No Match Found
Digitalization is becoming the new normal, which means protecting personal information is becoming more important as well. China does not yet have a single, comprehensive law governing data privacy, although Chinese regulations do sporadically mandate data-protection measures. However, since China’s new Cyber Security Law (CSL) contains one chapter setting out privacy requirements, it can be viewed as a “mini privacy law.”
The CSL establishes the legal principles of legality, necessity and propriety in the collection and use of personal data. Following these principles, network operators are required to notify data subjects of the purpose, means and scope of the collection and use of their personal data; they must also obtain consent from users before collecting personal data. The CSL also mandates that network operators safeguard the secrecy of any personal data collected and take proper measures to avoid disclosure, loss or damage. In the event of a data breach, network operators must notify the affected users, inform the relevant Chinese regulators and take remedial action.
The data privacy requirements set out in the CSL are, however, very general, and the law lacks detailed information on implementation. The National Information Security Standardization Technical Committee, a quasi-governmental institution, issued a non-binding guidance document titled Personal Information Security Specification (PI Specification) to fill the information gaps. Since its first issuance in 2017, there have been three rounds of amendments to the PI Specification, with the most recent version coming into force on October 1, 2020.
The PI Specification was drafted based on the EU’s General Data Protection Regulation. It sets out many detailed requirements for data handling, including:
It is notable that certain requirements in the PI Specification are not fully consistent with the CSL. For example, the CSL does not provide for any exception to the requirement that users must consent to the collection of their personal data, but the PI Specification enumerates such exceptional circumstances (such as protecting the public interest and executing contracts). However, given that the PI Specification is non-binding, it is not clear how exemptions provided there would reconcile with the CSL in practice.
On October 21, 2020, China’s top legislative body issued the draft Personal Information Protection Law (Draft PIPL) for public consultation until November 19, 2020. This can be seen as a major step towards finalizing China’s national data law.
The Draft PIPL lays down significant new obligations in relation to the collection, use, processing and transfer of personal information. If enacted, the PIPL will become China’s most comprehensive data law and will have a far-reaching impact on businesses both in and outside of China.
As digital applications become more commonplace and digital systems more complex, businesses active in China will have to pay increased attention to how they handle personal data. At the same time, the guidance provided in this area by the country’s authorities has been sporadic and even inconsistent, despite China’s increasing focus on issues relating to digital security. The CSL does set out privacy requirements to a limited extent, and the non-binding PI Specification provides additional information, even if it is not entirely compatible with the CSL.
The Draft PIPL introduces significant new obligations companies must comply with in their business operations, and its augmented liability and penalty provisions clearly demonstrate the Chinese authorities’ intention to strengthen the protection of personal data. It is anticipated that Chinese regulators will remain active in enforcing the law against non-compliance. The costs resulting from violations are much higher compared to previous laws and regulations. Therefore, it is imperative that companies formulate data compliance and risk management strategies, or update existing strategies, for their operations in the Chinese market.