On 29 April 2021, the second drafts of China's Personal Information Protection Law (Second Draft PIPL)1 and the Data Security Law (Second Draft DSL) were released. Once passed, the Second Draft PIPL will become China's first comprehensive law that protects personal information, and the Second Draft DSL will further regulate data processing activities that could impact national security, particularly "important data".

While the Second Draft PIPL and the Second Draft DSL do not substantially amend the first drafts issued in October 2020 and July 2020, respectively, some further obligations and clarifications have been added. We summarise some of these key changes below.

Second Draft PIPL

DATA PROCESSORS

In a major departure from the previous draft, the Second Draft PIPL expands the obligations imposed on third parties entrusted to handle personal information (i.e., the equivalent of a data processor under the GDPR (the EU General Data Protection Regulation)).

Under the first draft, data processors were not directly regulated. Instead, they were only required to process the personal information in accordance with the relevant data processing agreement with the data controller (referred to as the "personal information processor" under the Second Draft PIPL), to delete or return the personal information once the agreement is fulfilled or terminated, and not to further sub-contract the processing of the personal information unless they obtain the data controller's consent.

Under the new Article 58, data processors must perform the relevant obligations under Chapter V of the Second Draft PIPL and adopt necessary measures to ensure the personal information is kept secure. In particular, this may mean that overseas data processors that process personal information to provide goods or services, or to analyse or assess the behaviour of data subjects in China (or under any other circumstances prescribed under the laws or regulations), will need to appoint a local representative or establish an office in China.2 This may have major implications for foreign companies that have no onshore operations, but which are providing services to data controllers handling personal information collected in China.

In addition to establishing a local presence, data processors will also now need (among other things) to conduct regular audits to verify that their processing activities are compliant with China's laws and regulations; carry out risk assessments prior to processing sensitive personal information, using automated decision-making, disclosing any personal information or making any cross-border transfers; comply with breach notification obligations; and comply with the new obligations imposed on large internet platform service providers (discussed below).

OBLIGATIONS ON LARGE INTERNET PLATFORM SERVICE PROVIDERS

Another significant amendment proposed by the Second Draft PIPL is the set of additional obligations on data controllers which provide basic online platform services to a substantial number of users and which operate complex business models.3 Such data controllers would be required to:

(1) Establish an independent body, mainly consisting of external personnel, to oversee the data controller's processing activities;

(2) Stop providing services to those who are offering products or services via the data controller's online platform, who are in serious violation of the data processing requirements under the relevant laws and regulations; and

(3) Regularly publish corporate social responsibility reports in relation to personal information protection.

It is likely that further measures or interpretations will be issued to provide clarity on the application of the above requirements. In particular, clarification will be welcomed in respect of what would constitute a substantial number of users or complex business models, what would amount to a serious violation of the laws and regulations, and what needs to be included in the social responsibility reports.

It is important to remember that, as with the original draft, the Second Draft PIPL is intended to have extra-territorial effect. Article 3 provides that the Second Draft PIPL shall apply to any processing of personal information that occurs outside China, if the purpose of processing is to provide products or services to individuals in China, to analyse and evaluate the behaviour of individuals in China, or any other circumstances specified by the laws or regulations. The effect of this article is that online platform service providers based overseas may need to comply with the above requirements even if they do not have an onshore presence, and/or will have to establish an office or appoint a legal representative in China.4

Footnotes

1 See our article regarding the first draft of the PIPL: https://www.mayerbrown.com/en/perspectives-events/publications/2020/12/asia-ip-tmt-quarterly-review-fourth-quarter-2020

2 Articles 53 and 58 of the Second Draft PIPL.

3 Pursuant to Article 58 of the Second Draft PIPL, these obligations may also apply to data processors.

4 Articles 53 and 58 of the Second Draft PIPL.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.