A Chinese Data Privacy Law with Strong Influences from the EU-China Releases the Draft on Its First Uniform Personal Information Protection Law


Authored by Yingying Zhu


The world has witnessed a torrent of lawmaking, regulatory design and enforcement activity regarding data privacy following the entry into force of the General Data Protection Regulation (“GDPR”) [1] of the European Union in May 2018. At present, 132 out of 194 countries have put in place legislation to secure the protection of data and privacy. [2]

 

The inadequacy of personal information protection in China has raised widespread public concern in this big-data land of 904 million netizens,[3] who are vulnerable to data breaches and cyber fraud. In 2016, a professor at the prestigious Tsinghua University wired more than CNY 17 million to a fraudster after receiving a scam call from someone who knew every detail of the recent sale of her real property.[4] Incidents like this have led to nationwide discussion and provoked reflection among thinkers, legal experts and lawmakers.

 

At present, data protection laws, regulations and specifications in China are scattered across sectoral laws, regulations and non-binding guidelines, such as the Criminal Law and its Amendment VII, the Consumer Protection Law, the Cybersecurity Law, the Personal Information Security Specification, the Civil Code, and so on.

 

On October 13, 2020, after years of brewing, China released the long-awaited and much-welcomed draft of its first dedicated personal information protection law. The draft was submitted to the Standing Committee of China’s top legislature, the National People’s Congress (“NPC”), for its first review and then posted for public comment on the NPC’s official website. The comment period lasts until November 19, 2020.

 

As the first comprehensive Chinese law that emulates the GDPR, the draft Personal Information Protection Law (“draft PIPL”) shows strong GDPR influences as well as its own distinctly Chinese characteristics.

Definition of “Personal Information” and “Sensitive Personal Information”

Under the draft PIPL, personal information covers any information, recorded electronically or in other forms, that relates to an identified or identifiable natural person (“data subject”), excluding anonymized information. The processing of personal information includes activities such as the collection, storage, use, handling, transmission, provision and disclosure of personal information.

Here, “personal information” under the draft PIPL is similar in definition to “personal data” as used in the GDPR and in its predecessor, the EU Data Protection Directive,[5] because it covers data relating to either an “identified” or an “identifiable” individual. “Identifiable” means that an individual might not currently be identified but could be identified by combining various pieces of data.[6] For example, the name of a person (in particular, a non-celebrity) often does not by itself identify an individual, but it can sometimes easily be linked to an individual with a few other pieces of information, such as an address, a telephone number or a place of work.

 

Taking a risk-based approach, the draft PIPL defines sensitive personal information (“SPI”) as personal information that, once leaked or illegally used, may lead to discriminatory treatment or could seriously endanger the safety of persons or property, including information such as one’s race, ethnicity, religious beliefs, personal biological characteristics, medical health, financial accounts, personal whereabouts and so forth.[7] Only personal information processors with a specific purpose and sufficient necessity may process SPI. The draft also requires that the individual’s “independent consent” be obtained where processing of SPI is to be based on consent, and that the individual be informed of the necessity of processing the SPI and its impact on them.

 

The draft PIPL, for the first time in China’s privacy legislation, specifically defines SPI. As improper disclosure of SPI can cause greater harm to the image, reputation or security of an individual, it is of significant importance that SPI be specifically defined and appropriately protected.

 

One problem with the draft PIPL’s definition of SPI, however, is that it seems to ignore a certain type of SPI: a person’s private or secret life, which in many defamation cases has been the subject of public online shaming. If details of an individual’s private life (usually unpleasant, eccentric or immoral) are posted on a popular online platform due to mishandling of that individual’s personal information, and the news goes viral, the victim in many cases suffers emotionally from the attacks of cyber-mobs and internet violence. The harm may be purely emotional rather than financial. Here, the risk-based definition of SPI in the draft PIPL only covers risks in the form of “discriminatory treatment” or “endangering the safety of persons or property”, leaving out harm to personal reputation and psychological health, which in many cases could be the only harm resulting from a violation involving SPI. The draft PIPL obviously did not give enough consideration to this type of possible harm in its current definition of SPI.

 

Under the GDPR, processing of personal data of a sensitive nature is prohibited unless stricter preconditions are met. Such data are referred to here as SPI,[8] and the categories of sensitive data are expressly listed in the definition.

