Will China's changes to its legal landscape make investigations and litigation involving information stored in the country much more difficult?
China is moving forward with its first comprehensive privacy law.
In 2016 the People's Republic already enacted the Cybersecurity Law (CSL), whose main purpose was to protect and regulate the country's critical information infrastructure. To further address rising concerns about the protection of personal information and “important data”, two additional laws were introduced: the Data Security Law (DSL) and the Personal Information Protection Law (PIPL).
The DSL's main intent is to regulate data processing activities that could have a national security impact, in particular those involving “important data”, while the PIPL was created to protect personal information. Both laws matter for businesses operating in China that, broadly defined, collect, store, or use data or personal information. On April 29, 2021, the Standing Committee of the National People's Congress of China (NPC), the country's top legislator, released the 2nd drafts of the DSL and the PIPL for public comment until May 28, 2021. Once finalized, these three laws, the CSL, DSL, and PIPL, will form a complex data protection and cybersecurity regulatory framework governing cross-border transfers of personal and non-personal data.
In particular, the provisions proposed in the 2nd drafts of the DSL and PIPL would expand on the existing legal framework in several respects.
Below is a short overview of the key aspects of the 2nd drafts of the DSL and PIPL.
Data Security Law, DSL
1) Data processing activities
The first draft of the DSL stated that the law applies to entities carrying out “data activity” on data that “covers all electronic and non-electronic records of information.” The second draft replaces this term with “data processing activity,” which, according to Article 3, includes “the collection, storage, use, refining, transmission, provision, or public disclosure of data”. This revision aligns with the definition of “processing” under the PIPL, which is similarly defined as “the collection, storage, use, refining, transmission, provision, or public disclosure of personal information.”
2) Establishing a data classification and categorization protection system
The 2nd draft of the DSL requires the central government to establish a “data categorization and classification system” at the national level in order to govern data. Moreover, the central government shall release a catalogue of “important data” and impose heightened protection requirements on such data (Article 20).
3) Emphasizing the importance of the multi-level protection scheme
The 2nd draft of the DSL specifically requires entities undertaking data processing activities to implement an internal data security program, including personnel training and other technical measures, in compliance with the requirements of the Multi-Level Protection Scheme (“MLPS”), the cybersecurity framework under which the government classifies companies' networks physically located in China (Article 26).
4) Cross-border transfer of important data
Furthermore, the new law prescribes notice and consent for cross-border transfers. Companies must carry out an internal risk assessment before transferring data out of China and must keep records of these transfers. A legitimate transfer mechanism, such as a standard transfer agreement or a security assessment administered by the Cyberspace Administration of China, is also mandatory.
5) Requests for data by foreign judicial or law enforcement organs
According to Article 35 of the 2nd draft of the DSL, if a foreign judicial or law enforcement organ requests data that is “stored” within China, such data shall not be provided unless China's “competent government agency” has authorised the provision. Where treaties or agreements concluded or joined by China contain relevant provisions on transferring data in response to foreign requests, those provisions may be followed. The DSL does not itself govern state secrets, personal information, or military data, but it applies to all other scenarios in which companies process non-personal data.
6) Penalties for unauthorized provision of data to overseas authorities
Article 46 of the 2nd draft of the DSL sets out the penalties for violating Article 35: they range from a warning to a fine of between RMB 100,000 and RMB 1 million for the company and a fine of between RMB 20,000 and RMB 200,000 for the responsible individuals.
Personal Information Protection Law, PIPL
1) Highlighting the principle of minimum necessity
Article 6 of the 2nd draft of the PIPL stresses the principle of minimum necessity by requiring that personal information processing be restricted to the minimum scope necessary to fulfil the processing purpose, and be carried out in the manner with the least impact on the individual's rights and interests.
2) A new legal basis for processing personal information
The 2nd draft of the PIPL introduces, in Article 13, a new legal basis for processing personal information: when previously disclosed personal information is processed within a reasonable scope, consent is not required. Notably, processing on this basis must also comply with Article 28 of the PIPL, which sets out the rules for handling disclosed personal information.
3) Rules for withdrawing consent
The 1st draft of the PIPL already granted data subjects the right to withdraw consent. In the 2nd draft, Article 16 of the PIPL additionally requires that the personal information handler (similar to the “data controller” under the GDPR) provide individuals with an easy way to withdraw their consent. Further, the withdrawal of consent does not affect personal information processing activities carried out before the data subject withdrew his or her consent.
4) Cross-border transfer of personal information
The only change introduced in the 2nd draft of the PIPL regarding cross-border transfers of personal information is that a processing entity wishing to transfer personal information overseas on the basis of a transfer agreement must use the “standard contract” published by the Cyberspace Administration of China (“CAC”).
These two drafts leave many questions open, among others which non-Chinese bodies qualify as “judicial and enforcement agencies”. The planned restrictions in the DSL and PIPL also make it even harder for multinational companies to decide, when faced with a government request or judicial order to produce data or documents stored in China, whether to comply with the request and risk penalties and hardship for infringing Chinese law, to wait for approval from the Chinese government, or to decline the request and face negative consequences under the laws of the requesting country. Companies must therefore weigh several factors when handling a request from a judicial or enforcement agency to produce data stored in China. Both laws are expected to be enacted in 2021 and to take effect in 2022, so companies operating in China should start preparing for them without delay.