China issues the second version of the personal data protection bill for public comment
On April 29, 2021, China released a second version of the Draft Personal Data Protection Act (“Draft PIPL”). The Draft PIPL is open for public comment until May 28, 2021.
While the scope of this version of the PIPL draft is the same as the previous version published on October 21, 2020, we summarize the main changes in the second version of the PIPL draft below.
Legal basis for the processing of personal data
Article 13 adds a legal basis for the processing of personal data: the data processor is not obliged to obtain the data subjects’ consent to process publicly available personal data to a reasonable extent in accordance with the Draft PIPL.
Personal information from minors
Article 15 provides a higher standard for the processing of personal data of a minor. Regardless of whether the data processor knows or should know that they are processing personal data of a person under the age of 14, they must obtain the consent of the minor’s parents or another legal guardian.
Withdrawal of consent
According to Article 16, the data processor must provide data subjects with a convenient way of withdrawing their consent. The withdrawal of consent has no effect on the processing activity that took place before the consent was withdrawn.
Data processing by third parties
Article 22 contains further conditions for data processing by third parties. If the data processing agreement with a third party becomes ineffective or invalid, or is revoked or terminated, the third party may not retain the personal data and must return it to the data processor or delete it.
Standard contractual clauses for cross-border data transfer
Pursuant to Article 38, the Cyberspace Administration of China will provide data processors with a standard contract for reference and guidance in entering into contracts with recipients outside of China that may enable them to transfer relevant personal data to recipients outside of China.
Personal information of the deceased
Article 49 adds provisions on the protection of personal data of the deceased, whose rights under the draft PIPL can be exercised by close relatives on behalf of the deceased.
Specific data processor
Article 57 imposes specific obligations on data processors who provide basic online platform services to a “large” number of users and who have complex types of business. These include obligations to (1) establish an external independent body to monitor the processing of personal data; (2) discontinue servicing the products or service providers who have seriously violated laws and regulations; and (3) publish regular social responsibility reports. However, the second version of the Draft PIPL does not specify the standard for identifying the data processors covered, for example by determining how many users represent “a large number of users”.
Reversal of the burden of proof
According to Article 68, in the event of a violation of interests related to personal data, the data processor is liable for a tort and the corresponding compensation if it cannot prove that it was not at fault.