D A T A P R O T E C T I O N
China’s Draft ‘Personal
Information Protection Law’
General meaning of Personal Data
In daily lives we give our personal data which is also known as personal information to somewhere or the other. Personal
data is the data which identifies an individual who owns that data. For example while purchasing anything online, while
signing on the applications, while using online payment modes, etc.
Personal Data / information includes:
A name or surname
An email address
An ID card number [aadhar card number, PAN number, passport]
An IP address
Information held by a hospital, etc.
Personal data under the draft
Personal data is defined under the draft:
Individual data is a wide range of data recorded by electronic or different means identified with distinguished or
recognizable normal people, excluding data after anonymization taking care of.
Individual data dealing with incorporates individual data assortment, stockpiling, use, preparing, transmission,
arrangement, distribution, and other such exercises.
Personal information handling
Individual data controllers may just deal with individual data where they adjust to one of the accompanying condition:
• Getting people’s assent
• Where important to close or satisfy an agreement wherein the individual is an invested individual
• Where important to satisfy legal obligations and obligations or legal commitments
• Where important to react to unexpected general wellbeing episodes or ensure regular people’s lives and wellbeing, or the
security of their property , under crises conditions
• Taking care of individual data inside a sensible extension to execute news detailing, popular assessment oversight, and
other such exercises for the public interest
• Different conditions gave in laws and authoritative guidelines
Health concerning data
Religious opinion, etc
Types of sensitive personal data:
• Personal information
• Business information
• Classified information
Sensitive Personal data needs more protection because of its sensitive nature. It has to be processed differently from the
other data and there is a clear distinction between sensitive personal data and non-sensitive personal data made by GDPR.
General meaning of sensitive personal data
Sensitive personal data under the Draft
The expression “sensitive personal data” under the draft PIP law is characterized as individual data of which spillage or
unlawful use might prompt prejudicial therapy or genuine harm to individual or property wellbeing, including race,
nationality, strict convictions, individual biometrics, clinical wellbeing data, monetary records, and individual
location/whereabouts, and so forth.
The draft PIP law gives more limitations on the handling of delicate individual data. An individual data processor can
possibly deal with sensitive personal information on the off chance that it has explicit purposes and such preparing is
adequately fundamental, yet the draft PIP law doesn’t give further translation of what comprises “explicit purposes” and
Sensitive personal information handling
Individual data oversees might deal with delicate individual data just for explicit purposes and when adequately
When dealing with delicate individual data depends on individual assent, individual data oversees will get independent
assent from the person.
When individual data oversees handle sensitive personal data, aside from the prerequisites of article 18 of the law, they
will likewise tell the person about the need of sensitive personal data taking care of , as well as the impact on the person.
Where laws or authoritative guidelines give that significant regulatory licenses will be gotten or stricter limitation forced for
the treatment of delicate individual data, those arrangements are followed.
Scope and Applicability
The draft PIP just indicates responsibility and consistence necessities on “individual data processor” that refers to
associations or people that autonomously decide the reason, extension, scope, and strategies for preparing of individual
This law applies to state organs’ exercises of taking care of individual data; where this section contains explicit
arrangement, the arrangements of this part applies.
State organs taking care of individual’s data to satisfy their legal obligations and obligations will lead them as per the
forces and strategies gave parents in law and managerial guidelines; they may not surpass the extension or degree
important to satisfy their legal obligations and responsibilities.
Individual data took care by state bodies will be stored within the boundaries of the people’s republic of China; where it is
important to give it abroad, a danger appraisal will be led.
Application divisions might be needed to offer help, support and assistance for hazard evaluations.
Global organizations might be generally intrigued by the considered extraterritorial jurisdiction of the draft PIP law, which may
expand consistence hazard for unfamiliar organizations that have working subsidiaries in China or don’t have a legitimate
presence in China yet provide products or administrations to Chinese people.
The draft would apply to company overseas:
That interaction individual data of people in China to provide products or administrations to them;
Data or any information which is considered as personal data is protected under the draft. It is the sole responsibility
of the data user to safeguard and protect the personal data that they collect.
