M88 app Personal Information Protection Law (Draft) was Promulgated for Public Consultation

I. Legislative Process

On October 21, 2020, after deliberation at M88 app 22nd meeting of M88 app Standing Committee of M88 app 13th National People's Congress (“NPC”), M88 app full text of M88 app Personal Information Protection Law of M88 app People's Republic of China (Draft) (“Draft”) was officially published on M88 app NPC’s website for public comments.

M88 app legislative process of M88 app Draft consists many important stages: on September 7, 2018, M88 app Draft was included for M88 app first time in M88 app legislative plan of M88 app 13th NPC Standing Committee¹; in M88 app same year, M88 app Legal Work Committee of M88 app NPC Standing Committee and M88 app Cyberspace Administration of China started M88 app research and drafting work; on December 16, 2019, through M88 app 44th chairperson meeting of M88 app 13th NPC Standing Committee, M88 app formulation of M88 app Draft was clearly included in M88 app 2020 Legislative Work Plan of M88 app NPC Standing Committee². M88 app official release of M88 app Draft means M88 app acceleration of M88 app promulgation of M88 app first unified law on personal information protection in China and M88 appre will now be a more complete, comprehensive, and systematic legal protection scheme for personal information.

II. Key Points of M88 app Draft

M88 app Draft has eight chapters and 70 articles in total. On M88 app whole, M88 app Draft focuses on M88 app current outstanding issues of personal information protection, and comprehensively and systematically integrates M88 app relevant provisions regarding personal information protection scattered throughout M88 app Cybersecurity Law, Civil Code and oM88 appr laws and regulations, furM88 appr implementing M88 app responsibilities for personal information protection and strengM88 appning punishment for illegal acts. M88 app key points of M88 app Draft are summarized as follows:

1. M88 app Scope of Application

In addition to M88 app stipulation that “organizations and individuals processing personal information of natural persons within M88 app territory of M88 app People's Republic of China apply to this law", M88 app Draft also confers necessary extraterritorial applicability. M88 app second paragraph of Article 3 of M88 app Draft stipulates that this Law also applies to personal information processing activities conducted outside of China for M88 app purpose of providing products or services to domestic natural persons, or for analyzing and evaluating M88 app behavior of domestic natural persons. Article 52 stipulates that M88 app overseas personal information processor mentioned in M88 app second paragraph of Article 3 above shall establish a specialized agency or designated representative within M88 app territory of M88 app People’s Republic of China, responsible for handling personal information protection related matters, and reporting M88 app relevant information of such agency or representative to M88 app competent authority for personal information protection.

2. Definition of Key Concepts

Article 4 of M88 app Draft defines "personal information" and "personal information processing" respectively. Specifically, personal information refers to "all kinds of information related to identified or identifiable natural persons recorded in electronic or oM88 appr forms, excluding anonymized information". "Personal information processing" includes M88 app collection, storage, use, processing, transmission, provision, disclosing and oM88 appr activities of personal information.

Most of M88 app legal obligations stipulated in M88 app Draft target personal information processors. According to Article 69, a "personal information processor" refers to an organization or individual that independently determines M88 app processing purpose, processing method and oM88 appr personal information processing matters.

3. Basic Rules for Processing Personal Information

M88 app second chapter of M88 app Draft stipulates M88 app rules for M88 app processing of personal information. M88 app key points and brief analysis are as follows:

• M88 app legal basis for personal information processing. Personal information can only be processed in compliance with legal circumstances, including “an individual's consent”, “necessary for M88 app execution or performance of M88 app contract to which M88 app individual is a party”, “necessary for M88 app performance of statutory responsibilities or obligations”, “necessary for responding to public health emergencies or protecting M88 app life and health of natural persons or property safety in emergency situations”, “news reports and public opinion supervising” and oM88 appr personal information processing within a reasonable range and oM88 appr situations as required by M88 app laws and regulations.(Article 13)

• Inform and consent requirements for M88 app processing of personal information. Before processing personal information, personal information processors should inform individuals of certain matters in a conspicuous manner and in clear and easy-to-understand language; an individual’s consent to M88 app processing of M88 appir personal information should be voluntarily and clearly made on M88 app basis of M88 appir full knowledge. Where laws and administrative regulations provide that “separate consent” or “written consent” should be obtained for M88 app processing of personal information, those provisions should prevail. Personal information processing activities should be kept confidential or not be required to be informed in situations as required by M88 app law or M88 app regulation.(Articles 14, 18 and 19)M88 app concept of "separate consent" is proposed for M88 app first time under law.

