The Upcoming “GDPR” of China: What you need to know
Background:
In recent years, the People’s Republic of China (“PRC” or “China”) has enacted a series of laws and regulations on cyber security and personal information (hereinafter “PI”) protection, and has released further drafts for public comment. Some media coverage has described them as the “GDPR” (the General Data Protection Regulation of the European Union) of China. If you process the PI of Chinese residents, data security will become a legal and compliance issue you cannot ignore, even if you run your business outside of China.
The following list is non-exhaustive and there are various other laws/regulations in place or in the pipeline.
(a) Cybersecurity Law of the PRC (Promulgated by the Standing Committee of the National People's Congress on 7 November 2016);
(b) Data Security Law of the PRC (Promulgated by the Standing Committee of the National People's Congress on 10 June 2021; takes effect on 1 September 2021);
(c) Regulations for the Security Protection of Critical Information Infrastructure (Draft for Public Comment) (Promulgated by the Cyberspace Administration of China on 10 July 2017);
(d) Measures for Cyber Security Review (Revised Draft for Public Comment) (Promulgated by the Cyberspace Administration of China on 10 July 2021);
(e) Measures for the Security Assessment of Cross-border Transfer of Personal Information (Draft for Public Comment) (Promulgated by the Cyberspace Administration of China on 13 June 2019);
(f) Administrative Measures on Data Security (Draft for Public Comment) (Promulgated by the Cyberspace Administration of China on 28 May 2019);
(g) Interim Administration Measures for Mobile Internet APP Personal Information Protection (Draft for Public Comment) (Promulgated by the Ministry of Industry and Information Technology of the PRC on 26 April 2021);
Notably, on 29 April 2021, the Standing Committee of the National People's Congress further released the second draft of the Personal Information Protection Law (Bill for Second Deliberation, hereinafter the “Draft PI Law”) for public comment (the first draft was released on 21 October 2020).
To summarize the implications of the Draft PI Law (if it is finally passed in its current form), we set out below answers to 10 commonly asked questions.
Q1
Our company has no presence in China. Does it affect us?
Yes, it does. The Draft PI Law has extraterritorial effect for anyone who “processes” PI.
The law applies to you if you process, outside the territory of China, the PI of natural persons within the PRC in any of the following circumstances:
(a) for the purpose of providing products or services to natural persons in China.
(b) for analyzing and/or assessing the conduct of natural persons in China.
(c) in any other circumstance as provided by any law or administrative regulation.[1]
Therefore, even if you operate a website or app outside the territory of China, you will need to comply with PRC law so long as you collect PI from natural persons within the territory of the PRC in order to provide products or services to them. To comply, you must set up a dedicated entity or appoint a representative within the territory of China and report its details to the authorities performing PI protection duties.[2]
Q2
What is “PI", “PI processing" and “PI processor"?
“PI" means all kinds of information relating to identified or identifiable natural persons recorded by electronic or other means but excluding anonymized information.[3]
“PI processing" is broadly defined as activities including PI collection, storage, use, handling, transmission, provision, and disclosure, among others.[4]
“PI processor" means any organization or individual that independently determines on the purposes, methods, and other matters concerning PI processing.[5]
Q3
What rules must I follow when “processing” PI?
You must comply with the following rules (non-exhaustive):
(a) Lawful and proper means. You shall process PI by lawful and proper means, act in good faith, and shall not process PI by misleading, fraudulent or coercive means.[6]
(b) Reasonable and clear purpose. You shall process PI:
i. for a clear and reasonable purpose;
ii. within the minimum scope required for achieving the processing purpose;
iii. in manners that have minimum impacts on personal rights and interests; and
iv. refrain from engaging in processing activities irrelevant to the processing purpose.[7]
(c) Openness and transparency. You shall follow the principles of openness and transparency, disclose the rules for processing PI, and explicitly indicate the purpose, method, and scope of information processing.[8]
(d) Accuracy and completeness. You shall ensure the quality of the PI you process and avoid adverse impacts on the rights and interests of individuals caused by inaccurate or incomplete PI.[9]
(e) Responsibility. You shall be responsible for your PI processing activities and take necessary measures to ensure the security of the PI that you process.[10]
Q4
What conditions should be met before processing PRC PI?