That investigate and evaluate the exercises of people in China through the assortment of individual data; or
For different purposes indicated by laws and regulatory guidelines.
Furthermore, the draft PIP law additionally looks like the GDPR arrangement and requires seaward processors that cycle
individual data of people in the PRC to build up an assigned office or delegate an agent in the PRC to be answerable for
individual data assurance in the PRC. Name and contact data of such office or agent ought to be submitted to the controllers.
This law will applies to associations and people’s taking care of individual data exercises of normal people inside the
boundaries of people’s Republic of China.
Where one of the accompanying conditions is available in taking care exercises outside the line of people’s republic of
China of personal data of regular people inside the lines of the people’s republic of China, this law applies too;
•Where the object id to give items or administrations to regular people inside the lines;
•Where directing examinations or evaluations of activities of normal or regular people inside the boundaries
•Other situations provides in law or administrative guidelines.
Repeating the GDPR abroad processors if individual data that fall inside the extraterritorial extent of the PIP law should build
up “uncommon foundation or assigned delegates” inside the territory of China to manage PIP law matters for the benefit of
the abroad element.
General meaning of consent
As we all know that there is a requirement of consent when we use something of someone. Consent means
giving people a real choice and control over how you use their data.
The consent which has no real choice, that does not considered as a free consent and it will be invalid.
A person is said to be given a free consent when he is not bound by anything or anyone and must be able to
withdraw consent easily anytime whenever he wants to.
It also means that consent should be boundless or unbundled from other terms and conditions.
Consent under the draft
If the data subject would like to use the data collected for some different purpose other than then that for which it is
collected, the data subject must obtain the prescribed consent of the person whom data they are using and the consent
must be free [voluntarily].
This means that the person has given their consent on their behalf.
If the data user is not able to give the consent, a person who is minor [that is below the age of 18] in that situation, parents
of that person is responsible for giving the consent on the behalf of that person.
Before a data user can use a data subject’s personal information or data for marketing purposes, the user must obtain
his/her consent. This consent must be given orally or in written form.
Consent for taking care of individual personal data will be given by people under the precondition of full information, and in a
deliberate, voluntary and explicit proclamation of wishes.
Where laws or managerial guidelines give that separate consent or written consent will be acquired to deal with individual
data, those arrangements are followed.
Where a change happens in the purpose of handling the personal data of an individual, the dealing with strategy, or the
classes took care of individual data, the person’s consent shall be acquired once more.
Without the consent of the individual data controller, and endowed party may not further depend individual data taking care of
to different people. Individual data controller will, where it is important to move individual data because of consolidation,
partitions, and other such reason, inform people about the accepting party’s personality and contact technique.
Where the receiving side changes the first taking care of direction or dealing with strategy, they will advise the individual
again as given in this law and acquire their consent. Where the reason at the time the individual data was distributed isn’t
clear, individual data collectors will deal with distributed personal data in a sensible and careful way; for activities using
distributed personal data affecting people, the individual will be told by the arrangements of the PIP law, and their consent
obtained. An individual also have the right to revoke or withdraw hid consent of individual data taking care of exercises
conducted based on person’s consent. Without the consent of the personal data handler, a dependent party may not further
entrust individual data handling of to another person. When the personal information handlers provide the information to third
party, they shall notify the individual about the identity of third party which includes their name, contact details, there data
receiving and handling method, ad obtain an individual consent for it.
In the case of processing sensitive personal data, the handler shall obtain separate consent from the individual. That too in
written form were provided by laws or administrative regulations. When state organs handles personal data for the purpose or
reason to fulfill statuary duties and responsibilities shall notify the data owner according to the provisions of this law and must
obtain their consent. When the personal data is provided by the personal data handlers outside the border of People’s
Republic of China, they should inform the individual about the data receiver outside and must obtain separate consent the
It is clearly mentioned in the draft that if the data handler rescinds his consent, personal data handlers shall, dependent on
individual’s request, delete personal information.
