On October 21, 2020, the Standing Committee of the 13th National People's Congress of China issued the Draft Law for Personal Information Protection (the “Draft”) for public comment through November 19. The Draft focuses on rules for protecting the collection and use of personal information (“PI”) by data processors in China. Importantly for advertising in China, the Draft clarifies a few critical issues and questions:
Extraterritorial effect
Appearing to follow the approach taken by the General Data Protection Regulation ("GDPR") of the European Union, the Draft asserts jurisdiction over organizations and individuals who undertake activities outside the borders of China if the PI of natural persons within China is involved, and where the purpose of such activities is to provide products or services to natural persons inside China as well as to analyze or assess their activities.
Further, the Draft requires overseas PI processors to set up special agencies or appoint designated representatives in China to be responsible for PI protection related matters. However, the Draft does not define “special agencies or designated representatives”, nor does it clarify whether the overseas PI processors need to establish an entity in China.
Informed consent and Opt Out
As is already stipulated in the existing rules for collection and use of PI, the Draft is clear that the processing of PI shall be conducted in a legal and proper manner, with clear and reasonable objectives. It shall be limited to the minimum scope of the processing purpose, and shall include open processing rules, ensure the accuracy of information, and adopt security protection measures, etc.
Further, the Draft establishes the core principle of "informed consent" and provides users the right to opt out of authorization for collection of their PI. The service provider cannot deny service to users who opt out of the authorization. This will significantly affect PI processors in digital marketing; i.e., if a user does not agree to the processor gathering their PI, then the processor cannot push messages to the user’s devices (e.g., send advertisements) based on the user’s activities online.
The Draft also restricts the processing of Sensitive PI (i.e., PI that, once leaked or illegally used, may lead to personal discrimination or serious harm to personal and property safety, including PI regarding race, nationality, religious belief, personal biological features, medical history, health, financial account, and personal whereabouts). Under the Draft, Sensitive PI can only be processed when it is for a specific purpose and is sufficiently necessary. Moreover, when handling Sensitive PI, PI handlers must obtain specific and additional consent from the individual, even if they have already obtained general consent for PI collection.
Cross-border transfer requires prior security assessment
The Draft stipulates that where critical information infrastructure operators and PI handlers need to provide PI abroad in quantities that exceed a certain threshold, they must first pass an official security assessment. To satisfy the requirement, general PI processors must obtain PI protection certification from a specialized body according to provisions by the state cybersecurity and informatization department, or conclude an agreement with the foreign receiving party in which the parties agree on both sides’ rights and obligations, and supervise their PI handling activities in compliance with PRC laws.
Fines up to CNY 50 million (around USD 7.5 million) or 5% of annual turnover
The Draft states the administrative punishment for violations. Where PI is handled in violation of the Draft or without adopting necessary security protection measures, the PI processor shall be subject to one or more of a rectification order, a warning, and confiscation of illegal gains; where correction is refused, it shall be subject to a fine of up to CNY 1 million (around USD 140k). Additionally, the persons directly in charge and other directly responsible persons shall be fined between CNY 10,000 and CNY 100,000 (around USD 1.4k to USD 14k). Where the circumstances are serious, they shall be subject to one or more of a rectification order, a warning, confiscation of illegal gains, and a fine of not more than CNY 50 million (around USD 7.5 million), or 5% of last year’s annual turnover. They may also be subject to orders of suspension of related business activities, cessation of business for rectification, and report to the relevant competent department for cancellation of corresponding professional licenses or cancellation of business permits. The persons directly in charge and other directly responsible persons shall be fined between CNY 100,000 (around USD 14k) and CNY 1 million (around USD 140k).
Observations
The Draft, if promulgated, will be the first law to focus on PI protection in China. It would create specific obligations for PI processors, which is relevant to digital marketing in China. The Draft is of particular note for its extraterritorial effect: regardless of whether they occur inside or outside of China, any activities involving the collection of PI from people in China are covered by the regulation and subject the data processors to fines, i.e., potentially 5% of annual turnover for a serious violation.