A Chinese Data Privacy Law with Strong Influences from the EU: China Releases the Draft of Its First Uniform Personal Information Protection Law


Authored by Yingying Zhu


The world has witnessed a torrent of lawmaking, regulatory design and enforcement activity on data privacy since the General Data Protection Regulation ("GDPR")[1] of the European Union took effect in May 2018. According to UNCTAD, 132 of 194 countries have now put in place legislation to secure the protection of data and privacy.[2]

 

The inadequacy of personal information protection in China has raised widespread public concern in a big-data country with 904 million netizens,[3] who remain vulnerable to data breaches and cyber fraud. In 2016, a professor at the prestigious Tsinghua University wired more than CNY 17 million to a fraudster after receiving a scam call from someone who knew every detail of her recent sale of real property.[4] Incidents like this have led to nationwide discussion and provoked reflection among thinkers, legal experts and lawmakers.

 

Until now, data protection rules in China have been scattered across sectoral laws, regulations and non-binding guidelines, such as the Criminal Law and its Amendment VII, the Consumer Protection Law, the Cybersecurity Law, the Personal Information Security Specification and the Civil Code.

 

On October 13, 2020, after years of preparation, China released the long-awaited and much-welcomed draft of its first dedicated personal information protection law. The draft was submitted to the Standing Committee of the National People's Congress ("NPC"), China's top legislature, for first reading, and was then posted for public comment on the NPC's official website. The comment period runs until November 19, 2020.

 

As the first comprehensive Chinese law modeled on the GDPR, the draft Personal Information Protection Law ("draft PIPL") shows strong GDPR influences alongside distinctly Chinese characteristics.

Definition of “Personal Information” and “Sensitive Personal Information”

Personal information under the draft PIPL means information, recorded electronically or in other forms, that relates to an identified or identifiable natural person (the "data subject", in GDPR terms); anonymized information is excluded. Processing of personal information covers activities such as the collection, storage, use, handling, transmission, provision and disclosure of personal information.

"Personal information" under the draft PIPL is thus defined much like "personal data" under the GDPR and its predecessor, the EU Data Protection Directive,[5] because it covers data relating to both an "identified" and an "identifiable" individual. "Identifiable" means that an individual may not currently be identified but could be identified by combining various pieces of data.[6] A name on its own (in particular, the name of a non-celebrity) often does not single out one individual, but it can easily be linked to one when combined with a few other data points, such as an address, a telephone number or a place of work.

 

Taking a risk-based approach, the draft PIPL defines sensitive personal information ("SPI") as personal information which, once leaked or illegally used, may lead to discrimination against individuals or seriously endanger the safety of persons or property, including information on race, ethnicity, religious beliefs, personal biometric characteristics, medical health, financial accounts and personal whereabouts.[7] Only personal information processors with a specific purpose and sufficient necessity may process SPI. Where processing of SPI is based on consent, the draft requires the individual's "independent consent", and the individual must also be informed of the necessity of the processing and its impact on them.

 

The draft PIPL is the first piece of Chinese privacy legislation to specifically define SPI. Since improper disclosure of SPI can cause greater harm to an individual's image, reputation or security, it is important that SPI be specifically defined and appropriately protected.

 

One problem with the draft PIPL's definition of SPI, however, is that it appears to overlook a certain type of SPI: details of a person's private life, which in many defamation cases have been the subject of public online shaming. If details of an individual's private life (usually unpleasant, eccentric or regarded as immoral) are posted on a popular online platform because that individual's personal information was mishandled, and the post goes viral, the victim will in many cases suffer attacks from cyber-mobs and online violence. The resulting harm may be purely emotional rather than financial. The risk-based definition of SPI in the draft PIPL covers only risks in the form of "discriminatory treatment" or "endangering the safety of persons or property", leaving out harm to reputation and psychological health, which in many cases is the only harm that results from misuse of SPI. The current definition of SPI in the draft PIPL clearly does not give enough consideration to this type of harm.

 

Under the GDPR, processing of personal data of a sensitive nature is prohibited unless one of a limited set of stricter conditions is met. The GDPR does not use the term "sensitive personal information"; such data fall under the label "special categories of personal data" in Article 9, which lists the covered categories exhaustively.[8]

 

Though the two definitions differ, the draft PIPL converges with the GDPR in recognizing that SPI belongs to a special category of information that must be treated with extra safeguards.

