China has announced a law called “Personal Information Protection Law” (PIPL) on 20th August 2021, coming into effect on 1st November 2021.
The PIPL is having 74 articles divided into 8 chapters as follows:
- General Provisions;
- Personal Information Processing Rules;
- Rules for Cross-Border Provision of Personal Information;
- Individuals’ Rights in Personal Information Processing Activities;
- Obligations of Personal Information Processors;
- Departments Performing Personal Information Protection Functions;
- Legal Liabilities; and
- Miscellaneous Provisions.
Considering the general Governance system in China which is a dictatorial regime, the stakeholders would be concerned about the penalty provisions and the extra territorial implications.
Knowing the political nature of Chinese Governance and its reputation as the biggest global surveillance state, China talking of “Privacy” is like the Satan quoting the Bible.
However, the global privacy community is going through the motions of hailing the “Strict Data protection Laws in China”.
There is a possibility that China may continue its “Surveillance Culture” and cyber warfare and use the law to protect its own companies engaged in secret activities to ensure that international demand on any information related to issues such as the Covid Virus related research etc cannot be demanded by US or the UNO.
There are many Indian companies who have foolishly placed their assets in China and will have to live with working with the dictatorial regime and its inconsistent policy formulations. Just as the Indians in Afghanistan who are today struggling to be physically evacuated, many of the top industrialists of India who have built up assets in China will some day be running for evacuation of their data out of China.
Naavi.org has to keep on record its total distrust on China and the expectation that PIPL being used as an instrument of protecting Chinese dictatorial interests more than protecting the “Right of Privacy” of the citizens of China.
However, from the professional view point, we can continue to study the text of the PIPL assuming that the Government of China will be honest and reliable.
If we look at the extra territorial impact of the PIPL, the law is applicable when a company outside China conducts processing activities of information of natural persons who are within China
- for the purpose of providing products or services to natural persons in China;
- to analyze/evaluate the behavior of natural persons in China; or
- other circumstances prescribed by laws and administrative regulations.
Naturally, Companies having processing activities within China of personal information of natural persons would be liable.
Hence all Indian companies who are having establishments within China will have to put up with the strict Chinese regulations if they have any physical presence in China.
Like in GDPR, the PIPL will require a representative to be appointed in China if a foreign company is engaged in the collection of personal information from China.
The legal basis for processing is covered by the following:
- consent by data subjects;
- necessity for concluding or performing contracts to which the data subject is a party, or necessity for implementation of human resources management in accordance with legally-adopted labor rules and systems and legally-concluded collective contracts;
- necessity for performing legal duties or legal obligations;
- to respond to public health emergencies, or necessity for protection of natural persons’ life, health, and property safety under emergency circumstances;
- processing, within the reasonable scope, of personal information for conducting news reports, public opinion supervision, and other acts for the public interest;
- processing, within the reasonable scope and in accordance with the PIPL, of personal information that has been made public by data subjects or through other lawful means; and
- other circumstances as stipulated by laws and administrative regulations.
Since one of the permitted legal basis is “Performance of legal duties and legal obligations” , India should consider introducing a clause in our law (May be in out Cyber Security law such as ITA 2000) to the effect that
“All organizations established in India including organizations which have managerial and financial control of organizations constituted under laws of other countries shall be liable to provide access to data related to their activities outside India for purposes such as National Security,..etc”.
All personal information collected and generated in China by Critical information infrastructure operators (“CIIOs”) and organizations processing personal information reaching a certain amount designated by the authority are required to store such information in China.
As regards the cross border transfer, PIPL states that apart from the consent Cross-border transfers of personal information can only be made for legitimate purposes such as business needs, and the transferor is obligated to take the necessary measures to ensure that the processing activities of the overseas recipient satisfies the protection standards set forth in the PIPL.
The law does include “Rights” of data subjects just like GDPR though the credibility of such provisions may be questioned.
The rights include
- Right to know and to decide relating to their personal information;
- Right to restrict or prohibit the processing of their personal information;
- Right to consult and copy their personal information from the processors;
- Right to portability of their personal information;
- Right to correct and delete their personal information; and
- Rright to request the processors to explain the processing rules.
It is interesting to note that there is a provision that the close relatives of a natural person can exercise these rights for their own legitimate and justifiable interests after the natural person is deceased, unless the deceased has made other arrangements when she or he were alive.
It is understood that the processor’s obligations include appropriate internal management systems and security measures for compliance but appointment of DPO may not be mandatory except for organizations involved in large scale processing.
Violations of the PIPL may lead to an administrative fine of up to RMB 50 million or 5% of the processor’s turnover in the last year (it is unclear if this is local or global).
Other penalties include order for rectification, warning, confiscation of illegal gains, suspension or cessation of service, cessation of operation for rectification, and revocation of operating permits or business licenses. The person-in-charge or other directly liable individuals may also be individually liable and fined or prohibited from acting as directors, supervisors, senior managers or personal information protection officers.
If the processing activity violates the rights or interests of a large number of individuals, a public interest action may be initiated by the People’s Procuratorate (i.e., the authority responsible for criminal prosecution), consumer protection organizations or other organization designated by the cyberspace administration.
(P.S: We await the English version of the draft for detailed study.)