Personal Information Protection Law of the PRC (2nd Deliberation Draft)

This is a draft law. The final version of this Law has now been adopted and can be accessed below:
中华人民共和国个人信息保护法(草案)(二次审议稿) [Personal Information Protection Law of the People's Republic of China (Draft) (Second Deliberation Draft)]

Table of Contents

Chapter I: General Provisions

Chapter II: Rules for Handling Personal Information

Chapter III: Rules for Cross-border Provision of Personal Information

Chapter IV: Rights of Individuals in Personal Information Handling Activities

Chapter V: Obligations of Personal Information Handlers

Chapter VI: Departments Performing Duties to Protect Personal Information

Chapter VII: Legal Responsibility

Chapter VIII: Supplementary Provisions

Chapter I: General Provisions

Article 1: This Law is drafted to protect rights and interests in personal information, to regulate activities handling personal information, and to promote the reasonable use of personal information.

Article 2: The personal information of natural persons is protected by law, and natural persons' rights and interests in personal information must not be infringed upon by any organization or individual.

Article 3: This law applies to the activities of organizations and individuals handling the personal information of natural persons within the [mainland] territory of the People's Republic of China.

This law is also applicable to activities outside the mainland PRC ["overseas"--ed.] that handle the personal information of natural persons within the territory of the PRC, in any of the following circumstances:

(1) For the purpose of providing products or services to natural persons within the territory;

(2) To analyze and assess the conduct of natural persons within the territory;

(3) Other situations provided for by law or administrative regulations.

Article 4: Personal information is any kind of information, recorded electronically or by other means, that identifies or can identify a natural person, but does not include anonymized information.

Handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, etc., of personal information.

Article 5: Handling of personal information shall employ lawful and proper methods and respect the principle of good faith; and methods such as misdirection, fraud, or coercion must not be used in handling personal information.

Article 6: The handling of personal information shall have clear and reasonable purposes, shall be limited to the minimum scope necessary to achieve the goals of the handling, and shall employ the methods that least impact individuals' rights and interests; handling of personal information that is unrelated to the goals of the handling must not be conducted.

Article 7: The handling of personal information shall comply with the principles of openness and transparency, disclosing rules for handling personal information, clarifying the goals, methods, and scope of handling.

Article 8: The handling of personal information shall ensure the quality of the personal information to avoid causing a negative impact on individuals' rights and interests due to inaccurate or incomplete personal information.

Article 9: Personal information handlers shall be responsible for their personal information handling activities and employ necessary measures to ensure the security of the personal information handled.

Article 10: Organizations and individuals must not handle personal information in violation of laws and administrative regulations, and must not engage in personal information handling activities that endanger national security and public interests.

Article 11: The state is to establish and complete personal information protection systems to prevent and punish acts that infringe on rights and interests in personal information, to strengthen publicity and education on personal information protection, and to promote the formation of a positive environment for governments, enterprises, relevant industry organizations, and the public to participate in the protection of personal information.

Article 12: The state is to actively participate in the formulation of international rules for protecting personal information, promote international exchanges and cooperation on personal information protection, and promote mutual recognition of rules and standards for the protection of personal information with other countries, regions, and international organizations.

Chapter II: Rules for Handling Personal Information

Section 1: Ordinary Provisions

Article 13: Personal information handlers can only handle personal information where one of the following circumstances is met:

(1) The individual's consent is obtained;

(2) As necessary for the conclusion or performance of a contract to which an individual is a party;

(3) As necessary for the performance of legally-prescribed duties or obligations;

(4) As necessary to respond to public health incidents or to protect natural persons' security in their lives, health, and property in an emergency;

(5) For a reasonable scope of handling of personal information that has already been disclosed in accordance with this Law;

(6) Handling personal information within a reasonable range in order to carry out acts such as news reporting and public opinion oversight in the public interest;

(7) Other situations provided by laws or administrative regulations.

Where the handling of personal information shall be upon obtaining the individual's consent in accordance with other provisions of this Law, but there are circumstances provided for in items 2-7 of the preceding paragraph, the individual's consent is not required to be obtained.

