
Law of the People's Republic of China on the Protection of Personal Information (Draft)

Table of Contents

Chapter I: General Provisions

Chapter II: Rules for Handling Personal Information

Section 1: Ordinary Provisions

Section 2: Rules for Handling Sensitive Personal Information

Section 3: Special Provisions on the Handling of Personal Information by State Organs

Chapter III: Rules for Cross-border Provision of Personal Information

Chapter IV: Rights of Individuals in Personal Information Handling Activities

Chapter V: Obligations of Personal Information Handlers

Chapter VI: Departments Performing Duties to Protect Personal Information

Chapter VII: Legal Responsibility

Chapter VIII: Supplementary Provisions


Chapter I: General Provisions

Article 1: This law is formulated so as to protect the rights and interests in personal information, to regulate activities processing personal information, to ensure the orderly and free flow of personal information in accordance with the law, and to promote the reasonable use of personal information.

Article 2: The personal information of natural persons is protected by law, and the personal information rights of natural persons must not be infringed upon by any organization or individual.

Article 3: This law applies to the activities of organizations and individuals processing the personal information of natural persons within the territory of the People's Republic of China.

This law is also applicable to activities outside the mainland PRC ["overseas"--ed.] that process the personal information of natural persons within the territory of the PRC, in any of the following circumstances:

(1) For the purpose of providing products or services to natural persons within the territory;

(2) To analyze and evaluate the conduct of natural persons in the territory;

(3) Other circumstances provided for by laws and administrative regulations.

Article 4: Personal information is any type of information, recorded electronically or by other means, that identifies or can identify natural persons, but does not include anonymized information.

The processing of personal information includes activities such as the collection, storage, use, processing, transmission, provision, and disclosure of personal information.

Article 5: The processing of personal information shall adopt lawful and legitimate methods and follow the principle of good faith, and personal information must not be processed through fraud or other misleading methods.

Article 6: The processing of personal information shall have clear and reasonable purposes and shall be limited to the minimum scope to achieve the purposes of the processing, and personal information processing unrelated to the processing purposes must not be conducted.

Article 7: The processing of personal information shall comply with the principles of openness and transparency, and clarify rules for processing personal information.

Article 8: The personal information processed shall be accurate and updated in a timely manner, as needed to achieve the purpose of processing.

Article 9: Personal information processors shall be responsible for their personal information processing activities and employ necessary measures to ensure the security of the personal information processed.

Article 10: Organizations and individuals must not process personal information in violation of laws and administrative regulations, and must not engage in personal information processing activities that endanger national security and public interests.

Article 11: The state is to establish and complete personal information protection systems to prevent and punish acts that infringe on rights and interests in personal information, to strengthen publicity and education on personal information protection, and to promote the formation of a positive environment for governments, enterprises, relevant industry organizations, and the public to participate in the protection of personal information.

Article 12: The state is to actively participate in the formulation of international rules for personal information protection, promote international exchanges and cooperation in personal information protection, and promote mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations.

Chapter II: Rules for Handling Personal Information

Section 1: Ordinary Provisions

Article 13: Personal information processors can only process personal information if one of the following circumstances is met:

(1) The consent of the individual is obtained;

(2) As necessary for the conclusion or performance of a contract to which an individual is a party;

(3) As necessary for the performance of legally-prescribed duties or obligations;

(4) As necessary to respond to public health incidents or to protect natural persons' security in their lives, health, and property in an emergency;

(5) Processing personal information within a reasonable range in order to carry out acts such as news reporting and public opinion oversight in the public interest;

(6) Other circumstances provided for by laws and administrative regulations.

Article 14: Consent to process personal information shall be expressed voluntarily and explicitly by individuals who are fully informed. Where laws and administrative regulations provide that independent or written consent shall be obtained for the processing of personal information, follow those provisions.

Where there are changes to the purpose or methods for processing information, or to the type of personal information to be processed, the individual's consent shall be newly obtained.

Article 15: Where personal information processors know or should know that the personal information they process is the personal information of minors under the age of fourteen, they shall obtain the consent of the minors' guardians.

Article 16: Individuals have the right to withdraw their consent to personal information processing activities based on their consent.

Article 17: Personal information processors must not refuse to provide products or services on the grounds that individuals do not consent to the processing of their personal information or withdraw their consent to the processing of personal information; except where processing personal information is necessary to provide the products or services.

Article 18: Before processing personal information, personal information processors shall notify individuals of the following matters in a conspicuous fashion and in clear and understandable language:

(1) The identity and contact information of the person processing the personal information;

(2) The purpose and manner of processing personal information, the type of personal information processed, and the period of time it will be retained;

(3) The manner and procedures by which individuals are to exercise their rights under this Law;

(4) Other matters that laws and administrative regulations provide shall be announced.

