China's Draft 'Personal Information Protection Law' (Full Translation)

Long-awaited legislation on personal data released for public comment
Blog Post
Shutterstock/ tcly
Oct. 21, 2020

This translation is part of the DigiChina Project, based at the Stanford University Cyber Policy Center and a joint effort with New America.

This translation is by Rogier Creemers, Mingli Shi, and Lauren Dudley, and it was edited by Graham Webster.

[Chinese-language original]

Personal Information Protection Law of the People’s Republic of China (Draft)

Table of Contents

Chapter I: General Provisions

Chapter II: Personal Information Handling Rules 

Section I: Common Provisions

Section II: Rules for Handling Sensitive Personal Information

Section III: Specific Provisions on State Organs Handling Personal Information

Chapter III: Rules on the Cross-Border Provision of Personal Information

Chapter IV: Individuals’ Rights in Personal Information Handling Activities

Chapter V: Personal Information Handlers’ Duties

Chapter VI: Departments Fulfilling Personal Information Protection Duties and Responsibilities

Chapter VII: Legal Liability

Chapter VIII: Supplemental Provisions

Chapter I: General Provisions

Article 1: This Law is formulated in order to protect personal information rights and interests, standardize personal information handling activities, safeguard the lawful, orderly, and free flow of personal information, and stimulate the reasonable use of personal information.

Article 2: The personal information of natural persons receives legal protection; no organization or individual may infringe natural persons’ personal information rights and interests.

Article 3: This Law applies to organizations and individuals’ handling personal information activities of natural persons within the borders of the People’s Republic of China.

Where one of the following circumstances is present in handling activities outside the borders of the People’s Republic of China of personal information of natural persons within the borders of the People’s Republic of China, this Law applies as well:

  1. Where the purpose is to provide products or services to natural persons inside the borders;
  2. Where conducting analysis or assessment of activities of natural persons inside the borders;
  3. Other circumstances provided in laws or administrative regulations.

Article 4: Personal information is all kinds of information recorded by electronic or other means related to identified or identifiable natural persons, not including information after anonymization handling.

Personal information handling includes personal information collection, storage, use, processing, transmission, provision, publishing, and other such activities.

Article 5: Lawful and proper methods shall be adopted for personal information handling, and the principle of sincerity observed. It is prohibited to handle personal information in fraudulent, misleading, or other such ways.

Article 6: Personal information handling shall have a clear and reasonable purpose, and shall be limited to the smallest scope to realize the handling purpose. It is prohibited to conduct personal information handling unrelated to the handling purpose.

Article 7: The principles of openness and transparency shall be observed in the handling of personal information, and personal information handling rules indicated clearly.

Article 8: In order to realize the handling purpose, the handled personal information shall be accurate and updated in a timely manner.

Article 9: Personal information handlers shall bear responsibility for their personal information handling activities, and adopt the necessary measures to safeguard the security of the personal information they handle.

Article 10: No organization or individual may handle personal information in violation of the provisions of laws and administrative regulations, or engage in personal information handling activities harming national security or the public interest.

Article 11: The State establishes a personal information protection structure, to prevent and punish acts harming personal information rights and interests, strengthen personal information protection propaganda and education, and promote the creation of a good environment for personal information protection, with joint participation from government, enterprise, relevant sectoral organizations, and the general  public.

Article 12: The State vigorously participates in the formulation of international rules [or norms] for personal information protection, stimulates international exchange and cooperation in the area of personal information protection, and promotes mutual recognition of personal information protection rules [or norms], standards, etc., with other countries, regions, and international organizations. 

Chapter II: Personal Information Handling Rules

Section 1: Common Provisions

Article 13: Personal information handlers may only handle personal information where they conform to one of the following circumstances:

  1. Obtaining individuals’ consent;
  2. Where necessary to conclude or fulfill a contract in which the individual is an interested party;
  3. Where necessary to fulfill statutory duties and responsibilities or statutory obligations;
  4. Where necessary to respond to sudden public health incidents or protect natural persons’ lives and health, or the security of their property, under emergency conditions;
  5. Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest;
  6. Other circumstances provided in laws and administrative regulations.

