Comments Sought on the Personal Information Protection Law (Draft)

By Todd KuhnsLast Updated on Oct 21, 2020
Comments Sought on the Personal Information Protection Law (Draft)

Release Date: 10-21-2020 (draft, seeking input)

Source: PRC State Council Website (Full text of draft law)

Chinese Title: 个人信息保护法(草案)征求意见

The 22nd Session of the Standing Committee of the 13th National People’s Congress of the People’s Republic of China has deliberated on the Personal Information Protection Law of the People ‘s Republic of China (Draft). The public may directly visit the website of the National People’s Congress (www.npc.gov.cn) to give their comments, or send their comments by post to the Legislative Affairs Commission of the Standing Committee of the National People’s Congress (No.1 Qianmen West Street, Xicheng District, Beijing, zip code: 100805. Please clearly indicate words “comments sought on the Personal Information Protection Law (Draft)” on the envelope. The deadline for soliciting comments is 19 November 2020.

Personal Information Protection Law of the People’s Republic of China (Draft)

Table of Contents

  Chapter I General Provisions

  Chapter II Rules for Processing Personal Information

    Section 1 General Provisions

    Section 2 Rules for Processing Sensitive Personal Information

    Section 3 Special Provisions on Processing Personal Information by State Organs

  Chapter III Rules for Cross-border Provision of Personal Information

  Chapter IV Rights of Individuals in Activities of Processing Personal Information

  Chapter V Obligations of Personal Information Processors

  Chapter VI Departments Performing the Duties of Personal Information Protection

  Chapter VII Legal Liability

  Chapter VIII Supplementary Provisions

Chapter I General Provisions

Article 1 This Law is enacted in order to protect the personal information rights and interests, regulate the processing of personal information, ensure the orderly and free flow of personal information in accordance with the law and promote the reasonable use of personal information.

Article 2 The personal information of any natural person shall be protected by law, and no organization or individual may infringe upon the personal information rights and interests of any natural person.

Article 3 This Law shall apply to the activities carried out by organizations and individuals in processing the personal information of natural persons within the territory of the People’s Republic of China.This Law shall also apply to the activities carried out outside the territory of the People’s Republic of China to process the personal information of natural persons within the territory of the People’s Republic of China outside the territory of the People’s Republic of China under any of the following circumstances:

(I) where the purpose is to provide products or services to domestic natural persons;

(II) where the purpose is to analyze and evaluate the activities of domestic natural persons; and

(III) other circumstances provided by laws and administrative regulations.

Article 4 Personal information refers to various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.Processing of personal information includes the collection, storage, use, processing, transmission, provision and publication of personal information.

Article 5 Personal information shall be processed in a lawful and proper manner and in accordance with the principle of good faith. Personal information shall not be processed by fraud, misleading or other means.

Article 6 Processing of personal information shall be for a definite and reasonable purpose and shall be limited to the minimum scope for achieving the purpose of processing. Personal information shall not be processed for any purpose irrelevant to the purpose of processing.

Article 7 Processing of personal information shall follow the principles of openness and transparency and expressly indicate the rules for processing personal information.

Article 8 To achieve the purpose of processing, the personal information processed shall be accurate and updated in a timely manner.

Article 9 Personal information processors shall be responsible for their processing of personal information and take necessary measures to ensure the security of the personal information processed.

Article 10 No organization or individual may process personal information in violation of laws and administrative regulations or engage in the processing of personal information that endangers the national security or public interests.

Article 11 The State establishes a sound personal information protection system, prevent and punish the infringement of personal information rights and interests, strengthen the publicity and education on personal information protection, and promote the formation of a good environment for the government, enterprises, relevant industrial organizations and the public to jointly participate in personal information protection.

Article 12 The State actively participates in the formulation of international rules for personal information protection, promote the international exchange and cooperation in personal information protection, and drive the mutual recognition of the rules and standards for personal information protection with other countries, regions and international organizations.

