China’s cyber economy boom is partly due to Internet giants having easy access to and utilizing a tremendous amount of personal data for free: Taobao and similar online shopping platforms’ recommendation system is based on the analysis of personal data; Tiktok’s operation on recommendations is completely dependent on personal data; other “Internet Plus” businesses took off along with the wave of the Internet boom and have enjoyed or are currently still enjoying the invisible benefits of personal data; the future development of AI will need a significant amount of information input for training, within which how much personal information needed is still unknown.

Now that the momentum of the Internet boom is slowly declining and the monopoly trend of Internet giants gradually showing, with the continuous international criticism of China for poor personal information protection, with several countries lashing out at Tiktok on the the grounds of infringement of personal data, even with, ZAO, the emergence of apps that are unlawful regarding information protection, we witness this “Draft of Personal Information Protection Law” on October 21st, 2020, for the public opinion solicitation released by the Standing Committee of the National People’s Congress of China.

Firstly, it shall be clarified that the Draft is still a long way away from being passed as a law. It is yet to be reviewed at least three times by the Standing Committee of the National People’s Congress, at each of which, the contents may be slightly revised. Therefore, it should not be regarded as the final guide for company compliance. However, the trend for supervision on personal information protection disclosed is indeed worthy of discussion and reference.

Secondly, it shall be pointed out that since 2012,  China’s legislation on personal information protection has undergone a lot, through the two revisions to the Advertising Law in 2015 and 2018, the 2016 Cyber Security Law, the 2017 General Rules of Civil Law, the 2019 E-commerce Law, the “Civil Code” promulgated in 2020 (effective in 2021), to the release of the Draft , the progress of China on the legislation of this area of law and Personal Information Protection conforms to the needs of social development and has also undergone sufficient deliberation.

Under the preceding background, when observing the Draft, we can’t help but expect the future law to serve as a checks and balances approach of domestic and overseas Internet giants and unlawful information protection.

In terms of the protection scope, the Draft draws on international trends for the definition of personal information, approaching the concept of Personal Identifiable Information (PII) in international legislation. It also incorporates the concept of “sensitive personal information” into the system. The intention to expand the scope of the protection of information and strengthening supervision is clear enough to alert companies that rely heavily on user information.

In terms of jurisdiction, the Draft will establish the effectiveness of long-arm jurisdiction over areas outside China. Foreign entities will not be able to collect domestic personal information directly and as easily anymore. Instead, they will need to set up specific agencies or designated representatives in China to be responsible for related affairs and be subject to supervision by competent authorities. A general enterprise must meet at least one of the following conditions to process exporting personal information: (1) Pass the security assessment of the National CyberSecurity and Informatization Department; (2) Certified by a professional organization per the provisions of the aforesaid department; (3) Sign a contract with the overseas recipient, And supervise the recipient’s activities to meet the statutory standards of protection. Operators of critical information infrastructure and personal information processors whose processing amount reaches the line prescribed by the aforesaid department need to pass a security assessment organized by the aforesaid department. In this regard, apart from the past loose supervision, it is obvious that operators whose servers are overseas, or those whose servers are in China but transmit user data to overseas third parties will face stricter supervision and duty of care.

In terms of information processing, the Draft clarifies the principles of “individual notification” and “express consent”. Information processors should inform individuals in detail about the processing of personal information and obtain their individual and express consent; the Draft also sets several exceptions, but all of them are deemed as Emergency or Urgent Circumstances which are social and public interest-oriented. Within a business setting, the necessity to acquire consumers’ consent is almost impossible to bypass, combined with the expansion of the scope of information protection, many businesses will be affected.

In terms of liabilities and penalties, the Draft stipulates that when a violation of such laws occurs under normal circumstances, there is a possible fine of less than RMB 1 million on the entity, and the main responsible person shall be imposed a fine from between RMB 10,000 to RMB 100,000. If the unlawful act mentioned in the preceding paragraph is deemed as grave, the entity shall be imposed a fine of up to CNY50 million, or 5% of the previous year’s annual revenue, with the main responsible person being imposed a fine of between RMB 100,000 to RMB 1 million, the suspension of business for rectification, the revocation of relevant business licenses, or the suspension of business licenses may follow.
If there is a possibility that foreign organizations and individuals cause harm to national security and public interests or infringe on the rights and interests of Chinese citizens, they may also be included in the blacklist, announced to the public and restricted, or prohibited from accessing personal information among other punitive measures. The foregoing significantly increases the cost of violations and the need for compliance.

It is foreseeable that, following this new trend, the importance of data compliance will be greatly improved in business operations, in regards to whether the “Personal Information Protection Law” will become a new counterweight to the meteoric development of the Internet., we will have to observe further with a keen eye. For any of your questions or inquiries about personal information protection, D’Andrea and Partners Legal Counsel with international and multilingual experts is available to support you. Do not miss our vast array of articles on our website or contact us at info@dandreapartners.com.