Data Protection Report - Norton Rose Fulbright

China passed its Personal Information Protection Law (PIPL) on 20 August 2021.  The new law will take effect from 1 November 2021 allowing companies just over 2 months to prepare themselves. The full text has not been made public yet.

In addition, China published the Provisions on the Administration of Security of Automobile Data (For Trial Implementation) (Automobile Data Regulation) today, which will take effect on 1 October 2021.

With respect to the PIPL, it is reported that the final version will include some new rules on the processing of personal information, such as:

  • If information push or marketing services are conducted via automated decision making, users must be provided with a non-personalized option or a convenient way to refuse such services;
  • A separate consent must be obtained from data subjects when processing sensitive personal information such as biometric data, medical and health data, financial accounts, and personal whereabouts;
  • Mobile apps that illegally process personal information will be ordered to rectify their processes or will be banned.

Some other changes were also discussed, but it is unclear whether all these changes will be included in the finalized draft. These include:

  • personal information of minors under 14 should be regarded as “sensitive personal information”, and processors of such information must formulate separate processing rules and policies; and
  • data subjects should have a right to data portability and will be entitled to transfer their personal information to the processors they designate in accordance with the rules prescribed by the Cyberspace Administration of China.

We will provide a further update once the full text of the law becomes available.

As mentioned, the Automobile Data Regulation was also published (taking effect on 1 October). This is an implementation regulation issued under the umbrella of China’s new Data Security Law (DSL). It defines what constitutes “important data” – a core concept in China’s data and cybersecurity laws – in the automobile industry. The identified data includes:

  • Geographic information, flow of persons or vehicles, and other data of important sensitive areas such as military management zones, scientific, and industrial units for national defense, and Party and government agencies at or above the county level;
  • Data reflecting operational conditions of the economy, such as vehicle flow and logistics data;
  • Operating data of the vehicle charging networks;
  • Video and image data of the exterior of a vehicle containing facial information, license plate information, etc.;
  • Personal information involving more than 100,000 individuals; and
  • Other important data designated by the authorities.

This new regulation demonstrates how the broad concept of “important data” under the DSL will be delineated. It also sets forth various rules for the processing of personal information and important data in the automobile industry, which will affect the business operations of vehicle manufacturers, suppliers of automobile parts and components as well as software, dealers, vehicle maintenance, and travel service companies.

These developments follow the issuance of the Regulation on the Protection of Security of Critical Information Infrastructure earlier this week (effective 1 September 2021) in what has been a busy week in China data regulation development. Please click here to learn more.

Organizations with businesses in China must focus on how each of these new regulations will impact their operations and data processing activities, and take appropriate steps towards compliance as soon as possible. Please click here for a video-on-demand link to our recent webinar providing an overview of the data security and protection regime in China.