Article 14: Consent for handling personal information shall be given by individuals under the precondition of full knowledge, and in a voluntary and explicit statement of wishes. Where laws or administrative regulations provide that specific consent or written consent shall be obtained to handle personal information, those provisions are followed.

Where a change occurs in the purpose of personal information handling, the handling method, or the categories of handled personal information, the individual’s consent shall be obtained again.

Article 15: Where personal information handlers know or should know that the personal information they handle is the personal information of minors who have not reached 14 years of age, they shall obtain the consent of their guardian.

Article 16: Individuals have the right to rescind their consent to personal information handling activities conducted on the basis of individuals’ consent.

Article 17: Personal information handlers may not refuse to provide products or services on the basis that an individual does not consent to the handling of their personal information or rescinds their consent to handle personal information, except where handling personal information is necessary for the provision of products or services.

Article 18: Personal information handlers shall, before handling personal information, explicitly notify individuals of the following items using clear and easily understood language:

  1. The identity and contact method of the personal information handler;
  2. The purpose of personal information handling and handling methods, the categories of handled personal information, and retention period;
  3. Methods and procedures for individuals to exercise the rights provided in this Law;
  4. Other items that laws or administrative regulations provide shall be notified.

Where a change occurs in the matters provided in the previous paragraph, individuals shall be notified about the change.

Where personal information handlers notify the matters as provided in Paragraph I through the method of formulating personal information handling rules, the handling rules shall be public and convenient to read and store.

Article 19: Personal information handlers handling personal information are permitted not to notify individuals about the items provided in the previous Article under circumstances where laws or administrative regulations provide that secrecy shall be preserved or notification is not necessary

Under emergency circumstances, where it is impossible to notify individuals in a timely manner in order to protect natural persons’ lives, health, and the security of their property, personal information handlers shall notify them after the conclusion of the emergency circumstances. 

Article 20: Personal information retention periods shall be the shortest period necessary to realize the purpose of the personal information handling. Where laws or administrative regulations provide otherwise concerning personal information retention periods, those provisions are followed.

Article 21: Where two or more personal information handlers jointly decide on a personal information handling purpose and handling method, they shall agree on the rights and obligations of each. However, said agreement does not influence an individual’s rights to demand any one personal information handler perform under this Law’s provisions.

Where personal information handlers jointly handling personal information harm personal information rights and interests, they bear joint liability according to the law.

Article 22: Where personal information handlers entrust the handling of personal information, they shall conclude an agreement with the entrusted party on the purpose for entrusted handling, the handling method, categories of personal information, protection measures, as well as the rights and duties of both sides, etc., and conduct supervision of the personal information handling activities of the entrusted party.

Entrusted parties shall handle personal information according to the agreement; they may not handle personal information for handling purposes or in handling methods, etc., in excess of the agreement; and after the contract is fulfilled and completed or the entrusting relationship dissolved, return personal information to the personal information handler or delete it.

Without the consent of the personal information handler, an entrust party may not further entrust personal information handling to other persons. 

Article 23: Personal information handlers shall, where it is necessary to transfer personal information due to mergers, separations, and other such reasons, notify individuals about the receiving party’s identity and contact method. The receiving party shall continue to fulfill the personal information handler’s duties. Where the receiving side changes the original handling purpose or handling method, they shall notify the individual again as provided in this Law, and obtain their consent.

Article 24: Where personal information handlers provide third parties with the personal information they handle, they shall notify individuals about the identity of the third party, their contact method, the handling purpose, handling method, and personal information categories, and obtain the specific consent from the individual. Third parties receiving personal information shall handle personal information within the above mentioned scope of handling purposes, handling methods, personal information categories, etc. Where third parties change the original handling purpose or handling methods, they shall notify the individual again as provided in this Law, and obtain their consent.

Where personal information handlers provide anonymized information to third parties, third parties may not use technical or other methods to re-identify individuals.