Where there is a change in the matters specified in the preceding paragraph, the individuals shall be notified of the changes.

Where personal information processors give notice of the matters provided for in the first paragraph by formulating rules for processing personal information, the processing rules shall be made public and easy to read and save.

Article 19: When a personal information processor processes personal information, where there are circumstances that laws and administrative regulations provide shall be kept confidential or need not be announced, it is acceptable to not notify the individual of the matters provided in the preceding article.

In an emergency situation, where it is impossible to notify individuals in time to protect the security of natural persons' lives, health, and property, the personal information processors shall notify the individual after the emergency is eliminated.

Article 20: The period for retaining personal information shall be the shortest time necessary to achieve the purposes of the handling. Where laws and administrative regulations have other provisions on the retention period for personal information, those provisions shall prevail.

Article 21: Where two or more personal information processors jointly decide on the purpose and method of processing personal information, they shall make an agreement on their respective rights and obligations. However, this agreement does not affect an individual's request to any of the personal information processors to exercise the rights provided for in this Law. Where personal information processors jointly process personal information and infringe on rights and interests in personal information, they shall bear joint liability in accordance with law.

Article 22: Where personal information processors entrust the processing of personal information, they shall make an agreement with the entrusted party on the purposes and methods of the entrusted processing, the types of personal information to be processed, protection measures, and the rights and obligations of both parties, and oversee the entrusted party’s personal information processing activities.

The entrusted party shall process personal information in accordance with the agreement, and must not process personal information exceeding the agreed-upon purposes, methods, and so forth, and shall return the personal information to the personal information processor or delete it after the contract is fulfilled or the entrustment relationship is terminated. Without the consent of the personal information processor, the entrusted party must not entrust others to process personal information.

Article 23: Where as a result of mergers, divisions, and so forth, personal information processors need to transfer personal information, they shall notify the individuals of the identity and contact information of the party receiving it. The recipient party shall continue to perform the obligations of the personal information handler. Where the recipient party changes the original purpose and method of processing, it shall newly notify the individuals and obtain their consent in accordance with the provisions of this law.

Article 24: Where personal information processors provide a third party with the personal information they process, they shall notify the individuals of the third party's identity, contact information, the purposes and methods of processing, and the type of personal information to be processed, and shall obtain independent consent from the individual. The third-party receiving the personal information shall process the personal information within the scope of the above-mentioned processing purposes, methods, and types of personal information. Where the third party changes the original purposes or methods of processing, they shall notify the individual anew and obtain their consent in accordance with the provisions of this law. Where personal information processors provide anonymized information to a third-party, the third-party must not use technology or other means to re-identify the individuals.

Article 25: The use of personal information for automated decision-making shall ensure transparency in the decision-making and fairness and reasonableness in the processing results. Where an individual believes that automated decision-making has a significant impact on their rights and interests, they have the right to request an explanation from the personal information processor and have the right to refuse the personal information processor's making decisions only through automated decision-making.

Where commercial marketing and information pushing are conducted through automated decision-making, options shall also be provided that do not target the individual's specific personal characteristics.

Article 26: Personal information processors must not disclose the personal information they process; unless they have obtained independent consent or as otherwise provided for by laws and administrative regulations.

Article 27: The installation of image acquisition and personal identification equipment in public places shall be as necessary to preserve public safety, and shall comply with relevant national regulations, and have prominent alerts in place. The collected personal images and personal identification information can only be used for the purpose of preserving public safety, and must not be disclosed or provided to others; unless the individual's independent consent is obtained or laws and administrative regulations provide otherwise.

Article 28: The processing of personal information that has already been disclosed by personal information processors shall comply with the uses of the personal information when it was disclosed; where it exceeds the reasonable scope in relation to the purpose, the individuals shall be informed and their consent shall be acquired in accordance with this law.

Where the purpose of personal information is not clear when it is disclosed, the personal information processor shall process the disclosed personal information reasonably and cautiously; and when using the already disclosed personal information to engage in activities that have a significant impact on the individuals, shall notify them and obtain their consent as provided in this Law.

Section 2: Rules for Handling Sensitive Personal Information

Article 29: Only personal information processors with a specific purpose and sufficient need may process sensitive personal information.

Sensitive personal information is personal information that once leaked or illegally used may cause individuals to suffer discrimination or serious harm to their security in their persons and property, including information such as on their race, ethnicity, religious beliefs, personal biological characteristics, medical health, financial accounts, personal whereabouts and so forth.

