CIPL provides comments on China’s updated personal data protection bill
On May 25, 2021, the Center for Information Policy Leadership (“CIPL”) of Hunton Andrews Kurth LLP submitted its response (in English and Mandarin) to the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China on the updated Version of the draft law on the protection of personal data (“PIPL”).
As we previously reported, CIPL submitted comments to the NPC on the first draft of the PIPL in November 2020. Many of the comments CIPL made in its first reply are still relevant and apply to the updated PIPL. CIPL reiterates many of its previous recommendations in the current response and highlights several new considerations for the NPC to take into account in its further work on the PIPL.
The main recommendations from the answer include:
- Creation of further clarity about when consent is required under the PIPL. The NPC has stated in the updated version of the PIPL that no consent is required for circumstances provided for in Articles 13 (2) -13 (7) of the draft law (I.e., the other legal bases for the processing). CIPL recommends that the NPC refer to this assertion in other provisions of the PIPL that require consent for certain processing operations.
- Create further clarity about the effects of withdrawing consent. CIPL acknowledges that the NPC has made it clear that revoking a person’s consent to processing will not affect processing activities that took place prior to revocation. CIPL recommends that the NPC further clarify that the withdrawal of consent has no effect on certain ongoing forms of processing that are based on the integrity of data sets and to which a person originally consented (e.B. Processing of data for medical research already started).
- Adding a legitimate interest processing base to the PIPL. Given its increasing use in data protection laws worldwide and its usefulness to ensure that many types of processing operations that are not covered by other legal bases can continue to take place, CIPL recommends that the NPC have a legitimate interest in the processing in the next version of the PIPL records.
- Enabling a risk-based approach to determining whether an organization is processing personal data of minors in the context of mixed-use websites. CIPL recommends that the NPC allow personal data processors to make a contextual decision based on a number of factors to determine whether they are processing minors’ personal data in order to meet the requirements of Article 15 of the PIPL for mixed-audience websites and services fulfill.
- Revision of some aspects of the international data transfer regulations. CIPL reiterates several of the recommendations previously made in relation to international transfers, including removing the consent requirement in addition to using the cross-border transfer mechanisms listed in the PIPL. In its current answer, CIPL further recommends that the NPC resume the general objective of ensuring the orderly and free flow of personal data in accordance with Article 1 of the PIPL and take into account existing model contractual clauses in other legal systems when formulating model contracts for transfers according to the PIPL (e.B. ASEAN model contractual clauses for cross-border data flows).
- Provide clarity on the types of personal data processors required to set up an external independent body to monitor processing and publish social responsibility reports. CIPL recommends that the NPC clarify: the parameters that trigger the requirements of Article 57 of the PIPL, who exactly the provision applies to, and how the requirements apply to online platform services that have no insight into certain activities taking place on their platforms be performed.
- Approach anonymization from a risk management perspective rather than a technique or end-state. CIPL recommends that the NPC revise the definition of anonymization to reflect the more realistic standard of adequate anonymization in conjunction with procedural, legal and administrative safeguards.
To read in detail the above recommendations, as well as any other CIPL recommendations, please read the full answer (in English or Mandarin).