Chapter II Rules for Processing Personal Information

Section 1 General Provisions

Article 13 Only under any of the following circumstances may a personal information processor process personal information:

(I) where the consent of the individual concerned is obtained;

(II) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party;

(III) where it is necessary for the performance of statutory duties or statutory obligations;

(IV) where it is necessary for coping with public health emergencies or for the protection of the life, health and property safety of a natural person; and

(V) where processing personal information within a reasonable scope is to carry out such activities as news reporting and supervision by public opinions for the public interest; and

(VI) other circumstances provided by laws and administrative regulations.

Article 14 The consent to process personal information of an individual shall be a clear and voluntary declaration of intent under the premise of full knowledge of the individual. If laws and administrative regulations provide that the processing of personal information shall be subject to the individual’s separate consent or written consent, such provisions shall prevail.If the purpose or method of processing personal information or the type of personal information to be processed changes, the individual’s consent shall be obtained again.

Article 15 If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s guardian.

Article 16 An individual has the right to withdraw his/her consent to the processing of personal information based on his/her consent.

Article 17 A personal information processor shall not refuse to provide products or services on the grounds that the individual does not agree to process his/her personal information or withdraws his/her consent to process personal information, unless the processing of personal information is necessary for providing products or services.

Article 18 Prior to processing personal information, a personal information processor shall inform the individual of the following matters in an eye-catching manner and with clear and understandable language:

(I) the identity and contact information of the personal information processor;

(II) the purpose and method of processing personal information, and the type and retention period of the processed personal information;

(III) the method and procedure for the individual to exercise the rights provided herein; and

(IV) other matters to be notified in accordance with the provisions of laws and administrative regulations.If any of the matters provided in the preceding paragraph is changed, the individual shall be notified of such change.

If a personal information processor notifies the matters provided in Paragraph 1 by formulating rules for processing personal information, such rules shall be open to the public for easy access and storage.

Article 19 When processing personal information, a personal information processor may not notify the individual of the matters provided for in laws and administrative regulations where confidentiality shall be kept or it is not necessary to notify the individual of the matters provided for in the preceding article.In case of emergency, it is unable to timely inform the individual to protect the life, health and property safety of natural persons, the personal information processor shall inform the individual in time after elimination of emergency.

Article 20 The retention period of personal information shall be the minimum period necessary for achieving the purpose of processing. Where the retention period of personal information is otherwise provided for in laws and administrative regulations, such provisions shall prevail.

Article 21 Where two or more personal information processors jointly determine the purpose and method of processing personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual’s right to exercise the rights provided for in this Law against any of the personal information processors.Where personal information processors jointly processing personal information infringe upon personal information rights and interests, they shall bear joint and several liabilities in accordance with the law.

Article 22 Where a personal information processor entrusts others to process personal information, it shall agree with the entrusted party on the purpose and method of entrusted processing, type and protection measures of personal information as well as the rights and obligations of both parties, and supervise the personal information processing activities of the entrusted party.The entrusted party shall process personal information as agreed and shall not process personal information beyond the agreed purpose and method of processing and shall return personal information to the processor or delete personal information after the contract is performed or the entrustment relationship is rescinded.

Without the consent of the personal information processor, the entrusted party shall not re-entrust others to process personal information.

Article 23 Where a personal information processor needs to transfer personal information due to merger, division or other reasons, it shall inform the individual of the identity and contact information of the recipient. The recipient shall continue to perform its obligations as a personal information processor. Where the recipient changes the original purpose and method of processing, it shall inform the individual and obtain the individual’s consent anew in accordance with this Law.

Article 24 Where a personal information processor provides a third party with the personal information it processes, it shall inform the individual of the identity and contact information of the third party, purpose and method of processing and type of personal information, and shall obtain his/her separate consent. The third party receiving personal information shall process personal information within the scope of the above purpose and method of processing and type of personal information. Where the third party changes the original purpose and method of processing, it shall inform the individual and obtain his/her consent again in accordance with this Law.Where a personal information processor provides anonymous information to a third party, the third party shall not re-identify the individual by such means as technology.