Article 14: Consent to handle personal information shall be given voluntarily and explicitly by individuals who are fully informed. Where laws and administrative regulations provide that independent or written consent shall be obtained for the handling of personal information, follow those provisions.

Where there are changes to the purpose or methods for handling information, or to the type of personal information to be handled, the individual's consent shall be newly obtained.

Article 15: Those handling the personal information of minors under the age of 14 shall obtain the consent of the minors' parents or other guardians.

Article 16: Individuals have the right to withdraw their consent to personal information handling activities that are based on their consent. Those handling personal information shall provide convenient and easy methods for withdrawing consent.

Individuals' withdrawal of consent does not impact the validity of personal information handling activities conducted before the consent was withdrawn.

Article 17: Those handling personal information must not refuse to provide products or services on the grounds that individuals do not consent to the handling of their personal information or withdraw their consent to the handling of personal information; except where handling personal information is necessary to provide the products or services.

Article 18: Before handling personal information, personal information handlers shall notify individuals of the following matters in a conspicuous fashion and in clear and understandable language:

(1) The identity and contact information of the personal information handlers;

(2) The purposes of handling the personal information, the methods of handling, the types of personal information handled, and the period for which it will be stored;

(3) The manner and procedures by which individuals are to exercise their rights under this Law;

(4) Other matters that laws and administrative regulations provide shall be announced.

Where there are changes in the matters provided for in the preceding paragraph, the individuals shall be notified of the parts changed. Where personal information handlers give notice of the matters provided for in the first paragraph of this article by formulating rules for handling personal information, the rules shall be made public and easy to read and save.

Article 19: When personal information handlers handle personal information, where there are circumstances that laws and administrative regulations provide shall be kept confidential or need not be announced, it is acceptable to not notify the individual of the matters provided in the preceding article.

In an emergency situation, where it is impossible to notify individuals in time to protect the security of natural persons' lives, health, and property, the personal information handlers shall promptly notify the individual after the emergency is eliminated.

Article 20: The period for retaining personal information shall be the shortest time necessary to achieve the purposes of the handling. Where laws and administrative regulations have other provisions on the retention period for personal information, those provisions shall prevail.

Article 21: Where two or more personal information handlers jointly decide on the purpose and method of handling personal information, they shall make an agreement on their respective rights and obligations. However, this agreement does not affect an individual's request to any of the personal information handlers to exercise the rights provided for in this Law.

Where personal information handlers jointly handle personal information and infringe on rights and interests in personal information, they shall bear joint liability in accordance with law.

Article 22: Where personal information handlers entrust the handling of personal information, they shall make an agreement with the entrusted party on the purposes and methods for the entrusted handling, the types of personal information to be handled, protection measures, and the rights and obligations of both parties, and oversee the entrusted party’s personal information handling activities.

The entrusted party shall handle personal information in accordance with agreements and must not exceed the purpose or methods of handling in the agreements to handle personal information; where the contract for the entrustment is not effective, is void, is withdrawn, or has ended, the entrusted party shall return the personal information to the personal information handler or delete it, and must not store it.

Without the consent of the personal information handlers, the entrusted party must not entrust others to handle personal information.

Article 23: Where as a result of mergers, divisions, and so forth, personal information handlers need to transfer personal information, they shall notify the individuals of the identity and contact information of the party receiving it. The recipient party shall continue to perform the obligations of the personal information handler. Where the recipient changes the purpose of the original handling or the methods of handling, they shall newly obtain the individuals' consent in accordance with this Law.

Article 24: Where personal information handlers provide the personal information they are handling to others, they shall notify the individuals of the identity and contact information of the recipient, the purposes of the handling, methods of handling, and the types of personal information, and are to obtain the independent consent of the individuals. The party receiving the personal information shall handle the personal information within the scope of the purposes and methods, and types of personal information provided above. Where the recipient changes the purpose of the original handling or the methods of handling, they shall newly obtain the individuals' consent in accordance with this Law.

Article 25: The use of personal information for automated decision-making shall ensure transparency in the decision-making and fairness and reasonableness in the results.