Article 25: When using personal information to conduct automated decision making, the transparency of the decision making and the fairness and reasonability of the handling result shall be guaranteed. Where an individual believes automated decision making creates a major influence on their rights and interests, they have the right to require personal information handlers to explain the matter, and they have the right to refuse that personal information handlers make decisions solely through automated decision making methods.

Those conducting commercial sales or information push delivery through automated decision making methods, shall simultaneously provide the option to not target an individual’s characteristics.

Article 26: Personal information handlers may not publish the personal information they handle; except where they obtain specific consent from the individual or laws or administrative regulations provide otherwise.

Article 27: The installation of image collection or personal identity recognition equipment in public venues shall occur as required to safeguard public security and observe relevant State regulations, and clear indicating signs shall be installed. Collected personal images and personal identity characteristic information can only be used for the p urpose of safeguarding public security; it may not be published or provided to other persons, except where individuals’ specific consent is contained or laws or administrative regulations provide otherwise.

Article 28: Personal information handlers handling already published personal information shall conform to the purpose at the time said personal information was published; where they exceed a reasonable scope related to said purpose, they shall notify the user according to the provisions of this Law and obtain their consent.

Where the purpose at the time the personal information was published is not clear, personal information handlers shall handle published personal information in a reasonable and cautious manner; for activities using published personal information having a major influence on individuals, the individual shall be notified according to the provisions of this Law, and their consent obtained.

Section 2: Regulations for Handling Sensitive Personal Information

Article 29: Personal information handlers may handle sensitive personal information only for specific purposes and when sufficiently necessary. 

Sensitive personal information means personal information that, once leaked or illegally used, may cause discrimination against individuals or grave harm to personal or property security, including information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking, etc.

Article 30: Where handling sensitive personal information based on individual consent, personal information handlers shall obtain specific consent from the individual. Where laws or administrative regulations provide that written consent is obtained for handling sensitive personal information, those provisions are followed.

Article 31: Where personal information handlers handle sensitive personal information, apart from the requirements of Article 18 of this Law, they shall also notify the individual about the necessity of sensitive personal information handling, as well as the influence on the individual.

Article 32: Where laws or administrative regulations provide that relevant administrative licenses shall be obtained or stricter restrictions imposed for the handling of sensitive personal information, those provisions are followed.

Section 3: Specific Provisions on State Organs Handling Personal Information

Article 33: This Law applies to State organs’ activities of handling personal information; where this Section contains specific provisions, the provisions of this Section apply.

Article 34: State organs handling personal information to fulfill their statutory duties and responsibilities shall conduct them according to the powers and procedures provided in laws or administrative regulations; they may not exceed the scope or extent necessary to fulfill their statutory duties and responsibilities.

Article 35: State organs handling personal information for the purpose of fulfilling statutory duties and responsibilities shall notify individuals according to the provisions of this Law and obtain their consent, except where laws or administrative regulations provide that secrecy shall be protected, or where notification and obtaining consent will impede State organs’ fulfillment of their statutory duties and responsibilities.

Article 36: State organs may not publish the personal information they handle or provide it to other persons, except where laws or administrative regulations provide otherwise or the individual’s consent is obtained.

Article 37: Personal information handled by State bodies shall be stored within the borders of the People’s Republic of China; where it is necessary to provide it abroad, a risk assessment shall be conducted. Relevant departments may be required to provide support and assistance for risk assessments.

Chapter III: Regulations on the Cross-Border Provision of Personal Information 

Article 38: Where personal information handlers need to provide personal information outside the borders of the People’s Republic of China for business or other such requirements, they shall meet at least one of the following conditions:

  1. Passing a security assessment organized by the State cybersecurity and informatization department according to Article 40 of this Law;
  2. Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department;
  3. Concluding an agreement with a foreign receiving party, agreeing on both sides’ rights and obligations, and supervising their personal information handling activities’ satisfaction of the personal information protection standards provided in this Law;
  4. Other conditions provided in laws or administrative regulations or by the State cybersecurity and informatization department.

Article 39: Where personal information handlers provide personal information outside of the borders of the People’s Republic of China, they shall notify the individual about the foreign receiving side’s identity, contact method, handling purpose, handling methods, and personal information categories, as well as ways for individuals to exercise the rights provided in this Law with the foreign receiving side, and other such matters, and obtain individuals’ specific consent.

