Law of the People's Republic of China on Personal Information Protection (Draft)

Table of Contents

Chapter I General Provisions

Chapter II Rules on Personal Information Handling

Section 1 General Rules

Section 2 Rules on Handling of Sensitive Personal Information

Section 3 Special Provisions on Personal Information Handling by State Organs

Chapter III Rules on Cross-border Provision of Personal Information

Chapter IV Rights of Individuals in Personal Information Handling Activities

Chapter V Obligations of Personal Information Handlers

Chapter VI Authorities Performing Personal Information Protection Duties

Chapter VII Legal Liability

Chapter VIII Supplementary Provisions

Chapter I General Provisions

Article 1 This Law is formulated for the purpose of protecting personal information rights and interests, regulating personal information handling activities, safeguarding the orderly and free flow of personal information in accordance with the law, and promoting the rational utilization of personal information.

Article 2 The personal information of natural persons shall be protected by law. No organization or individual may infringe upon the personal information rights and interests of natural persons.

Article 3 This Law shall apply to activities conducted by organizations and individuals to handle the personal information of natural persons within the territory of the People's Republic of China.

This Law shall also apply to activities conducted outside the territory of the People's Republic of China to handle the personal information of natural persons within the territory of the People's Republic of China under any of the following circumstances:

1. personal information handling is to serve the purpose of providing products or services for natural persons within the territory of the People's Republic of China;

2. personal information handling is to serve the purpose of analyzing and evaluating the behaviors of natural persons within the territory of the People's Republic of China; or

3. having other circumstances as stipulated by laws and administrative regulations.

Article 4 Personal information refers to all kinds of information related to identified or identifiable natural persons as recorded by electronic or other means, excluding information after anonymization treatment.

Personal information handling includes the collection, storage, use, processing, transmission, provision, disclosure and other activities of personal information.

Article 5 Personal information handling shall be conducted in a legal and legitimate manner and in line with the principle of good faith. Personal information shall not be handled in a fraudulent or misleading way.

Article 6 Personal information handling shall have a clear and reasonable purpose, and shall be limited to the minimum scope required for achieving the purpose of handling. Any personal information handling that is irrelevant to the purpose of handling shall not be conducted.

Article 7 Personal information handling shall be conducted in line with the principles of openness and transparency, and the rules on personal information handling shall be explicitly publicized.

Article 8 In order to achieve the purpose of handling, personal information to be handled shall be accurate and updated in a timely manner.

Article 9 Personal information handlers shall be responsible for their personal information handling activities and take necessary measures to safeguard the security of the personal information which they handle.

Article 10 No organization or individual may handle personal information in violation of the provisions of laws or administrative regulations, or engage in personal information handling activities that endanger national security or public interests.

Article 11 The State shall establish and improve a personal information protection system, prevent and punish any act of infringement of personal information rights and interests, strengthen publicity and education on the protection of personal information, and promote the creation of a favorable environment for the government, enterprises, relevant industrial organizations and the public to participate in the protection of personal information.

Article 12 The State shall actively participate in the formulation of international rules on the protection of personal information, promote international exchanges and cooperation in personal information protection, and promote mutual recognition of personal information protection rules and standards with other countries, regions and international organizations.

Chapter II Rules on Personal Information Handling

Section 1 General Rules

Article 13 A personal information handler may handle personal information only if it meets any of the following circumstances:

1. having obtained the consent of the person whose personal information is to be collected;

2. conducting personal information handling which is essential for entering into or performing a contract to which it is a contracting party;

3. conducting personal information handling which is essential for performing statutory responsibilities or obligations;

4. conducting personal information handling which is essential for responding to public health emergencies or for protecting the life, health or property safety of natural persons in emergency situations;

5. conducting personal information handling within the reasonable scope of implementing news reporting, public opinion supervision and other actions for the public interest; or

6. having other circumstances as stipulated by laws and administrative regulations.

Article 14 Any consent to personal information handling shall be expressed by individuals voluntarily and explicitly on the premise of full knowledge. If any law or administrative regulation stipulates that a separate or written consent shall be obtained from the individuals for handling personal information, such provisions shall prevail.

