Introduction: the active legislation of personal information protection in China
This October, Information Security Technology - Personal Information Security Specification (GB/T-35273/2018) (“Personal Information Security Specification”), the most specific national standard in the area of personal information protection in China, was revised and released for comments for the third time within one year[1], reflecting rather active legislative work on personal information protection in China. This year, a number of laws, regulations and national standards, including the Measures for Cybersecurity Review (Draft for Comments), the Administrative Measures on Data Security (Draft for Comments), the Provisions on the Cyber Protection of Children's Personal Information, and the Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues Concerning the Application of Law in the Handling of Criminal Cases Involving Illegal Use of Information Networks and Assistance in Criminal Activities Committed through Information Networks, have been released frequently, updated rapidly or even officially implemented.
Compared with Information Security Technology - Personal Information Security Specification (Draft) published this February (“Personal Information Security Specification February Version” or “February Version”) and Information Security Technology - Personal Information Security Specification (Draft for Comments) published in June (“Personal Information Security Specification June Version” or “June Version”), the Information Security Technology - Personal Information Security Specification released this October (“Personal Information Security Specification October Version” or “October Version”, and together with the February Version and June Version collectively the “Three Revised Versions of Personal Information Security Specification” or “Three Revised Versions”) has further improved the systematic design of personal information protection. For example, a note is inserted in the definition of “personal information”, confirming that information formed by the personal information controller through processing of personal information or other information also constitutes personal information; an obligation to assist the personal information subject in cancelling his or her account is added; and the obligation to supervise security in entrusted processing is strengthened. It can be seen that personal information protection legislation in China is being specified and rationalized step by step according to its own characteristics of development.
Now, looking back at the General Data Protection Regulation (“GDPR” or “Regulation”) of the European Union, which became effective over a year ago, how far do we still have to go to reach the level of compliance set by GDPR, the strictest data protection law to date? Will we face more compliance challenges caused by conflicts between jurisdictions as the legal system of personal information protection in China develops?
This article analyzes in which aspects GDPR requires more for compliance than Chinese personal information protection law, and the conflicts between GDPR and Chinese personal information protection law, with the Personal Information Security Specification (hereinafter including the Personal Information Security Specification and its Three Revised Versions unless otherwise indicated) at the core, together with other laws and regulations related to personal information protection in China (collectively, “Personal Information Protection Law”). Due to the limited length of this article, we have selected only some issues that are significant and attract wide attention for our readers' reference.
I. Main Differences Between Chinese Personal Information Protection Law and GDPR
Chinese Personal Information Protection Law started relatively late. Chinese legislation has formed its own personal information protection rules with general reference to the systematic design of GDPR, while taking the reality of China's data industry into account. In some aspects that seem alike, complying with Chinese Personal Information Protection Law alone is not sufficient for GDPR.
1. Extra-Territorial Effect
Chinese Personal Information Protection Law generally applies to data processing by organizations or individuals within China's borders.
As for the extra-territorial effect of Chinese Personal Information Protection Law, among all the Personal Information Protection Law currently in effect, only the Cybersecurity Law of the People’s Republic of China[2] expressly stipulates that it has legal effect outside China where an overseas network operator publishes illegal information or attacks China's critical information infrastructure. Article 20 of the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comments) provides for its legally binding nature where overseas institutions collect personal information of domestic users through the Internet. Beyond that, the extra-territorial effect of Personal Information Protection Law remains unclear.
GDPR expressly stipulates that it applies extra-territorially to organizations or individuals established outside the European Union if they offer goods or services to data subjects in the European Union (irrespective of whether a payment by the data subject is required) or monitor their behaviour as far as that behaviour takes place within the Union.[3]
2. Principles Relating to Processing
The basic principles required by the Personal Information Security Specification when processing personal information include consistency between rights and liabilities, clear purposes, solicitation of consent, minimum sufficiency[4], openness and transparency, guarantee of security and involvement of personal information subjects.[5]
The above principles are also reflected in GDPR.[6] In addition, GDPR requires the principle of accuracy, i.e., personal data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.[7] This principle has not yet been introduced into Chinese Personal Information Protection Law.