Article 25 Where personal information is used to make automatic decision, the transparency of decision-making and the fairness and reasonableness of processing results shall be ensured. Where an individual believes that automatic decision -making has a significant impact on his/her rights and interests, he/she has the right to require the personal information processor to give an explanation, and to reject the decision made by the personal information processor only through automatic decision -making.Where business marketing and information push are carried out through automatic decision -making, options not based on his/her personal characteristics shall be provided at the same time.

Article 26 A personal information processor shall not publicize the personal information it processes, unless the individual’s consent is obtained, or it is otherwise required by laws and administrative regulations.

Article 27 Image capturing and personal identification equipment installed in public places shall be necessary for maintaining public security, comply with relevant provisions of the State, and conspicuous prompting signs shall be installed. Personal images and personal identity feature information collected may only be used for the purpose of maintaining public security, and may not be publicized or provided to others, unless the individual’s consent is obtained, or it is otherwise required by laws and administrative regulations.

Article 28 The processing of any disclosed personal information by a personal information processor shall conform to the purposes for which such personal information is disclosed; where such processing is beyond the reasonable scope relating to the purposes, the personal information processor shall inform the individual concerned and obtain his/her consent in accordance with this Law.Where the purposes for which personal information is disclosed are not clear, the personal information processor shall process the disclosed personal information in a reasonable and prudent manner; where such personal information is used to engage in the activities that have great impact on the individual concerned, the personal information processor shall inform the individual and obtain his/her consent in accordance with this Law.

Section 2 Rules for Processing Sensitive Personal Information

Article 29 A personal information processor may not process sensitive personal information unless it has a specific purpose and sufficient necessity.Sensitive personal information refers to the personal information that may lead to discrimination or serious harm to personal or property safety once disclosed or illegally used, including such information as race, ethnicity, religious belief, personal biological characteristics, medical health, financial accounts and personal whereabouts.

Article 30 Where the processing of sensitive personal information of an individual is subject to the individual’s consent, the personal information processor shall obtain the individual’s consent. Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to written consent, such provisions shall prevail.

Article 31 For the processing of sensitive personal information of an individual, the personal information processor shall inform the individual of the necessity of processing sensitive personal information and the impacts on the individual, in addition to the matters prescribed in Article 18 hereof.

Article 32 Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to relevant administrative permission or stricter restriction, such provisions shall prevail.

Section 3 Special Provisions on Processing Personal Information by State Organs

Article 33 This Law shall apply to the activities of a State organ to process personal information; where there are special provisions in this Section, the provisions of this Section shall apply.

Article 34 The processing of personal information by a State organ for the purpose of performing its statutory duties shall be under the authority and procedures prescribed by laws and administrative regulations and shall not exceed the scope and limit necessary for performing its statutory duties.

Article 35 A State organ processing personal information for the purpose of performing its statutory duties shall inform the individual concerned and obtain his/her consent in accordance with this Law, unless laws and administrative regulations provide that confidentiality shall be maintained, or the notification and obtaining of consent will hinder the State organ from performing its statutory duties.

Article 36 No State organ may publicize or provide others with the personal information it processes, unless laws and administrative regulations otherwise provide or the consent of the individual is obtained.

Article 37 The personal information processed by a State organ shall be stored within the territory of the People’s Republic of China; where it is necessary to provide such information to an overseas party, a risk assessment shall be conducted. Relevant departments may be required to provide support and assistance for risk assessment.

