On 20 August2021, the Standing Committee of the Chinese National People’s Congress approved the new Personal Information Protection Law. The law will take effect from 1 November 2021 and it is regarded as the first comprehensive law on data protection in China.
It should be kept in mind that this law is placed in a broader context that is radically different from that of GDPR. The Chinese personal information law has a relevant political and military aim, as it is part of the cyber strategy of China. The cyber strategy of China itself, in turn, is part of the much broader strategy for controlling space. Thus regulating personal data is on the same level of military operation across the domains of land, sea and air, which it includes, for example, also satellite, cybersecurity and information warfare (including propaganda).
The consequence is that, while it regulates those who handle data in China, the central government reserves complete access to and usage of data.
The text itself learnt from the GDPR experience: “personal data” (ironically, in an American semantic, “personal information”) has a similar definition, the same for “processing”, controller and processor (called respectively “personal information processing entity” and “entrusted party”). Data breaches are called “data leaks” like in the USA.
An interesting slight divergence is the definition of sensitive information: a data is considered sensitive only if, once leaked or illegally used, is able to cause harm to a data subject’s dignity or to personal and property security. Thus such definition includes all the main points of GDPR and financial data (this, is interesting to note, is similar to what the new California Privacy Rights Act shall include). The minimum age is set at 14.
Territorial scope, representative obligation, legal basis and rights are fairly similar to GDPR. It is interesting to point out that the public disclosure of personal data is seen as sufficient enough to process them, within a reasonable scope. Another broad point is a semi-open clause to processing data according to other circumstances required by laws. Also, while the rights are the same of GDPR (with just some minor changes to data portability), a main difference is that the Chinese law allows lawsuit in relation to a refusal of a right execution and sets forth rules for the burden of proof in such cases. It will be interesting to see if China is going to follow the European practices or develop its own.
Regarding international transfer of data and data protection impact assessment, the GDPR experience has been taken into account, even if according to the peculiar political situation of China: in the first case, the law prescribes rules for localisation in China of a copy of data processed by critical information infrastructure. This is, on a certain extent, similar to the localisation required by the personal data law of Russia. Regarding the assessment, the situations that trigger such obligation are broader than those of GDPR (for example, it is required every time there is planned transfer overseas, although this reminds the new obligation under Schrems II).
Last, sanctions are substantially the same of GDPR. The limits are set at RMB 50M (around EUR 6.5M) or up to 5% of the annual turnover. However, two extremely relevant differences are that the violation may be recorded into the credit file under the controversial national social credit system (which regulates the life of a person in China in an extensive way) and, if a certain threshold is reached, the public prosecutor may start a public interest lawsuit.
Given the law, it is unlikely that it will receive an adequacy decision, however, it is surely a relevant step into the data protection shift that the world is seeing.