Since the launch in 2016 of the GDPR, Europe has set the tone on personal data protection. Geopolitical considerations aside, it cannot be denied that the old continent is, at least on privacy, trying to push its cultural view. Is Europe succeeding in this privacy imperialism? It seems so, now that China is stepping in.
After Europe, first the United States and Canada
Despite the great interest in controlling the personal data of American consumers, the United States has not yet joined the EU in passing national legislation that takes into account the technological impact on everyday life.
However, in the absence of federal action, California has taken an important first step towards greater privacy protection with the passage of the California Consumer Privacy Act (CCPA), which has been in effect since 1 January 2020. The CCPA is a turning point in US privacy law and was the first law in the United States to include rights which are clearly inspired by the GDPR.
In rivalry with Europe and California, a proposed Consumer Privacy Protection Act (CPPA) was launched in Canada that same year. As Canadian lawmakers consider changes and proposals in this CPPA to align with the GDPR, it seems very likely that companies will also be faced with new or expanded consumer rights and additional obligations regarding how personal information may be processed. GDPR next level, so to speak.
China’s diffuse reality
Privacy activists are horrified by China: 1.4 billion individuals all being monitored from the control room of the one party that makes policy – surely this is not in line with our European standards.
Anyone who knows China a little must make a few observations. To the outside world, China often appears to be a monolith, with edicts from Beijing ruthlessly implemented by the rest of the system. This is also the image that the Chinese government likes to present.
Daily life, however, shows a much messier reality. Although China has tools that many other governments normally do not have at their disposal, the state’s ability to access personal data is sometimes limited. Coordination between different parts of the public sector is often sporadic and marred by bureaucratic rivalries. Many private sector companies are cautious of alienating middle-class customers whose lives now revolve around a series of apps on their smartphones. Big players like Alibaba and Tencent are therefore reluctant to hand over data.
Draft “Personal Information Protection Law” in China
However, privacy is indeed a concern within Chinese society – although culturally, the Chinese may look at it a little different than we do in the West.
A number of older small initiatives have therefore finally led to the publication on 21 October 2020 of the draft Personal Information Protection Law of the People’s Republic of China. The draft is now scheduled for further deliberation in the 2021 Standing Committee meetings, so that it can be promulgated as soon as possible (read the original version here – read a Dutch translation here).
Article 3 of the draft expressly provides that the draft shall apply not only to the processing of personal data of natural persons within China, but also to the processing of personal data of natural persons outside China where:
- such activities are aimed at providing products or services to natural persons within China;
- such activities are operations carried out for the purpose of analysing or assessing natural persons within China; or
- there are other legal circumstances.
The draft is thus very similar to the broad scope of the GDPR and thus gives a broad extraterritorial application to the protection of personal data.
Tightening the rules on the processing of personal data
The draft specifies six principles that must be observed when processing personal data:
- – the principle of good faith (Article 5),
- – the principle of clear and reasonable purposes (Article 6),
- – the principle of minimum necessity (Article 6)
- the principle of openness and transparency (Article 7)
- the principle of accurate information (Article 8), and
- the principle of accountability of information processing (Article 9).
The draft extends the legal basis for the processing of personal data. Under Article 13 of the draft, personal data may be processed if one of the following conditions is met:
- the consent of the data subject has been obtained
- processing is necessary for the conclusion or performance of a contract to which the data subject is party;
- processing is necessary in order to fulfil legal obligations;
- processing is necessary in order to respond to a public health emergency or to protect the life, health or property of a natural person in an emergency situation;
- the personal data is processed within a reasonable period of time for the purposes of news reporting, public opinion monitoring and other actions in the public interest; or
- there are other legal grounds.
In addition, many circumstances are specified in which separate consent must be obtained:
- the transmission of personal data to third parties (art. 24),
- the disclosure of personal data (art. 26),
- the processing for purposes other than public order of visual material collected in public places (art. 27),
- the processing of sensitive data (Art. 30), and
- transfer of personal data outside China (art. 39).
Rights and Obligations
Important clarifications on the rights of data subjects can be found in Chapter IV of the draft:
- the right to be informed and to decide (Art. 44)
- the right of access and of copies (Article 45), the right of rectification and supplementation (Article 46)
- the right to erasure (Article 47)
- the right to request explanations and clarifications (Article 48)
- and the right to obtain reasoned feedback from the processor (Article 49).
Chapter V of the draft specifies the obligations of the controller, such as prior risk assessment (Article 54), technical and organisational measures (Article 50) and a data breach procedure (Article 55).
Strict legal liability
Article 62 of the draft stipulates that illegal processing of personal data is punishable by “a fine of up to 50 million RMB or up to 5% of the previous year’s revenue”. In addition, the offender may be required to suspend the activities in question, and risks having his business licences revoked.
While the nominal ceiling amount may be lower than we are used to in Europe, the persistent offender also risks prosecution.
It is clear that the GDPR sets the global direction for personal data protection: the basic privacy principles we are familiar with in Europe are being picked up in all continents.
The fact that China also embraces these principles may be a good thing. Critics could argue that the Chinese draft, as it currently stands, primarily regulates private relations and does not offer a solution to government surveillance. However, in doing so they overlook the fact that Chinese citizens look at their government in a very different – pragmatic – way. As Europeans, we sometimes see central government as a threat to and restriction of our individual rights and freedoms; Chinese citizens see their government system more as an opportunity for rapid economic development and stability.
In any case, it is certain that entrepreneurs who are active on the Chinese market will also have to prepare themselves thoroughly and take into account the growing privacy awareness of Chinese consumers. Through our network, we can always assist you in this regard – all you need to do is contact us at firstname.lastname@example.org.
Written by Kris Seyen, Partner theJurists