fine of up to RMB 50 million ($7.4 million) or up to five percent of the violator’s preceding year’s revenue per incident.
When calculating the fine, the Draft PDPL is silent on whether different approaches will be taken when the violator is a specific legal entity versus a group of affiliated legal entities globally or in China that are involved in data processing. It is also unclear as to whether the revenue of the preceding year will be calculated based on the violator’s global market revenue or just the revenue from the China market. It is worth watching the space to see if the legislator considers using a similar concept of “undertaking” under the GDPR when calculating the fine.
In terms of personal liability in the context of a violation of the Draft PDPL, the personnel who are directly responsible for the personal data processing that resulted in the violation may be fined up to RMB 1 million ($0.15 million). No detailed standard on this personal liability is yet published. In practice, we expect that personal liability under the Draft PDPL may potentially attach to legal representatives, senior management personnel and project principals.
Although the Draft PDPL is still a draft, multinational companies and Chinese companies that invest overseas should plan ahead. Any personal data processing mechanism and cross-border data transmission procedures should be mapped and understood internally, if they are not already. We would expect to see internal control and compliance infrastructure put in place and the initiation of staff training on personal data protection, as well as coordination with local CAC in preparation for further detailed implementation regulations. Once adopted, the Draft PDPL will have a significant and far-reaching impact on personal data protection compliance requirements for any players in the China market.