Navigating China Episode 17: China’s Draft Privacy and Security Laws

Second drafts of the new overarching national personal data protection and data security laws have just been published, and give a clearer picture of the impending new national frameworks in China.

1. Draft Personal Information Protection Law

The Draft Personal Information Protection Law (Draft PIPL) will – once passed – become the first comprehensive personal data protection law in China. While the PRC authorities clearly considered data protection laws around the world when drafting the Draft PIPL, including GDPR, CCPA and some Asia data protection laws, it is misleading to describe the Draft PIPL as “China’s GDPR”: the Draft PIPL very much has its own flavour. Helpfully this new second draft does not substantially change the compliance obligations when handling personal information set out in the initial draft published in October 2020 (for our summary click here). Key clarifications in the second draft include:

• Overseas data transfer: the Cyberspace Administration of China (CAC, the key data protection authority) will publish model clauses for organisations to use as one mechanism for lawfully transferring personal information overseas.
  
  Unfortunately some of the long-standing uncertainties around overseas data transfer – notably any thresholds above which certain personal or sensitive personal information must remain in China – have not yet been further clarified. That said, there is nothing to indicate a trend back towards data localisation (meaning that the recent draft TC260 guidelines on online shopping (click here) remain an outlier).
• Additional governance obligations on certain online businesses: new governance obligations will apply to: (i) organisations processing a “significant amount” (not yet defined) of personal information of online users; (ii) organisations that have a “complex business type” (also not yet defined); and (iii) organisations that provide “Basic Internet Platform Services”.
  
  These additional obligations include:
  • establishing an independent body, comprising external members, who will be responsible for supervising the organisation’s personal information processing activities;
  • stopping online products/services if the organisation fails to process personal information within the platform or when providing the product/service in accordance with relevant laws and regulations; and
  • regularly publishing reports on the organisation’s data protection compliance.

This reflects a general move in China towards encouraging responsible self-governance by online businesses for their data protection compliance, rather than simply relying on regulator enforcement. This clearly imposes far wider governance obligations than the existing China data protection framework, and so organisations will be eagerly anticipating clarification as to the thresholds above which such steps must be taken.

• Data subject rights: these appear to be extended to deceased individuals, with close relatives able to exercise the deceased individual’s data subject rights. This is fairly aligned with Singapore’s protection of personal data of recently (within 10 years) deceased individuals, although no time frame is yet specified for China.
• Key data protection authority: CAC is confirmed to be the lead data protection authority, although it is anticipated that other regulators (such as industry regulators and the MPS/PSB will retain a role in enforcement of cyber and data compliance).
• Additional guidelines: CAC intends to publish new guidelines on handling of sensitive personal information, and as regards personal data handling in connection with AI, facial recognition technology and other new technologies.

2. Draft Data Security Law

The second draft of the Draft Data Security Law (Draft DSL) focuses far more on general data security principles than the initial, narrower first draft published in July 2020. In essence, it sets out a data security framework with which organisations processing data (not limited to personal information) in China – or processing China data outside of China (i.e. extra-territorial effect) - must comply. This latest draft stresses the connection between compliance with the PRC Cybersecurity Law, industry guidelines and other administrative regulations regarding data security or data protection and this new Draft DSL. Key provisions include:

• Data security management: technical, organisational and other data security measures must be adopted, as well as deployment of data security training. Details of the practical steps to be taken by different organisations and for different classes of data will be published in due course.
• Data classification: the PRC authorities will introduce a tiered data classification system against which organisations must assess their data and adopt the relevant tiered security measures.
• Incident contingency planning: this must be undertaken with regard to data incidents.
• Regular risk assessments: these must be conducted for processing of “important data” (as defined in the PRC Cybersecurity Law and clarified in subsequent measures).
• CIIO data localisation requirements: those organisations designated as critical information infrastructure operators (CIIOs) must comply with data localisation and cross-border data transfer measures under the PRC Cybersecurity Law and subsequent measures.
• Sanctions: failure to comply with the Draft DSL may result in fines (on organisations and directors/managers) and loss of business operating licences.

Consultations on the second drafts of both the Draft PIPL and the Draft DSL are open until late May 2021.