3. Consent of Personal Information Subject
(1) Explicit Consent
Under Chinese Personal Information Protection Law, it is not necessary to obtain explicit consent from the personal information subject for every processing of personal information. Compared with the Personal Information Security Specification, the February Version and the June Version, the October Version specifically makes it clear that the concept of “consent” includes implied consent. Article 3.7 of the October Version stipulates that the acts by which a personal information subject clearly authorizes a specific processing include both authorization by active permission (i.e. explicit consent) and by negative omission (e.g. the personal information subject chooses not to leave the information collection area after being informed of the collection).
GDPR defines the “consent of the data subject” as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”[8]. This is equivalent to the “explicit consent” defined by Chinese Personal Information Protection Law. Based on this definition, consent obtained from the data subject under GDPR must be explicit, and the Regulation excludes implied consent.
(2) Freely Given Principle
Both Chinese Personal Information Protection Law and GDPR stipulate that the consent of the personal information subject should be given freely and not under compulsion.
The Personal Information Security Specification only provides for the application of the freely given principle between equal entities: for example, providers of products or services, when collecting personal information from their clients, should not force the personal information subject to accept the functions offered by the products or services and the corresponding personal information collection request against his or her free will.[9]
GDPR, however, takes more situations into consideration when applying the freely given principle. According to the relevant guidelines[10], the imbalance of power between the data controller and the data subject, such as between public authorities and individuals or between employers and employees, needs to be considered in deciding whether consent is freely given by the data subject.
4. Lawfulness of Processing
Under Chinese Personal Information Protection Law, when the controller collects, shares, transfers, discloses or otherwise processes personal information, the consent of the personal information subject must be obtained as the legal basis for the processing, save for administrative enforcement and judicial purposes[11]. The Personal Information Security Specification sets out some exceptions to this, including situations where the personal information is collected through open channels: for example, the information is voluntarily published by the personal information subject to the general public, or the personal information is collected from information that has been lawfully made public, such as lawful news reports and information published by the government, or a news agency processes personal information to the extent necessary for lawfully releasing news reports.[12] Even though the Personal Information Security Specification provides exceptions to the consent of the personal information subject, laws and regulations with mandatory effect in China do not contain such exceptions.
GDPR allows the controller to process personal data on various legal bases other than the consent of the data subject. However, acquiring personal data through lawful public channels and the processing of personal data necessary for lawful news reporting by a news agency are not among those bases. Therefore, even if a data subject voluntarily discloses his or her personal data to the public, this does not imply consent to the processing of that personal data for any purpose by any data controller. For news agencies, unless under European Union or member state law the processing is deemed necessary for compliance with a legal obligation to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, processing of personal data without the consent of the data subject cannot be justified on the ground of lawful journalistic activities.[13]
5. Obligation of Disclosure
There are some differences between the provisions on the disclosure obligation owed by controllers to personal information subjects in Chinese Personal Information Protection Law and in GDPR.
Taking automated decision-making as an example, the Personal Information Security Specification does not prescribe specifically what is to be disclosed in the case of automated decision-making, while GDPR particularly points out that where there is automated decision-making, including profiling, the data controller should disclose meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.[14]
6. Collection of Children’s Personal Information: Substantial Review of the Consent Given by Guardian
The collection of personal information should follow the principle of solicitation of consent.[15] When it comes to children, their guardian should be the one who gives consent on their behalf. However, Chinese Personal Information Protection Law currently contains no requirement for the controller to substantively review the consent given by the guardian.
