Personal Information Protection Law
China has recently published the final draft of the Personal Information Protection Law, which is set to take effect on November 1st. This new law can be considered to be China’s analogue to the GDPR in Europe and has many of the same features and obligations placed upon companies.
Below, we have summarised the most relevant points from the forthcoming law.
Individuals’ Rights
The law provides for individuals to enjoy certain rights in relation to their privacy:
a) right to know what personal information is collected;
b) right to limit or prohibit the processing of personal information;
c) right to ask for a copy of their personal information from the processors;
d) right to correct and delete their personal information; and
e) right to request the processors to explain the collection of data.
Basis for Processing
The Law establishes the following legal bases for the processing of personal information, one of which must be met for the processing to be lawful:
a) consent from the data subjects;
b) the necessity for concluding or performing contracts to which the data subject is a party;
c) necessity for performing legal duties or obligations;
d) to respond to public health emergencies, or necessity for the protection of life, health, and property safety under emergency circumstances;
e) processing, within the reasonable scope, of personal information for conducting news reports, or other acts in the public interest;
f) processing, within the reasonable scope and in accordance with the law, of personal information that has been made public by data subjects or through other lawful means; and
g) other circumstances as stipulated by laws and administrative regulations.
Cross-Border Transfers of Personal Information
These transfers can only be for legitimate purposes such as business needs, and the transferor is obligated to take the necessary measures to ensure that the processing activities of the overseas recipient satisfy the protection standards set forth in the PIPL.
In addition, both a proper legal basis and consent by the data subjects will be required for such a transfer to be lawful.
(1) Legal basis
The legal bases for cross-border transfers of personal information under the Law are:
a) passing a security review organized by the cyberspace administration if the transferor is an operator of critical information infrastructure or the volume of the affected personal information reaches the threshold specified by the CAC;
b) obtaining a personal information protection certification from a professional agency in accordance with the rules of the CAC;
c) entering into an agreement with the overseas recipient based on a standard contract form formulated by the CAC; or
d) other conditions provided by laws, administrative regulations or the CAC.
(2) Consent
Data subjects are to be informed of the following matters, and they must give their direct consent to the cross-border transfer of their personal information:
a) the name and contact details of the overseas recipient;
b) the purposes and methods of the processing;
c) the types of affected personal information; and
d) the methods and procedures for exercising the rights provided by the Law with the overseas recipient.
Extraterritorial Reach
The Law will have extraterritorial effect and will apply to the following processing activities:
a) processing, within China, of personal information of natural persons; and
b) processing, outside of China, of personal information of natural persons who are in China,
if such processing is carried out:
for the purpose of providing products or services to natural persons in China;
to analyse or evaluate the behaviour of natural persons in China; or
in other circumstances prescribed by laws and administrative regulations.