Article 40: Critical information infrastructure operators and personal information handlers handling personal information reaching quantities provided by the State cybersecurity and informatization department shall store personal information collected and produced within the borders of the People’s Republic of China domestically. Where they need to provide it abroad, they shall pass a security assessment organized by the State cybersecurity and informatization department; where laws or administrative regulations and State cybersecurity and informatization department provisions permit that security assessment not be conducted, those provisions are followed.

Article 41: Where it is necessary to provide personal information outside of the borders of the People’s Republic of China for international judicial assistance or administrative law enforcement assistance, an application shall be filed with the relevant competent department for approval according to the law.

Where the People’s Republic of China has concluded or participates in international treaties or agreements that contain provisions concerning providing personal information outside of the borders of the People’s Republic of China, those provisions are followed.

Article 42: Where foreign organizations or individuals engage in personal information handling acts harming personal information rights and interests of citizens of the People’s Republic of China, or harming the national security or public interest of the People’s Republic of China, the State cybersecurity and informatization department may put them on a list limiting or prohibiting personal information provision, issue a warning, and adopt measures such as limiting or prohibiting the provision of personal information to them, etc.

Article 43: Where any country or region adopts discriminatory prohibitions, limitations or other similar measures against the People’s Republic of China in the area of personal information protection, the People’s Republic of China may adopt retaliatory measures against said country or region on the basis of actual circumstances.

Chapter IV: Individual Rights in Personal Information Processing Activities

Article 44: Individuals have the right to know and the right to decide relating to their personal information, and have the right to limit or refuse the handling of their personal information by others, unless laws or administrative regulations stipulate otherwise. 

Article 45: Individuals have the right to access and copy their personal information from personal information handlers, except in circumstances provided in Article 19 Paragraph I of this Law.  

Where individuals request to access or copy their personal information, personal information handlers shall provide it in a timely manner.

Article 46: Where individuals discover their personal information is incorrect or incomplete, they have the right to request personal information handlers correct or complete their personal information. Where individuals request to correct or complete their personal information, personal information handlers shall verify the personal information and correct or complete it in a timely manner.

Article 47: Personal information handlers shall, actively or based on individual requests, delete personal information where one of the following circumstances occurs:

  1. The agreed retention period has expired, or the handling purpose has been achieved;
  2. Personal information handlers cease the provision of products or services;
  3. The individual rescinds consent;
  4. Personal information handlers handled personal information in violation of laws, administrative regulations, or agreements;
  5. Other circumstances provided by laws or administrative regulations.

Where the retention period provided by laws or administrative regulations has not expired, or personal information deletion is technically hard to realize, personal information handlers shall cease personal information handling.

Article 48: Individuals have the right to request personal information handlers explain personal information handling rules.

Article 49:  Personal information handlers shall establish mechanisms to accept and handle applications from individuals to exercise their rights. Where they reject individuals’ requests to exercise their rights, they shall explain the reason.

Chapter V: The Duties of Personal Information Handlers

Article 50: Personal information handlers shall, on the basis of the personal information handling purpose, handling methods, personal information categories, as well as the influence on individuals, possibly existing security risks, etc., adopt the necessary measures to ensure personal information handling conforms to the provisions of laws and administrative regulations, and prevent unauthorized access as well as personal information leaks or theft, distortion, or deletion:

  1. Formulating internal management structures and operating rules;
  2. Implementing tiered and categorized personal information management;
  3. Adopting corresponding technical security measures such as encryption, de-identification, etc.;
  4. Reasonably determining operational limits for personal information handling, and regularly conducting security education and training for employees;
  5. Formulating and organizing the implementation of personal information security incident response plans;
  6. Other measures provided in laws or administrative regulations.

Article 51: Personal information handlers who handle personal information reaching quantities provided by the State cybersecurity and informatization department shall appoint persons responsible for personal information protection, responsible for conducting supervision of personal information handling activities as well as adopted protection measures, etc.