According to the PIP draft there are some there are some basic principles that must be followed for the processing and
functioning of personal data or information:
• The principle of legality and goof faith
Personal data or information of an individual should be processed in accordance with the criteria or principle of legality,
appropriateness, necessity, need and good faith. The PIPL underlines that personal data must not be handled through
deceiving, fake, fraudulent or coercive manner or strategies.
• Clear and reasonable purpose
Purpose that is both clear and reasonable. Personal data processing should have a clear, fair, sensible and reasonable
purpose that is directly connected to the processing purpose. The processing personal data should be prepared in a
manner that has a least impact on personal rights of an individual.
Personal information should be collected only to the that extent which is necessary for the intended purpose, and
unreasonable collection of data or information is not permitted under the draft.
• Transparency and openness
The processors of personal information must explicitly disclose or reveal the personal data processing rules, the
purpose of processing the information, the processing mechanism and the processing scope of the same.
• Quality assurance
To avoid any detrimental impact on personal rights and interest caused by inaccuracy and incompleteness of personal
information, the quality of personal information must be protected when it is processed.
Furthermore, the processors are responsible for taking precautions to protect the security and privacy of personal data
Unlawful acquisition, use, processing, and transfer of personal data, as well as the illegal sale, supply, and publishing
of personal information, are all banned for both entities and people.
Processing actions that jeopardise national security and the public interest are strictly banned.
The PIPL further refines the standards and principles and personal data processing rules to be followed in the security of
individual data, explains the limits of rights and obligations in processing activities of personal information and further
develops the framework and method or mechanism for personal data security and protection.
Where it is required to transmit personal data outside the borders of PRC (People’s Republic of Chins) for global legal help
or administrative law enforcement help, an application must be made with the appropriate competent agency for
permission, according to the legislation.
Regarding the PIPL, at the same time as government’s organs and its data protection authorities are getting ready to deal
with it. What actions are required by the PIPL one it enforced is the question. Answering that, there are some actions which
is required by PIP law such as:
• Creating internal management structure and rules within the organization to handle data and to manage the handling of
data within the organization.
• Adopting corresponding technical security measures that would include physical measures like safety but, of course also
cyber measures software limiting the access to data to on a need to known basis within the organization and encryption
• Determining operational limits for personal information handling.
• Regularly conducting security education and training within the organization for employees that have access to data.
• Formulating security incident response plans
In all over the world many countries still don’t have any law related to data protection. China has also started looking into
data related law which subsequently result with several legislations implemented or drafted for public consultation in the
last few years. Personal Information Protection (PIP) law just closed for public opinion and expected to be finalised in later
The government which is responsible for the enforcement of this law is CAC (Cyberspace Administration China)
Internal transfer of information
Under the draft, it is mentioned under Article 38 that if the data processor has to transmit personal data beyond of PRC
for business or any other purpose, the data processor must meet at least one of the following requirements:
• Passing a security assessment determined by the CAC (Cyberspace Administration China) which is the government
department that is responsible for the enforcement of this law
• CAC as per Article 40 of the draft of PIPL, which necessitates that administration of Critical Information Infrastructure
(CII) 1 and that move a specific volume of personal data of an individual (to be determined by CAC) should locally
store personal data collected and created in PRC and should go through a security assessment if the cross-border
transfer id necessary, except if such security evaluation is not needed by laws, administrative regulators and CAC
• Obtaining a certification provided by the CAC
• Establishing an agreement with the foreign receiving party (this is something that would be in the control of data
handler without the need of government approval)
• Other conditions provided in laws, administrative regulations, or by the CAC
The regulations governing cross-border information transmitting are a major source of worry for many international
corporations doing business in the PRC.
In general, the PIPL requires personal information processors to take the appropriate steps to ensure that the actions of
foreign receiver in processing personal data comply with the PIPL’s personal information protection requirements.
Besides the above general requirements, Critical Information Infrastructure Operators (CIIO) or personal information
processing companies that processes up to the amount authorized by the national cyberspace administration should keep
personal data within China in addition to the above general requirement.