 

Though the two definitions differ, the draft PIPL converges with the GDPR in that both recognize SPI as a specific category of information that must be treated with extra safeguards.

Rights of Individuals

Under the draft PIPL, individuals enjoy the right to know about and make decisions on the processing of their personal information, and have the right to limit or refuse the processing of their personal information by others, except as otherwise provided by laws and administrative regulations.

Specifically, individuals enjoy the following rights:

1) Right to access:[9] the data subject may consult or copy his or her personal information held by the information processor;

2) Right to rectification: upon discovering any error in the information, the data subject has the right to raise an objection and request a timely correction;

3) Right to be forgotten: if the handling of personal information violates the law or any prior agreement, if the purposes of processing have been achieved, or if the individual has withdrawn consent, the data subject has the right to request timely erasure. If, however, the retention period prescribed by law has not yet expired, or deletion of the personal information is technically difficult to achieve, the personal information processor shall instead stop the processing;

4) Right to be informed: individuals have the right to be informed about the rules governing the processing of their personal information;

5) Right to refuse automated decision-making: where an individual believes that automated decision-making has a significant impact on his or her rights and interests, he or she has the right to request an explanation from the personal information processor and to refuse automated individual decision-making.

Under the draft PIPL, individuals have a broader scope of rights than under previous laws in the same sector, bringing China’s privacy protection even closer to GDPR standards.[10] It is, however, interesting to note that the GDPR’s “right to data portability”[11] has not been transplanted to its Chinese counterpart. As the right to data portability does not apply to genuinely anonymous data but only to pseudonymous data that can clearly be linked back to a data subject, perhaps the distinctly Chinese notions of cyber-sovereignty and network security account for the absence of such a right in the Chinese context.

Principles and Conditions for Data Processing

Under the draft PIPL, the general principles for data collection are that data shall be collected lawfully and justifiably, openly and transparently, and accurately and kept up to date, and that data collection shall have clear and reasonable purposes and be limited to the minimum scope needed to achieve those purposes. Data processing activities shall meet one of the following conditions:

(1) with the consent of the individual;

(2) it is necessary for entering into or performing a contract to which the individual is a party;

(3) it is necessary for performing legally binding duties or obligations;

(4) it is necessary to respond to public health incidents or to protect natural persons’ lives, health and property in an emergency;

(5) it is within a reasonable range in order to carry out acts such as news reporting and public opinion supervision in the public interest; or

(6) other circumstances provided for by laws or administrative regulations.

 

The GDPR provides six legal bases for processing personal data, namely: consent; contract; legal obligation; vital interests; public task; and legitimate interests pursued by the controller or by a third party.[12] The draft PIPL sets out the above five specific legal bases for processing personal data, which are comparable to the first five legal bases of the GDPR, while omitting the last one concerning “legitimate interests pursued by the controller or by a third party”, possibly because it could give too much discretion to the information processor and thereby dilute the value of all the other legal bases.

 

Under the draft PIPL, consent, albeit the best known, is just one of the legal bases a business can rely on to justify the processing of individuals’ personal data. Furthermore, for consent to be valid, it must be freely given, unambiguous and explicit, informed and withdrawable. Consent is not freely given if individuals have no meaningful option other than to consent. This means businesses shall not create a take-it-or-leave-it situation when seeking people’s consent. Individuals must retain the ability to decline and shall be free from discrimination when they opt out. The draft PIPL also specifies that if there are changes to the purposes or methods of processing, or to the type of personal information to be processed, the individual’s consent shall be obtained again.

 

Extraterritorial Applicability

 

The GDPR has an extraterritorial scope, since it applies to businesses established outside the European Union when they offer goods or services to data subjects in the European Union or monitor their behavior insofar as it takes place in the European Union.[13]

 

Modeled on the GDPR’s approach to extraterritorial application, Article 3 of the draft PIPL extends the law’s territorial scope to data processing activities outside China. Any processing activity conducted outside China that handles the personal information of natural persons within the territory of the P.R. China falls under the territorial scope of the Chinese data protection law if it meets any of the following conditions:

 

(1) it is for the purpose of providing products or services to natural persons within the territory;

(2) it is to analyze and evaluate the conduct of natural persons within the territory; or

(3) other circumstances provided for by laws and administrative regulations.