In case of any change in the handling purpose, method or type of personal information, personal consent shall be obtained once again.

Article 15 If a personal information handler knows or should know that the personal information it handles is the personal information of a minor under the age of 14, it shall obtain the consent of the guardian of the said minor.

Article 16 Individuals shall have the right to withdraw their consent to the personal information handling activities which are conducted based on their consent.

Article 17 Any personal information handler shall not refuse to provide products or services on the ground that an individual does not give consent to the handling of his or her personal information or withdraws his or her consent to such handling, except that the handling of personal information is essential for the provision of products or services.

Article 18 Prior to handling personal information, personal information handlers shall inform, in a conspicuous way and in clear and understandable language, the individuals of the following matters:

1. identity and contact information of the personal information handler;

2. purpose and method of personal information handling, and type and storage period of personal information to be handled;

3. ways and procedures for individuals to exercise their rights as prescribed in this Law; and

4. other matters that shall be informed in accordance with laws and administrative regulations.

In case of any change to the matters as specified in the preceding paragraph, individuals shall be informed of the changed part.

If a personal information handler informs the individuals of the matters as specified in the first paragraph by formulating rules on personal information handling, such rules shall be made public and shall be easy to access and to retain.

Article 19 When handling personal information, personal information handlers may not inform individuals of the matters as specified in the preceding article if there is any circumstance that should be kept confidential and is not required to be disclosed as stipulated by laws or administrative regulations.

In case of emergencies where it is impossible to promptly inform individuals as necessitated for the protection of the life, health or property safety of a natural person, personal information handlers shall inform individuals after the emergencies are eliminated.

Article 20 The storage period of personal information shall be the shortest time necessary for achieving the purpose of handling. If there are separate provisions on the storage period of personal information in laws and administrative regulations, such provisions shall prevail.

Article 21 If two or more personal information handlers jointly decide on the purpose and method of personal information handling, they shall provide for their respective rights and obligations, which, however, shall not affect the right of an individual to make the requests provided for in this Law to any one of the personal information handlers.

If personal information handlers jointly handle personal information and thereby infringe upon personal information rights and interests, they shall bear joint and several liability in accordance with the law.

Article 22 If a personal information handler entrusts a party to handle personal information, it shall conclude a contract with the entrusted party on the purpose for entrusted handling, the handling method, types of personal information, protection measures, as well as the rights and obligations of both parties, etc., and shall supervise the personal information handling activities of the entrusted party.

The entrusted party shall handle personal information as agreed on, and may not handle personal information in excess of the agreed handling purposes and handling method, and shall return the personal information to the entrusting personal information handler or delete it after the contract is performed and completed or the entrustment relationship is terminated.

Without the consent of the entrusting personal information handler, the entrusted party may not further entrust other persons to handle the personal information.

Article 23 If a personal information handler needs to transfer personal information due to merger, split or other reasons, it shall inform individuals of the identity and contact information of the receiving party. The receiving party shall continue to perform the obligations of the personal information handler. If the receiving party changes the original purpose or method of handling, it shall inform individuals and obtain their consent again in accordance with the provisions of this Law.

Article 24 If a personal information handler provides the personal information which it handles to a third party, it shall inform individuals of the third party's identity, contact information, handling purpose, handling method, and types of personal information, and obtain the specific consent of the individual. The third party receiving the personal information shall handle it within the above-mentioned scope of handling purpose, handling method, types of personal information, etc. If the third party changes the original handling purpose or handling method, it shall inform the individuals and obtain their consent again in accordance with the provisions of this Law.

If a personal information handler provides anonymized information to a third party, the third party may not use technical or other means to re-identify individuals.

Article 25 When using personal information to conduct automated decision-making, personal information handlers shall guarantee the transparency of their decision-making and the fairness and reasonableness of their handling results. If an individual considers that an automated decision has a material impact on his or her rights and interests, he or she has the right to require the relevant personal information handler to give an explanation, and to refuse to have the said personal information handler make decisions solely by means of automated decision-making.