Article 30: Where processing sensitive personal information based on individuals' consent, the personal information processor shall obtain the individuals' independent consent. Where laws and administrative regulations provide that written consent shall be obtained for the processing of sensitive personal information, follow those provisions.

Article 31: When processing sensitive personal information, personal information processors shall, in addition to the matters specified in Article 18 of this Law, also notify individuals of the necessity of processing sensitive personal information and the impact on the individuals.

Article 32: Where laws and administrative regulations provide that those processing sensitive personal information shall obtain related administrative licenses, or impose stricter restrictions, follow those provisions.

Section 3: Special Provisions on the Handling of Personal Information by State Organs

Article 33: This law applies to the processing of personal information by state organs; and where there are special provisions in this section, the provisions of this section apply.

Article 34: State organs processing personal information in order to perform their legally-prescribed duties shall do so in accordance with the authority and procedures provided by laws and administrative regulations, and must not exceed the scope and limits necessary for performing their legally-prescribed duties.

Article 35: State organs processing personal information in order to perform their legally-prescribed duties shall notify the individuals and obtain their consent as provided in this Law, except where laws and administrative regulations provide it shall be confidential or where giving notice and obtaining consent would impede the performance of the state organs' legally-prescribed duties.

Article 36: State organs must not disclose or provide others with personal information they process, except as otherwise provided by laws and administrative regulations or where the individual's consent is obtained.

Article 37: Personal information processed by state organs shall be stored within the territory of the People's Republic of China; and where it is truly necessary to provide it overseas, a risk assessment shall be conducted. Support and assistance may be requested from relevant departments for risk assessments.

Chapter III: Rules for Cross-border Provision of Personal Information

Article 38: Where personal information processors truly need to provide personal information overseas due to business requirements, they shall meet at least one of the following requirements:

(1) Passing a security assessment organized by the state internet information department in accordance with the provisions of Article 40 of this Law;

(2) Having a professional body conduct personal information protection certification in accordance with the provisions of the state internet information department;

(3) Concluding a contract with the overseas recipient that agrees upon the rights and obligations of both parties, and overseeing that the recipient's personal information processing activities comply with the personal information protection standards provided for in this Law;

(4) Other conditions provided for by laws, administrative regulations, or provisions of the state internet information department.

Article 39: Where personal information processors provide personal information overseas, they shall notify the individuals of matters such as the identity and contact methods of the overseas recipient, the purposes and methods of processing, the types of personal information to be processed, and the methods for individuals to exercise the rights provided for in this Law, and obtain the individuals' independent consent.

Article 40: Critical information infrastructure operators and personal information processors that process personal information at the volume provided for by the state internet information departments shall store the personal information they collect or generate within the territory of the People's Republic of China. Where it is truly necessary to provide it overseas, it shall pass a security assessment organized by the state internet information department; but where laws, administrative regulations, and provisions of the state internet information department provide that it is acceptable to not conduct a security assessment, follow their provisions.

Article 41: Where it is necessary to provide personal information overseas for international judicial assistance or administrative law enforcement assistance, an application for approvals shall be made to the relevant regulatory departments in accordance with law.

Where the international treaties and agreements concluded by or participated in by the PRC have provisions on the provision of personal information overseas, follow those provisions.

Article 42: Where overseas organizations and individuals engage in personal information processing activities that harm the rights and interests of the citizens of the PRC, or endanger the PRC's national security and public interests, the state internet information department may include them in a list of restrictions or prohibitions for the provision of personal information, make an announcement, and employ measures to restrict or prohibit the provision of personal information to them.

Article 43: Where any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the PRC in terms of personal information protection, the PRC may take corresponding measures against that country or region based on the actual conditions.

Chapter IV: Rights of Individuals in Personal Information Handling Activities

Article 44: Individuals enjoy the right to know and make decisions about the processing of their personal information, and have the right to limit or refuse the processing of their personal information by others, except as otherwise provided by laws and administrative regulations.

Article 45: Individuals have the right to access and reproduce their personal information from personal information processors, except in the circumstances provided for in the first paragraph of Article 19 of this Law.

Where individuals request to access or reproduce their personal information, the personal information processor shall provide it in a timely manner.

Article 46: Where individuals discover that their personal information is inaccurate or incomplete, they have the right to request that the personal information processor correct or supplement it.

Where individuals request correction or supplementation of their personal information, the personal information processor shall verify their personal information and make corrections and supplements in a timely manner.