Chapter III Rules for Cross-border Provision of Personal Information

Article 38 Where a personal information processor needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall at least meet any of the following conditions:

(I) where it has passed the security assessment organized by the State cyberspace administration in accordance with Article 40 hereof;

(II) where it has been certified by a specialized in accordance with the provisions of the State cyberspace administration in respect of the protection of personal information;

(III) where it has concluded a contract with an overseas recipient specifying the rights and obligations of both parties and has supervised the recipient’s processing of personal information to ensure that the recipient’s processing meets the standards for protection of personal information as prescribed herein; or

(IV) where it has satisfied other conditions prescribed by laws, administrative regulations or the State cyberspace administration.

Article 39 Where a personal information processor provides personal information of an individual to a party outside the territory of the People’s Republic of China, it shall inform the individual of such matters as the identity of the overseas recipient, contact information, purpose and method of processing, type of personal information and the way for the individual to exercise the rights prescribed herein against the overseas recipient, and shall obtain the individual’s separate consent.

Article 40 Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the State cyberspace administration shall store the personal information collected and generated within the territory of the People’s Republic of China within the territory of China. If it is indeed necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organized by the State cyberspace administration; if laws, administrative regulations or the provisions of the State cyberspace administration provide that the security assessment is not required, such provisions shall prevail.

Article 41 Where it is necessary to provide personal information outside the territory of the People’s Republic of China due to international judicial assistance or administrative enforcement assistance, an application shall be filed with the competent authority for approval in accordance with the law.Where the international treaties or agreements concluded or acceded to by the People’s Republic of China contain provisions on the provision of personal information outside the territory of the People’s Republic of China, such provisions shall prevail.

Article 42 For any overseas organization or individual whose personal information processing activities damage the personal information rights and interests of citizens of the People’s Republic of China, or endanger the national security or public interests of the People’s Republic of China, the State cyberspace administration may include such overseas organization or individual in the list of restricted or prohibited provision of personal information, announce the same, and take measures such as restricting or prohibiting provision of personal information to such overseas organization or individual.

Article 43 Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People’s Republic of China in respect of the protection of personal information, the People’s Republic of China may, as the case may be, take corresponding measures against such country or region.

Chapter IV Rights of Individuals in Activities of Processing Personal Information

Article 44 An individual has the right to know and make decisions on the processing of his/her personal information, and the right to restrict or refuse others to process his/her personal information, unless otherwise provided for by laws and administrative regulations.

Article 45 An individual is entitled to consult or copy his/her personal information from a personal information processor, except for the circumstances as prescribed in Paragraph 1 of Article 19 herein.Where an individual requests to consult or copy his/her personal information, the personal information processor shall provide such information in a timely manner.

Article 46 Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information processor to make corrections or supplements.Where an individual requests for corrections or supplements to his/her personal information, the personal information processor shall make verification and make corrections or supplements to such information in a timely manner.

Article 47 Under any of the following circumstances, a personal information processor shall delete personal information on its own initiative or at the request of the individual concerned:

(I) where the agreed storage period has expired or the purpose of processing the personal information has been achieved;

(II) where the personal information processor stops providing products or services;

(III) where the individual withdraws his/her consent;

(IV) where the personal information processor processes personal information in violation of laws, administrative regulations or the agreement; or

(V) any other circumstance as prescribed by laws and administrative regulations.Where the storage period as prescribed by laws and administrative regulations does not expire, or the deletion of personal information is difficult to be realized technically, the personal information processor shall stop processing personal information.

Article 48 An individual is entitled to request the personal information processor to explain the rules on processing of personal information.

Article 49 A personal information processor shall establish a mechanism for accepting and processing applications for exercising personal rights by individuals. Where an individual’s request for exercising personal rights is rejected, the reasons shall be stated.

Chapter V Obligations of Personal Information Processors

Article 50 A personal information processor shall, according to the purpose and method of processing personal information, type of personal information, impact on personal information and possible security risk, etc., take necessary measures to ensure the compliance of personal information processing activities with provisions of laws and administrative regulations, and prevent unauthorized visit, theft, falsification and deletion of personal information:

(I) formulating internal management system and operational procedures;

(II) managing personal information by hierarchical classification;

(III) taking corresponding technical security measures such as encryption and de-identification;

(IV) reasonably determining the authority to process personal information and conduct security education and training for employees on a regular basis;

(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and

(VI) other measures as prescribed by laws and administrative regulations.