When conducting business marketing and information push delivery through automated decision-making, personal information handlers shall simultaneously provide an option that is not targeted at the personal characteristics of the individual.

Article 26 Personal information handlers may not publish the personal information which they handle, except with the specific consent of individuals or otherwise provided for by laws and administrative regulations.

Article 27 The installation of image collection and personal identity recognition devices in public places shall be limited to what is required for safeguarding public security and shall comply with the relevant provisions of the State, and clear indicating signs shall be placed. The collected personal images and personal identity characteristic information may only be used for the purpose of safeguarding public security, and may not be made public or provided to other persons, except with the specific consent of individuals or as otherwise provided for by laws and administrative regulations.

Article 28 When handling disclosed personal information, personal information handlers shall conform to the purposes for which such personal information is disclosed; if the handling thereof exceeds the reasonable scope related to the said purposes, personal information handlers shall inform the individuals and obtain their consent in accordance with the provisions of this Law.

If no clear purpose is specified when personal information is disclosed, personal information handlers shall handle the disclosed personal information reasonably and with discretion; to use any disclosed personal information for activities that have a material impact on individuals, personal information handlers shall inform the individuals concerned and obtain their consent in accordance with the provisions of this Law.

Section 2 Rules on Handling of Sensitive Personal Information

Article 29 Only when personal information handlers have specific purposes and sufficient necessity shall they be allowed to handle sensitive personal information.

Sensitive personal information refers to personal information that, once leaked or illegally used, may lead to discrimination against individuals or serious harm to personal or property safety, including race, ethnicity, religious belief, personal biometric features, medical history, health, financial accounts, personal whereabouts and other such information.

Article 30 Where the handling of sensitive personal information is subject to personal consent, personal information handlers shall obtain separate consent of the individuals. Where laws and administrative regulations stipulate that written consent shall be obtained for handling sensitive personal information, such provisions shall be followed.

Article 31 To handle sensitive personal information, personal information handlers shall, in addition to the matters specified in Article 18 hereof, inform the individuals of the necessity of handling such sensitive personal information and the impact on them.

Article 32 Where laws and administrative regulations stipulate that the handling of sensitive personal information shall be subject to relevant administrative license or more stringent restrictions, such provisions shall prevail.

Section 3 Special Provisions on Personal Information Handling by State Organs

Article 33 This Law shall apply to the personal information handling activities conducted by State organs; if there are special provisions in this section, such provisions shall apply.

Article 34 To handle personal information for the purpose of performing their statutory duties, State organs shall do so in accordance with the authorities and procedures prescribed by laws and administrative regulations, and shall not exceed the scope or limit necessary for the performance of their statutory duties.

Article 35 When handling personal information for the purpose of performing their statutory duties, State organs shall inform the individuals and obtain their consent in accordance with the provisions of this Law, except where confidentiality shall be kept as stipulated by laws and administrative regulations, or where giving notification or obtaining consent will hinder State organs from performing their statutory duties.

Article 36 State organs shall not disclose or provide to others the personal information they handle, unless otherwise provided for by laws or administrative regulations or with the consent of the individuals.

Article 37 Personal information handled by State organs shall be stored within the territory of the People's Republic of China; where it is truly necessary to provide such information overseas, a risk assessment shall be conducted. For such risk assessment, support and assistance may be requested from relevant authorities.

Chapter III Rules on Cross-border Provision of Personal Information

Article 38 If, for business needs, personal information handlers truly need to provide personal information outside the territory of the People's Republic of China, they shall meet at least one of the following conditions:

1. having passed the security assessment organized by the State cyberspace authorities in accordance with the provisions of Article 40 hereof;

2. having obtained personal information protection certification from professional agencies in accordance with the provisions of the State cyberspace authorities;

3. having signed a contract with the overseas receiving parties to stipulate the rights and obligations of both parties, and supervising their personal information handling activities to ensure that the personal information protection standards as stipulated in this Law are met; or

4. meeting other conditions stipulated by laws, administrative regulations or the State cyberspace authorities.