You can only process PI under any of the following circumstances:
(a) You have obtained the relevant person’s consent;
(b) It is necessary for concluding or performing a contract to which a natural person is a party;
(c) It is necessary to fulfil any statutory duties or obligations;
(d) It is necessary to protect any natural person's life, health and property safety under emergency circumstances or public health emergency events;
(e) You are processing any PI that has been made public within a reasonable scope according to the law;
(f) You are processing PI within the reasonable scope for conducting news reports, public opinion-based supervision, and other activities for the public interest; or
(g) in other circumstances provided by law.
The relevant person’s consent is not required under the above circumstances (b) – (g).[11]
Q5
What are the valid consent requirements from the relevant person?
Informed consent remains the primary and most commonly used legal basis for processing PI. The Draft PI Law sets out the following requirements for obtaining valid consent:
(a) You must notify the following matters before processing PI:
i. The identity and contact information of the PI processor.[12]
ii. The purposes and methods of processing, the categories of PI processed, and the retention period (generally, the shortest period necessary to achieve the processing purpose).[13]
iii. Methods and procedures for individuals to exercise their rights provided in the PI Law.[14]
iv. Other matters provided by laws and administrative regulations.[15]
(b) The requirements of consent:
i. The consent shall be expressed by individuals voluntarily and explicitly on the premise of being fully informed.[16]
ii. You shall obtain the consent of the minor's parents or other guardians when the minor is under 14.[17] This could be relevant to network game operators.
iii. The individual shall have the right to withdraw his/her consent.[18]
iv. Unless the processing of PI is necessary for the provision of products or services, you may not refuse to provide products or services simply because the individual does not consent to the processing of his/her PI or has withdrawn his/her consent.[19]
Q6
Can I engage a third party to process PRC PI?
Yes, you can, but subject to the following conditions:
(a) You shall conclude a contract with the engaged party to set out the purposes and period of the processing, processing methods, categories of PI, protection measures, as well as the rights and obligations of both parties.
(b) You shall supervise the processing activities of the engaged party.
(c) The engaged party shall process PI according to the agreement.
(d) The engaged party shall return or delete all PI if the engagement contract is ineffective, null and void, revoked, or rescinded.
(e) The engaged party shall not further entrust the PI processing to anyone else without your consent.[20]
If you engage a third party to process any PI of PRC natural persons, you are obliged to ensure that your agreement with that third party contains the above provisions.
Q7
What is sensitive PI and what rules do I need to comply with?
Sensitive PI is any PI that, once leaked or illegally used, may result in discrimination or seriously endanger personal or property security, including information such as race, ethnicity, religious belief, personal biometric features, medical and health information, financial accounts, and personal whereabouts.[21]
For example, if you manage a medical and health company that processes any such information, your company will be subject to the following “enhanced” rules:
(a) You must have a specific purpose and sufficient necessity before processing sensitive PI.[22] Compared with the “clear and reasonable purpose” standard for non-sensitive PI, this is a higher standard.
(b) You must obtain separate consent from the relevant individual (or written consent if any law or administrative regulation so requires).[23] This means you cannot rely on a general or bundled consent.
(c) You must inform the individual of the necessity of processing his/her sensitive PI and the impact on his/her rights and interests.[24] This means your notice must contain more detail than a notice for non-sensitive PI.
Q8
How can I transfer PRC PI abroad?
Please note that this is relevant to any multinational company that has subsidiaries in China and needs to transfer any PI (including information about its PRC employees) to its headquarters overseas.
You shall meet one of the following conditions before transferring any PI abroad:
(a) Pass the security assessment organized by the Cyberspace Administration of China (“CAC”) if the volume of PI you process reaches the threshold specified by the CAC or if you are an operator of critical information infrastructure.[25]
(b) Obtain PI protection certification from a specialized institution designated by the CAC.
(c) Conclude a contract with the overseas recipient based on the model contract developed by the CAC, agreeing on both parties' rights and obligations, and supervise and ensure the overseas recipients can meet the PI protection standards as established by the Draft PI Law.
