Dec. 14, 2020
This article is part of the DigiChina Project, based at the Stanford University Cyber Policy Center and a joint effort with New America.
The Chinese government in October released the long-awaited draft of its comprehensive privacy law, the Personal Information Protection Law (PIPL). DigiChina’s full English translation is here. As a whole, the draft PIPL largely follows mainstream global approaches to personal data protection, adopting many elements common to other privacy laws, such as notice-and-consent, individual rights, and a comprehensive set of data governance duties for personal information handlers. Notably, it also briefly addresses some still emerging topics in privacy law, such as algorithmic transparency and facial recognition. And it restricts processing of personal information that has already been made public, limiting further use of such data to the scope of use for which the data was originally made public. The draft PIPL is a crucial piece for China’s data governance legal regime, and although it is still subject to revision, it provides insight into the evolving process and potential future directions of Chinese regulation.
Precursors to the Personal Information Protection Law
The draft PIPL’s legislative history can be traced back to as early as 2003, when the State Council assigned the job of brainstorming a Chinese privacy law to the Institute of Law at the Chinese Academy of Social Sciences. After a thorough study of privacy laws from the European Union and many countries, including the United States, Japan, South Korea, and Canada, the Chinese scholars, led by Zhou Hanhua, prepared an earlier draft PIPL in 2005, seeking to establish a framework built upon the experiences of other countries but tailor-made for China’s political and social realities. Unfortunately, for various reasons, that effort didn’t make it to the National People’s Congress (NPC) for an official legislative process. Fifteen years later, the latest draft PIPL released for comment by the NPC’s legislative team has emerged in a different technological environment and amidst an already burgeoning domestic data governance regime.
Currently, China’s Cybersecurity Law is the most common reference point in Chinese privacy law. This milestone law, which came into force in June 2017, was in its own words enacted to “ensure cybersecurity; safeguard cyberspace sovereignty and national security, and social and public interests; protect the lawful rights and interests of citizens, legal persons, and other organizations; and promote the healthy development of the informatization of the economy and society” (Article 1). With its emphasis on cybersecurity, national security, and national interests, the Cybersecurity Law is one of three recent pillars framing China’s national security legal regime, together with the National Security Law and the Anti-Terrorism Law. Still, it is also a significant piece of China’s data governance regime.
As this DigiChina timeline shows, prior to the Cybersecurity Law, China already had quite a few sectoral laws addressing personal information protection, with differing levels of detail and stringency, in areas such as finance, credit reporting, telecommunications, internet, healthcare, e-commerce, and postal services. China also criminalizes certain privacy-relevant behaviors, including the illegal sale or provision of personal information, or refusal by a network service provider to fulfill its administrative duties to maintain information network security under circumstances specified in the Criminal Law.
Since enactment of the Cybersecurity Law, China has accelerated the establishment of a broader data governance regime, issuing or proposing numerous supporting or related regulations, as well as national standards, to help implement the Cybersecurity Law. Among these are a special regulation on children’s personal data, a draft regulation on security assessment for the cross-border transfer of personal data, and the Personal Information Security Specification (a national standard that, while technically nonbinding, exerts great influence on companies doing business in China).
In the summer of 2020, shortly before the draft PIPL was released, the Chinese government released a draft Data Security Law, seeking to strengthen its data governance by establishing a detailed system of data security rules, with an emphasis on national security and national interests. Along this path, the government has also shown a strong drive to reduce and penalize abusive personal data practices by businesses through various interagency actions.
In May 2020, China passed the Civil Code, a foundational legal instrument composed of 1,260 articles that codify detailed legal rules related to almost all civil and commercial matters, including property, contracts, personal rights, family, inheritance, and torts. The new Civil Code dedicates a whole chapter to the protection of privacy rights and personal information, protecting them as a foundational civil right and setting the stage for the Personal Information Protection Law.
How will the Personal Information Protection Law tie other Chinese data laws together?
