Personal data is getting increased attention globally. China has enacted a new law to regulate the collection, storage, and use of personal data. It comes as China has turned its attention to technology, Internet and other areas of business where personal data is collected. China is not alone in this: there is increased attention being paid to personal data in many jurisdictions, including, most recently, the US where reports indicate that the FTC is considering strengthening privacy rules. (Alternative link)
Internet related business has probably made greater strides in China than just about anywhere. On-line purchases are the first choice for the aspiring middle class and young people. Almost anything can be delivered to your door. Any city is alive with delivery vehicles of one sort or another. This activity has brought with it many different forms of payment, primarily by phone Apps.
Concurrently, of course, this unification of personal, commercial, and financial data has fuelled a huge trade in and based on personal data collected by whatever available means.
This is the context for the new law. China has decided that this trade based on personal data, Internet based or not, must be regulated.
The Personal Data Protection Law
The Standing Committee of China’s National People’s Congress adopted the Personal Information Protection Law (“Law”) on August 20, 2021, with effect from November 1, 2021. It is a substantial piece of legislation with 74 Articles set out in 8 Chapters. Previously there were only guidelines and regulations governing collected personal data. The Law formalises and unifies the approach to these issues. The Law lacks detail in some of its provisions and the implementing regulations are expected to be put in place to provide this.
Application of the Law
The Law applies to:
- any activities in China processing the personal data of an individual; and
- any activities outside China processing the personal data of an individual in China where the activities are for:
- providing products or services to an individual;
- analysis or evaluation of the behaviour of an individual; or
- meeting other circumstances provided by law.
“Processing” includes activities to collect, store, use, process, transmit, provide, disclose, or delete personal data.
Personal data as defined in the Law only refers to data that can be used to identify a person. Anonymized personal data is expressly excluded from the scope of the Law.
Personal data must be processed:
- lawfully and in good faith, securely to prevent any unauthorized access to, leakage of, or tampering with, or loss;
- for a specific and reasonable purpose and only to the necessary extent;
- according to publicized rules in an open and transparent way; and
- properly to ensure that the personal data is accurate and complete for the purpose.
Except for specific circumstances provided by law – necessary for the conclusion or performance of contract where the individual is a party; fulfilling a statutory responsibility; responding to a public health emergency; etc; personal consent is required for processing an individual’s personal data.
Consent should be voluntary, explicit, and on a fully informed basis. The individual may withdraw consent at any time, but only with prospective effect.
Consent from parents or legal guardian is necessary for individuals under the age of 14 for any of their personal data.
Major Obligations of the Data Processor (“Processor”)
Except as provided by law, or in an emergency, the Processor is required to inform an individual, truthfully, accurately and completely using clear and easily understandable language of the:
- name and contact details of the Processor;
- purpose and methods of processing personal data, type of personal data to be processed and how long the data will be kept;
- rights of the individual whose data is collected and how to exercise them; and
- other matters to be informed as required by law.
Personal Data Protection Officer
The Processor must designate a personal data protection officer (“Protection Officer”) once the personal data it collects has reached a threshold amount. This is not defined by the Law and is likely to be clarified by the implementing regulations or by the National Cyberspace Authority (“NCA”).
The Protection Officer is responsible for supervising the processing of personal data and the actions taken by the Processor to safely protect it.
If a Processor is located outside China, it should either establish a specific body in China or designate a representative there. It is required to submit the name of the body or the name of the representative and their contact details to the NCA.
The Law is silent on appointing an individual to this role. Directly employing a Chinese individual from offshore can be risky for the offshore employer.
Evaluate the Impact on Personal Data Protection
Before proceeding with the following activities, the Processor is required to evaluate their impact on personal data protection:
- processing sensitive personal data such as biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other data of an individual;
- use of personal data in automated decision making;
- engaging a third party to process the personal data on its behalf or providing personal data to other Processors, or disclosing personal data;
- transmitting personal data to offshore; or
- other activities provided by law.
Additional Obligations for Major Processors
Processors that provide important Internet platform services, have a huge user base or operate a complex type of business (none defined yet), have the following obligations to:
- establish a sound personal data protection and compliance system;
- formulate and set out the policies to be followed;
- set up an independent body composed mainly of external members to supervise their protection of personal data;
- develop platform rules in accordance with the principles of transparency, fairness and impartiality;
- these rules should specify the standards for processing personal data and the obligations to protect personal data to be met by the product or service providers operating on their platform;
- stop providing service to product or service providers operating on their platforms which seriously breach the laws or regulations for the processing of personal data; and
- publish social responsibility reports on protection of personal data regularly and accept public scrutiny.