(d) Other conditions provided in laws or administrative regulations or by CAC.[26]
You shall also meet the following conditions before transferring PI abroad:
(a) You shall notify individuals of the overseas recipient's identity, contact information, processing purposes, processing methods, categories of PI, the methods in which individuals may exercise the rights provided in the PI Law, and other relevant matters.[27]
(b) You shall obtain the individuals' separate consents (rather than collective consent).[28]
(c) You shall conduct a risk assessment prior to cross-border transfer of PI.[29]
Please note that the Measures for the Security Assessment of Cross-border Transfer of Personal Information (Draft for Public Comment) (released by the CAC on 13 June 2019) (hereinafter the “Draft Security Assessment Measures”) set out more stringent requirements for the cross-border transfer of PI.
According to the Draft Security Assessment Measures, if you are a network operator[30] and propose to transfer PI outside the territory of China, you shall meet the following requirements:
(a) You shall apply to the provincial cyberspace administrations for security assessment for cross-border transfer of PI.[31]
(b) The security assessment shall focus on the following factors:
i. Compliance with the relevant laws, regulations, and policies.
ii. Whether the contract clauses can fully safeguard the lawful rights and interests of individuals.
iii. Whether the contract can be effectively performed.
iv. Whether the network operator or the recipient has ever damaged the lawful rights and interests of individuals regarding PI or experienced any major network security incident.
v. Whether you have obtained PI in a lawful and proper manner.
vi. Other contents that shall be assessed.[32]
(c) You shall provide the following materials, and be responsible for the authenticity and accuracy of the materials:
i. Application form.
ii. The contract signed between the network operator and the recipient.
iii. Analysis report on PI security risks and security safeguard measures.
iv. Other materials required by CAC.[33]
(d) You shall establish the cross-border PI transmission record and store it for at least five years.[34]
Please note that the Draft Security Assessment Measures and the Draft PI Law are not fully consistent on certain issues, for example the conditions that must be satisfied before transferring PI abroad. However, both are still drafts, and it is likely that further amendments will be made to reconcile them before they are formally released.
Q9
What are the consequences for breaching the PI Law?
The likely consequences may include:
(a) rectification order;
(b) order of suspension of relevant business;
(c) warning;
(d) confiscation of illegal gains; and
(e) fines.[35]
Please note that:
(a) Fines can be substantial. Notably, if the illegal conduct is “serious”, the PI processor may face a fine of up to RMB 50,000,000 or 5% of its revenue in the preceding year, and its business license or other relevant operating permits may be revoked. The directly liable person in charge and other directly liable persons may each also face personal fines (up to RMB 1,000,000).[36]
(b) The burden of proof is on you. The PI processor bears the burden of proof and shall be liable to pay damages to the affected individuals if it cannot prove that it was not at fault. The damages are determined by reference to the loss suffered by the individual or the benefit gained by the PI processor.[37]
(c) The public prosecutor, the department performing PI protection functions, or an organization designated by the CAC may bring an action in court (a form of class action) on behalf of the many individuals whose rights and interests have been harmed.[38]
(d) In certain circumstances, the entity and its responsible officials may even face criminal liability. The possible offences include infringement of citizens’ PI[39], refusing to perform information network security management obligations[40], and illegally providing state secrets[41].
Q10
Are there any other notable issues under the Draft PI Law?
(a) No one is allowed to export PI stored in China at the request of foreign judicial or law enforcement authorities, unless approved by the competent authority of China.[42]
(b) The CAC may establish a “blacklist" to include foreign entities or individuals who engage in PI processing activities that damage the rights and interests of PRC citizens regarding PI, or endanger national security, or public interests of China. The “blacklisted" entities or individuals will be restricted or prohibited from receiving any PI from China.[43]
(c) China reserves the right to adopt reciprocal measures if any country or region adopts any prohibitive, restrictive, or other similar discriminatory measures against China in terms of PI protection.[44]
Please note that these provisions may create a conflict of obligations if the law of a foreign country requires you to transfer PI stored in the PRC abroad.
According to one commentator, data privacy will be the most important issue in the next decade.[45] As the Personal Information Protection Law (“China’s GDPR") is fast approaching, you should closely watch further legal developments, carefully review your contracts, data protection policies, compliance procedures, and seek professional advice when needed.
Disclaimer:
This article does not constitute legal advice on specific legal matters, nor a complete interpretation of the laws and regulations discussed. The author has no obligation to update the contents of this article if the laws and regulations concerned are amended. Should you have any questions about this article, please contact us.
[Note]