Consistent with international practice, the draft PRC Personal Information Protection Law ("Draft PI Protection Law") contains a comprehensive set of individual rights. In Part 3 of our four-part series, we explore some of these rights and, where relevant, compare them against their counterparts in the GDPR.
The Draft PI Protection Law provides that certain information must be provided to the relevant individual before his personal information can be processed. The mandatory information includes:
A PI processor is also required to provide additional information in certain circumstances:
For China businesses that have been following the requirements set out in the PRC Cybersecurity Law, the revised PI National Standard on Information Security Technology – Personal Information Security Specification (the revised version of which became effective on 1 October 2020, the "PI National Standard") and sector-specific regulations, existing privacy policies are likely to include the required information already. There is therefore no surprise here.
There are nevertheless certain marked differences between the Draft PI Protection Law and, for example, the GDPR on notification requirements. The legal bases for processing personal information, although set out in Article 13 of the Draft PI Protection Law, are not required to be expressly spelt out in a privacy policy (unlike under the GDPR).
Another example: the Draft PI Protection Law requires a PI processor to state the retention period expressly. Article 13(2)(a) of the GDPR allows a data controller to specify the criteria used to determine the retention period where it is not possible to fix the period in advance; the Draft PI Protection Law has no equivalent provision. As noted in Part 2, the Draft PI Protection Law does contain a general data protection principle (Article 20) limiting the retention period to what is necessary to achieve the purpose for which the data is collected. This retention limit can nevertheless be overridden by other (usually longer) statutory retention periods, an obligation (or right) that is expressly preserved in the Draft PI Protection Law. The practical consequence is that a privacy policy will need to state a concrete period for each category of data, and that period must be reconciled with whichever sector-specific retention requirements apply.
Although the PRC Cybersecurity Law does provide certain data access rights, the provisions are brief and lack the detail needed for a PI processor to facilitate those rights properly (see Article 43). In contrast, the Draft PI Protection Law contains a more elaborate set of requirements:
Although there appears to be no separate right to object, as discussed in Part 2, the "right to object" is embedded in the PI processor's obligation to obtain consent from individuals, consent being a key legal basis for processing personal information in China.
An individual has the right to object to the use of automated decision-making by a PI processor in making decisions that will have a significant impact on the individual's rights and interests, and the right to require the PI processor to provide an explanation. If automated decision-making is used for marketing, the Draft PI Protection Law requires a PI processor to offer the individual the option of receiving such marketing without individual profiling. The right relating to automated decision-making under the Draft PI Protection Law is therefore not identical to its counterpart under the GDPR.
The Draft PI Protection Law also gives individuals the right to request an explanation from a PI processor of the data processing rules it has set. If a PI processor refuses an access request by an individual, the individual likewise has the right to request an explanation.
One individual right that is noticeably missing from the Draft PI Protection Law is the right to data portability, i.e. the right to receive one's personal information in a format that can be transferred from one PI processor to another. This right, in a limited form, can be found in paragraph 8.6 of the PI National Standard, which provides that, if an individual so requires and if technically feasible, a data controller should transfer the requested personal information directly to the third party designated by that individual.
Other noticeable omissions include: (i) detailed obligations of the PI processor on how to facilitate the above rights (particularly the new access rights), since Article 49 of the Draft PI Protection Law currently imposes only a general obligation on the PI processor; and (ii) the circumstances in which a PI processor may lawfully refuse to comply with an individual's request. The PI National Standard itself contains a fairly comprehensive set of provisions (see paragraph 8.7) covering both of these points.
It remains to be seen whether, following the consultation, more detail will be incorporated into the rights provided in the draft law and whether the right to data portability will be included.
Missed our previous newsletters? Click here for the Overview of China’s Draft Personal Information Protection Law and Part 1 & Part 2 of our four part Deep Dive series.