Personal Information: Go International, Go Local

Nathaniel Rushforth

Nate Rushforth is an American associate. He studied at the McGill University Faculty of Law in Montreal, Quebec and at the University of Arizona College of Law in Tucson, Arizona. He holds a Juris Doctor from the University of Arizona College of Law.

In our last article, we discussed the Draft Person Information Protection Law (the “Draft”) and its effect on PI processing by government authorities and other third parties. In this article, we will take a look at the Draft from an international angle.

Extending Jurisdiction Towards Foreign Entities

The Draft intends to address a tricky issue regarding foreign entities by first laying down the concept of long-arm jurisdiction with regard to foreign entities’ processing of PI from China.

Under Article 3 of the Draft, if a foreign entity processes PI from China for the purposes of providing services/products or analyzing/evaluating individual behaviors, that foreign entity is then subject to the regulation of the Draft. This is quite a common practice which has been adopted by other countries or jurisdictions like the EU and the United States.

Furthermore, the Draft provides that such foreign entities shall establish a specific entity or designate a representative in China to handle related PI protection matters and report the required information to the authorities. Foreign entities will have to make adjustments to comply with this provision once it takes effect.

Common Points with International Standards

As we previously mentioned, some articles in the Draft are in line with common practice adopted abroad. The EU and the US both passed PI-related regulations in recent years, and it therefore seems natural for China to take some hints from already existing regulations. We decided to offer below a very brief comparison of the GDPR and the Draft.

KEY POINT: Number of Provisions
Draft: 70
GDPR: 99

KEY POINT: Chapters
Draft:
I General Provisions
II Rules on PI Handling
III Rules on Cross-border Transfer of PI
IV Rights of Individuals in PI
V Obligations of PI Handlers
VI Authorities Performing PI Protection Duties
VII Legal Liability
VIII Supplementary Provisions
GDPR:
I General Provisions
II Principles
III Rights of the data subject
IV Controller and processor
V Transfers of PI to third countries or international organizations
VI Independent supervisory authorities
VII Cooperation and consistency
VIII Remedies, liability and penalties
IX Provisions relating to specific processing situations
X Delegated acts and implementing acts
XI Final provisions

KEY POINT: Bases of Data Processing
Draft [Article 13]:
1. Consent
2. Contract
3. Statutory responsibilities/obligations
4. Essential for public/private health and property in emergency situations
5. Public interest
6. Others as stipulated by laws
GDPR [Article 6]:
1. Consent
2. Contract
3. Legal obligations
4. Vital interests of the data subject
5. Public interest
6. Legitimate interest

As you can see, not only the document structure, but also the legal bases for data processing therein are similar. What is missing in the Draft, however, is the concept of ‘legitimate interest,’ which is a hot topic in regard to data processing according to GDPR. The explanation on how to understand it is constantly evolving thanks to ECJ judgements and respective EU guidelines.

It will be interesting to see whether China decides to codify at least a somewhat similar concept in the near future; we in fact think it is likely.

Cross-border Transmission & Localization of PI

As the purpose of the Draft is to ensure the orderly and free flow of PI, the Draft gives specific guidance for cross-border transmission of PI.

From the regulatory angle, according to Article 38 of the Draft, PI protection certification or a contract with the foreign entity plus proper supervision would likely be enough to satisfy the cross-border transmission requirements. From the individual angle, disclosure of key information such as the recipient's identity, the purpose, and the processing method, as well as the individual's consent, are necessary.

Furthermore, if an entity holds a large amount of PI, then that PI must be stored within the territory of China pursuant to Article 40 of the Draft. This means that offshore servers storing PI collected from China may no longer be an acceptable practice to regulators in China. So how much is too much? That is as yet unclear: the Draft itself is silent on precisely what the threshold will be.

One other aspect to note is that even if a foreign entity cooperates with a Chinese entity to process PI from China, it will still also be subject to obligations based on the different cooperation models, as we mentioned in our last article.

Blacklist System for Non-compliance

While the Draft significantly enhances the monetary penalties for non-compliance, enforcing such penalties against foreign entities can be hard. Therefore, the Draft has introduced a blacklist system specifically for foreign entities and foreigners: if they violate the PI interests of Chinese citizens or endanger national security or the public interest, the authorities will restrict or forbid their cross-border transmission of PI and make public announcements regarding the violations. This reputational damage could, in some ways, be more severe than any monetary penalty.

Bottom Line

Once the Draft takes effect, foreign entities collecting or receiving PI from China will have to review their workflow and come up with new arrangements or adjustments to fully comply with Chinese law.

This is the second article of a series of articles we plan to write about cybersecurity, data protection, and compliance. We are now offering data compliance services and related trainings through DaWo Academy. Please don’t hesitate to reach out if you have any questions.