Exploring China’s Upcoming Draft Personal Information Protection Law

On October 21, 2020, China released the first draft of the Personal Information Protection Law (hereinafter the “PIPL” or “Draft”) for public comment. The PIPL is regarded as the “Chinese GDPR” and is widely believed to have a significant influence on the development of many industries, especially digital business. To help multinational corporations better understand the PIPL and be well prepared for the coming new era of data protection in China, we will prepare 14 thematic articles on various topics to guide compliance under the PIPL from a practical perspective.

Prior to the Draft, China adopted a consent principle in determining the lawfulness of processing personal information, which means that, unless otherwise provided by law and administrative regulation, processing of personal information should be subject to the personal information subject’s informed consent. In addition, the widely referenced national standard Personal Information Security Specification (GB/T 35273-2020, whose revised version was implemented on October 1, 2020) sets out some circumstances under which processing could be justified without consent. However, as this national standard has no legal force, those circumstances may not qualify as an effective defence in disputes.

In light of the limitations of the consent principle as well as increasingly complex processing scenarios, the PIPL takes an approach similar to the GDPR and provides multiple lawful bases for processing personal information in addition to consent.

Consent

Generally, the most commonly used lawful basis for processing is consent. In practice, consent should be obtained in different ways depending on the type of data as well as the specific processing activities. The Draft presents new requirements for obtaining consent and also clarifies the personal information subject’s right to withdraw consent.

Other Lawful Basis

As mentioned above, under the Draft, in addition to consent, processing of personal information could also rest on other lawful bases, which is quite similar to the GDPR.

Specifically, the Draft stipulates that personal information could be processed (without consent) where the processing is necessary (1) for the conclusion or performance of a contract with the individual; (2) for the performance of statutory duties or for compliance with legal obligations; or (3) for coping with public health emergencies or for the protection of the life, health and property safety of an individual. Meanwhile, to carry out such activities as news reporting in the public interest, a personal information processor could process personal information within a reasonable scope. The Draft also provides a catch-all clause under which personal information could be processed if otherwise specified by law and administrative regulation.

Source:  Dentons China news