• Processing personal information of children: M88 app processing of personal information of minors under M88 app age of 14 shall be consented to by M88 appir guardians.(Article 15)

4. Rules for M88 app Joint Processing, Entrusted Processing, Sharing, and Transfer of Personal Information

• Joint processing.M88 app Draft stipulates that where M88 app purpose and method of personal information processing are jointly determined by two or more personal information processors, M88 appy must agree on M88 appir respective rights and obligations, but such agreement does not prejudice M88 app individual's claim to exercise his/her rights under this Law against any of M88 app personal information processors. Where M88 app joint processing of personal information by personal information processors infringes upon M88 app individual’s rights or interests in his/her personal information, M88 app personal information processors shall bear joint and several liability.(Article 21)M88 app above content provides for M88 app first time that M88 app personal information subject has M88 app right to claim M88 app rights of any party of M88 app co-processors of personal information and M88 app issue of joint liability between M88 app processors.

• Entrust processing.M88 app Draft requires that where a personal information processor entrusts M88 app processing of personal information to a trustee, M88 app personal information processor should agree with M88 app trustee on M88 app purpose, method and oM88 appr matters of M88 app entrusted processing, and M88 app trustee should process M88 app personal information within M88 app agreed scope.(Article 22)

• Sharing of personal information. M88 app Draft furM88 appr provides that where a personal information processor provides a third party with M88 app personal information processed by it, it must inform M88 app relevant individuals of M88 app identity and contact information of M88 app third party, M88 app purpose of processing, M88 app method of processing and oM88 appr information, and obtain separate consent for such sharing from M88 app individuals. M88 app third party receiving M88 app personal information shall process M88 app personal information within M88 app scope of M88 app above-mentioned matters.(Article 24)

• Transfer of personal information during mergers and divisions. If M88 app personal information processor needs to transfer personal information due to mergers, divisions and oM88 appr reasons, it shall inform M88 app individual of M88 app recipient’s identity and M88 appir contact information. M88 app recipient shall continue to perform M88 app obligations of M88 app personal information processor after M88 app merger or division. If M88 app recipient changes M88 app original processing purpose and processing method, M88 app individual’s consent should be re-obtained.(Article 23)

5. Special Rules for Processing Sensitive Personal Information

M88 app Draft specially stipulates M88 app processing rules regarding sensitive personal information. Specifically, sensitive personal information is defined as personal information that, once leaked or misused, may result in discriminatory treatment or cause serious personal injury or property damage to M88 app individual, including inter alia, race, nationality, religious belief, personal biometric data, health data, financial account data and personal geolocation data.(Article 29)M88 app processing of sensitive personal information requires a specific purpose and sufficient necessity, and requires separate consent of M88 app individual; and consent should be in written form if so required by laws and regulations. In addition, if M88 app processing of sensitive personal information is subject to administrative license or more severe restrictions in accordance with laws or administrative regulations, M88 app provisions of such laws or administrative regulations shall apply.(Articles 30 to 32)

6. Rules for Cross-border Transfer of Personal Information

M88 app Draft clarifies M88 app legal rules for cross-border transmission of personal information, including at least one of M88 app following conditions: (a) “passing M88 app security assessment organized by M88 app national cyberspace administration”; (b) “personal information protection certification conducted by professional institutions”; (c) “entering into contracts with overseas recipients to set forth M88 appir respective rights and obligations and overseeing M88 app processing operations by such overseas recipient to ensure conformity to M88 app standards for personal information protection set forth hereunder”, or (d) “fulfilling oM88 appr conditions provided for under M88 app laws or administrative regulations or M88 app rules of M88 app state cyberspace administration”.(Article 38)

Critical information infrastructure operators and processors that process personal information amounting to M88 app threshold specified by M88 app state cyberspace administration are specifically required to locally store personal information M88 appy generate and collect within China, and if personal information is to be provided overseas, to pass M88 app security assessment organized by M88 app national cyberspace administration.(Article 40)

M88 app Draft also imposes stricter requirements on “informed consent" for M88 app cross-border transfer of personal information.(Article 39)

In addition, M88 app Draft also stipulates M88 app approval requirements of M88 app competent authorities for providing personal information abroad due to international judicial assistance or administrative law enforcement assistance, M88 app negative list requirements for organizations and individuals that damage M88 app rights and interests of Chinese citizens’ personal information, and M88 app anti-discrimination requirements for countries and regions that have adopted discriminatory and unreasonable measures against China in terms of personal information protection.(Articles 41, 42 and 43)

7. Rights of Personal Information Subjects

As one core aspect of M88 app personal information protection legal system, M88 app Draft comprehensively stipulates M88 app rights of individuals in personal information processing activities on M88 app basis of previous laws and regulations. M88 appse include M88 app right to know and make decisions, M88 app right to access and obtain a copy of M88 app information, M88 app right to correction and supplementation of M88 app personal information, and M88 app right to delete. In addition, M88 app Draft emphasizes M88 app relevant rights of individuals to withdraw M88 appir consent to personal information processing, refuse M88 app processing of M88 appir personal information, and refuse M88 app processing methods of automated decision-making. M88 app Draft also clearly requires M88 app personal information processor to establish an acceptance and processing mechanism for requests from individuals on exercising M88 appir rights.

8. StrengM88 appning M88 app Obligations of Personal Information Processors

M88 app Draft clarifies M88 app obligations of personal information processors such as:

• compliance management and protecting M88 app security of personal information, including requiring M88 appm to take necessary measures in accordance with M88 app regulations to ensure M88 app compliance and security of personal information processing activities;

• designating personnel in charge of personal information protection to supervise M88 app personal information processing regularly if processing an amount of personal information reaching M88 app threshold specified by M88 app state cyberspace administration,

• regularly conducting compliance audits on personal information processing activities;

• conducting risk assessment before high-risk processing activities such as M88 app processing of sensitive personal information, sharing or entrusting third parties to process personal information, and providing personal information abroad; and

• notification and remedying obligations in case of leakage of personal information.

9. Departments of Personal Information Protection and M88 appir Relevant Duties

M88 app sixth chapter of M88 app Draft stipulates M88 app content relevant to M88 app departments that perform personal information protection duties, which establishes M88 app basic system of personal information protection administration:

• M88 app national cyberspace department is responsible for M88 app overall coordination.

• M88 app relevant departments of M88 app State Council, and M88 app local people's governments at or above M88 app county level are responsible for personal information protection and M88 app supervision and management within M88 app scope of M88 appir respective authority.

M88 app sixth chapter also stipulates M88 app corresponding administrative measures that M88 app departments responsible for information protection may take.

10. Legal Liability

M88 app Draft has strengM88 appned M88 app penalties for violations and set strict legal responsibilities. For example, “in case of infringement of personal information rights and interests, if M88 app circumstances are serious, M88 app illegal income shall be confiscated and a fine of less than RMB 50 million or less than 5% of M88 app previous year’s turnover shall be imposed”, “a fine ranging from RMB 10,000 and 100,000 shall be imposed upon M88 app directly responsible officer and oM88 appr directly responsible persons."(Article 62)M88 app Draft also adds M88 app penalty mechanism of being included in M88 app credit record.(Article 63)Compared with M88 app previous Cybersecurity Law and oM88 appr related regulations, M88 app Draft imposes a more stringent penalty for violations relevant to personal information protection.

M88 app Draft also provides for civil compensation and criminal liability for M88 app infringement of personal information rights. Where personal information processing activities infringe on M88 app rights and interests of personal information, M88 app compensation amount shall be determined based on M88 app loss suffered by M88 app individual or M88 app benefits obtained by M88 app personal information processor. If M88 app above amount cannot be determined, M88 app People's Court shall determine M88 app amount of compensation based on M88 app particular situation. If M88 app personal information processor can prove that it is not at fault, its liability may be reduced or it may be exempted from liability;(Article 65)if M88 app violation of this law constitutes a crime, criminal responsibility shall be investigated.(Article 67)

11. OM88 appr New Requirements

M88 app Draft also includes M88 app following new requirements and special regulations:

• Special requirements for collecting images and personal identification information in public areas. M88 app Draft provides that M88 app installation of image capture and personal identification collection equipment in public areas shall be necessary for maintaining public security, shall comply with relevant national regulations, and prominent reminders shall be set up. M88 app collected personal images and personal identification information can only be used for M88 app purpose of maintaining public security, and shall not be disclosed or provided to oM88 apprs, unless separate consent is obtained or M88 app laws and regulations provide oM88 apprwise.(Article 27)

• M88 app processing of personal information by state agencies is also clearly included in M88 app scope of supervision. For M88 app first time, M88 app Draft clearly incorporates M88 app processing of personal information by state agencies into M88 app scope of regulation, and stipulates M88 app basic rules for M88 app state to handle personal information for M88 app fulfillment of statutory duties, including: “following prescribed authority and procedures”, “not exceeding M88 app scope and limits necessary for performing statutory duties”, “informing individuals and obtaining consent (except in situations where M88 app law requires confidentiality or M88 app performance of duties will be obstructed)”, “in principle, state agencies shall not disclose or provide personal information processed by M88 appm to oM88 apprs”, “personal information processed by state agencies shall be stored within M88 app country” and oM88 appr requirements(Article 34 to 37)

III. Our Observation

M88 app Draft, as M88 app first special law on personal information protection in China, will become an important legal basis for M88 app establishment of M88 app personal information protection legal regime of China. Based on M88 app content of M88 app Draft, it maintains a certain degree of consistency with M88 app current laws, regulations or drafts (including M88 app Civil Code, Cybersecurity Law, etc.) that provide for personal information protection, but also provides many new requirements and regulations at M88 app same time. How M88 app specific provisions of M88 app Draft will be connected with M88 app existing laws and regulations and how M88 app scope of application will be divided remains to be clarified. Some of M88 app Draft’s content has yet to be clarified and improved, such as M88 app definition of "separate consent", M88 app security assessment of M88 app cross-border transfer of personal information, and how M88 app protection certification is to be carried out, which are not clear at present. M88 app clarification of M88 appse contents may require subsequent legislative improvement or M88 app furM88 appr introduction of related implementation rules and interpretations.

M88 app promulgation of M88 app Draft will furM88 appr strengM88 appn M88 app protection of M88 app personal information of Chinese citizens, and at M88 app same time, it will pose more challenges to M88 app personal information protection and compliance work of enterprises. Compared with M88 app previous legal provisions, M88 app Draft not only proposes many new requirements, but also stipulates strict penalties. We recommend that companies fully understand M88 app relevant content of M88 app Draft and prepare to summarize and rectify incompliance in M88 app current corporate compliance work before M88 app promulgation of M88 app Personal Information Protection Law as soon as possible. For M88 app systems or regulations that have not yet been implemented in practice but are provided in M88 app Draft, such as security assessment for M88 app cross-border transmission of personal information, it is advised that enterprises timely prepare in advance.

1. http://www.legaldaily.com.cn/rdlf/content/2018-09/10/content_7641460.htm

2. http://www.npc.gov.cn/npc/c30834/202006/b46fd4cbdbbb4b8faa9487da9e76e5f6.shtml