Where commercial marketing and information pushing are conducted through automated decision-making, options that do not target specific personal characteristics shall also be provided, or a convenient way for individuals to refuse. Where decisions with a major impact on individuals' rights and interests are made through automated decision-making, the individuals have the right to request that the personal information handler explain them, and have the right to refuse decisions made by the personal information handler solely through automated decision-making.

Article 26: Personal information handlers must not disclose the personal information they handle; unless they have obtained independent consent or as otherwise provided for by laws and administrative regulations.

Article 27: The installation of image acquisition and personal identification equipment in public places shall be as necessary to preserve public safety, and shall comply with relevant national regulations, and have prominent alerts in place. The collected personal images and personal identification information can only be used for the purpose of preserving public safety, and must not be disclosed or provided to others; unless the individual's independent consent is obtained.

Article 28: Personal information handlers who are handling personal information that has already been disclosed shall act in accordance with the purpose for which the personal information was disclosed. Where they exceed the reasonable scope in relation to that purpose, the individuals shall be informed and their consent shall be obtained in accordance with this Law.

Where the purpose for which the personal information was disclosed is unclear, the personal information handlers shall handle the previously disclosed personal information reasonably and prudently. When using already disclosed personal information to engage in activities that have a significant impact on the individuals, their consent shall be obtained as provided in this Law.

Section 2: Rules for Handling Sensitive Personal Information

Article 29: Only personal information handlers with a specific purpose and sufficient need may handle sensitive personal information.

Sensitive personal information is personal information that once leaked or illegally used might cause individuals to suffer discrimination or serious harm to their security in their persons and property, including information such as on their race, ethnicity, religious beliefs, personal biological characteristics, medical health, financial accounts, personal whereabouts and so forth.

Article 30: Where handling sensitive personal information based on individuals' consent, the personal information handler shall obtain the individuals' independent consent. Where laws and administrative regulations provide that written consent shall be obtained for the handling of sensitive personal information, follow those provisions.

Article 31: When handling sensitive personal information, personal information handlers shall, in addition to the matters specified in Article 18 of this Law, also notify individuals of the necessity of handling the sensitive personal information and the impact on the individuals.

Article 32: Where laws and administrative regulations provide that those handling sensitive personal information shall obtain related administrative licenses or impose other restrictions, follow those provisions.

Section 3: Special Provisions on the Handling of Personal Information by State Organs

Article 33: This law applies to the handling of personal information by state organs; and where there are special provisions in this section, the provisions of this section apply.

Article 34: State organs handling personal information in order to perform their legally-prescribed duties shall do so in accordance with the authority and procedures provided by laws and administrative regulations, and must not exceed the scope and limits necessary for performing their legally-prescribed duties.

Article 35: State organs handling personal information in order to perform their legally-prescribed duties shall notify the individuals and obtain their consent as provided in this Law, except where laws and administrative regulations provide it shall be confidential or where giving notice and obtaining consent would impede the performance of the state organs' legally-prescribed duties.

Article 36: Personal information handled by state organs shall be stored within the territory of the People's Republic of China; and where it is truly necessary to provide it overseas, a risk assessment shall be conducted. Support and assistance may be requested from relevant departments for risk assessments.

Article 37: The provisions of this Law on state organs' handling of personal information apply to the handling of personal information by organizations authorized by laws or regulations to have public affairs management duties in order to perform their legally-prescribed duties.

Chapter III: Rules for Cross-border Provision of Personal Information

Article 38: Where personal information handlers truly need to provide personal information overseas due to business requirements, they shall meet at least one of the following requirements:

(1) Passing a security assessment organized by the state internet information department in accordance with the provisions of Article 40 of this Law;

(2) Having a professional body conduct personal information protection certification in accordance with the provisions of the state internet information department;

(3) Concluding a contract with the overseas recipient that stipulates the rights and obligations of both parties, and overseeing that the recipient's personal information handling activities meet the personal information protection standards provided for in this Law;

(4) Other conditions provided for by laws, administrative regulations, or provisions of the state internet information department.

Article 39: Where personal information handlers provide personal information overseas, they shall notify the individuals of matters such as the identity and contact methods of the overseas recipient, the purposes and methods of the handling, the types of personal information to be handled, and the methods for individuals to exercise the rights provided for in this Law, and obtain the individuals' independent consent.

