China passes draft law on personal data protection


On 21 October 2020, China's National People’s Congress published the Draft Personal Data Protection Law for public consultation, which will be held until 19 November 2020. Once passed, this legislation will be the first designated personal data protection law in China.

The basic data-protection principles and requirements for data-processing activities included in the draft are consistent with the different regulations, administrative rules and technical standards currently in force. In addition, the draft clarifies a few critical issues and questions:

Exterritorial effect: the draft states that Chinese data-protection law is applicable to a foreign company processing the personal data of individuals physically located within China if the company supplies goods or services to individuals located within China, or has processed data to analyse or assess the behaviour of individuals in China. The regulations apply even if the processing activities occur outside of China. Foreign companies will also be required to establish organisations or appoint representatives within China to handle data-protection related matters.

Lawful basis: instead of relying on the consent of data subjects as a golden rule for permitting the processing of personal data, the draft proposes other lawful bases for data processing, including for the performance of a contract to which the data-subject is a party; fulfilling legal duties or obligations; responding to a public-health crisis; protecting the life, health or property of an individual under emergency circumstances; or any processing considered necessary for protecting the public interest.

Cross-border transfer: critical information infrastructure (CII) operators and other non-CII data controllers whose processing activities have reached certain levels (the standard for which has not yet been published) are required to store in China all personal data collected within the territory. No cross-border transfer is allowed unless the transfer passes security assessments organised by cybersecurity administrative authorities. For other general data controllers wanting to transfer personal data collected within the territory to a foreign country, they must either obtain certificates issued by designated testing institutions or sign data-protection contracts with the foreign recipients of the data and ensure that the processing activities of the recipients comply with Chinese regulations.

Penalty: according to the draft, if a company violates the law and the circumstances are serious, all of the company’s relevant illegal income will be confiscated. The company will also be subject to an administrative fine of up to RMB 50 million or 5% of the total turnover of the previous year. The company's business licence may also be revoked.

Please click here for the full Chinese language version of the draft.

For more information on this draft law and data-protection regulations in China, contact your regular CMS partner or local CMS experts: