China publishes the second draft of Personal Data Protection Law


On 29 April 2021, the second draft of the PRC Personal Data Protection Law was published to solicit public opinions until 28 May 2021. Highlights of this draft include:

Extra-territorial effect: If a company processes any personal data of an individual located within China, the Chinese data protection law will apply even if the processing occurs outside of China as long as the purpose of the processing is to supply products or services to the individual; or the individual’s activities are being analysed and assessed. The company must either establish an entity or appoint a representative in China to handle data protection related matters.

Additional lawful bases: Consent is no longer the “golden rule”. The contract, legal obligations, vital interests, and public tasks are all specified in the draft as lawful bases for processing. However, 'legitimate interests' as defined by the EU's GDPR is still not a lawful basis in this draft.

Joint and several liability between co-controllers: While co-controllers may allocate internally their respective data protection obligations, they shall bear joint and several liability for any data violations or infringements.

Automated decision-making: An individual has the right not to be subject to a decision based solely on automated processing since the decision may significantly affect this person's legal interests. The draft, however, is silent on how to decide such significance.

Data localisation: In additional to critical information infrastructure operators (“CII Operators”), companies who process personal data reaching a certain amount as specified by the regulator (“Large-scale Operators”) must store in China all the personal data collected or generated in China. However, the draft does not specify what this specific amount is. If any data needs to be transferred to a foreign jurisdiction, security assessments organised by the regulator must be passed in advance.

Cross-border transfer: A company that is neither a CII Operator nor a Large-scale Operator must satisfy one of the following requirements before it may transfer any personal data outside of China: (i) pass security assessments organised by the regulator; (ii) obtain certificates issued by designated professional institutions; or (iii) sign standard contracts formulated by the regulator with foreign recipients, and continue to monitor the recipients’ performance.

Data protection officer: Large-scale operators must appoint a data protection officer, publish the officer’s contact information, and record the appointment with the regulator. The draft does not specify whether other non-large scale operators must also appoint data protection officers.

Data protection impact assessment: A data protection impact assessment must be conducted before any of the following processing activities can be carried out: (i) processing sensitive personal data; (ii) using personal data to make automated decisions; (iii) entrusting others to process personal data, or sharing or publishing personal data; (iv) transferring personal data outside of China, and (v) other processing activities that may significantly affect the individuals’ interests.

Breach notification: As an exception to the general obligation to report a data breach and notify the concerned individuals, the draft proposes that the notification is not necessary if effective measures have been taken to prevent any damages resulting from the breach. However, the regulator has the power to request that notifications be made if it determines that there could be potential damage to the individuals.

Liability: In case of a serious data violation or infringement, a company may be subject to an administrative fine not exceeding RMB 50 million or 5% of the previous year’s revenue, confiscation of illegal income, suspension of business, or revocation of business licences. The draft also introduces a reverse onus mechanism, which requires a company to bear the liability to an individual whose interests are damaged during any of the company's data processing activities unless the company can prove that it has no fault.

Please click here for a full version (Chinese only) of the draft.