On November 18, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China on the Draft Personal Information Protection Law (“PIPL”).
In its response, CIPL highlights several possible modifications of the PIPL, which it believes the NPC should consider and adopt during its review, not only to ensure China’s standing in the international data protection space but also to ensure the protection of China’s citizens, businesses and government data.
CIPL’s key recommendations include:
- Legitimate Interest: Adding a legitimate interest processing ground within the PIPL;
- Compatible Processing: Clarifying that organizations can process personal information for compatible purposes in reliance on the original ground for processing;
- Children’s Data: Enabling a risk-based approach for organizations to determine whether they are processing personal information of minors in the context of mixed audience websites and obtaining consent from a guardian;
- Sensitive Data Processing: Enabling a risk-based approach for processing sensitive personal information rather than providing set categories of pre-defined sensitive information;
- Categories of Sensitive Data: To the extent that pre-defined categories of sensitive information are retained in the PIPL, clarifying that sensitive personal information can be processed on the basis of all legal grounds for processing;
- Consent for Transfers: Removing the requirement to obtain consent on top of the other transfer requirements in the PIPL;
- Security Assessment for Transfers: Explaining what is required to pass the Cyberspace Administration’s security assessment to transfer personal information overseas;
- Certifications: Clarifying whether the certifications referenced in Article 38 for the transfer of personal information could enable China’s participation in the APEC Cross-border Privacy Rules (“CBPR”) system and to work towards joining the CBPR system in line with Article 12 of the PIPL;
- Appointing a Representative: Adding exemptions to the requirement to appoint a representative in China in line with those found in other privacy laws, such as the GDPR;
- Third-Party Service Providers: Clarifying the role of third-party service providers under the PIPL;
- Grave Unlawful Acts: Clarifying what constitutes a “grave” unlawful act under the PIPL and when fines will be a set monetary amount or a percentage of revenue, and clarifying that the revenue in question relates to revenue in China; and
- Effective Date: Specifying that organizations will have two years from the date the PIPL is passed to be fully compliant with the law.