From the Cybersecurity Law and the Civil Code, to the draft Data Security Law and this new draft PIPL, the Chinese government is weaving a foundational framework of laws constituting a data governance regime, at the very least indicating the broad strokes of what is to be regulated. The evolution of this framework so far indicates a legislative willingness to absorb and align with global trends in privacy law. On the other hand, China clearly faces challenges in harmonizing both new and existing laws and regulations where they intersect.
The Cybersecurity Law and the Civil Code both have dedicated chapters mainly focused on personal information protection, and the draft Data Security Law would regulate security matters related to all data activities in China, which also includes those around personal data. Under China’s legislative hierarchy, the draft PIPL would have the same level of authority as the Cybersecurity Law and the future Data Security Law, but its position relative to the Civil Code would be a bit more tricky.
Whether conceptually or in their specific provisions, the overlaps are numerous. Data security is an element of cybersecurity, and both laws are framed heavily in relation to national security. While data security is also an indispensable element of personal information protection, data security looks different through the lens of safeguarding individual privacy versus the lens of defending national security. Personal information protection in China today is largely regulated through administrative regulatory tools, but it is also a civil law issue as highlighted in the Civil Code. This systemic complexity is not unique to China, but the draft PIPL reveals the challenges China faces when it comes to consistency and compatibility among its data laws. Although the Chinese government is learning fast from world trends, it still has limited legislative capacity in this field compared to some leading jurisdictions such as the European Union, and seems to be struggling to balance the instinct of strong government control, an awareness of increasing public grievances against rampant personal data abuse, and the desire to nurture the new digital economy.
For example, in the Cybersecurity Law, legitimacy of collection and use of personal information hinges entirely on consent. The later Civil Code, however, expressly allows personal data processing in pursuance of other laws and regulations, not exclusively with consent. Article 13 of the draft PIPL then gives five specific lawful bases to allow personal data processing, including consent, plus the catch-all clause, “other circumstances provided in laws and administrative regulations.” In contrast to the Cybersecurity Law’s rigidly restrictive approach, the draft PIPL obviously is more flexible, and in that way it is also more consistent with other major privacy laws such as the European Union’s General Data Protection Regulation (GDPR). On the other hand, the draft PIPL would expand data localization requirements beyond the “critical information infrastructure” (CII) operators covered in the Cybersecurity Law, requiring non-CII operators in general to store personal data locally if the amount of such data reaches certain thresholds set by the government (Article 40).
The PIPL draft and the Cybersecurity Law have several other overlaps and tensions. For example, Article 24 of the draft PIPL would require data handlers to fully disclose and obtain individuals’ specific consent for sharing their data with third parties. A similar requirement is also present in Article 42 of the Cybersecurity Law, which says “network operators”—a category defined so broadly that it includes almost every business entity in China that uses a network—shall not provide personal information to others without consent of the data subject. If these provisions were enforced, they could lead to a huge compliance burden for businesses, particularly large companies that engage hundreds of third-party vendors on matters that involve the personal data of employees, job applicants, customers, users, etc. As drafted, Article 24 of the PIPL may also conflict with Article 13 in the same draft, which allows data processing without consent for certain other purposes that could entail personal information sharing with third parties. Fixing this tension within the PIPL draft by removing the consent requirement from Article 24, however, would then put the PIPL in tension with the Cybersecurity Law.
The PIPL’s potential interactions with the Civil Code are another puzzle. The Civil Code is a foundational civil law. It protects individual rights relating to personal information as a civil right, which technically grants private rights of action, allowing people to sue those who mishandle their personal data in violation of the Civil Code. Pivoting around the term “personal information rights and interests (个人信息权益)” that in Chinese emphasizes the facet of “interests” rather than “rights” on personal information, the draft PIPL only vaguely addresses the civil rights issue. Whether these two laws would function separately or jointly in future privacy law cases is not yet clear. Currently, the draft PIPL defines “personal information” in a more expansive way than the Civil Code. And while the Civil Code in general gives a free pass to process personal information that has already been legally disclosed in the public domain, the new draft PIPL, in a more protective manner, restricts processing to the reasonable scope of the use for which the information initially entered the public domain. The Civil Code also includes the concept of “private information (私密信息) within personal information” (Article 1034), which is not mentioned in the draft PIPL. The draft PIPL follows the usual international privacy law approach of only distinguishing sensitive personal data from non-sensitive personal data.