GDPR requires that the controller make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking available technology into consideration, i.e. to substantively review the authenticity of the consent given by the guardian.[16] For instance, if a user subscribing to an online service indicates that he or she is under the age threshold for children, the user should provide the email address of a parent. The controller should contact the parent to obtain consent for the processing via email and take reasonable steps to confirm that the adult has parental responsibility.[17]
7. Rights of Personal Information Subject
From the perspective of the rights enjoyed by the personal information subject, GDPR additionally confers the right to restriction of processing and the right to object on the data subject, compared with Chinese Personal Information Protection Law.
Besides, there are differences in the content of the rights of the personal information subject between the two. For example, the Personal Information Security Specification limits the personal information subject's right to erasure to certain conditions: the personal information subject can exercise his or her right to erasure only when the controller collects or uses personal information in violation of laws and regulations or in breach of the agreement with the personal information subject.[18]
GDPR has no such limits on the exercise of this right by the data subject. Even if the processing does not violate relevant laws or regulations, the data subject can still exercise his or her right to erasure on statutory grounds such as: the personal data are no longer necessary for the purposes for which they were processed, withdrawal of consent, objection to the processing, compliance with a legal obligation in European Union or member state law to which the data controller is subject, or the personal data of children having been collected in relation to the offer of information society services.[19]
8. Handling of Personal Information Security Incidents
Chinese Personal Information Protection Law and GDPR both require the controller to report personal information security incidents to the competent supervisory authority. However, the Personal Information Security Specification does not specify the controller’s reporting period, stipulating only that the controller should “report in a timely manner pursuant to the National Contingency Plan for Cybersecurity Incidents and other relevant regulations”[20], while the current National Contingency Plan for Cybersecurity Incidents does not specify the reporting period either.
By contrast, GDPR expressly requires that the controller notify the personal data breach to the competent supervisory authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.[21]
9. Organizational Management Requirements
In addition, in terms of organizational management requirements, there are also many differences between Chinese Personal Information Protection Law and GDPR, such as in the designation and tasks of the data protection officer[22], records of processing activities[23] and prior consultation with the supervisory authority[24].
II. Conflicts between Chinese Personal Information Protection Law and GDPR in terms of Cross-border Transfer of Data
As mentioned above, based on the extra-territorial jurisdiction of GDPR, after a controller in China collects personal information from a data subject in the European Union, it should meet the rights requests of that data subject under GDPR.
In this case, if the data subject exercises the right of access under Article 15 or the right to data portability under Article 20 of GDPR, the controller in China is obliged to respond to the request. For the right of access, the data subject is entitled to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, the purposes of the processing, the categories of personal data concerned and a copy of the personal data being processed; for the right to data portability, the controller shall provide the data subject with the personal data in a structured, commonly used and machine-readable format, and the data subject shall have the right to transmit those data to another controller without hindrance from the original controller.
Meanwhile, the investigative powers granted to each supervisory authority in the European Union by GDPR also allow each supervisory authority “to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks” and “to carry out investigations in the form of data protection audits”[25].
Article 37 of Cybersecurity Law of the People’s Republic of China stipulates: “Personal information and important data collected and produced by critical information infrastructure operators during their operations within the territory of the People’s Republic of China shall be stored within China. If it is indeed necessary to provide such information and data to overseas parties due to business requirements, security assessment shall be conducted in accordance with the measures developed by the national cyberspace administration in conjunction with relevant departments of the State Council, unless it is otherwise prescribed by any law or administrative regulation.” Article 2 of Measures for the Security Assessment for Cross-border Transfer of Personal Information (Draft for Comments) stipulates: “The provision abroad of the personal information collected by network operators during their operations within the territory of the People’s Republic of China (hereinafter referred to as ‘cross-border transfer of personal information’) shall be subject to security assessment in accordance with these Measures. Where it is determined after security assessment that the cross-border transfer of any personal information may affect national security or damage public interests or it would be difficult to effectively protect personal information security, the cross-border transfer of such information shall be prohibited.”
If the controller in China needs to meet the rights requests of a data subject under GDPR or to cooperate with a supervisory authority in the European Union in an investigation, but the Chinese supervisory authority, after the said personal information is submitted to it for assessment, decides that the personal information shall not be transferred to other countries, there will be a material conflict between Chinese Personal Information Protection Law and GDPR.