Article 39 If a personal information handler provides personal information outside the territory of the People's Republic of China, it shall inform the individuals of the identity and contact information of the overseas receiving party, the handling purpose and method, the type of personal information to be handled, and the way by which the individuals can exercise the rights provided for hereunder against the overseas receiving party, and shall obtain the separate consent of the individuals.

Article 40 Critical information infrastructure operators and personal information handlers who handle personal information up to the amount specified by the State cyberspace authorities shall store within the territory of the People's Republic of China the personal information which they collect and generate within the territory of the People's Republic of China. If it is truly necessary to provide such information overseas, they shall pass the security assessment organized by the State cyberspace authorities; if any law, administrative regulation or the State cyberspace authorities stipulate that the security assessment may be dispensed with, such provision shall prevail.

Article 41 Where it is necessary to provide personal information outside the territory of the People's Republic of China as a result of international judicial assistance or administrative law enforcement assistance, an application shall be filed with the relevant competent authorities for approval according to the law.

Where the People's Republic of China has concluded or participated in international treaties or agreements that contain provisions on providing personal information outside the territory of the People's Republic of China, such provisions shall prevail.

Article 42 Where foreign organizations or individuals engage in personal information handling activities that harm the personal information rights and interests of citizens of the People's Republic of China, or endanger the national security or public interests of the People's Republic of China, the State cyberspace authorities may include them in a list of parties to whom the provision of personal information is limited or prohibited, make an announcement thereof, and take measures such as limiting or prohibiting the provision of personal information to them.

Article 43 Where any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the People's Republic of China in respect of personal information protection, the People's Republic of China may take corresponding measures against that country or region in light of the actual situation.

Chapter IV Rights of Individuals in Personal Information Handling Activities

Article 44 Individuals have the right to know and decide on the handling of their personal information and have the right to restrict or refuse the handling of their personal information by others, unless otherwise provided by laws and administrative regulations.

Article 45 Individuals have the right to access and copy their personal information from personal information handlers, except in circumstances provided for in Paragraph 1 of Article 19 of this Law.

Where individuals request access to or the copying of their personal information, the personal information handlers shall provide it in a timely manner.

Article 46 Where individuals discover that their personal information is incorrect or incomplete, they have the right to request personal information handlers to correct or complete their personal information.

Where individuals request to correct or complete their personal information, the personal information handlers shall verify the personal information and correct or complete it in a timely manner.

Article 47 Personal information handlers shall, on their own initiative or at the request of individuals, delete personal information in any of the following circumstances:

1. the agreed retention period has expired, or the handling purpose has been achieved;

2. the personal information handlers cease to provide products or services;

3. the individuals withdraw their consent;

4. the personal information handlers violate laws, administrative regulations, or the agreements in handling personal information;

5. other circumstances provided by laws and administrative regulations.

Where the retention period provided in laws and administrative regulations has not expired, or it is technically difficult to delete personal information, the personal information handlers shall cease to handle the personal information.

Article 48 Individuals have the right to request personal information handlers to explain the rules on personal information handling.

Article 49 Personal information handlers shall establish an application acceptance and handling mechanism for individuals to exercise their rights. Where individuals' requests for the exercise of their rights are rejected, the reasons shall be explained.

Chapter V Obligations of Personal Information Handlers

Article 50 A personal information handler shall, on the basis of the personal information handling purpose, handling method, personal information category, impact on individuals and possible security risks, etc., take the following necessary measures to ensure that its personal information handling activities comply with the provisions of laws and administrative regulations, and shall prevent unauthorized access to, or leakage, theft, distortion or deletion of, personal information:

1. developing internal management systems and operating procedures;

2. implementing hierarchical and categorized management of personal information;

3. taking appropriate security technical measures such as encryption and de-identification;

4. reasonably determining the operating permission for personal information handling, and conducting security education and training for employees on a regular basis;

5. developing and organizing the implementation of emergency plans for personal information security incidents; and

6. taking other measures as prescribed by laws and administrative regulations.

Article 51 A personal information handler who handles personal information up to the quantity provided for by the State cyberspace authorities shall appoint a person in charge of personal information protection to take the responsibility of supervising personal information handling activities and protection measures taken, etc.

