Personal Data Regulation In China: Personal Information Protection Law, Other Rules Amended
On April 29, 2021, China released the second draft of the Personal Information Protection Law (PIPL), the country’s first comprehensive personal data protection legislation.
The updated draft includes more detailed requirements about what personal information internet companies are allowed to collect from users, and how they must handle this data.
Most notably, the updated PIPL will require certain companies to establish independent oversight bodies to ensure user information is being managed in accordance with the law.
After another round of consultation, lawmakers will release a third and final draft version of the law, which legislative observers expect to be passed before the end of the year. The first version of the PIPL was released in October 2020.
While the PIPL is the most significant personal information law in the making, it is accompanied by other similar legal and regulatory efforts concurrently in development by Chinese policymakers.
As these regulations come closer to completion, all businesses with a digital presence in China will need to take steps to comply with the new requirements.
What Are The Key Features Of China’s Personal Information Protection Law?
The PIPL is a far-reaching law that will regulate how personal information is collected, stored, used, and shared in China. The PIPL takes strong inspiration from the EU’s influential General Data Protection Regulation (GDPR), which is the world’s most comprehensive data governance law.
Before the PIPL, personal data use was mostly regulated by various smaller pieces of legislation or as components of other national legislation. Among the most significant is the Cybersecurity Law, which regulates the use, storage, and cross-border transfer of different types of personal data along with other data management practices.
According to Article 4 of the draft PIPL, personal information is information recorded electronically or by other means that identifies or can identify an individual. This does not include anonymized data that cannot be traced back to the user.
The core principle of the PIPL is one of informed consent by the user. The PIPL requires companies to acquire user consent to collect their information, describe how their information will be used, and give users the option to opt out.
If users do not consent to sharing data, companies can only refuse to provide services to them if their data is needed to provide such services. In other words, companies cannot refuse services to users who opt out of sharing data that is outside of the company’s core business scope. Moreover, users can request to view their personal data held by the company, and request corrections and deletions.
Companies that violate the PIPL can be fined up to RMB 50 million (US$7.74 million), or up to five percent of annual turnover. These penalties are similar to those found in the GDPR.
What Has Changed In The Second Draft?
The most significant update in the second draft of the PIPL is Article 57, which requires some companies to establish independent oversight bodies staffed mainly by external personnel. These oversight bodies are similar to the role of a Data Protection Officer (DPO) in the GDPR, which is a position responsible for monitoring compliance with data protection rules.
This applies to companies that are “foundational internet platforms”, have a large number of users, or have complex operational models. While it is not yet clear exactly which types of companies fall under this provision, it appears to target internet, social media, and artificial intelligence giants like Alibaba, Baidu, and Tencent – all of whom handle vast amounts of private information.
Additionally, such companies will need to publish public social responsibility reports to describe the actions they are taking to protect user privacy, a process also overseen by the independent oversight body. This requirement is an accountability mechanism to allow for public scrutiny and encourage companies to adopt information privacy practices that go beyond the legal minimum.
The updated PIPL also includes a number of smaller changes and clarifications. Article 49, for instance, states that deceased persons will have their personal information rights handled by their immediate family.
How Is China Regulating Data And Internet Companies?
The PIPL is among the most important laws that observers expect China to adopt this year, but it is not the only one that will change the regulatory landscape for data use.
On March 22, 2021, the Cyberspace Administration of China, the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security, and the State Administration for Market Regulation jointly released regulations describing what types of data are considered “necessary” for 39 different types of mobile apps. Similar to the PIPL, the regulations state that apps should not deny users services if they refuse access to personal data beyond the app’s business scope.
Further, on April 23, 2021, the National Information Security Standardization Technical Committee released draft regulations for what would be China’s first national standard on facial recognition data. According to the draft, facial recognition data should be treated separately from other biometric data, including requiring written permission to capture facial data.
On April 26, 2021, the MIIT released a provisional regulation on the use of personal information by mobile apps. The regulation delineates responsibilities for app developers, host platforms, and device makers and emphasizes informed consent and data minimization. The next week, Xiao Yaqing, the head of MIIT, said that the ministry had ordered that over 100 apps be removed from app stores over the preceding three months for abusing user data.
Also in late April, the National People’s Congress Standing Committee started a second review of the draft Data Security Law, adding an amendment that would fine companies for sharing data to overseas police, courts, and investigators without government permission. The Data Security Law is another piece of legislation that will regulate and restrict the ability of both Chinese and foreign companies to send data stored in China overseas.
Beyond data regulations, Chinese regulators have been advancing anti-trust cases and legislation targeting the country’s domestic tech giants. In April 2021, Chinese regulators imposed an RMB 18.23 billion (US$2.82 billion) fine upon Alibaba after an anti-monopoly investigation determined that the company engaged in monopolistic practices and abused its market dominance. Pony Ma, the founder of Tencent, also met with anti-trust officials in March, though his company has not yet been fined.
Taken together, these various laws and regulatory efforts will create a new framework for data collection, use, and sharing in China. While these will most directly affect internet and tech companies, aspects will be relevant to virtually all companies that require access to and process personal data in their operations in China.
Regulating personal data is thus a top priority for Chinese policymakers in 2021, and companies may use the draft laws and regulations to begin preparing for the compliance standards that will come into effect after their final passage and implementation in the near future.