On November 18, 2020, the Center for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth provided the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China with its response on the Draft Personal Data Protection Act (“PIPL”).
In its response, CIPL highlights several possible changes to the PIPL that it believes the NPC should consider and adopt in its review, not only to ensure China’s standing in the international privacy space, but also to ensure the protection of citizens, businesses, and China’s government data.
The main recommendations of CIPL include:
- Legitimate interest: Adding a legitimate interest processing reason within the PIPL;
- Compatible processing: Clarification that organizations can process personal data for compatible purposes, relying on the original reason for the processing;
- Data for children: Enabling a risk-based approach for organizations to determine whether they process minors’ personal data in the context of mixed-use websites and obtain guardian consent;
- Sensitive data processing: Enabling a risk-based approach to processing sensitive personal information rather than providing defined categories of pre-defined sensitive information;
- Categories of sensitive data: To the extent that pre-defined categories of sensitive information are retained in the PIPL, clarifying that sensitive personal data can be processed on the basis of any legal grounds for processing;
- Consent to Transfers: Removing the requirement to obtain consent in addition to the other transfer requirements in the PIPL;
- Security assessment for transfers: Explaining what it takes to pass the Cyberspace Administration security assessment for the transfer of personal data overseas;
- Certifications: Clarification of whether the certifications for the transfer of personal data referred to in Article 38 could enable China to participate in the APEC’s system of cross-border data protection regulations (CBPR) and work towards joining the CBPR system under Article 12 of the PIPL;
- Appointment of a representative: Adding exceptions to the obligation to appoint a representative in China under the provisions of other data protection laws such as the GDPR;
- Third party providers: Clarification of the role of third party providers in the PIPL;
- Serious Illegal Activity: Clarification of what constitutes a “serious” illegal act under the PIPL and when fines will be a fixed amount of money or a percentage of revenue, and clarification that the revenue in question relates to revenue in China; and
- Effective Date: Providing that organizations have two years from the date the PIPL is adopted to fully comply with the law.
For more information on the above recommendations, as well as any other CIPL recommendations, see the full response (in English) or (in Mandarin).