The personal information handler shall disclose the name and contact information, etc., of such person in charge of personal information protection, and report the same to the authorities performing personal information protection duties.

Article 52 A personal information handler outside the territory of the People's Republic of China as provided for in Paragraph 2 of Article 3 hereof shall set up a specialized agency or appoint a representative within the territory of the People's Republic of China to take responsibility for handling matters concerning personal information protection, and report the name of such agency or the name and contact information of the representative to the authorities performing personal information protection duties.

Article 53 A personal information handler shall, on a regular basis, conduct audits of whether its personal information handling activities and protection measures taken comply with the provisions of laws and administrative regulations. The authorities performing personal information protection duties shall be entitled to require the personal information handler to entrust a professional institution with such audit.

Article 54 A personal information handler shall conduct a risk assessment of the following personal information handling activities in advance, and record the handling status:

1. handling sensitive personal information;

2. using personal information for automated decision-making;

3. entrusting any other person with personal information handling, providing personal information to any third party, or disclosing personal information;

4. providing personal information abroad; and

5. other personal information handling activities with a significant impact on individuals.

The content of a risk assessment shall include:

1. whether the personal information handling purpose, handling method, etc., are legitimate, proper and necessary;

2. impact on individuals and risk level; and

3. whether the security protection measures taken are legitimate, effective and commensurate with the risk level.

Relevant risk assessment reports and handling status records shall be preserved for at least three years.

Article 55 A personal information handler who identifies any leakage of personal information shall immediately take remedial measures, and notify the authorities performing personal information protection duties and individuals. The notification shall involve the following items:

1. reason for the leakage of personal information;

2. category of personal information leaked and hazard that may be caused;

3. remedial measures already taken;

4. measures available for an individual to mitigate the hazard; and

5. contact information of the personal information handler.

A personal information handler who can take measures to effectively avoid the damage caused by the leakage of information may not be required to notify the relevant individuals thereof. However, if the authorities performing personal information protection duties believe that the leakage of personal information may cause damage to the relevant individuals, they shall be entitled to require the personal information handler to notify the individuals thereof.

Chapter VI Authorities Performing Personal Information Protection Duties

Article 56 The State cyberspace authorities are responsible for the overall planning and coordination of personal information protection and related supervision and regulation. Relevant authorities under the State Council are responsible for personal information protection and the supervision and regulation thereof within their respective scope of duties according to the provisions of this Law and relevant laws and administrative regulations.

The duties for personal information protection and the supervision and management thereof to be performed by relevant authorities of people's governments at the county level or above shall be determined according to relevant State regulations.

Authorities specified in the preceding two paragraphs shall be collectively referred to as authorities performing personal information protection duties.

Article 57 Authorities performing personal information protection duties shall perform the following personal information protection duties:

1. conducting awareness and education activities for personal information protection, and guiding and supervising personal information handlers in conducting personal information protection;

2. accepting and handling personal information protection-related complaints and reports;

3. investigating and handling unlawful personal information handling activities; and

4. other duties as specified in laws or administrative regulations.

Article 58 The State cyberspace authorities and relevant authorities under the State Council shall, according to their respective duties and powers, organize the development of personal information protection-related rules and standards, advance the building of a socialized service system for personal information protection, and support relevant institutions in conducting personal information protection assessment and certification services.

Article 59 Authorities performing personal information protection duties may adopt the following measures when performing their personal information protection duties:

1. interviewing any relevant concerned party to investigate any circumstance related to a personal information handling activity;

2. consulting and copying any contract, record, receipt or any other relevant material of a concerned party that is related to a personal information handling activity;

3. conducting on-site inspections to investigate any suspected unlawful personal information handling activity;

4. inspecting any equipment or item related to a personal information handling activity, which may be seized or confiscated if there is evidence to prove that it is involved in an unlawful personal information handling activity.

Any concerned party shall assist and cooperate with, and may not refuse or obstruct, the performance of their duties according to the law by authorities performing personal information protection duties.