Rights of Individuals

Under the draft PIPL, individuals have the right to know about and make decisions on the processing of their personal information, and the right to limit or refuse the processing of their personal information by others, unless otherwise provided by laws and administrative regulations.

Specifically, individuals enjoy the following rights:

1) Right of access:[9] the data subject may consult or copy his or her personal information held by the personal information processor;

2) Right to rectification: upon discovering an error in the information, the data subject has the right to object and to request timely correction;

3) Right to deletion (right to be forgotten): where the handling of personal information violates the law or a prior agreement, where the purpose of processing has been achieved, or where the individual has withdrawn consent, the data subject has the right to request timely deletion. If, however, the retention period prescribed by law has not yet expired, or deletion is technically difficult to achieve, the personal information processor must instead stop the processing;

4) Right to be informed: individuals have the right to be informed of the rules governing the processing of their personal information;

5) Right to refuse automated decision-making: where an individual believes that automated decision-making has a significant impact on his or her rights and interests, the individual has the right to request an explanation from the personal information processor and the right to refuse decisions made solely by automated means.

Under the draft PIPL, individuals enjoy a broader set of rights than under previous laws in the same sector, bringing China's privacy protection closer to GDPR standards.[10] It is interesting to note, however, that the GDPR's "right to data portability"[11] has not been transplanted into its Chinese counterpart. Since data portability applies not to genuinely anonymous data but to pseudonymous data that can be linked back to a data subject, the distinctly Chinese notions of cyber-sovereignty and network security may account for the absence of this right in the Chinese context.

Principles and Conditions for Data Processing

Under the draft PIPL, the general principles for processing personal information are that it must be processed lawfully and legitimately, openly and transparently, and accurately and kept up to date, and that processing must have a clear and reasonable purpose and be limited to the minimum scope needed to achieve that purpose. Processing activities must also meet one of the following conditions:

(1) the individual has given consent;

(2) the processing is necessary for entering into or performing a contract to which the individual is a party;

(3) the processing is necessary for performing statutory duties or obligations;

(4) the processing is necessary to respond to a public health emergency or to protect the life, health or property of natural persons in an emergency;

(5) the processing is within a reasonable scope for carrying out news reporting, public opinion supervision or similar activities in the public interest; or

(6) other circumstances provided for by laws or administrative regulations.

 

The GDPR provides six legal bases for processing personal data: consent; contract; legal obligation; vital interests; public task; and legitimate interests pursued by the controller or a third party.[12] The five specific legal bases in the draft PIPL are comparable to the first five GDPR bases, while the last one, "legitimate interests pursued by the controller or by a third party", is omitted, presumably because it could give too much discretion to the personal information processor and thereby dilute the value of the other legal bases.

 

Under the draft PIPL, consent, though the best known, is only one of the legal bases a business can rely on to justify processing individuals' personal information. For consent to be valid, it must be freely given, unambiguous and explicit, informed, and withdrawable. Consent is not freely given if individuals have no meaningful option other than to consent, so businesses may not present a take-it-or-leave-it choice when seeking consent. Individuals must retain the ability to decline and must not be discriminated against when they opt out. The draft PIPL also specifies that if the purpose or method of processing, or the type of personal information processed, changes, the individual's consent must be obtained anew.

 

Extraterritorial Applicability

 

The GDPR has an extraterritorial scope, because it may apply to businesses established outside the European Union when they offer goods or services to data subjects in the European Union or monitor their behavior when it takes place in the European Union.[13]

 

Modeled on the GDPR's approach to extraterritorial application, Article 3 of the draft PIPL extends the law's territorial scope to processing activities carried out outside China. Processing, outside the territory of the P.R. China, of the personal information of natural persons within China falls under the law if any of the following conditions is met:

(1) the purpose is to provide products or services to natural persons within the territory;

(2) the purpose is to analyze or evaluate the conduct of natural persons within the territory; or

(3) other circumstances provided for by laws and administrative regulations apply.

If this clause survives in the final text, Chinese privacy rules will apply to processing activities outside China. Non-Chinese data controllers and processors will then have to comply with Chinese data protection obligations when processing the data of individuals in China for the purposes listed above.

