Recap of the Key Points Discussed at Our PIPL Seminar
We held a seminar last week to discuss China's proposed Personal Information Protection Law. Below is a recap of the key points:
1. The definition of personal information. The Personal Information Protection Law (Second Draft) ("PIPL" or "Second Draft") defines personal information as information that "relates" to an identified or identifiable natural person. The Civil Code, by contrast, emphasizes information that "identifies" a specific natural person, which is a narrower definition than the one in the PIPL. This inconsistency has not changed the legislators' position: the Second Draft retains the "relates to" approach, which reflects a clear view and attitude on their part.
2. Multiple lawful bases for processing personal information. Article 13 of the Second Draft adds a new provision: "consent is not required if there are circumstances stipulated in the second to seventh paragraphs of the preceding section although other relevant provisions of this Law stipulate that the consent of individuals shall be obtained for the processing of personal information". This resolves the doubts raised by the First Draft about whether the multiple lawful bases operate independently of consent, and it has significant practical implications for compliance. Under this provision, if the lawful basis for collecting, processing or exporting personal information is that it is "essential for entering into or performing a contract to which it is a contracting party" (e.g. to enter into a sales, service or employment contract), the handler does not need to obtain consent.
3. Consent and withdrawal. In addition to the existing provisions on the right to withdraw consent to personal information handling activities, Article 16 of the Second Draft now provides: "The personal information handler shall provide a convenient approach for withdrawing consent. The withdrawal of consent shall not affect the validity of the personal information handling activity that is based on the personal consent prior to such withdrawal". This requires a practical mechanism for withdrawing consent (a "convenient approach") and clarifies that withdrawal has no retroactive effect on handling carried out before it.
4. Cross-border transfer of data. Given the multiple lawful bases for processing, a cross-border transfer of personal information no longer has to rest on the data subject's consent if it can rely on another lawful basis; the Second Draft is much clearer on this point. In addition, Article 38 of the Second Draft adds a new provision on contracts for cross-border transfer, stating explicitly that such a contract shall be based on "standard contracts formulated by the national cyberspace administration". This gives the cyberspace administration the new role of drafting a "Chinese version" of standard contractual clauses (SCCs). The Second Draft also imposes a data localization obligation on "critical information infrastructure operators" and "personal information handlers who handle personal information up to the amount as specified by the national cyberspace authorities"; where such handlers need to provide personal information abroad, they must pass a "security assessment". The Second Draft does not, however, set out the specific rules, procedures and requirements for that security assessment, so it is worth paying close attention to the supplemental regulations on security assessments that the national cyberspace administration issues in the future.
5. Enforcement agencies. Article 61 of the Second Draft adds a number of new elements. Within the current landscape of multiple data protection agencies, it clarifies that "the national cyberspace authorities will lead and coordinate" the relevant agencies in promoting the protection of personal information, which strengthens the national cyberspace administration's position as the main regulatory body. The administration will also be responsible for "formulating special rules and standards for personal information protection in respect of sensitive personal information, face recognition, artificial intelligence and other new technologies and new applications" and for "supporting the research and development of a safe and convenient electronic identity authentication technology". Since both the First and the Second Draft retain the multi-agency approach, the likelihood of a unified data protection agency (DPA) emerging in the remaining legislative process is relatively low; it is more likely that the role of the national cyberspace administration will be strengthened further.
6. Civil liability based on presumption of fault. The Second Draft removes the provision that "a personal information handler that is able to prove that it is not at fault may be relieved or exempted from liability" and instead frames civil liability on the principle of presumption of fault. The revised provision reads: "where any personal information rights and interests are infringed due to a personal information handling activity, and the personal information handler cannot prove that it is not at fault, it shall assume the liability for tort, such as the liability for damages". In other words, the burden is on the handler to prove the absence of fault.
7. Compliance audit. The Second Draft removes the First Draft provision that "the authorities performing personal information protection duties shall be entitled to require the personal information handler to entrust a professional institution with such audit", which was unclear as to what would trigger an audit and what the nature of the audit would be. Article 63 of the Second Draft clarifies that where the authorities, in the course of performing their duties, find that a personal information handling activity carries considerable risk or that a personal information security incident has occurred, the personal information handler must entrust a professional institution to audit the compliance of that handling activity. In addition, Article 54 of the Second Draft adds that "a personal information handler shall, on a regular basis, conduct compliance audits in respect of how its personal information handling activities and protection measures comply with the provisions of laws and administrative regulations". This makes regular auditing an obligation of all handlers and specifies the nature of the audit as a "compliance audit".
8. Handling public information. Article 13 of the Second Draft adds "handling the personal information that has already been made public in accordance with this Law and within a reasonable scope" as one of the lawful bases for processing personal information. This is consistent with Article 1036 of the Civil Code, which refers to "properly handling the information that the natural person has publicly disclosed or other information that has been legally and publicly disclosed". However, the Second Draft does not provide detailed rules restricting the handling of public information to the "purpose for which it was disclosed". In practice, the purpose for which information is handled and the purpose for which it was disclosed are very often different, so this issue needs further clarification in the subsequent legislative process.
9. Automated decision-making. The Second Draft regulates automated decision-making more reasonably. Under Article 25, in addition to offering the option of not targeting an individual's personal characteristics, the handler may instead "provide the individuals with the channel for rejection", which leaves some room for companies whose core marketing model is based on automated decision-making. At the same time, the amendment limits the circumstances in which an individual has the right to request an explanation and to refuse to "automated decisions that have a material impact on individual rights and interests", which gives the right of refusal a clearer scope of application.
10. "Gatekeeper" obligations of large Internet platforms. Article 57 of the Second Draft adds that a personal information handler that provides basic internet platform services, has a massive number of users and operates complex businesses shall fulfil statutory obligations, including: establishing an independent body, mainly composed of external members, to supervise its personal information handling activities; ceasing service to any product or service provider on its platform that violates any law or administrative regulation when handling personal information; and regularly publishing a social responsibility report on personal information protection and accepting supervision by the public. As to the scope of this obligation, the provision should be read as targeting handlers that meet all three conditions ("provides basic internet platform services", "has a large number of users" and "operates complex businesses") rather than any one or two of them. The provision partly draws on the notion of public participation in supervising internet platforms found in Western countries, and it also reflects the trend of intensified regulation of Internet platforms in China since the end of last year.