China’s Draft Privacy Law Adds Platform Self-Governance, Solidifies CAC’s Role

China’s National People’s Congress (NPC) Standing Committee this week released for public comment a second draft of its premier data privacy law, the “Personal Information Protection Law” (PIPL, translated by DigiChina). A closely related piece of legislation, the Data Security Law (DSL), was also released in second-draft form at the same time.

As China’s government pursues technological advancement, data protection, and national security goals, its regulatory regime for data, cybersecurity, and digital technology has been defined by centralized efforts at policy coordination and persistent divergences over practical trade-offs and bureaucratic turf. Ever since the Cybersecurity Law was finalized in 2016, the details of its rules governing data use have been in flux, and sometimes in conflict.

Now, the PIPL has taken shape as the lead instrument protecting information about individuals, particularly in the digital sphere and the platform economy, but also in certain forms of data use by government departments. (See “How will China’s privacy law apply to the Chinese state?“) In setting out a regime to protect people from harms arising from malicious abuse, poor security practices, or unauthorized commercial exploitation of personal data, the PIPL exhibits considerable alignment with international trends in personal data protection, especially the European Union’s General Data Protection Regulation (GDPR) and associated trends, and it has major implications for businesses at home and abroad. (See “Personal Data, Global Effects: China’s Draft Privacy Law in the International Context.”) The PIPL represents a major unifying moment in China’s long history of piecemeal data privacy policymaking. (See “China’s Draft Privacy Law Both Builds On and Complicates Its Data Governance.”)

The law’s advancement through the NPC alongside the DSL underlines the continuing bureaucratic contest in Chinese technology policy, with the Cyberspace Administration of China (CAC) taking lead on personal information protection, and the Ministry of Public Security (MPS) leading broader data security efforts alongside its older Multi-Level Protection System apparatus, which imposes differing requirements on information systems based on a graded assessment of their national security sensitivity. Ultimately, the two laws, which many expect to be finalized this year, will be read together. They will each also be supplemented by more detailed binding regulations and influential if not always binding standards. In recent weeks, authorities have released draft standards and regulations for facial recognition data, data de-identification, personal information in mobile apps, government-held data on transportation, and data collection by connected vehicles.

Below, DigiChina briefly outlines four notable developments since the first draft was published in December 2020. The Chinese government is accepting comments on the present draft until May 28.

I. Self-Regulatory Obligations and Outside Supervisory Bodies for Platforms Like App Stores

The new draft PIPL establishes novel obligations for online platforms used by other product or service providers—app stores or cloud platforms, for example—to police the personal data practices across their platforms. This continues a trend of self-regulatory pressure on large tech companies and may ease the mounting supervisory burden for key bureaucracies such as the CAC.

Article 57: Personal information handlers providing basic Internet platform services, who have a large number of users, and whose business models are complex shall fulfill the following obligations:     1. Establish an independent body composed mainly of outside members to supervise personal information handling activities;     2. Stop providing services to products or service providers on the platform that seriously violate laws or administrative regulations in handling personal information;     3. Regularly release personal information protection social responsibility reports, and accept society’s supervision.

The particular mode of self-regulation represented in Article 57 Paragraph 1 of the current draft—establishing mostly independent bodies to watch over data practices—parallels the proliferation of antitrust investigations into China’s most dominant tech companies, in which regulators increasingly seek to check the autonomy of so-called “gatekeeper” companies. Chinese Academy of Social Sciences Professor Zhou Hanhua, an influential figure in developing the PIPL, reportedly supports this move as a way to provide outside scrutiny of companies whose algorithms and practices lack transparency. 

The draft PIPL’s new requirements also trace new EU developments for platform companies in the Digital Market Act and Digital Services Act (DMA/DSA). In particular, the three responsibilities identified for big platform companies here resonate with the “gatekeeper” concept for online intermediaries in Europe, and a requirement for public social responsibility reports echoes the DMA/DSA mandate to provide access to platform data by academic researchers and others. The new groups could also be compared with Facebook’s nominally independent Oversight Board, which the company established to review content moderation decisions.

II. New Penalties for Providing Data to Foreign Authorities Without Permission

The new drafts of both the PIPL and the DSL added language toughening requirements for Chinese government approval before data holders in China cooperate with foreign judicial or law enforcement requests for data, making failure to gain permission a clear violation punishable by financial penalties up to 1 million RMB. 

Article 41: When a judicial or law enforcement organization from outside the mainland territory of the People’s Republic of China requests the provision of personal information stored within the territory, it shall not be provided without the approval of the organ in charge. Where an international treaty or agreement concluded or participated in by the People’s Republic of China provides, those provisions may be carried out.

