In our last article, we discussed the Draft Personal Information Protection Law (the “Draft”) and its effect on PI processing by government authorities and other third parties. In this article, we will take a look at the Draft from an international angle.
Extending Jurisdiction Towards Foreign Entities
The Draft addresses the tricky issue of foreign entities by first establishing long-arm jurisdiction over their processing of PI from China.
Under Article 3 of the Draft, a foreign entity that processes PI from China for the purpose of providing services or products, or of analyzing or evaluating individual behaviors, is subject to the Draft. Such extraterritorial reach is quite common and has already been adopted by other countries and jurisdictions, including the EU and the United States.
Furthermore, the Draft provides that such foreign entities shall establish a specific entity or designate a representative in China to handle related PI protection matters and report required information to the authorities. Foreign entities will have to adjust to this provision once it takes effect.
Common Points with International Standards
As we previously mentioned, some articles in the Draft are in line with common practice adopted abroad. The EU and the US both passed PI-related regulations in recent years, and it therefore seems natural for China to take some hints from already existing regulations. We decided to offer below a very brief comparison of the GDPR and the Draft.
| KEY POINTS | DRAFT | GDPR |
| --- | --- | --- |
| No. of Provisions | 70 | 99 |
| Chapters | I General Provisions; II Rules on PI Handling; III Rules on Cross-border Transfer of PI; IV Rights of Individuals in PI; V Obligations of PI Handlers; VI Authorities Performing PI Protection Duties; VII Legal Liability; VIII Supplementary Provisions | I General Provisions; II Principles; III Rights of the data subject; IV Controller and processor; V Transfers of PI to third countries or international organizations; VI Independent supervisory authorities; VII Cooperation and consistency; VIII Remedies, liability and penalties; IX Provisions relating to specific processing situations; X Delegated acts and implementing acts; XI Final provisions |
| Bases of Data Processing | [Article 13] 1. Consent; 2. Contract; 3. Statutory responsibilities/obligations; 4. Essential for public/private health and property in emergency situations; 5. Public interest; others as stipulated by laws | [Article 6] 1. Consent; 2. Contract; 3. Legal obligations; 4. Vital interest of the data subject; 5. Public interest; legitimate interest |
As you can see, not only the document structure but also the legal bases for data processing are similar. What is missing in the Draft, however, is the concept of ‘legitimate interest,’ which is a hot topic in data processing under the GDPR. Its interpretation is constantly evolving through ECJ judgments and the respective EU guidelines.
It will be interesting to see whether China codifies at least a somewhat similar concept in the near future; we in fact think it is likely.
Cross-border Transmission & Localization of PI
As the purpose of the Draft is to ensure the orderly and free flow of PI, the Draft gives specific guidance for cross-border transmission of PI.
From the regulatory angle, according to Article 38 of the Draft, PI protection certification or a contract with the foreign entity, plus proper supervision, would likely be enough to satisfy cross-border transmission requirements. From the individual angle, disclosure of key information such as the recipient’s identity, the purpose, and the processing method, as well as the individual’s consent, are necessary.
Furthermore, if an entity holds a large amount of PI, that PI must be stored within the territory of China pursuant to Article 40 of the Draft. This means that offshore servers storing PI collected from China may no longer be an acceptable practice to regulators in China. So how much is too much? That is as yet unclear – the Draft itself is silent on precisely what the threshold will be.
One other aspect to note is that even if a foreign entity cooperates with a Chinese entity to process PI from China, it will still also be subject to obligations based on the different cooperation models, as we mentioned in our last article.
Blacklist System for Non-compliance
While the Draft significantly increases the monetary penalties for non-compliance, enforcing such penalties against foreign entities can be hard. Therefore, the Draft introduces a blacklist system specifically for foreign entities and foreigners: if they violate the PI interests of Chinese citizens or endanger national security or the public interest, the authorities will restrict or forbid their cross-border transmission of PI and make public announcements regarding the violations. This reputational damage could, in some ways, be more severe than any monetary penalty.
Bottom Line
Once the Draft takes effect, foreign entities collecting or receiving PI from China will have to review their workflow and come up with new arrangements or adjustments to fully comply with Chinese law.
This is the second article of a series of articles we plan to write about cybersecurity, data protection, and compliance. We are now offering data compliance services and related trainings through DaWo Academy. Please don’t hesitate to reach out if you have any questions.