Article 47: In any of the following circumstances, the personal information processor shall delete personal information proactively or upon the individual's request:

(1) The agreed-upon period for retention is complete, or the purposes of processing are realized;

(2) The personal information processor stops providing products or services;

(3) The withdrawal of consent by an individual;

(4) The personal information processor processes personal information in violation of laws, administrative regulations, or agreements;

(5) Other circumstances provided by laws and administrative regulations.

Where the retention period prescribed by laws and administrative regulations has not been completed, or deletion of personal information is technically difficult to achieve, the personal information processor shall stop processing the personal information.

Article 48: Individuals have the right to request that personal information handlers explain their personal information handling rules.

Article 49: Personal information handlers shall establish mechanisms for accepting and addressing requests from individuals to exercise their rights. Where an individual's request to exercise their rights is rejected, the reasons shall be explained.

Chapter V: Obligations of Personal Information Handlers

Article 50: Based on the purposes and methods of processing, the types of information to be processed, the impact and potential risks to individuals, and so forth, personal information processors shall take necessary measures to ensure that personal information processing activities comply with the provisions of laws and administrative regulations, and prevent unauthorized access, disclosure or theft, tampering, and deletion of personal information:

(1) Develop internal management systems and operating procedures;

(2) Implement hierarchical and categorical management of personal information;

(3) Employ related technical security measures such as encryption and de-identification;

(4) Reasonably determine the operating authority of personal information processing, and periodically carry out security education and training for employees;

(5) Formulate and organize the implementation of emergency plans for personal information security incidents;

(6) Other measures provided by laws and administrative regulations.

Article 51: Personal information processors that process personal information at the volume specified by the state internet information department shall designate a person in charge of personal information protections to be responsible for overseeing personal information processing activities and any protection measures taken. Personal information processors shall disclose the name and contact information of the person in charge of personal information protections, and submit it to the departments performing duties on personal information protection.

Article 52: Overseas personal information processors as provided for in the second paragraph of Article 3 of this Law shall establish special institutions or designated representatives within the territory of the PRC responsible for handling matters related to the protection of personal information, and report the name, contact information and other information to the departments performing personal information protection duties.

Article 53: Personal information processors shall conduct periodic audits of whether their personal information processing activities and protective measures are in compliance with laws and administrative regulations. Departments performing personal information protection duties have the right to require personal information processors to retain professional organizations to conduct audits.

Article 54: Personal information processors shall conduct risk assessments in advance for the following personal information processing activities and make a record of the processing situation:

(1) Processing sensitive personal information;

(2) Using personal information to conduct automated decision-making;

(3) Entrusting the processing of personal information, providing personal information to third parties, or disclosing personal information;

(4) Providing personal information abroad;

(5) Other personal information processing activities that have a major impact on individuals.

The risk assessment shall include:

(1) Whether the purpose and methods of processing personal information are lawful, legitimate, and necessary;

(2) The impact on individuals and the degree of risk;

(3) Whether the security protection measures employed are legal, effective, and correspond to the degree of risk.

Risk assessment reports and handling records shall be retained for at least three years.

Article 55: Where personal information processors discover that personal information has been leaked, they shall immediately take remedial measures and notify the departments performing personal information protection duties and the individuals concerned.

The notice shall include the following matters:

(1) The reasons for the leak of personal information;

(2) The type of personal information leaked and the possible harms caused;

(3) Remedial measures that have been taken;

(4) Measures that individuals may take to reduce the harm;

(5) Contact methods for the personal information processor.

Where personal information processors take measures that can effectively avoid the harm caused by the information leakage, the personal information processors are allowed to not notify the individuals; but where the departments performing personal information protection duties believe that the personal information leakage might cause harm to the individual, they have the right to request that the personal information processors notify the individuals.

Chapter VI: Departments Performing Duties to Protect Personal Information

Article 56: The State internet information department is responsible for the overall planning and coordination of personal information protection efforts and related oversight and management. The relevant departments of the State Council are responsible for personal information protection, oversight, and management within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations. The personal information protection, oversight, and management responsibilities of the relevant departments of local people's governments at the county level or above are to be determined in accordance with the relevant state provisions.

The departments provided for in the preceding two paragraphs are collectively referred to as the 'departments performing personal information protection duties'.

Article 57: Departments performing personal information protection duties are to perform the following personal information protection duties:

(1) Carrying out publicity and education on the protection of personal information, and guiding and overseeing personal information protection work carried out by personal information processors;

(2) Accepting and addressing complaints and reports related to the protection of personal information;

(3) Investigating and handling illegal personal information processing activities;

(4) Other duties provided for by laws and administrative regulations.