These provisions, which are more explicit than in the previous drafts, reflect long-standing Chinese concerns about the ability of foreign governments to access Chinese citizen data through U.S. firms operating in China. Chinese scholars and officials have argued that the U.S. CLOUD Act, combined with the global reach of U.S. companies, enables the U.S. government to extend its “long-arm” jurisdiction around the world. 

If China prohibits unauthorized disclosures to foreign law enforcement, and U.S. law requires them, the effect may be to further entrench a pattern in which, as the Chinese data governance scholar Hong Yanqing has written, “China can further ensure that foreign-funded organizations or individuals cannot become data controllers in the first place.” Already, joint venture structures that are either required or convenient for foreign firms operating in China help blunt U.S. law enforcement’s reach. 

Meanwhile, Beijing Normal University Professor Wu Shenkuo has argued that other countries have similar restrictions, meaning the dilemma is not only a U.S.-China one. For example, the GDPR’s Article 48 addresses law enforcement orders issued by non-EU states and blocks personal data transfers to third countries pursuant to a judgment by a foreign court or body, unless the transfer is authorized by an international agreement such as a mutual legal assistance treaty. While Article 41 of the draft PIPL specifies that international treaties may be followed, foreign law enforcement authorities are likely to encounter different setbacks or delays for accessing Chinese citizens data compared with EU data. 

III.  A Leading Data Privacy Role for the Cyberspace Administration of China

The new draft added an article designating the State cybersecurity and informatization department, also known as the CAC, as the lead agency in developing the more detailed regulations and technical standards that will be crucial to determining how the PIPL is implemented in reality. As usual in the Chinese system, this top-level law provides a framework and broad principles, while implementing regulations and standards will provide the detailed, more concrete rules personal data handlers will be responsible for following.

Article 61:The State cybersecurity and informatization department coordinates overall the following personal information protection work by the relevant departments:     1. Formulate concrete personal information protection rules and standards;     2. Formulate specialized personal information protection rules and standards for new technologies and new applications regarding sensitive personal information, facial recognition, artificial intelligence, etc.;     3. Support the research and development of secure and convenient electronic identity authentication technology;     4. Advance the construction of service systems to socialize personal information protection, and support relevant organizations to launch personal information protection evaluation and certification services.

This newly specified authority and responsibility for the CAC comes at a time the interagency group may face a shrinking regulatory remit as it has become clear that the Ministry of Public Security will administer Cybersecurity Law rules around “critical information infrastructure” alongside its preexisting Multi-Level Protection System.

Still, personal data is an expansive field, and CAC and the standards-setting body TC260, which is led by CAC Deputy Director Zhao Zeliang, will have major responsibilities. Rules around personal data are crucial in artificial intelligence fields such as facial recognition, cross-border business of all kinds, and many other areas. How any new Chinese privacy standards or regulations align with or diverge from existing technical standards at home or in the lively global privacy discourse will help determine the interoperability of the digital economy.

Meanwhile, electronic identity authentication technology, which CAC would be charged with supporting under Article 61 Paragraph 3, is a nascent field worthy of attention moving forward. With widespread online fraud and misuse of personal information in China, strong digital identity authentication technology could be a part of a solution. The private sector, however, has long employed a range of authentication methods and generally is required to establish real-name identities for users, so the scope of this initiative remains unclear.

IV: Post-Mortem Privacy

The new PIPL draft adds an article to address post-mortem privacy rights, a relatively new concept that is rarely seen in other privacy laws today but has received growing public and academic attention.

Article 49: When a natural person is deceased, the rights of the individual as to personal information handling activities according to the provisions of this Chapter shall be exercised by the next of kin.

China’s new draft provision, in Article 49, approaches this issue differently from an early comparative example in France, which requires that people be informed of their rights and allows them to give general or specific guidance related to their personal data after their death. The PIPL’s approach, on the other hand, directly authorizes the close relatives of a deceased data subject to exercise their rights. 

In the past few years, China has seen a few fraud cases relating to exploiting the personal data of deceased individuals. China’s Civil Code, effective January 2021, addresses this novel issue by allowing a spouse, children, parents, and—if lacking such survivors—other close relatives to enforce certain personality rights including the privacy right of the deceased (see Article 994). Similarly, the new PIPL draft would assign the next of kin rights regarding the deceased’s personal information. Article 49 here may need to be further revised or supplemented, for example to provide an order of prioritization for the relatives who would exercise the rights. This potentially complex provision, if passed, may add additional compliance burdens for data handlers newly charged with verifying family relationships.