As a result, that applicant must pass the national cyberspace authority’s security assessment before they may provide
such information to an overseas recipient, if it is necessary.
Beyond the criteria, they urge that firms pay attention to any specific rues or advice that may be imposed by ralavent
Automobile data processors that hold critical data may only send data overseas if it is absolutely necessary and only after
passing a data outbound security assessment established by the national cyberspace authority.
Individuals and organizations are not permitted under Article 41 of the PIPL to transmit personal data held in China to
foreign law enforcement authorities without the prior consent of the appropriate Chinese authorities. It is unclear how data
“stored within China” is defined and how a “data processing” company may request for permission at this time; the actual
implementation of such provision would most likely depend on further precise laws or measures released by the
appropriate regulatory agencies.
Even if a processor is permitted to transfer personal information to an offshore party, it must notify individuals of at least the
following information: the offshore recipient's identity and contact information; the purposes and means of processing; the
categories of personal information to be transferred; and the means to exercise rights under this law against the offshore
Furthermore, for such cross-border transfers, the processor must seek individual consent from everyone.
Data breach is a security incident in which sensitive protected or confidential data is
copied, transmitted, viewed, stolen or used by an individual and unauthorized to do so.
In the incident of data breach it might involve the loss or damage of financial
information, social media account, band accounts, credit card or debit card details,
personal medical information, email address, passwords, necessary documents, and
other confidential information which is really private to an individual.
Many jurisdictions have past data breach notification laws requiring a company that
has been subject to a data breach to inform customers and take other steps to
remediate possible injuries, this may include incidents such as theft or loss of digital
media such as computer tapes, hard drives or laptop computers containing such media
upon which such information is stored unencrypted. Posting such information on the
world wide web or on a computer otherwise accessible from the internet without
proper information security precautions cause those damages.
Data breaches present position under PIPL
Proposed amendments regarding necessary breach notification
• Definition of “personal data breach”
• Notification threshold
• Notification timeframe
• Mode of notification
Lawful processing of personal data
A data user must have to collect data from a data subject for a lawful purpose. For which a data subject is giving his consent
to data user to use his personal data that processing must be lawful and trustworthy.
A data user may collect personal information of a data subject on if:
• The personal information on an individual is collected for a lawful purpose which is directly related to the event of exercise of
the data user who is to use the personal data.
• It should be mandatory that the collection of personal data is for and directly related to that purpose for which he has given
his voluntary consent.
• The personal data is sufficient or adequate, but not excessive in relation to that purpose.
• There must be a fair and reasonable processing of personal data of an individual.
• Personal data shall be processing to only that purpose which is clear, specific, direct and lawful.
• There must be a collection limitation which means that only necessary personal data must be collected, and the collection must
be limited to such data.
• Personal data may be processed, if necessary, situation occurred such as to respond to any medical emergency, to take
measure to provide health services to any individual an epidemic or pandemic, to ensure the safety on a personal during the
situation of any disaster or any breakdown of public order, necessary for the employment etc.
• Processing of sensitive personal data based on explicit content, for certain functions of the state, for any order of the court or
tribunal, for prompt action [medical emergency], processing of personal sensitive data of children, etc.
Moreover, if the personal data will be used or transferred for direct marketing
purposes or any other purpose which is not included in the original collection
purpose or a directly related purpose , consent is required for that. Data subject
have the right to ask a data user to stop using or transferring the personal
information for direct marketing purposes, and the data user must observe or
comply with such requests.
Companies that violate the PIPL are liable to administrative, civil, and criminal penalties, as described below. Administrative
penalties. In the case of a violation of the PIPL, personal information protection authorities may issue a rectification order or
a warning, and any unlawful gains may be confiscated. Services for the relevant apps may be suspended or terminated.
Companies and their accountable executives that refuse to correct violations may face extra penalties.
Serious violations may result in the suspension of business activities, the termination of a business certificate, and the
imposition of a fine of up to RMB 50,000,000 or 5% of annual revenue. Fines and bans from accepting management or
personal information protection responsibilities in other firms may be imposed on responsible executives. In line with the
applicable rules, PIPL breaches may also be made public and recorded in the social credit records of the relevant firms.
