On April 29, 2021, the National People’s Congress Standing Committee of the People’s Republic of China released a second draft of the Personal Information Protection Law (the “PIPL”) for public comment. In general, the second draft does not deviate much from the prior version released in October 2020. For further details on the original draft of the PIPL, please see our previous blog and client alert.
China’s Personal Information Protection Law: What It Means to Companies (Client Alert)
China’s Personal Information Protection Law (Second Draft) – What to Expect (Consumer Privacy World Blog)
We have summarized the highlights of the proposed changes contained in the second draft below:
- Cross-border Transfers. The first draft of the PIPL set out three conditions for legitimizing the cross-border transfer of personal information. The easiest condition to achieve is for personal information processors (“PIPs”), which are akin to ‘Data Controllers’ under the EU’s GDPR, to conclude a contract with the overseas recipient. The second draft requires such contract to be in a standard form prepared by the government; however, no form was published with the second draft. The obligations imposed by the government’s form contract on data exporters and importers will be critical to continued cross-border data flows involving China.
- Basis for Processing. The second draft specifically distinguishes consent-based processing from the other enumerated lawful bases for processing personal information (which continue to exclude a “legitimate interests” test). The second draft does, however, clarify that PIPs should be able to process personal information that is in the public domain on a reasonable basis.
- Data Subject Rights. The second draft establishes certain additional conditions in relation to the data subject rights set out in the first draft, including the right to withdraw consent and the right of data deletion. Further, it provides that the rights of a deceased data subject may be exercised by close relatives.
- PIP Obligations. Compared to the initial draft, the second draft imposes additional obligations on PIPs with regard to processing by entrusted parties (akin to the GDPR concept of “data processors”) and automated decision-making used in marketing and information push delivery. It also requires PIPs to conduct regular compliance audits.
- Platform Processors. In addition to the obligations imposed on all PIPs, the second draft imposes additional obligations on PIPs that provide foundational internet platform services on a mass market basis and using complex business models. These obligations include the establishment of an independent organization to supervise the processing activities, publishing a periodic social responsibility reports on personal information protection, and suspending use of the platform by non-compliant service providers. These obligations are intended to target large e-commerce and social media platforms.
The period for public comments will expire on May 28, 2021. It is still unknown when the law will be officially enacted, though the expectation is that it will happen before the end of this year. Once the PIPL is adopted, implementation rules are expected to follow, including the rules and standards on sensitive personal information and emerging technologies and applications, such as facial recognition and artificial intelligence.
Our Data Privacy & Cybersecurity team has established an internal working group comprising GDPR, US, Asia Pacific and China-based data privacy experts who have substantial experience advising on relevant regulations in China. If you would like specialist advice on these and related issues, please contact our team; Nicholas Chan, Scott Warren, Lindsay Zhu, Rosa Barcelo, Alan Friel, Ann LaFrance