Article 51 Where the quantity of personal information processed by a processor reaches that specified by the state cyberspace administration, the processor shall designate a person in charge of personal information protection to be responsible for supervising the processing of personal information and the adopted protection measures.A personal information processor shall make public the name and contact information of the person in charge of personal information protection and submit the same to the department performing duties of personal information protection.

Article 52 Any personal information processor outside the territory of the People’s Republic of China as prescribed in Paragraph 2, Article 3 hereof shall establish a special agency or designate a representative within the territory of the People’s Republic of China to be responsible for relevant matters of personal information protection, and submit the name and contact information of relevant agency or the representative to the department performing duties of personal information protection.

Article 53 A personal information processor shall regularly audit whether its processing of personal information and the adopted protection measures are in compliance with provisions of laws and administrative regulations. The department performing duties of personal information protection is entitled to require any personal information processor to entrust a specialized agency to conduct audit.

Article 54 A personal information processor shall assess the risks of the following personal information processing activities in advance and keep a record of the processing:

(I) processing sensitive personal information;

(II) making use of personal information to make automatic decision;

(III) entrusting others to process personal information, providing third parties with personal information and publicizing personal information;

(IV) providing personal information to overseas parties; and

(V) other personal information processing activities that have significant impact on individuals.The risk assessment shall include:

(I) whether the purpose and method of processing personal information are legitimate, justifiable and necessary;

(II) impact on individuals and the degree of risks; and

(III) whether the security protection measures taken are legitimate, effective and appropriate to the degree of risks.

The risk assessment report and processing record shall be kept for at least three years.

Article 55 Any personal information processor finding that personal information is leaked shall immediately take remedial measures and inform the department performing duties of personal information protection and the individuals concerned. The notice shall include the following particulars:

(I) reasons for the disclosure of personal information;

(II) types of personal information leaked and possible harm;

(III) remedial measures taken;

(IV) measures that can be taken by the individuals to mitigate harm; and

(V) contact information of the personal information processor.If the personal information processor has taken measures to effectively avoid damage caused by information leakage, it may opt not to notify the individuals; however, if the department performing duties of personal information protection believes that the leakage of personal information may cause damage to the individuals, it may require the personal information processor to notify the individuals thereof.

Chapter VI Departments Performing Duties of personal information protection

Article 56 The state cyberspace administration is responsible for coordinating the protection of personal information and relevant supervision and administration work; and relevant departments under the State Council are responsible for protecting, supervising and administering personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising and administering personal information shall be determined in accordance with relevant provisions of the State.

The departments mentioned in the preceding two paragraphs are collectively referred to as the departments performing duties of personal information protection.

Article 57 Departments performing duties of personal information protection shall perform the following duties of personal information protection:

(I) carrying out publicity and education on personal information protection, and guiding and supervising personal information processors to protect personal information;

(II) accepting and processing complaints and reports relating to personal information protection;

(III) investigating and processing illegal personal information processing activities; and

(IV) other duties stipulated by laws and administrative regulations.

Article 58 The state cyberspace administration and relevant departments under the State Council shall, according to their duties and authorities, organize the formulation of relevant rules and standards for protecting personal information, promote the development of a socialized service system for protecting personal information, and support relevant organizations in carrying out assessment and certification services in respect of personal information protection.