Civil liability. If the processing of personal information in violation of an individual's rights causes injury and the personal
information processor cannot demonstrate that it is not at fault, the processor may be held responsible for damages and
other civil penalties. If a substantial number of people are affected, designated consumer groups may file a lawsuit on their
behalf. Criminal Responsibility. Violations of the PIPL that constitute criminal crimes may result in criminal prosecution.
Individual rights under the PIP draft
Individual rights before data handling under the draft:
• To know that the data is being handled
• To decide, if the data id going to be handled
• To limit the purpose of handling the data
• To refuse to handle the data
Data subject’s rights one the data is handled:
• To access the data
• To copy the data
• To correct or complete the data, if required
• To delete the data and once it has been done there is also a right to be forgotten
Individual rights. When it comes to personal information processing activities, this law codifies the individual's rights such as
the right to know and to restrict or reject others' processing of personal information, as well as the right of inquiry and
request a copy of personal information from processors. Those that process personal data are required to provide persons
with a simple way to exercise the rights listed above.
Individuals also have the right to revoke their consent to personal information handling actions done with their consent.
They must agree on the rights and duties of each when two or more handlers of personal information make a joint decision
on a personal information handling purpose and method. As a result of this agreement, an individual is still free and clear to
demand that any personal information handler comply with all this Law's obligations. Personal information controllers are
jointly liable if they infringe on personal information rights and interests.
It is a person's right to ask personal information handlers to explain how automated decision making affects their rights and
interests, and it is also their right to reject that personal information handlers make choices exclusively based on automated
When talking about the regulations on the cross-border provisions of personal information one of them is that conclusion of
an agreement with a foreign receiving party, agreement on both parties' rights and duties, and supervision of their personal
information handling activities to ensure compliance with the personal information protection standards set out in this Law.
Where personal information handlers provide personal information outside of the borders of the People’s Republic of China,
they must inform individuals about the foreign receiving party's identity, contact method and handling purpose as well as
personal information categories, as well as how they can exercise their rights under this Law with the foreign receiving party.
They must set up procedures to accept and process requests from persons seeking to exercise their rights. If they deny a
person's request to exercise their rights, they must give a justification for doing so.
The right to make a complaint or report regarding unlawful personal information handling practises is available to any
organisation or individual.
The DPP5 requires data users to take all the reasonable measures to ensure that
their personal information policies and exercises regarding personal data
collecting, storing, transferring and using it.
In the PDPO, accountability principles and other privacy management measures
are not explicitly defined. In order to ensure compliance with the PDPO, the
PCPD recommends organizations adopt privacy management system.
The PCPD also recommends appointing data protection officers and conducting
privacy impact assessments for this purpose.
All feasible steps must be taken to safeguard personal data possessed by data
users against unauthorized access, use, processing, erasure, lost, theft or
Breach notification has no mandatory requirement, but it is recommended that
the PCPD (and the data subjects, where appropriate) be notified
If there is any kind of data breach and there is no proper mechanism that was
being followed, the organization shall be accountable for that.
The PDPO does not explicitly make certification or adherence to a code of prsctice
a legal basis for cross-border transfers.
Data protection authority
Privacy Commissioner for Personal Data (PCPD) is the authority which enforcing
the PDPO in Hong Kong. Furthermore, the PCPD has additionally developed a
number of codes of practice (available here) that provide practical guidance in
relation to the requirements under the PDPO.
If a data user breaches the code of practice, the presumption will apply to any
legal proceeding under the PDPO, unless the data user can demonstrate that the
requirement of the PDPO was actually complied within an alternative way.
Various guidance notes has published by PCPD which referred to as good practice
recommendations for protecting personal data in Hong Kong.
PCPD is an independent statutory body established to supervise the enforcement
As stated on its website, its main responsibility is to “ensure the protection of the
privacy of individuals in terms of personal data by promoting, monitoring and
supervising compliance with the PDPO.