III. Compliance Advice
As mentioned above, for Chinese enterprises (especially those with overseas business), complying with Chinese Personal Information Protection Law alone is not enough to meet the supervisory requirements of the European Union, and they may even face a dilemma due to the conflict of jurisdictions. It is suggested that such enterprises comprehensively sort out the data compliance requirements of the different jurisdictions, clarify the differences and conflicts, and formulate targeted solutions on that basis. For enterprises exchanging data with entities within the European Union, it is necessary to communicate with such overseas entities on the data exchange as early as possible and to prepare data transfer agreements and similar documents in advance, so as to avoid liability for breach of contract due to failure to provide personal information to overseas entities, and to minimize the difficulty of completing the security assessment procedure for cross-border transfer of personal information required by Chinese Personal Information Protection Law due to failure to obtain the counterparty's cooperation once that security assessment procedure is implemented.
Notes:
[1] The National Information Security Standardization Technical Committee has revised the Personal Information Security Specification three times and published Three Revised Versions for comments/drafts, including the Personal Information Security Specification (Draft) released on February 1, 2019, the Personal Information Security Specification (Draft for Comments) released on June 25, 2019 and the Personal Information Security Specification (Draft for Comments) released on October 24, 2019.
[2] Articles 50 and 75 of Cybersecurity Law of the People’s Republic of China
[3] Article 3 of GDPR
[4] Personal Information Security Specification October Version changed the “minimum sufficiency” to “minimum necessity”.
[5] Article 4 of Personal Information Security Specification October Version.
[6] Article 5 of GDPR
[7] Article 5(1) (d) of GDPR
[8] Article 4(11) of GDPR
[9] Article 5.3 of the Personal Information Security Specification October Version. Compared with the Personal Information Security Specification, this article is added in the Three Revised Versions, and its content remains basically the same across the Three Revised Versions, with only minor adjustments.
[10] 3.1.1, Article 29 Working Party Guidelines on Consent under Regulation 2016/679
[11] For example, pursuant to Article 25 of E-commerce Law of the People’s Republic of China: “Where the relevant authorities require, according to any law or administrative regulation, an e-commerce operator to provide relevant e-commerce data and information, the e-commerce operator shall do so. The relevant authorities shall take necessary measures to protect the security of the data and information provided by e-commerce operators, strictly keep confidential the personal information, privacy, and trade secrets therein, and shall not divulge, sell, or illegally provide them to any other person.” Under such circumstance, the consent of personal information subject is no longer needed for the relevant authorities to obtain or for the e-commerce operator to provide personal information thereto.
[12] Article 5.6 of Personal Information Security Specification October Version. Compared with Personal Information Security Specification, the Three Revised Versions all added “related to the personal information controllers’ performance of obligations as stipulated by laws and regulations” in the exceptions of obtaining authorization, and deleted “other circumstances as stipulated by laws and regulations”.
[13] Article 6 of GDPR
[14] Articles 13(2) (f) and 14(2) (g) of GDPR
[15] Article 9 of Provisions on the Cyber Protection of Children’s Personal Information
[16] Article 8(2) of GDPR
[17] 7.1.4, Article 29 Working Party Guidelines on Consent under Regulation 2016/679
[18] Article 7.10 of Personal Information Security Specification October Version
[19] Article 17 of GDPR
[20] Article 9.1 c) of Personal Information Security Specification October Version
[21] Article 33(1) of GDPR
[22] Article 10.1 of Personal Information Security Specification October Version; Articles 37, 38 and 39 of GDPR
[23] Article 10.3 of Personal Information Security Specification October Version (Compared with Personal Information Security Specification, this article is newly added in the Three Revised Versions); Article 30 of GDPR
[24] Article 36 of GDPR
[25] Article 58(1) (a) and (b) of GDPR