Mid-October marked the start of the formal legislative approval process for China’s proposed new law on personal information protection. The milestone draft Personal Information Protection Law (PIPL) underwent is first reading by the Standing Committee of the 13th National People’s Congress and was released for public consultation on 22 October 2020.
For further details on the draft PIPL please refer to our briefing by clicking here. In this briefing we highlight the key provisions of the draft law and set out our observations.
The draft PIPL expands the scope of personal information and sets out the key concepts and principles for processing personal information. It replaces the current consent-based protection regime with a new one allowing multiple legal bases for processing personal information, as well as setting out more detailed requirements for consent. The draft PIPL also lays down obligations on processors when sharing and transferring personal information to third parties. The safeguards on export of personal information and the requirements on data localisation are less stringent and more practical as compared to previous draft regulations. The GDPR-style extraterritorial effect extends the application of the PIPL to processors outside of China. Individuals may exercise a comprehensive set of rights against processors, and processors are required to take a range of measures to protect personal information.
The Cyberspace Administration of China is responsible for coordinating the ministries who are charged with regulating and supervising the protection of personal information, and the draft PIPL equips them with a wide range of powers to discharge their duties. It sets out the legal liabilities for those processing personal information and dramatically increases the economic penalties that may be imposed for breaches. Significantly, public interest litigation is introduced into the personal information protection regime for the first time. New technologies such as automated decision-making are also regulated by the draft PIPL.
Although there are a number of points still to be clarified by future drafts and guidelines, we can now see for the first time the future regulatory landscape of the personal information protection regime in China. Once the PIPL is enacted, it will have a far-reaching impact on protection of personal information as well as the business and compliance practices for companies.
For further details on China’s draft Personal Information Protection Law please refer to our briefing here.