Processors’ Shared Responsibility
If two or more Processors share the processing of personal data, they are jointly and severally liable to the individual. Using a subcontract Processor does not relieve the primary contractor of liability.
The Processor is required to regularly audit its operations to ensure compliance with its legal obligations.
Sensitive Personal Data
If the personal data to be processed includes sensitive data such as biometrics, religion, specific identity, medical and health, financial accounts, personal location tracking and the like, the Processor will be subject to stricter rules. Specific consent is required, and very strict protective measures should be in place to protect this data.
Transfer of Personal Data Offshore
A Processor may only transmit personal data offshore as required and necessary, with specific and informed consent from the relevant individual. Data to be provided when obtaining consent includes the name and contacts of the offshore recipient; the purpose and method of processing; the type of data to be processed and transferred; and how an individual can exercise their rights against the offshore recipient, including the procedure for this.
Offshore transfer requires that the Processor meets one or more of the following:
- pass the cyber security evaluation organised by the NCA;
- be certified by a professional institution designated by the NCA;
- have a contract with the offshore recipient to specify their rights and obligations using the standard contract provided by the NCA; and
- meet other requirements set out by law.
The China Processor sending personal data offshore is responsible for the offshore Processor complying with China’s legal requirements. These include the Chinese security assessments set out in the Law. If these are not met, the personal data must remain on servers located in China.
As detailed in the Law and subject to its limitations, an individual has a right to:
- know about and control the use and processing of of their personal data;
- access and take copies of personal data held;
- transfer data held to another Processor;
- correct and complete personal data; and
- have their personal data deleted once the purpose for which it was provided has been completed.
Consequences of Breach
The Processor may face both administrative penalties and civil liabilities for breach of their obligations. Administrative penalties could be up to RMB 1 million (Approx USD 155,000); or for serious cases, RMB 50 million (USD 7,752,000) or 5% of the total revenue of the previous year. Further, the individuals whose rights and interests were damaged can seek remedies against the Processor.
The Protection Officer or any other individual directly liable for the breach could face personal liability. Personal liabilities include penalties between RMB 10,000 (Approx USD 1,550) to RMB 100,000 (Approx USD 15,500). Penalties in serious cases go up to RMB 1 million (Approx USD 155,000) or being banned from taking the position as director, supervisor or other senior management or Protection Officer for a period.
Who can take action?
A wide range of aggrieved persons and entities are empowered to take action for misuse of personal data and other breaches of the Law.
This article attempts to summarize the key provisions of a substantial piece of legislation. As such it cannot be a substitute for reading and understanding the Law in its complete form.
The Law, as is common with many Chinese laws, is short on the detail required to actually comply with it. Implementing regulations usually provide the essential details and guide administrative bodies on applying the law. In the absence of this supplementary guidance it is difficult for any business to know exactly what they must do to comply with it.
For example, personal data necessary for the conclusion or performance of a contract is an exception for consent, but personal financial data is sensitive personal data, requiring special handling. Which applies to credit card details supplied for a purchase? Is the test necessity?
The Law requires substantial changes in how personal data is collected and processed, imposing obligations that did not really exist before. Businesses will have to develop wholly new methods to comply. Many of the requirements will need software changes, or new software to be effectively implemented. Software takes time to be written and tested, but it is the only practical means to monitor the processing of personal data held in digital form.
The Law imposes very onerous burdens for personal data acquired by businesses located outside China or sent offshore from China for “processing”.
Foreign companies whose business is large enough will need to consider carefully the obligations imposed by the Law. Among them the need to appoint a Protection Officer and ensure their systems are audited. If the data collected meets the threshold, they must also pass the security assessments set out in the Law or store it on servers within China.
Smaller businesses too cannot ignore the provisions of the Law.
- The Law is comprehensive, but in its present form lacks detail in some key areas. Despite this, prudence suggests that planning for the obligations imposed by it should commence immediately.
- The obligations imposed upon cross-border transactions are particularly onerous. Dealing with these and the associated costs will have to be managed carefully.
- Many of the obligations imposed by the Law will require a technical response via software that may not yet exist. The personal data governed by the Law exists in a digital form and can only be monitored and dealt with digitally.
- Despite any difficulties, there is an obligation to comply. Those that gather and process personal data in or from China need to be preemptive rather than reactionary.
Graham BROWN & PENG Wei
# If you would prefer to have articles in printable PDF format, please let us know by email. #