Article 40: Critical information infrastructure operators and personal information handlers that handle personal information at the volume provided for by the state internet information departments shall store the personal information they collect or generate within the territory of the People's Republic of China. Where it is truly necessary to provide it overseas, it shall pass a security assessment organized by the state internet information department; but where laws, administrative regulations, and provisions of the state internet information department provide that it is acceptable to not conduct a security assessment, follow those provisions.

Article 41: Where judicial or law enforcement bodies outside the [mainland] territory of the PRC request the provision of personal information stored within the [mainland] PRC, it must not be provided without the approval of the competent PRC state organs; but where treaties or agreements concluded or participated in by the PRC have relevant provisions, those provisions may be implemented.

Article 42: Where organizations or individuals outside the [mainland] PRC engage in personal information handling activities that harm PRC citizens' rights and interests in personal information or endanger the PRC's national security or public interest, the state internet information departments may enter them on the list of those restricted or limited in provision of personal information, make a public announcement, and employ measures to restrict or stop the provision of personal information to them.

Article 43: Where any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the PRC in terms of personal information protection, the PRC may employ equal measures against that country or region based on the actual conditions.

Chapter IV: Rights of Individuals in Personal Information Handling Activities

Article 44: Individuals enjoy the right to know and make decisions about the handling of their personal information, and have the right to limit or refuse the handling of their personal information by others, except as otherwise provided by laws and administrative regulations.

Article 45: Individuals have the right to access and reproduce their personal information from personal information handlers, except in the circumstances provided for in the first paragraph of Article 19 of this Law.

Where individuals request to access or reproduce their personal information, the personal information handlers shall provide it in a timely manner.

Article 46: Where individuals discover that their personal information is inaccurate or incomplete, they have the right to request that the personal information handler correct or supplement it.

Where individuals request correction or supplementation of their personal information, the personal information handler shall verify their personal information and make corrections and supplements in a timely manner.

Article 47: In any of the following circumstances, personal information handlers shall proactively delete personal information, and where personal information handlers fail to delete it, the individuals have the right to request its deletion:

(1) The purpose of the handling has already been realized or it is no longer necessary for the realization of the purpose of handling;

(2) The personal information handler stops providing products or services, or the period for retention is complete;

(3) The individual withdraws consent;

(4) The personal information handler violates laws, administrative regulations, or agreements in the handling of personal information;

(5) Other situations provided by laws or administrative regulations.

Where the retention period provided for by laws and administrative regulations is not yet complete, or where it is technically difficult to delete the personal information, the personal information handlers shall cease all handling other than storage and the application of necessary security protection measures.

Article 48: Individuals have the right to request that personal information handlers explain their personal information handling rules.

Article 49: Where natural persons die, their rights in personal information handling activities provided for in this chapter are to be exercised by their close family.

Article 50: Personal information handlers shall establish mechanisms for accepting and addressing requests from individuals to exercise their rights. Where an individual's request to exercise their rights is rejected, the reasons shall be explained.

Chapter V: Obligations of Personal Information Handlers

Article 51: Based on the purposes and methods of handling, the types of information to be handled, the impact and potential risks to individuals, and so forth, personal information handlers shall take necessary measures to ensure that personal information handling activities comply with the provisions of laws and administrative regulations, and prevent unauthorized access, disclosure or theft, tampering, and deletion of personal information:

(1) Formulate internal security management systems and operating procedures;

(2) Implement categorical management of personal information;

(3) Employ related technical security measures such as encryption and de-identification;

(4) Reasonably determine the operational authority of personal information handlers, and periodically conduct security education and training for workers;

(5) Formulate and organize the implementation of emergency plans for personal information security incidents;

(6) Other measures provided for by laws and administrative regulations.

Article 52: Personal information handlers that handle personal information at a volume specified by the state internet information department shall designate a person in charge of personal information protection to be responsible for overseeing personal information handling activities and any protective measures taken.

Personal information handlers shall disclose the name and contact information of the person in charge of personal information protection, and submit their names, contact information, and so forth to the departments performing duties on personal information protection.