Article 59 Departments performing duties of personal information protection may take the following measures when performing the duties of personal information protection:

(I) inquiry of the parties concerned, and investigation of the circumstances relating to personal information processing activities;

(II) consulting and copying contracts, records, account books and other relevant materials relating to personal information processing activities of the parties concerned;

(III) carrying out on-site inspection and investigation activities relating to processing personal information suspected of violating laws; and

(IV) checking the equipment and articles relating to personal information processing activities and may sealing up or seizing the equipment and articles that are proved to be illegal personal information processing activities.When departments performing duties of personal information protection perform duties in accordance with the law, the parties concerned shall provide assistance and cooperation, and shall not refuse or obstruct such performance.

Article 60 Where departments performing duties of personal information protection find in performing their duties of personal information protection that there are relatively high risks in personal information processing activities or personal information security incidents have occurred, they may interview the legal representative or person chiefly in charge of the personal information processor according to prescribed authority and procedures. The personal information processor shall take measures to make rectification and eliminate hidden dangers as required.

Article 61 Any organization or individual has the right to complain or report illegal personal information processing activities to the departments performing duties of personal information protection. The departments receiving such complaints or reports shall promptly process them according to the law and notify the complainants or reporters of the results.The departments performing duties of personal information protection shall make public the contact information for accepting complaints or reports.

Chapter VII Legal Liability

Article 62 Where personal information is processed in violation of the provisions hereof, or necessary security protection measures are not taken in processing personal information, the departments performing duties of personal information protection shall order the processor to make rectification, confiscate its illegal gains and give a warning to the processor; if rectification is refused, a fine of not more than 1 million yuan shall be imposed concurrently on the processor; and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge of the processor and other directly liable persons.Where an illegal act specified in the preceding paragraph is committed and the circumstances are serious, the departments performing duties of personal information protection shall order the processor to make rectification, confiscate its illegal gains and impose a fine of not more than 50 million yuan or not more than 5% of its turnover of the previous year on the processor, and may also order the processor to suspend relevant business or to suspend business for rectification, and notify the relevant competent departments to revoke the relevant business permit or business license; and a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on the persons directly in charge and other directly liable persons.

Article 63 Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of the relevant laws and administrative regulations and shall be disclosed to the public.

Article 64 Where a state organ fails to perform its obligations of protecting personal information as specified in this Law, its superior organ or the department performing the duties of personal information protection shall order it to make rectification, and impose sanctions on the person directly in charge and other directly liable persons according to law.

Article 65 Where the rights and interests of personal information are infringed upon due to personal information processing, the compensation liability shall be borne in light of the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor; if the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor are difficult to be determined, the people’s court shall determine the amount of compensation according to the actual circumstances. If the personal information processor can prove that it is not at fault, its liability may be mitigated or exempted.

Article 66 Where a personal information processor processes personal information in violation of the provisions of this Law, which infringes upon the rights and interests of a large number of individuals, the people’s procuratorate, the department performing the duties of personal information protection and the organization determined by the state cyberspace administration may file a lawsuit with the people’s court in accordance with the law.

Article 67 Where a violation of the provisions of this Law constitutes a violation of public security administration, a public security administration punishment shall be imposed in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law.

Chapter VIII Supplementary Provisions

Article 68 This Law shall not be applicable to the processing of personal information by a natural person by virtue of his/her personal or family affairs.Where there are legal provisions on the processing of personal information in the statistical and archive administration organized and implemented by the people’s governments at all levels and the relevant departments thereof, such provisions shall apply.

Article 69 For the purposes of this Law, the following terms are defined as follows:

(I) A personal information processor refers to any organization or individual that independently determines the purpose and method of processing and other personal information processing matters.

(II) An automatic decision -making refers to an activity in which personal information is used to automatically analyze and evaluate a person’s behavior habits, hobbies or economic, health or credit status through computer programs and make decisions.

(III) De-identification refers to the process in which the personal information is processed so that it is impossible to identify certain natural persons without the use of additional information.

(IV) Anonymization refers to the process in which the personal information is processed so that it is impossible to identify a certain natural person and unable to be recovered.

This Law shall come into force as of MM/DD/YY.