A proposed law issued by the People’s Republic of China (PRC) on October 21, 2020, the draft Personal Information Protection Law, seeks to impose restrictions on entities and individuals, including those operating outside of China, that collect and process personal data and sensitive information on subjects in China. The proposed law also provides for penalties up to RMB 50,000,000 ($7.4 million) or up to 5 percent of the entity’s or individual’s preceding year’s revenue. The draft law marks China’s first comprehensive system for the protection of personal information and sets forth general rules for the processing and transferring of personal information across China’s borders.

The draft law, which contains eight chapters and 70 articles covering cross-border data transfers, the rights of personal information subjects, the responsibilities of personal information processors, and penalties, sets forth strict requirements for the collection and maintenance of sensitive personal information. Under the proposed law, “personal data processors” must demonstrate a specific purpose and necessity for the collection of sensitive personal information. The law also includes consent requirements. U.S. companies may be most interested in the contemplated extraterritorial jurisdiction of some provisions in the draft law, which could create additional risk for companies operating in China or providing goods and services to those in China. The proposed law would apply to companies overseas (1) that process personal data of subjects in China in order to provide products or services to them, (2) that analyze and assess the activities of subjects in China through the collection of personal information, or (3) in other circumstances as provided by Chinese laws and regulations. Companies engaging in such activities also would be required to provide a point of contact within China to government authorities.

The Standing Committee of China’s National People’s Congress is accepting comments on the proposed law until November 19, 2020. If approved, the law will complement China’s existing Cybersecurity Law, which requires that certain data are stored within China and that organizations and network operators submit to government security checks, and the draft Data Privacy Law, which would regulate data transfers, including cross-border transfers that could have China national security implications. Crowell & Moring and Crowell & Moring International (CMI) have extensive experience assisting companies in navigating these laws, including:

  • Retailers and other companies that collect and analyze Chinese consumer data
  • Companies with technology hubs or development centers that rely on cross-border data transfers
  • Technology companies deploying software or applications intended to collect, store and analyze Chinese individual and corporate consumer and operational data

We stand ready to assist any companies that elect to submit comments directly or through trade associations (please note that many trade associations request comments the week of November 3rd). Please contact any of the individuals listed below if you or your company would like to learn more about the proposed law or the process of submitting comments.