On November 1, 2021, the Personal Information Protection Law of the People’s Republic of China (the “PRC”) (the “Personal Information Protection Law”) went into effect, two months after the Data Security Law of the PRC (the “Data Security Law”) went into effect. The Data Security Law and the Personal Information Protection Law are two key pieces of legislation in the field of information security following the adoption of Cyber Security Law of the PRC (the “Cybersecurity Law”) in June 2017. The Data Security Law lays down the regulatory framework and principles of data protections and sets the tone for administrative rules and regulations which are being formulated by Chinese regulators to implement the law. The Personal Information Protection Law establishes the principal legal basis for collecting and processing personal information and consolidates the personal data protection rules previously scattered across different laws and regulations. The Data Security Law and the Personal Information Protection Law also regulate outflow of data and personal information from mainland China.
What Are Covered by These Laws
Coverage of Data Security Law. The Data Security Law regulates the processing of data. It defines “data” as any informational record that is in digital or other forms, and defines “data processing” as collection, storage, use, processing, transmission, provision and/or publication of data.
Coverage of Personal Information Protection Law. The Personal Information Protection Law regulates the processing of personal information. It defines “personal information” as any information recorded in digital or other forms that relate to identified or identifiable natural persons, excluding anonymized information. Note that the Personal Information Protection Law distinguishes between anonymized information and de-identified information:
- “Anonymization” means an irreversible process in which personal information is processed in such a manner that it has made it impossible to associate such information with any specific individual (i.e., it can never be re-identified); and
- “De-identification” means a process in which personal information is processed in such a manner that such information cannot be associated with any specific individual without combining with additional information or data (i.e., it can be re-identified with the help of additional information or data).
Thus, de-identified information may still be personal information and subject to the provisions of the Personal Information Protection Law.
“Processing of personal information,” as defined in the Personal Information Protection Law, has a meaning similar to “data processing” in the Data Security Law, but also includes deletion of personal information.
Potential Exterritorial Impacts. According to the Data Security Law, processing data outside the PRC which harms the national security or public interest of the PRC or legal rights or interests of Chinese citizens or entities is subject to the Data Security Law. Similarly, under the Personal Data Protection Law, processing personal information outside the PRC for the purpose of offering products or services to individuals in the PRC or assessing the behaviors of individuals in the PRC needs to comply with the Personal Information Protection Law. As a result, under these two laws, Chinese regulators can exert jurisdiction over overseas activities if certain criteria are met.
Classification of Data
Important Data. The Data Security Law provides a scheme for classifying data into different categories based on the relative importance and sensitivity, as well as potential damages if such data is leaked or misappropriated. Regulators in different sectors are expected to formulate their respective scopes of “important data,” which should be subject to enhanced protections. For instance, several Chinese regulators jointly issued the Provisions on Administration of Automotive Data Security (Pilot) in August 2021. Under the Provisions, “important data” in automotive industry includes data on traffic and logistics flow that reflects economic situation, audio and visual data of the environment outside the vehicle, etc. According to the Provisions, important data in automotive industry is required to be stored in the Mainland China and processors of such important data are required to conduct risk assessments regularly and submit assessment reports to competent authorities. Whether certain type of medical data or clinical data will be categorized as “important data,” and what procedures will need to be complied with in respect of such types of medical data or clinical data, remain to be seen.
National Core Data. A stricter regime is expected in managing and processing “national core data,” which means data that concerns national security, people’s livelihood in general or important public interest, or is crucial to national economy.
Processing Personal Information – Consent
Permitted Situations. The Personal Information Protection Law prescribes the situations under which processors are permitted to process personal information. Those situations include but are not limited to:
- Where individuals’ consents have been obtained;
- Where processing is necessary for performing a contractual obligation or carrying out human resources management;
- Where processing is necessary for fulfilling legal duties or obligations; and
- Where processing is necessary for news reporting in public interest.
Informed Consents. If a processor is relying on individuals’ consents to process personal information, the processor needs to ensure that individuals’ consents are given on an informed basis, and individuals have the right to withdraw their consents.
Minimizing the Scope of Personal Information Collected. Even if the processing of personal information falls within one of the situations permitted by the Personal Information Protection Law, the Law requires processors to minimize the scope of personal information collected and not to collect more than what is necessary for their purposes of processing.
Prohibition against Conditioning Provisions of Products or Services on Consents. Further, processors may not refuse to provide or offer products or services to individuals who do not agree to give consents to the processing of their personal information, unless the processing of their personal information is essential for the provision of products or services.
