The number of internet users in China has rapidly increased to over 900 million individuals as of March 2020. As internet availability continues to rise in China and the country’s digital community grows in virtually all industries and populations, the People’s Republic of China is keying into the fact that foreign and domestic businesses seeking to capitalize on China’s market must adhere to rules regarding processing and transferring personal information across China’s borders.
On October 21, 2020, the National People’s Congress Standing Committee unveiled its draft Personal Information Protection Law (PIPL) to the public for view and comment. If enacted, PIPL will be China’s comprehensive law on the protection of personal data. The necessity of PIPL was cited in part by the National People’s Congress Standing Committee due to China’s explosive growth of information integration and the amount of personal data collected. The Committee asserted that protection of its citizen’s personal information was of utmost importance for economic development and that there needed to be clear requirements in order to strengthen personal information protection. Interestingly, PIPL provides numerous data protection principles similar to those we have seen enacted under the European Union’s General Data Protection Regulation and the California Consumer Privacy Act. Specifically, the draft PIPL appears to take on general principles of transparency, fairness, limitations of purpose for data processing, retention limitations, and accountability. Some of the more notable items within the draft PIPL include:
- Scope and Application: The draft PIPL applies to personal data processed in China regardless of nationality of the data subjects. Moreover, the draft language appears to be broad enough to encompass an overseas data controller or processor’s activities in China, even if the controller or processor does not actually have any presence in China. PIPL would apply to the processing of personal information when: 1) the purpose is to provide services or goods to persons in the territory of China; 2) analyzing activities of persons in the territory of China; and 3) there are other circumstances provided by applicable laws and regulations.
- Personal Information: Under the draft PIPL, personal information is any recorded information relating to an identified or identifiable natural person, though it excludes anonymized information. Such personal information includes race, ethnicity, religion, biometric information, health information, and financial information.
- Processing of Personal Information: Processing includes the collection, storage, use, transmission, provision, and publication of personal information. The PIPL draft cites six legal bases for processing personal information in China:
- Where the individual has consented to the processing;
- Where the processing is necessary under a contract between the processor and the individual;
- Where the processing is necessary for the performance of a legal obligation;
- Where the processing is necessary under a public health incident or to protect proprietary interests of individuals under imminent
and urgent situations;
- Where the processing occurs for purpose of reporting news or in the public interest; or
- Where required by applicable laws or regulations.
- Consent: Under the draft PIPL, general requirements for a data subject’s consent in order to properly process personal information include: 1) that the data subject is fully informed; 2) consent is freely given; and 3) consent is unambiguous.
- Rights of Individuals: The draft PIPL also includes the data subject’s rights regarding the processing of their personal information, including the following:
- The right to be informed of the processing activities;
- The right to restrict or refuse certain processing activities;
- The right to access and obtain a copy of their personal information;
- The right to request the processor to timely correct and supplement personal information that is inaccurate or incomplete; and
- The right to expunge or delete personal information upon certain circumstances.
Although the period for public comments to the draft PIPL has ended, the Committee will no doubt be considering possible revisions to the comprehensive law prior to ratification. For global businesses that are already sensitive to the ever increasing laws and regulations surrounding data collection and processing, PIPL is absolutely one proposed law to follow closely. Taft’s Privacy and Data Security Practice has extensive experience assisting companies navigating these laws, and will continue to follow PIPL’s progress and provide updates at Taft’s Privacy & Data Security Insights.