A Closer Look at China's (First Draft) Personal Data Protection Law

Because privacy laws like EU GDPR (General Data Protection Regulation) have become fashionable recently, China has published its (first draft) personal data protection law. Although china already has national cyber security laws and regulations related to cyber protection in place that cover the protection of personal information, but until recently there was no dedicated personal protection law.

China's PDPL (Personal Data protection Law) consists of eight chapters and seventy articles and has following principles like other privacy laws more specifically GDPR (General Data Protection Regulation).

1. Consent
2. Processing of Personal information
3. International data transfer / Cross border
4. Rights of individual ( PDPL refer their citizen as individual )
5. Personal data protection
6. Liabilities / Penalties

Consent

Consent means taking a written permission from the citizens of china. Like GDPR (General Data Protection Regulation), in PDPL (Personal Data protection Law) consent is required for processing , handling and international transfers for example in chapter II section I under article 13. “ Obtaining individual consent is mandatory while handling personal information“ .

The consent was discussed on many articles of PDPL (Personal Data protection Law) such as article 13,14,15,16,17,22,23,24,26,27,28,30,35,36,39,47.

Cross borders / International Transfers

Article 38 to 43 discuss the cross border requirements like:

1. Taking written consent is mandatory.
2. Informing the individual about the nature of processing and transfer.
3. Passing through a security assessment organized by the state cyber security authority and information department to article 40 of PDPL (Personal Data protection Law).

Following condition can restrict the international transfer

1. If any international organization failed in providing the proper security to personal information and non - conformity with any state regulation

Processing of personal information

PDPL (Personal Data protection Law) ensuring the protection of individuals under the article 44, 45. According to article 45, individuals have the right to know and right to take decisions on his/her personal information even if he/she refuses the handling/processing unless any state law or administration regulation is processing his/her personal information.

Protection of personal information :

According to the PDPL (Personal Data protection Law) personal information is protected no individual or organization can misuse the PI , rights and interest.

Liabilities / Penalties

Where personal information is handled in violation of this Law or personal information is handled without adopting necessary security protection measures in accordance with regulations, the departments fulfilling personal information protection duties and responsibilities orders correction, confiscate unlawful income, and issue a warning; where correction is refused, a fine of not more than 1 million Yuan is additionally imposed; the directly responsible person in charge and other directly responsible personnel are fined between 10,000 and 100,000 Yuan.

Conclusion

There are many angles to the  PDPL (Personal Data protection Law) which we need to explore because this is a new law and it's still in draft mode. We have wait on what kind of changes the Chinese government will make in final version of  PDPL.