China, being a heavily populated nation, is also home to a great number of online users. It was evident that when a draft law on personal data protection would be issued, it would be historic. The Personal Information Protection Law of the People’s Republic of China (“Draft Law”) was released for public consultation on October 21, 2020. It primarily revolves around examining the scope of “personal information” and the obligations of the data processors, which has been a pressing concern in China for a long time now.
Lawmakers claim that the existing laws were not sufficient to provide for adequate security to consumers regarding privacy. Article 62 of the Draft Law prescribes the fines and consequences in situations where companies have defaulted. When personal information is handled in violation with any provisions of this law, a correction will be ordered along with confiscation of the unlawful income with a subsequent issue of a warning. However, if the correction is refused, then a fine of not more than 1 million Yuan is fined, and the people directly and indirectly responsible for it, shall be fined with an amount between 10,000 and 100,000 Yuan. When the offence is grave, the fine may be charged up to a maximum of 50 million Yuan, or 5% of the annual revenue in addition to the correction and confiscation. The company may also be subject to suspension and cancellation of business activities and license. The directly and indirectly responsible persons in this case would be fined between 100,000 and 1 million Yuan.
Article 65 also penalizes infringement of personal information rights and interests due to personal information handling activities by making the personal information handler liable for compensating individuals for the loss they suffered or the benefit obtained by the personal information handler.
The new draft clarifies the definition of “personal information” as well as “sensitive personal information”, and widened its scope by including aspects on ethnicity, race, medical and financial data, etc.
Article 4: Personal information is all kinds of information recorded by electronic or other means related to identified or identifiable natural persons, not including information after anonymization handling.
Personal information handling includes personal information collection, storage, use, processing, transmission, provision, publishing, and other such activities.
Article 29: Personal information handlers may handle sensitive personal information only for specific purposes and when sufficiently necessary.
Sensitive personal information means personal information that, once leaked or illegally used, may cause discrimination against individuals or grave harm to personal or property security, including information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking, etc.– Draft Law
The Draft Law also includes under its ambit, any default by overseas companies with respect to consumer privacy in China. Article 3 specifies three circumstances in which companies outside China may be under the purview of the Draft Law, i.e., its extra-territorial application:
- Where the purpose is to provide products or services to natural persons inside the borders;
- Where conducting analysis or assessment of activities of natural persons inside the borders;
- Other circumstances provided in laws or administrative regulations.
While China has seemingly tightened their stand on data protection, the country had to consider their steps very intricately so as to not result in barring technological advancements, since collection, processing, storage and disclosure of private data is an inevitable feature now.
Even though the Draft Law provides greater clarity on the scope of personal information and is long due, concerns have been raised over the law being vague and having certain grey areas in terms of its execution.
Reported by Stuti Agrawal, Student Ambassador