Article 53: Overseas personal information handlers as provided for in the second paragraph of Article 3 of this Law shall establish special institutions or designated representatives within the territory of the PRC responsible for handling matters related to the protection of personal information, and report the name, contact information, and other information to the departments performing personal information protection duties.

Article 54: Personal information handlers shall conduct periodic audits of whether their personal information handling activities and protective measures are in compliance with laws and administrative regulations.

Article 55: Personal information handlers shall conduct risk assessments in advance for the following personal information handling activities and make a record of the handling situation:

(1) Handling sensitive personal information;

(2) Using personal information for automated decision-making;

(3) Entrusting the handling of personal information, providing personal information to others, or disclosing personal information;

(4) Providing personal information abroad;

(5) Other personal information handling activities that have a major impact on individuals.

The risk assessment shall include:

(1) The purpose and manner of handling the personal information, the type of personal information handled, and the period of time for which it will be retained;

(2) The impact on individuals and the degree of risk;

(3) Whether the security protection measures employed are lawful, effective, and commensurate with the degree of risk.

Risk assessment reports and handling records shall be retained for at least three years.

Article 56: Where personal information handlers discover that personal information has been leaked, they shall immediately take remedial measures and notify the departments performing personal information protection duties and the individuals concerned. The notice shall include the following matters:

(1) the reasons for the leak of personal information;

(2) the type of personal information leaked and the possible harms caused;

(3) Remedial measures that have been taken;

(4) Measures that individuals might take to reduce the dangers;

(5) Contact methods for the personal information handler.

Where personal information handlers take measures that can effectively avoid the harm caused by the information leakage, the personal information handlers are allowed to not notify the individuals; but where the departments performing personal information protection duties believe that the personal information leakage might cause harm to the individual, they have the right to request that the personal information handlers notify the individuals.

Article 57: Personal information handlers that provide foundational internet platform services, have a huge number of users, or have a complex operational model shall perform the following obligations:

(1) Establish an independent body comprised mainly of external personnel to conduct oversight of personal information handling activities;

(2) Stop providing services to products or service providers on the platform that handle personal information in serious violation of laws and administrative regulations;

(3) Periodically publish social responsibility reports on the protection of personal information, and accept societal oversight.

Article 58: Parties entrusted to handle personal information shall perform the obligations provided for in this Chapter, employing necessary measures to ensure the security of the personal information they handle.

Chapter VI: Departments Performing Duties to Protect Personal Information

Article 59: The State internet information department is responsible for the overall planning and coordination of personal information protection efforts and related oversight and management. The relevant departments of the State Council are responsible for personal information protection, oversight, and management within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.

The personal information protection, oversight, and management responsibilities of the relevant departments of local people's governments at the county level or above are to be determined in accordance with the relevant state provisions.

The departments provided for in the preceding two paragraphs are collectively referred to as the 'departments performing personal information protection duties'.

Article 60: Departments performing personal information protection duties are to perform the following personal information protection duties:

(1) Carrying out publicity and education on the protection of personal information, guiding and overseeing personal information protection work carried out by personal information handlers;

(2) Accepting and addressing complaints and reports related to the protection of personal information;

(3) Investigating and addressing illegal personal information handling activities;

(4) Other duties provided by laws and administrative regulations.

Article 61: State internet information departments are to plan and coordinate relevant departments in advancing the following efforts to protect personal information based on this law:

(1) Draft specific rules and standards for the protection of personal information;

(2) Draft specialized rules and standards for the protection of personal information in regards to sensitive personal information and new technologies and applications such as facial recognition and artificial intelligence;

(3) Support research and development of secure and convenient electronic identity verification technologies;

(4) Advance the construction of a system of socialized personal information protection services, and support relevant institutions in carrying out personal information protection assessment and certification services.

Article 62: Departments that perform personal information protection duties may employ the following measures in performing personal information protection duties:

(1) Questioning the relevant parties, and investigating circumstances related to personal information handling activities;

(2) Accessing and reproducing contracts, records, account books, and other materials related to the parties and their personal information handling activities;

(3) Conducting on-site inspections and investigating suspected illegal personal information handling activities;

(4) Inspecting equipment and items related to the personal information handling activities, and for equipment and items that there is evidence showing were involved in illegal personal information handling activities, make a written report to the principal responsible person of the department, and upon approval, they may be sealed or seized.

