China releases draft on personal information law

24 November 2020

China releases draft on personal information law

On October 13, 2020, after years of brewing, China releases the long-awaited and much-welcomed draft on its first dedicated personal information protection law. The draft has been submitted to the standing committee of China's top legislature-the National People’s Congress (“NPC”) for the first review and then posted for public comments on NPC’s official website. The comment period lasts until November 19, 2020.

Being the first comprehensive law that emulates the GDPR of the European Union (EU), the draft Personal Information Protection Law has shown strong GDPR influences as the provisions of the law are highly converging with the EU rules, such as the definition of personal data, the protection on sensitive personal data, the extraterritorial applicability, among others. But it also shows its unique Chinese characteristics, for example, it sets out five specific legal bases for processing personal data, which are comparable to the first five legal bases (consent; contract; legal obligation; vital interests; public task) of the GDPR while chipping away the last one concerning “legitimate interests pursued by the controller or by a third party”, on the possible account that it would have the potential of giving too much discretion to the information processor and therefore dilute the value of all the other legal bases.

“For the first time, it specifically defines sensitive personal information (“SPI”) and recognizes SPI is belonging to a specific category of information that must be treated with extra safeguarding,” says Yingying Zhu, Partner, MingDun Law Firm. “Also, individuals have a broader scope of rights than previous laws in the same sector and it brings China’s protection on privacy even closer to the GDPR standards. Furthermore, because of its extraterritorial applicability, when the law finally comes into force, the Chinese privacy rules can also apply to data processing activities outside China. The consequence of this expansion is that non-Chinese data controllers and processors must comply with the Chinese data protection obligations when processing data on individuals in China for specific purposes.”

She adds that when implemented, this will be beneficial to individuals in China since privacy forms the basis of individuals’ rights and freedom.

“To free from unlawful intrusion to personal data and to safely entrust your data to the businesses you are dealing with are critical to the well-being of individuals in China,” she says. “To data processing businesses, living up to the requirements of the data privacy law will not only result in better legal compliance but also help to build up a reputation and a competitive advantage. The process of compliance may cost a lot in the beginning, but in the long run, it will prove to be valuable as real dollars, euros or Chinese yuan will be saved because those in compliance are more likely to avoid fines, litigation costs, negative media attention and reputation damage.”

“Hopefully, the new law could come into force in 2021 and then becomes the major force to safeguard people’s data in China,” she says. “As in other parts of the world, laws and regulations in this area are constantly evolving in China as changes and further judicial interpretations are still in the pipeline. The best practice for most businesses is to build an up- to-date, dynamic, adaptable and effective privacy protection program that can skillfully and nimbly deal with changes as they occur.”


Excel V. Dyquiangco

Law firms

Please wait while the page is loading...