Additional Consent and Other Requirements for Sensitive Personal Information. Under the Personal Information Protection Law, “sensitive personal information” is defined as personal information the leakage or illegal use of which would easily cause harm to the dignity of individuals or serious damages to the safety of individuals or properties. Sensitive personal information includes information relating to biometric identification, religious beliefs, specific identities, health condition, financial account, individual location tracking, etc. Processing sensitive personal information is subject to individuals’ separate consents. Processors are only permitted to process sensitive personal information if it is for a specific and legitimate purpose and demonstrates necessity. In addition, processors are required to perform an impact assessment prior to processing sensitive personal information, and to retain the relevant reports and records for at least three years.
Cross-Border Transfer of Data and Personal Information
CII Operators. In addressing cross-border transfer of important data, the Data Security Law distinguishes operators of critical information infrastructure (“CII”) and other data processors. CII operators must comply with the existing rules under the Cybersecurity Law which requires them to store all personal information and important data locally in the PRC only and not to transfer such information and data outside the PRC unless they have gone through the safety assessment requested by regulators.
Other Data Processors and Proposed Measures on Security Assessment of Cross-Border Data Transfer. If other data processors need to transfer important data outside the PRC, they must follow the security rules to be established by regulators pursuant to the Data Security Law. On October 29, 2021, the Cyberspace Administration of China (the “CAC”) released the draft Measures on Security Assessment of Cross-Border Data Transfer for public comments. The draft Measures list the areas that need to be assessed by domestic transferring parties prior to cross-border data transfer, specify the key provisions which the transfer agreements between domestic transferring parties and overseas receiving parties should contain, and itemize the documents required to be submitted to Chinese regulators. Once made final, the Measures would provide clarity on the security assessment requirements and procedures pertaining to cross-border transfer of important data and personal information.
Additional Measures. In addressing cross-border transfer of personal information, the Personal Information Protection Law requires processors to perform an impact assessment prior to transferring personal information overseas. Moreover, processors shall inform individuals of the specifics of overseas receiving parties and the purposes of cross-border transfer, obtain individuals’ separate consents to the transfer overseas of their personal information, and take appropriate measures to procure that overseas receiving parties process the personal information in a manner meeting the standards established by the Personal Information Protection Law.
Export Control. Under the Data Security Law, data relating to protection of national security and interest or fulfillment of international obligations that is categorized as controlled items may be subject to export control. It is worth noting that the Export Control Law of the People’s Republic of China, which was amended in December 2020, has added that data can also be subject matters of export control. While the export control mechanism concerning data (such as know-how, algorithms and source codes) is yet to be released by the PRC government agencies, future parties of a potential licensing deal involving the PRC data should be aware of the expansion of the scope of export control and examine the subject matters of the proposed license and transfer plan against the then-applicable export control list.
Government Consent Required. Last but not least, the Data Security Law has made it clear that domestic individuals and entities storing data in the PRC may not provide such data to foreign judicial or enforcement agencies without Chinese regulator’s prior approval. Multinational corporations with presences in the PRC should take into consideration this rule and evaluate its impact before responding to foreign judicial or enforcement agencies, as their compliance with a foreign court request or order for documents might put them in violation of the PRC law, which would result in penalties as stated below.
Penalties for Violating Data Security Law. The Data Security Law sets out a series of penalties for violations. Depending on the seriousness of the relevant violations, regulators may impose fines ranging from RMB 100,000 to RMB 10 million. If the violation is serious, regulators may order the violators to suspend or even revoke the business license.
Penalties for Violating Personal Information Protection Law. The Personal Information Protection Law also sets out a series of penalties for violation. Depending on the seriousness of the relevant violations, regulators may confiscate illegal gains and impose fines ranging from RMB 1 million to RMB 50 million or 5% of annual business turnover for the previous year. If the violation is serious, regulators may also order to suspend or even revoke the business license. Apart from administrative penalties, it is worth noting that the Personal Information Protection Law shifts the burden of proof to processors (i.e., defendants) in civil actions – if a personal data processor gets sued for allegedly infringement of an individual’ rights and interests in personal information and fails to prove that it was not at fault, it shall be liable for damages.
It is recommended that multinational companies with businesses or operations in the PRC keep up with the latest developmental trends on data and privacy laws in the PRC and seek expert advice when establishing or modifying their information policies and strategies, taking into account the different business models they adopt or pursue and the nature of the data that is transmitted or exchanged during their operational activities. We should also keep in mind that in addition to data and privacy laws, there are other layers of Chinese regulations that may impact data processing activities, such as the PRC cybersecurity review measures and the regulations governing cross-border transfer of Chinese human genetic resources, in particular how these regulations overlap with each other and whether approvals by one regulatory agency could constitute approvals under other regulations too.
Goodwin Procter LLP and its affiliates have offices in the U.S., England, France, Germany, Hong Kong and Luxembourg, and do not practice PRC law. The information contained in this publication is based upon the current understanding of Goodwin lawyers active in the firm’s Asia practice.