While issues like these could potentially be explained away through a nuanced application of China’s principles and rules for solving conflicts of laws, or ironed out through regulators’ selective enforcement, this kind of complicated overlap with subtle differences in wording is not rare in China’s data governance regime. This produces much uncertainty, with practical impact on many entities struggling and obliged to comply with “all applicable laws.”
China’s Personal Information Protection Law and the World
These days, China’s government is increasingly assertive on the global stage. In early September, it launched its own “Global Data Security Initiative,” to help write the global standards on data security. This ambition to be among global rule makers is also present in the draft PIPL, which states that China will actively engage in the global rule-making on personal information protection.
Other provisions of the draft reflect the government’s willingness to extend elements of its data governance regime beyond Chinese territory. The draft PIPL largely follows an approach to extraterritorial applicability similar to that of many countries’ privacy laws, including the GDPR, but it is broader, providing potentially expansive legal grounds to regulate foreign entities if authorized by other Chinese “laws or administrative regulations” (Article 3). In Chapter 3, which covers cross-border data transfer, the draft law addresses this issue in multiple layers. Recognizing business needs to transfer data abroad, the draft PIPL provides several legal bases to do so: passing a government security review, getting certified by certain institutions, using a contractual arrangement, or as permitted by other laws and rules. But if the data is generated by CII operators or the amount of the data to be processed by non-CII operators reaches certain thresholds, as mentioned above, a heightened set of legal requirements applies, tilting toward data localization as a default. The draft law also addresses how it will handle requests by international law enforcement for data located in China, regardless of whether the entities hosting the data are domestic or foreign. The government could restrict or forbid foreign organizations from handling personal data of Chinese citizens if they harm the personal information rights and interests of Chinese citizens or threaten the national security or public interest. Lastly, similar to the draft Data Security Law, the draft PIPL authorizes countermeasures against any country that “adopts discriminatory prohibitions, limitations, or other similar measures” against China with respect to personal information protection (Article 43).
Although these provisions are alarming to some, many uncertainties remain about how and to what extent they will be implemented, if they are enacted. As is often the case in Chinese laws, as opposed to lower-level implementing rules and standards, the language tends to be broad and vague, leaving plenty of wiggle room for interpretation and enforcement, along with the flexibility for further refinement through implementing rules and standards when the government deems the timing right. Chinese regulators would also have a lot of work to do to be able to meaningfully enforce these provisions, such as establishing a well-balanced security review system for cross-border data transfer, a powerful and effective mechanism to cut the long-arm reach of certain foreign laws such as the U.S. CLOUD Act, and the robust regulatory capability to decide when to condemn treatment by a foreign government as constituting “discriminatory” measures against China and what potentially far-reaching countermeasures to take. Moreover, before the Cybersecurity Law, the numerous sectoral laws and rules designed to protect personal information were rarely enforced, and the Cybersecurity Law itself has also been selectively enforced and only partially implemented. Nevertheless, the mere existence of these provisions in a final law would be a significant presence in the digitally interconnected world, adding another strong current to the tumultuous seas of data governance, particularly in light of the recent Schrems II decision from the EU that already casts a shadow over global data transfer to China, as well as the Chinese government’s ambition to play a more active role in shaping the international norms of data governance.
Before this draft law can be enacted, however, it has several processes to pass through, and it might be modified substantially. The public comment period for this draft closed on November 19. Normally the legislative process requires two more rounds of official review and discussion by the legislative body, the Standing Committee of the NPC, before a potentially revised draft PIPL can be put to a vote by the full NPC. The timeline for this process is not clear. But since the PIPL has appeared on the government’s list of legislation planned for deliberation between 2018 and 2023, we can expect this law to be passed during this period, possibly very soon.
The author thanks Graham Webster for valuable comments and editing. All views and words expressed only represent the personal opinions of the author.