Personal information handlers shall publish the name, contact methods, etc., of persons responsible for personal information protection, and report them to the departments fulfilling personal information protection duties and responsibilities.

Article 52: Personal information handlers outside the borders of the People’s Republic of China as provided in Article 3 Paragraph II of this Law shall establish a dedicated entity or appoint a representative within the borders of the People’s Republic of China, to be responsible for matters related to the personal information they handle, and will report the name of the relevant entity or the name and contact method, etc., of the representative to the departments fulfilling personal information protection duties and responsibilities.

Article 53: Personal information handlers shall regularly conduct audits of whether or not their personal information handling operations, the protection measures they adopt, etc., conform to the provisions of laws and administrative regulations. The departments fulfilling personal information protection duties and responsibilities may require that personal information handlers entrust specialized entities to engage in audits.

Article 54: Personal information handlers shall conduct a risk assessment in advance of the following personal information handling activities, and record the handling situation:

  1. Handling sensitive personal information;
  2. Using personal information to conduct automated decision making;
  3. Entrusting personal information handling, providing personal information to third parties, or publishing personal information;
  4. Providing personal information abroad;
  5. Other personal information handling activities with a major influence on individuals.

The risk assessment content shall include:

  1. Whether or not the personal information handling purpose, handling method, etc., are lawful, legitimate, and necessary;
  2. The influence on individuals and the degree of risk;
  3. Whether or not the adopted security protection measures are lawful, effective, and suited to the degree of risk.

Risk assessment reports and handling status records shall be preserved for at least three years.

Article 55: Where personal information handlers discover a personal information leak, they shall immediately adopt remedial measures, and notify the departments fulfilling personal information protection duties and responsibilities and the individuals. The notification shall include the following items:

  1. The cause of the personal information leak;
  2. The categories of leaked personal information and the harm that may be created;
  3. Adopted remedial measures;
  4. Measures individuals may adopt to mitigate harm;
  5. Contact method of the personal information handler.

Where personal information handlers adopt measures that are able to effectively avoid harm created by information leaks, personal information handlers are permitted to not notify individuals; however, where departments fulfilling personal information protection protection duties and responsibilities believe a personal information leak may create harm to individuals, they may require personal information handlers to notify individuals.

Chapter VI: Departments Fulfilling Personal Information Protection Duties and Responsibilities.

Article 56: The State cybersecurity and informatization department is responsible for comprehensive planning and coordination of personal information protection work and related supervision and management work. Relevant State Council departments are responsible for personal information protection, supervision, and management work within their respective scope of duties and responsibilities, according to the provisions of this Law and relevant laws and administrative regulations.

County-level and higher People’s Governments’ relevant departments’ personal information protection, supervision and management duties and responsibilities are determined according to relevant State regulations. 

Departments provided in the previous two Paragraphs are jointly named departments fulfilling personal information protection duties and responsibilities.

Article 57: Departments fulfilling personal information protection duties and responsibilities fulfill the following personal information protection duties and responsibilities:

  1. Conducting personal information protection propaganda and education, and guiding and supervising personal information handlers’ conduct of personal information protection work;
  2. Accepting and handling personal information protection-related complaints and reports;
  3. Investigating and handling unlawful personal information handling activities;
  4. Other duties and responsibilities provided in laws or administrative regulations.

Article 58: The State cybersecurity and informatization department and relevant State Council departments, according to their duties, responsibilities, and powers, organize the formulation of personal information protection-related rules and standards, advance the construction of a socialized service system for personal information protection, and support relevant organs in conducting personal information protection assessment and certification services.

Article 59: When departments fulfilling personal information protection duties and responsibilities fulfill personal information protection duties and responsibilities, they may adopt the following measures:

  1. Interviewing relevant concerned parties, investigating circumstances related to personal information handling activities;
  2. Consulting and reproducing a concerned party’s contracts, records, receipts as well as other relevant material related to personal information handling activities;
  3. Conducting on-side inspections, conducting investigations of suspected unlawful personal information handling activities;
  4. Inspecting equipment and goods related to personal information handling activities; equipment and goods related to personal information activities where there is evidence to prove they are unlawful may be sealed or confiscated.

