In a recent article, we discussed the status of laws and regulations regarding personal information (“PI”) protection. With the release of the groundbreaking draft Personal Information Protection Law (the “Draft”), we thought it would be valuable to start offering a look at the changes it brings to the cybersecurity and data framework in China.
Forecast – A Coalescing System
First, it is worth revisiting the current state of things: after several rounds of comment-seeking and amendment, the Draft joins other comprehensive legislative developments this year. Interestingly, it even incorporates some general practices of other jurisdictions’ data laws, such as the notion of regulating offshore information processing, and shifts some focus onto discernible guidelines for solving problems encountered in daily practice.
Once the Draft is officially implemented, it will fill one of the remaining spaces in the current framework, moving towards forming a comprehensive system of PI protection, and joining the Cybersecurity Law, the Civil Code, and various other supporting regulations, rules, and standards.
How will it do this? Below are a couple of the less frequently discussed aspects of the Draft.
Restrictions on PI Processing by the Government
Although we can certainly appreciate the government’s largely successful response to COVID-19, which necessitated the collection and processing of PI, we can also agree that a government’s access to PI should never be boundless.
To avoid overreach on this front, the Draft actually places some important limits on what authorities can do. According to Article 35 of the Draft, the principle of “Notification-Consent” will be applied to the government in general, and PI processed by the authorities should be limited – no excessive processing is allowed.
In addition, under Article 36, while the government may seek help from other capable third parties for PI processing, this will also be subject to the consent of the individual.
How this will play out in practice remains to be seen, but it is encouraging to see this in the draft language itself.
Other Third-Party Processing
Many companies may not have the capability or qualification to process the PI they collect, so they may turn to a third party for help. To clarify their obligations, the Draft makes different requirements applicable to different cooperation models:
Cooperation Model | Key Points
--- | ---
Co-processing |
Entrusted Processing |
Transfer of PI |
Provision to Third Party |
Bottom Line
The Draft reflects China’s determination to regulate PI processing more closely, and is another step down the road towards a comprehensive data regulation framework. It is becoming increasingly clear that companies with even a minimal amount of exposure to personal information must follow best practices carefully.
This is the first of a series of articles we plan to write about cybersecurity, data protection, and compliance. Additionally, we are now offering data compliance services and related trainings. Please don’t hesitate to reach out if you have any questions.