China Draft Personal Information Protection Law: Deep Dive (3): Individual Rights

1. Rights to be informed (information notice)

The Draft PI Protection Law provides that certain information must be provided to the relevant individual before his personal information can be processed. The mandatory information includes:

1. identity of the PI processor and its contact details
2. purposes for processing
3. means at which the personal information will be processed
4. types of personal information to be processed
5. retention period
6. how individual's rights may be exercised

A PI processor is also required to provide additional information in certain circumstances:

• if personal information will be provided to a third party, the information of (a) to (d) above insofar as it relates to the transfer and the third party transferee; and
  
  
• if the transfer is necessary due to mergers, the identity and contact details of the recipient.

For China businesses that have been following the requirements set out in the PRC Cybersecurity Law and the updated and revised PI National Standard on Information Security Technology – Personal Information Security Specification (the revised version of latter became effective on 1 October 2020, ("PI National Standard")), as well as sector-specific regulations, their existing privacy policies are likely to have already included the information required. There is therefore no surprise here.

There are nevertheless certain marked differences between the Draft PI Protection Law and, for example, the GDPR, on notification requirements. For example, the legal bases for processing personal information, although set out in Article 13 of the Draft PI Protection Law, are not required to be expressly spelt out in a privacy policy (unlike GDPR).

Other example includes: the Draft PI Protection Law requires a PI processor to specify expressly the retention period. Unlike Article 13(2)(a) of the GDPR which allows a data controller to specify the criteria used to determine the retention period if it is not possible to pre-determine the retention period, there is no such equivalent provision in the Draft PI Protection Law. As noted in Part 2, the Draft PI Protection Law does contain a general data protection principle (Article 20) limiting the retention period to one that is necessary to achieve the purpose for which the data is collected. This data protection retention period nevertheless can be overridden by other (more often longer) statutory retention periods – this obligation (or right) is expressly preserved in the Draft PI Protection Law.

2. Rights to Access, Rectify & Erasure

Although the PRC Cybersecurity Law does specifically provide certain data access rights, the provisions are short and lack the level of details to enable a PI processor to facilitate such rights properly (see Article 43). In contrast, the Draft PI Protection Law contains a set of more elaborative requirements:

1. Right to access (Article 45)
   
   An individual has the right to access and request copies of his personal information from the PI processor. Unlike the PI National Standard or GDPR, the provisions do not go into any further details on the type of information which the PI processor is required to provide to the individual.
   
   
2. Right to rectify (Article 46)
   
   An individual has the right to request a PI processor to rectify any inaccurate personal information and supplement incomplete personal information which the PI processor holds.
   
   
3. Right to erasure (Article 47)
   
   The Draft PI Protection has specified the circumstances under which an individual can request a PI processor to erase his personal information. These circumstances include: (i) the purposes for the personal information have been achieved or the agreed retention period has expired; (ii) the PI processor ceases providing goods and services; (iii) the consent has been revoked; and (iv) the PI processor is processing the data contrary to law or the agreed purposes. There is also a catch-all provision: other circumstances provided under laws and regulations.
   
   The erasure obligation is not however absolute. A PI processor does not have to erase the personal information if technically it is not possible for it to do so or if the statutory retention period has not yet expired. The PI processor however must stop processing the personal information.
   
   The right to erasure is also presented in the Draft PI Data Protection Law as an obligation on the PI processor. This means that if any of the circumstances mentioned above occurs, the PI processor is expected to erase the relevant personal information.

Although there appears to be no separate right to object, as discussed in Part 2, the "right to object" is embedded in the obligation of the PI processor to obtain consent from the individuals, with consent being a key legal basis for processing personal information in China.

3. Right relating to automated decision-making

An individual is given the right to object the use of automated decision-making by a PI processor in making decisions which are going to have a significant impact on the individual's rights and benefits. The individual also has the right to require the PI processor to provide explanations. If automated decision-making is being used for marketing, the Draft PI Protection Law requires a PI processor to provide a choice to the individual for such marketing to be conducted without individual profiling. The right relating to automated decision-making under the Draft PI Protection Law in this regard is not identical to the counterpart provided under the GDPR.

4. Right to explanation and reason

The Draft PI Protection Law also sets out rights to individuals to request explanations from a PI processor on the data processing rules set by it. If a PI processor refuses any access request by an individual, the individual also has the right to request for an explanation.

Observations

One individual right which is noticeably missing from the Draft PI Data Protection Law is the right to data portability, i.e. the right to have his personal information in a format which can be transferred from one PI processor to another. This right, in a limited form, can be found in the PI National Standard. paragraph 8.6 which provides that if an individual so requires and if technically permissible, a data controller should transfer certain personal information requested directly to the third party designated by such individual.

Other noticeable omissions include: (i) detailed obligations of the PI processor on how to facilitate the above rights (particularly all the new access rights). Article 49 of the Draft PI Data Protection Law currently only imposes a general obligation on the PI processor; and (ii) circumstances under which a PI processor may lawfully refuse to comply with the requests from an individual. The PI National Standard itself contains a fairly comprehensive set of provisions (see paragraph. 8.7) covering these two omissions.

It would be interesting to see if following the consultation more details will be incorporated into the rights provided in the draft law and if the right to data portability will be included.

Missed our previous newsletters? Click here for the Overview of China’s Draft Personal Information Protection Law and Part 1 & Part 2 of our four part Deep Dive series.