The Structure and Mechanism of the Personal Information Protection Law 

On April 29, 2021, the National People’s Congress released a second draft of the Personal Information Protection Law. The Centre for Chinese Law at the University of Hong Kong has launched a series on the law to gain an understanding of its significance. Our series was held in conjunction with the Digital Economy and Legal Innovation Research Center at the University of International Business and Economics.

In the first lecture in our Personal Information Protection Law series, Xu Ke, Associate professor from the University of International Business and Economics and Executive Director of the Digital Economy and Legal Innovation Research Center was invited to discuss the structure and mechanism of the draft law.

Professor Xu gave a broad overview of the structure and system of the Personal Information Protection Law. He focused on three issues, namely the historical development, the formal structure and the substantive content of the Personal Information Protection Law. Mr. Fang Yu, director of the Internet Law Research Centre at the China Academy of Information and Communications Technology commented and identified problems around enforcement.  Dr. Angela Zhang, director of the Centre for Chinese Law, raised questions around Internet company compliance and future law enforcement measures. 

Professor Xu noted that legal experts from the State Council first began working on the law in 2005 to address the inevitable privacy challenges brought in by the advent of the digital age. Since 2005 however, data privacy protection laws in China had developed in a piecemeal fashion. While specific provisions aimed at protecting data privacy exist within several different laws, the recent drafting of the Personal Information Protection Law represents the first time a comprehensive overarching framework on data privacy will be established. 

Professor Xu identified a growing need for personal information protection which began in the early 2000s when the Chinese internet was just beginning to gain a foothold. Since those days, anxieties around data privacy issues including serious breaches have continued to vex users and regulators alike. Moreover, Professor Xu explained that as Art. 38 of the PRC constitution guarantees personal dignity, the draft law serves to elucidate that guarantee in line with the data privacy concerns of modern day Chinese citizens. 

Article 13 of the draft law governs the scenarios in which a personal information handler may obtain a user’s data. Similar to data privacy laws in other jurisdictions, Art. 13 places great importance on user consent, a concept frequently referenced in the draft law. However, the law contains a number of notable exceptions to this requirement including the collection of information in accordance with the public interest, in emergency situations, activities conducted in accordance with statutory obligations and exceptions established by other laws and administrative regulations. 

Professor Xu also identified the law’s status as a “mixed law”, in that it covers a broad area and comprises several functions. For instance, the law covers both criminal offenses and civil offenses. It also establishes a range of rights and obligations on both private entities as well as public organs.    The law’s breadth also extends to the jurisdiction it covers which is both domestic and extraterritorial.

During our discussion, questions were raised about the law’s enforcement, which is to be largely handled by central authorities.

 

Professor Xu explained that enforcement at the central level is usually relatively active, where issues that are easier to judge, such as compliance issues around the collection and processing of information have a greater focus. Local-level market supervision bureaus and local public security bureaus also engage in enforcement but to a lesser extent.

 

The underlying issues, such as whether the use of personal information is misused or in line with its collected purpose, has not yet been touched. Thus, how the Personal Information Protection Law will be enforced remains to be seen. Although the capacity for personal information protection has yet to be built, Professor Xu explained that the law contains softer enforcement measures such as administrative interviews to ease these capacity constraints.

 

Dr Zhang asked about Ant Group’s divestment to illustrate how the law may work in practice. As it has been reported that Ant Group will have to transfer the data of its user base to a collected joint venture, such an undertaking would be done in accordance with statutory requirements. As Art.13 provides an exception for such activities, this would appear to exempt Ant from the requirement to obtain user consent during the transfer. However, Professor Xu explained that this only exempts the duty to obtain authorization from the user, but the group is still obliged to tell its users about the data transfer and users may still choose to “opt out” after the consolidation, a mechanism provided by Art. 23. 

 

In answering a separate question, Professor Xu noted that when a company’s governance structure changes, the opt out mechanism should be used. However, with respect to the transfer of personal information in an asset purchase, users must be asked to authorize the use of their data, essentially opting-in.

 

While the law does not intrinsically provide for an administrative review mechanism, Fang Yu, the discussant, explained that review mechanisms already exist within the Administrative Reconsideration Law and the Administrative Penalty Law.

    

The draft Personal Information Protection Law has emerged as a response to the excesses of China’s rapidly growing digital economy. Drafters of the law have benefited from the existence of other such regulations including the EU’s General Data Protection Regulations which have similar aims. How the law will work in practice, especially given the many constraints on enforcement, will nevertheless herald a new era in Chinese data privacy protection.

 

To learn more about the Personal Information Protection Law, join the rest of the events in our series.