Personal Information Gets Real

In a recent article, we discussed the status of laws and regulations regarding personal information (“PI”) protection. With the release of the groundbreaking draft Personal Information Protection Law (the “Draft”), we thought it would be valuable to start offering a look at the changes it brings to the cybersecurity and data framework in China.

Forecast – A Coalescing System

First, it’s important to revisit the current state of things – after several rounds of comment-seeking and amendment, the Draft joins other comprehensive legislative developments this year. Interestingly, it even incorporates some general practices of other jurisdictions’ data laws, such as the notion of regulating offshore information processing, and shifts some focus onto discernible guidelines for solving problems encountered in daily practice.

Once the Draft is officially implemented, it will fill one of the remaining spaces in the current framework, moving towards forming a comprehensive system of PI protection, and joining the Cybersecurity Law, the Civil Code, and various other supporting regulations, rules, and standards.

How will it do this? Below are a couple of less frequently discussed aspects of the Draft.

Restrictions on PI Processing by the Government

Although we can certainly appreciate the government’s largely successful response to COVID-19, which necessitated the collection and processing of PI, we can also agree that a government’s access to PI should never be boundless.

To avoid overreach on this front, the Draft actually places some important limits on what authorities can do. According to Article 35 of the Draft, the principle of “Notification-Consent” will be applied to the government in general, and PI processed by the authorities should be limited – no excessive processing is allowed.

In addition, under Article 36, while the government may seek help from other capable third parties for PI processing, this will also be subject to the consent of the individual.

How this will play out in practice remains to be seen, but it is encouraging to see this in the draft language itself.

Other Third-Party Processing

Many companies may not have the capability or qualification to process the PI they collect, so they may turn to a third party for help. To clarify their obligations, the Draft makes different requirements applicable to different cooperation models:

Cooperation Model – Key Points
Co-processing
  • Respective rights and obligations to be agreed upon
  • Such agreements shall not affect exercise of individuals’ rights
  • Joint liability will be imposed in case of PI breach
Entrusted Processing
  • Important details such as purpose, method shall be agreed upon
  • Entrusted processor shall work only within agreed scope
  • Entrusted processor shall return or delete PI after the entrustment ends
  • No sub-entrustment is allowed without consent
Transfer of PI
  • Information of PI receiver shall be disclosed
  • Receiver shall undertake the obligations of PI processor
  • Consent acquired in case of change of purpose or method
Provision to Third Party
  • Identity of third party shall be disclosed
  • Consent is required for provision
  • Consent is required in case of change of purpose or method
  • Re-identification of anonymous PI by third party is not allowed

Bottom Line

The Draft reflects China’s determination to regulate PI processing more closely, and is another step down the road towards a comprehensive data regulation framework. It is becoming increasingly clear that companies with even a minimal amount of exposure to personal information must be careful about best practices.

This is the first of a series of articles we plan to write about cybersecurity, data protection, and compliance. Additionally, we are now offering data compliance services and related trainings. Please don’t hesitate to reach out if you have any questions.