 

If this clause remains intact in the final legal text, Chinese privacy rules will also apply to data processing activities outside China. The consequence of this expansion is that non-Chinese data controllers and processors must comply with Chinese data protection obligations when processing data on individuals in China for the purposes listed above.

Obligations of Personal Information Processor

Under the draft PIPL, the personal information processor, i.e. the party that collects, stores, uses, handles, transmits, provides or discloses personal information, has the following obligations:

(1) take necessary measures to ensure that personal information processing activities comply with the law and to prevent unauthorized access, disclosure, theft, tampering and deletion of personal information;

(2) when processing personal information above a certain volume, designate a person in charge who is responsible for overseeing personal information processing activities and the protection measures taken;

(3) when processing Chinese individuals’ personal information outside China as provided in Article 3 of the Law, establish a point of contact within China;

(4) conduct periodic audits and, for certain categories of personal information processing activities, risk assessments in advance;

(5) where a personal information leakage incident occurs, immediately take remedial measures and notify the supervisory authorities.

Once a data breach occurs, the GDPR requires data controllers to notify the supervisory authority of the breach within 72 hours of becoming aware of it.[14] Furthermore, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subjects without undue delay.[15]

In comparison, the draft PIPL does not specify a timeframe for notifying the supervisory authorities, and where the personal information processor takes measures that can effectively avoid the harm caused by the leakage, it is permitted not to notify the affected individuals.

Liabilities and Penalties

Violations of the draft PIPL may be subject to a fine of up to CNY 1 million (about EUR 128,000); the directly responsible managers and other directly responsible persons may be fined between CNY 10,000 (about EUR 1,283) and CNY 100,000 (about EUR 12,831). Serious violations of the draft PIPL can be fined up to CNY 50 million (about EUR 6.4 million) or up to 5% of the preceding year’s turnover. Illegal data processing activities are also recorded in the business’s credit files and publicly announced.

In comparison, under the GDPR, less severe infringements can result in a fine of up to EUR 10 million or 2% of the business’s global annual revenue in the preceding financial year, whichever is higher. For more severe infringements, the GDPR sets a maximum fine of EUR 20 million or 4% of annual turnover, whichever is higher.[16]

In an age of constant, complex and sometimes intrusive technological innovation, the high penalties on noncompliance aim to have a deterrent effect on rule-breakers who are mishandling people’s data or using people’s data without adequate measures in place to safeguard them.

Conclusion

The draft PIPL, as the first law dedicated to data privacy protection in China and thus the basis for a unified enforcement regime, marks a milestone in the country’s data privacy legislation. The law has a broader scope of application than the previous sectoral laws and regulations and brings the country’s data privacy protection closer to the GDPR standards, which have effectively become global standards given the large number of countries around the world that have adopted the GDPR model. While converging strongly with the EU rules, the draft PIPL demonstrates unique Chinese characteristics, speaking with a strong Chinese voice and a subtle EU accent.

The laws and regulations on data privacy are constantly evolving in China, with further changes still in the pipeline. We are here to help if you have any problems, issues or concerns regarding data privacy protection inside or outside China.

 



[1] The General Data Protection Regulation (EU) 2016/679.

[2] See https://unctad.org/page/data-protection-and-privacy-legislation-worldwide.

[3] See https://www.thehindu.com/news/international/chinas-netizen-population-hits-record-904-million-report/article31451143.ece.

[4] See http://www.techweb.com.cn/tele/2017-02-20/2489197.shtml.

[5] The Data Protection Directive, officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[6] Paul M. Schwartz & Daniel J. Solove, Reconciling Personal Information in the U.S. and EU, 102 Cal. L. Rev. 886 (2014).

[7] While an official translation is not yet available, the author has referenced the source at https://www.chinalawtranslate.com/en/personal-information-protection-draft for the translation of the texts of the draft PIPL.

[8] Definition of “sensitive personal information” under the GDPR: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

[9] The subtitles are used in this article for convenience only; they are not part of the draft PIPL.

[10] Rights for individuals under the GDPR, see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights.

[11] The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/.

[12] GDPR, Article 6(1).

[13] GDPR, Article 3(2).

[14] GDPR, Article 33(1).

[15] GDPR, Article 34(1).

[16] See https://www.itgovernance.co.uk/dpa-and-gdpr-penalties.