Where departments that perform personal information protection duties are lawfully performing their duties, the parties shall provide assistance and cooperate, and must not refuse or obstruct.

Article 63: Where, in the performance of their duties, departments performing personal information protection duties find that personal information handling activities carry a relatively large risk or that personal information security incidents have occurred, they may, in accordance with the prescribed authority and procedures, conduct an admonishment talk with the legal representative or principal responsible person of the personal information handler, or require the personal information handler to retain a professional institution to conduct a compliance audit of its personal information handling activities. Personal information handlers shall take measures as required, carry out rectification, and eliminate the hidden dangers.

Article 64: All organizations and individuals have the right to complain or report to the departments performing personal information protection duties regarding illegal personal information handling activities. Departments receiving complaints or reports shall promptly handle them in accordance with law and notify the complainant or informant of the outcome.

Departments performing personal information protection duties shall publish the contact information for accepting complaints and reports.

Chapter VII: Legal Responsibility

Article 65: Where personal information is handled in violation of this law, or where necessary security protection measures are not employed as provided, the departments performing personal information protection duties are to order corrections, give warnings, and confiscate unlawful gains; where corrections are refused, a concurrent fine of up to 1,000,000 RMB is to be given; the directly responsible managers and other directly responsible personnel are to be given a fine of between 10,000 and 100,000 RMB.

Where the circumstances of the illegal activities provided for in the preceding paragraph are serious, the departments performing personal information protection duties are to order corrections, confiscate unlawful gains, and give a concurrent fine of up to 50,000,000 RMB or up to 5% of the preceding year's business income, and may order the suspension of the relevant business, suspend operations for rectification, or report to the relevant regulatory departments for the cancellation of business permits or licenses; and a fine of between 100,000 and 1,000,000 RMB is to be given to the directly responsible managers and other directly responsible personnel.

Article 66: Where there is conduct violating the provisions of this law, it is to be recorded in the credit archives and made public in accordance with relevant laws and administrative regulations.

Article 67: Where state organs fail to perform their obligations to protect personal information under this law, the organ at the level above or the departments performing personal information protection duties shall order corrections; and the directly responsible managers and other directly responsible persons are to be punished according to law.

Article 68: Where rights and interests in personal information are infringed as a result of personal information handling activities, and the personal information handlers cannot prove that they are not at fault, they shall bear tort liability to compensate losses.

The liability for compensation in the preceding paragraph is to be determined based on the losses suffered by the individual or on the benefits obtained by the personal information handlers; where it is difficult to determine the losses suffered by the individual or the benefits obtained by the personal information handlers, the amount of compensation is to be determined in light of the actual circumstances.

Article 69: Where personal information handlers violate the provisions of this law in the handling of personal information and infringe on the rights and interests of a large number of individuals, the People's Procuratorate, the departments that perform personal information protection duties, and organizations designated by the State internet information departments may file a lawsuit in the people's court.

Article 70: Where provisions of this Law are violated, constituting a violation of public security management, public security administrative sanctions are given in accordance with law; where a crime is constituted, criminal responsibility is pursued in accordance with law.

Chapter VIII: Supplementary Provisions

Article 71: This law does not apply to natural persons handling personal information for personal or family affairs.

Where the law has provisions on the handling of personal information for statistics and archives management activities organized and implemented by the people's governments at all levels and their relevant departments, those provisions are to be applied.

Article 72: The meanings of the following terms in this law:

(1) "Personal information handlers" refers to organizations or individuals that independently make decisions on personal information handling matters such as the purpose and methods of handling personal information.

(2) "Automated decision-making" refers to the use of computer programs to automatically analyze and evaluate an individual's behavior and habits, interests and hobbies, or economic, health, or credit status, and so forth, on the basis of personal information, and to make decisions accordingly.

(3) "De-identification" refers to the process of handling personal information to make it impossible to identify a specific natural person without the help of additional information.

(4) "Anonymization" refers to the process in which personal information is handled so that it cannot be used to identify a specific natural person and cannot be restored after being so handled.

Article 73: This Law shall take effect on xx-xx-xxxx.