Article 58: In accordance with their duties and authority, the state internet information department and the relevant departments of the State Council are to organize the drafting of relevant rules and standards on personal information protection, to promote the construction of a system of socialized personal information protection services, and support relevant institutions in carrying out personal information protection assessment and certification services.

Article 59: Departments that perform personal information protection duties may employ the following measures in performing personal information protection duties:

(1) Questioning the relevant parties, and investigating circumstances related to personal information processing activities;

(2) Accessing and reproducing contracts, records, account books, and other materials related to the parties and personal information processing activities;

(3) Conducting on-site inspections and investigating suspected illegal personal information processing activities;

(4) Checking the equipment and items related to personal information processing activities; equipment and articles proven by evidence to be used for illegal personal information processing activities may be sealed or seized.

Where departments that perform personal information protection duties are lawfully performing their duties, the parties shall provide assistance and cooperate, and must not refuse or obstruct.

Article 60: Where in the performance of their duties, departments performing personal information protection duties find that personal information processing activities have a relatively large risk or that personal information security incidents have occurred, they may interview the principal responsible person for the personal information processor in accordance with the authority and procedures provided. Personal information processors shall take measures in accordance with the requirements, carry out rectification, and eliminate latent threats.

Article 61: All organizations and individuals have the right to complain or report to the departments performing personal information protection duties regarding illegal personal information handling activities. The departments that receive the complaint or report shall handle it in a timely manner in accordance with the law, and notify the complainant or reporter of the outcome of the handling. Departments performing personal information protection duties shall publish the contact information for accepting complaints and reports.

Chapter VII: Legal Responsibility

Article 62: Where personal information is processed in violation of the provisions of this law, or the necessary security protection measures are not adopted in the processing of personal information as provided, the departments performing personal information protection duties shall order corrections, confiscate illegal gains, or give warnings; and where corrections are refused, a fine of up to 1,000,000 RMB is to be given; the directly responsible management and other directly responsible personnel are to be given a fine of between 10,000 and 100,000 RMB.

If the circumstances of the illegal conduct described in the preceding paragraph are serious, the department performing personal information protection duties is to order corrections, confiscate the illegal gains, and impose a fine of up to 50 million RMB or 5% of the previous year's annual business volume, and may order them to suspend relevant operations, suspend business for rectification, or notify relevant regulatory authorities to revoke relevant business permits or business licenses; and directly responsible managers and other directly responsible persons are to be given a fine of between 100,000 and 1,000,000 RMB.

Article 63: Where there is an illegal act as provided for by this law, it is to be recorded in the credit files in accordance with the relevant laws and administrative regulations, with an announcement made.

Article 64: Where state organs fail to perform their obligations to protect personal information under this law, the organ at the level above or the departments performing personal information protection duties shall order corrections; and the directly responsible managers and other directly responsible persons are to be punished according to law.

Article 65: Where personal information processing activities infringe on rights and interests in personal information, liability for compensation is to be based on the losses suffered by the individual or on the benefits obtained by the personal information processors; where it is difficult to determine the losses suffered by the individual or the benefits obtained by the personal information processors, the people's courts are to determine the amount of compensation based on the actual situation. Where personal information processors can prove that they have no fault, they can reduce or avoid responsibility.

Article 66: Where personal information processors process personal information in violation of the provisions of this law and infringe on the rights and interests of a large number of individuals, the People's Procuratorate, the departments that perform personal information protection duties, and organizations designated by the State internet information departments may file a lawsuit in the people's court.

Article 67: Where violations of this law constitute a violation of public security administration, it is to be given a public security administration punishment in accordance with law; and where a crime is constituted, criminal responsibility is to be investigated in accordance with law.

Chapter VIII: Supplementary Provisions

Article 68: This law does not apply to natural persons processing personal information for personal or family affairs.

Where the law has provisions on the processing of personal information for statistics and archives management activities organized and implemented by the people's governments at all levels and their relevant departments, those provisions are to be applied.

Article 69: The meanings of the following terms in this law:

(1) "Personal information processors" refers to organizations or individuals that independently make decisions on personal information processing matters such as the purpose and measures of processing.

(2) "Automated decision-making" refers to the use of computer programs to automatically analyze, evaluate, and make decisions based on personal information such as personal behavior habits, hobbies, or economic, health, or credit status, and so forth.

(3) De-identification refers to the process in which personal information is processed so that it cannot be used to identify a specific natural person without additional information.

(4) Anonymization refers to the process in which personal information is processed so that it cannot be used to identify a specific natural person and cannot be recovered after being processed.

Article 70: This Law is to take effect on __, ___.