Where departments fulfilling personal information protection duties and responsibilities fulfill their duties and responsibilities according to the law, concerned parties shall provide assistance and cooperation, and they may not obstruct or impede them.

Article 60: Where departments fulfilling personal information protection duties and responsibilities discover relatively large risks exist in personal information handling activities or personal information security incidents occur, they may conduct a talk with said personal information handler’s legal representative or main responsible persons according to regulatory powers and procedures. Personal information handlers shall adopt measures according to requirements to correct the matter and eliminate the vulnerability.

Article 61: Any organization or individual has the right to file a complaint or report about unlawful personal information handling activities with departments fulfilling personal information protection duties and responsibilities. Departments receiving complaints or reports shall handle them promptly and according to the law, and notify the complaining or reporting person of the handling outcome. Departments fulfilling personal information protection duties and responsibilities shall publish contact methods to accept complaints and reports.

Chapter 7: Legal Liability 

Article 62: Where personal information is handled in violation of this Law or personal information is handled without adopting necessary security protection measures in accordance with regulations, the departments fulfilling personal information protection duties and responsibilities orders correction, confiscate unlawful income, and issue a warning; where correction is refused, a fine of not more than 1 million Yuan is additionally imposed; the directly responsible person in charge and other directly responsible personnel are fined between 10,000 and 100,000 Yuan.

Where the circumstances of the unlawful acts mentioned in the preceding Paragraph are grave, the departments fulfilling personal information protection duties and responsibilities order correction, confiscate unlawful income, and impose a fine of not more than 50 million Yuan, or 5% of annual revenue. They may also order the suspension of related business activities, cessation of business for rectification, and report to the relevant competent department for cancellation of corresponding professional licenses or cancellation of business permits. The directly responsible person in charge and other directly responsible personnel are fined between 100,000 and 1 million Yuan.

Article 63: Where unlawful acts as provided in this law occur, they will be entered into credit files as provided by relevant laws and administrative regulations, and be published.

Article 64: Where State organs fail to fulfill the personal information protection duties as provided in this Law, their superior organs or the departments fulfilling personal information protection duties and responsibilities shall order correction; the directly responsible person in charge and other directly responsible persons will be disciplined according to the law.

Article 65: Where personal information rights and interests are infringed due to personal information handling activities, the personal information handler is liable for compensating individuals for the loss they suffered or the benefit obtained by the personal information handler; where it is difficult to determine the losses suffered by the individual or the benefits obtained by the personal information handler, a People’s Court shall determine the amount of compensation according to the actual situation. Where a personal information handler is able to prove that they are not at fault, they may be relieved or exempted from liability.

Article 66: Where personal information handlers handle personal information in violation of the provisions of this Law, infringing on the rights and benefits of many individuals, the People’s Procuratorates, departments fulfilling personal information protection duties and responsibilities, and the State cybersecurity and informatization department may file a lawsuit with a People’s Court according to the law. 

Article 67: Where a violation of the provisions of this Law constitutes a violation of public security management, public security management punishment shall be imposed according to the law; where it constitutes a crime, criminal liability is investigated according to the law.

Chapter VIII: Supplementary Provisions

Article 68: This law does not apply where a natural person handles personal information for personal or household affairs.

Where laws contain provisions on the personal information handling in the process of statistical or archival  management activities organized and implemented by all levels’ People’s Governments and relevant departments, those provisions are followed.

Article 69: The following terms of this Law are defined as follows:

  1. “Personal information handler” refers to organizations and individuals that autonomously determine handling purposes, handling methods, and other such personal information handling matters.  
  2. “Automated decision making” refers to activities that use personal information to automatically analyze, assess, and decide, via computer programs, individual behaviors and habits, interests and hobbies, or situations relating to finance, health, or credit status.
  3. “De-identification” refers to the process of personal information undergoing handling to ensure it is impossible to identify specific natural persons without support of additional information.
  4. “Anonymization” refers to the process of personal information undergoing handling to make it impossible to distinguish specific natural persons and impossible to restore.

Article 70: This Law enters into force on [day, month, year].