The PCPD has upheld since 2014 for hierarchical data users to execute a Privacy
management programme (PMP), in order to accept personal data assurance as a
component of their corporate administration obligations and apply them as a basic
all through the association.
Recently, the PCPD reexamined and distributed its Privacy Management Program:
a best practice guide (the PMP guide), which prescribes association to shape PMPs
with three segment, specifically:
Continues evaluation and update
To oversee the compliance with the PDPO and implementation of the PMP, the
PMP guide encourages organizations to appoint a designated officer (i.e. a DPO).
The DPO should either the owner of a small organization or a senior executive of a
The main responsibilities of a DPO is:
setting up and executing the PMP program controls, specifically tracking
the association’s very own personal data, starting the beginning of occasional
danger evaluation to all divisions, organizing and observing the treatment of
data breach incidents.
auditing the adequacy of the PMP, for example setting up an oversight and
survey plan for the PMP and overhauling the program controls where it is
if any problem is occurred, reporting it to the top management periodically
on the organization’s compliance issues, problem encountered, and
complaints received in relation to personal data privacy.
The PCPD has power to find relevant data users when it receives a complaint or
has reasonable reasons to believe that an activity has contravened the relevant
needs the PDPO.
The PCPD also has the authority to review any personal data system used by a data
user in order to obtain information that will assist the PCPD in making
recommendations for compliance with the PDPO. The PCPD has to inform the
respective data user in advance in writing of its intention to inspect or conduct an
investigation, unless there are reasonable assumptions that this harm the
purposes of the investigation.
For investigation or inspection purposes, the PCPD may enter may enter into any
premises with a court order or prior written notice.
If the investigation confirms that the data user has violated a PDPO requirement,
the PDPO can send the data user an enforcement notice to instruct him to take
necessary steps to remedy the violation and to take reasonable legal steps.
Compliance with an enforcement order is a criminal offence.
Moreover, if a data subject is harmed as a result of a breach under the PDPO, the
PCPD may provide legal assistance to bring a claim against the relevant data user.
In an investigation the PCPD will also try to resolve the issue in a less formal way
through mediation or conciliation.
Data users may not transfer personal data to third party without informing the
data subject of the following at the time their personal data was collected or
before it or before it was collected:
That their personal data or information could be transferred
The types of people the data could be transferred
There are presently no restrictions on the transfer of personal data outside of
Hong Kong, as the cross-border transfer restrictions outlined in the ordinance
have yet to take effect.
In the event that these restrictions come into force as right now drafted, they
will have a critical affect upon outsourcing courses of action, intragroup
information sharing courses of action, compliance with oversees reporting
commitments and other exercises that include cross-border data exchange.
All things considered, non-binding best practice guidance distributed by the PCPD
energizes compliance with the cross-border transfer restrictions in the ordinance,
which disallow the exchange of personal information to outside Hong Kong unless,
certain situations are met [counting a white list of jurisdictions; separate and
intentional consent obtained from the information subject; and an enforceable
information exchange understanding for which the PCPD gives proposed model
Anonymised data means data which removes all identifiers irreversibly and that
data subject is no longer identifiable in any manner.
It is an information which may be a sort of data sanitization in which
information anonymization devices scramble or expel actually identifiable data
from data sets from the reason of protecting a data subject’s privacy.
This decreases the chance of unintended disclosure amid the exchange of data
over boundaries and encourages assessment analytics post-anonymization.
There is no such concept of anonymization within the PDPO.
However, the PCPD distributes the guidance note titled Direction on Individual
Eradication and anonymization which gives the information which is
anonymised, to the degree that the data user will not be able to specifically of
indirectly identify the individual concerned, will not be considered as [personal
data] under the PDPO.
Anonymising data is therefore an alternative for taking care of an individual’s
information which is not required for the purpose for which it was collected or
stored, other than total erasure.
Concluding that, anonymized data is not considered as “personal data” under
Personal Data Privacy Ordinance PDPO.
Data localization means information localization or information residency law
requires information around a nation’s citizens or inhabitants to be collected,
handled, stored and/or put inside the nation, frequently some time before
being transferred internationally.