Article 60 For any considerable risk existing in a personal information handling activity or any personal information security incident discovered by authorities performing personal information protection duties in the course of performing their duties, the authorities may, according to their powers and procedures as prescribed, conduct a talk with the legal representative or main responsible person(s) of the personal information handler concerned. The personal information handler shall adopt measures as required to rectify and eliminate any hazard discovered.

Article 61 Any organization or individual shall have the right to file a complaint or report about any unlawful personal information handling activity with authorities performing personal information protection duties. Authorities receiving a complaint or report shall handle it promptly and according to the law, and notify the person filing the complaint or report of the handling outcome.

Authorities performing personal information protection duties shall make their contact information publicly available to accept complaints and reports.

Chapter VII Legal Liability

Article 62 Where personal information is handled in violation of this Law or personal information is handled without any necessary security protection measure in compliance with regulations, authorities performing personal information protection duties shall order a correction, confiscate any unlawful income, and issue a warning; and, if correction is not made, a fine of up to CNY1 million shall be imposed on the personal information handler if it is an organization; and any directly liable person-in-charge or any other directly liable individual shall be fined between CNY10,000 and CNY100,000.

If the unlawful act mentioned in the preceding paragraph is grave, authorities performing personal information protection duties shall order a correction, confiscate any unlawful income, and impose a fine of up to CNY50 million, or 5% of last year's annual revenue, and may also order the suspension of related business operations or suspension of business for rectification, and/or report to relevant competent authorities for the cancellation of the related business permit or cancellation of the business license; and any directly liable person-in-charge or any other directly liable individual shall be fined between CNY100,000 and CNY1 million.

Article 63 Any unlawful act as stipulated in this Law shall be entered into credit files as required by relevant laws or administrative regulations, and be disclosed to the public.

Article 64 If a State organ fails to perform its personal information protection duties as prescribed in this Law, its superior agency or authorities performing personal information protection duties shall order it to make a correction; and disciplinary actions shall be taken according to the law against any directly liable person-in-charge or any other directly liable individual.

Article 65 The liability for damages for an infringement of personal information rights and interests by a personal information handling activity shall be based on the losses sustained by the infringed individual due to such infringement or the gains derived by the infringing personal information handler from such infringement; and if it is difficult to ascertain the losses sustained by the individual or the gains derived by the personal information handler, a people's court shall determine the amount of damages based on the actual situation. A personal information handler that is able to prove that it is not at fault may be relieved or exempted from liability.

Article 66 An organization as confirmed by the people's procuratorate, authorities performing personal information protection duties or State cyberspace authorities may file a suit with a people's court according to the law against a personal information handler whose handling of personal information in violation of this Law infringes the rights and interests of multiple individuals.

Article 67 Any violation of this Law that constitutes a violation of public security administration shall be subject to penalty under public security administration rules according to the law; and any such violation that constitutes a criminal offense shall be investigated according to the law for criminal liability.

Chapter VIII Supplementary Provisions

Article 68 This Law does not apply to personal information handling conducted by a natural person for personal or family affairs.

Where there are any provisions on personal information handling during statistical or archival management activities organized or conducted by a people's government at any level or a relevant department thereof in any law, such provisions shall prevail.

Article 69 For the purposes of this Law, the following terms are defined as follows:

1. "Personal information handler" refers to any organization or individual that autonomously determines the handling purpose, handling method or any other matter relating to the handling of any personal information.

2. "Automated decision-making" refers to the activity of making any analysis, assessment and decision automatically through a computer program, on the behaviors and habits, interests and hobbies or the financial, health or credit status or any other situation of an individual using the individual's personal information.

3. "De-identification" refers to the process of handling any personal information to make it unable to identify a specific natural person without the help of additional information.

4. "Anonymization" refers to the process of handling any personal information to make it unable to identify a specific natural person and unable to be restored to its original state.

Article 70 This Law shall come into force on [day, month, year].

Note: This text was translated by LexisNexis (律商联讯).

Statement: This article comes from LexisNexis Perspectives (律商视点); copyright belongs to the author. The content represents only the author's independent views and does not represent the position of 安全内参; it is reposted for the purpose of conveying more information. In case of any infringement, please contact anquanneican@163.com.