Obligations of Personal Information Processor

Under the draft PIPL, the personal information processor, meaning the party that collects, stores, uses, handles, transmits, provides or discloses personal information, has the following obligations:

(1) to take the necessary measures to ensure that processing activities comply with the law and to prevent unauthorized access to, and leakage, theft, tampering or deletion of, personal information;

(2) when processing personal information above a certain volume, to designate a person in charge of overseeing processing activities and the protection measures taken;

(3) when processing the personal information of individuals within China from outside China under Article 3, to establish a dedicated entity or designate a representative within China;

(4) to conduct periodic audits and, for certain categories of processing activities, a risk assessment in advance;

(5) in the event of a personal information leak, to immediately take remedial measures and notify the supervisory authorities.

When a data breach occurs, the GDPR requires data controllers to notify the supervisory authority within 72 hours of becoming aware of it.[14] Furthermore, where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subjects without undue delay.[15]

By comparison, the draft PIPL sets no specific timeframe for notifying the supervisory authorities, and where the personal information processor has taken measures that can effectively avoid the harm caused by the leak, it is allowed not to notify the affected individuals. The supervisory authority nevertheless retains the power to require notification if it considers that the leak may harm individuals.

Liabilities and Penalties

Violations of the draft PIPL may be fined up to CNY 1 million (about EUR 128,000); the directly responsible managers and other directly responsible persons may be fined between CNY 10,000 (about EUR 1,283) and CNY 100,000 (about EUR 12,831). Serious violations may be fined up to CNY 50 million (about EUR 6.4 million) or up to 5% of the preceding year's turnover. Unlawful processing activities are also recorded in the business's credit file and publicly announced.

By comparison, under the GDPR less severe infringements may be fined up to EUR 10 million or 2% of the business's worldwide annual turnover for the preceding financial year, whichever is higher. For more severe infringements, the GDPR sets a maximum fine of EUR 20 million or 4% of worldwide annual turnover, whichever is higher.[16]

In an age of constant, complex and sometimes intrusive technological innovation, high penalties for noncompliance are meant to deter those who mishandle people's data or use it without adequate safeguards in place.

Conclusion

The draft PIPL, as the first law dedicated to data privacy protection in China and the basis for unified enforcement, marks a milestone in the country's data privacy legislation. It has a broader scope of application than the previous sectoral laws and regulations and raises the country's data privacy protection closer to GDPR standards, which, given the large number of countries that have adopted the GDPR model, have become the de facto global benchmark. While converging closely with the EU rules, the draft PIPL retains unique Chinese characteristics: a strong Chinese voice with a subtle EU accent.

Data privacy laws and regulations in China are constantly evolving, with further changes in the pipeline. We are here to help with any problems, issues or concerns regarding data privacy protection inside or outside China.

 



[1] The General Data Protection Regulation (EU) 2016/679.

[2] See https://unctad.org/page/data-protection-and-privacy-legislation-worldwide.

[3] See https://www.thehindu.com/news/international/chinas-netizen-population-hits-record-904-million-report/article31451143.ece.

[4] See http://www.techweb.com.cn/tele/2017-02-20/2489197.shtml.

[5] The Data Protection Directive, officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[6] Paul M. Schwartz & Daniel J. Solove, Reconciling Personal Information in the U.S. and EU, 102 Cal. L. Rev. 886 (2014).

[7] While an official translation is not yet available, the author has referenced the source at https://www.chinalawtranslate.com/en/personal-information-protection-draft for the translation of the texts of the draft PIPL.

[8] GDPR, Article 9(1), "special categories of personal data": data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed to uniquely identify a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.

[9] The subtitles are used in this article for convenience only; they are not part of the draft PIPL.

[10] Rights for individuals under the GDPR, see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights.

[11] The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/.

[12] GDPR, Article 6(1).

[13] GDPR, Article 3(2).

[14] GDPR, Article 33(1).

[15] GDPR, Article 34(1).

[16] GDPR, Article 83(4) and (5); see also https://www.itgovernance.co.uk/dpa-and-gdpr-penalties.

北京市铭盾律师事务所 (Beijing Mingdun Law Firm), www.mdlaw.cn
Copyright © 2008-2020 北京市铭盾律师事务所