China Introduces a Draft Comprehensive Data Protection Law

China has recently published and submitted for legislative review a draft of the country’s first comprehensive Data Protection Law.  The National People’s Congress of China further announced that citizens can submit public comments on the law until November 19, 2020.

Prior to the introduction of the Data Protection Law, China’s primary legislation regulating data, cybersecurity, and network management has been the 2017 Cybersecurity Law which requires network operators to store certain data in China and allows Chinese authorities to review companies’ network operations.

The Data Protection Law seeks to address three core priorities:  commercializing data, protecting consumer privacy, and national security interests.  Specifically, the Law covers topics such as personal information processing; cross-border transfers; data subject rights; obligations of data processors; legal liabilities; and governing authorities.

Like the other modern data protection legislation, the Law will apply extraterritorially. For example, the Law could be applicable outside of China to the extent necessary to protect the interests of data subjects in China, as well as in cases where the purpose of processing outside of China is to provide products or services to individuals in China or to analyze and make assessments about the behavior of individuals in China.

Notably, under the proposed Law, certain data transfers, such as where data processor is categorized as a critical information infrastructure operator or where the volume of data processed by the data processor exceeds a certain level, the transfer of personal information would need to undergo security assessments by the Chinese authorities.

Furthermore, the authorities would be permitted to blacklist overseas organizations or individuals which are found to damage Chinese citizens’ rights to private data or to be involved in personal data activities that harm national security and public interests.  According to some experts, these provisions could potentially target overseas social media platforms, including in the United States.

Given that China is one of the major economic players in the world, the Data Protection Law, whenever it is enacted, will have a significant impact on data transfers, operations, and compliance of companies across the world.  Furthermore, given its extraterritorial application, the law might directly affect the U.S. companies operating on the Chinese market or processing personal data of Chinese citizens.

Ask Clarip today how we can solve your biggest privacy compliance pain points, Call Clarip at 1-888-252-5653