This year is likely to see the most significant changes in the regulation of data privacy in China since the Cyber Security Law (CSL) came into effect in 2017. Whereas the CSL sets up a framework for the comprehensive administrative regulation of personal data collected or stored electronically, in 2021 China is expected to adopt for the first time a single omnibus approach for the protection of personal data in all situations - in a new Personal Information Protection Law (PIPL) - that will also provide for directly enforceable individual rights.

Several new measures either have been or are being introduced:

  • The new PRC Civil Code took effect on 1 January 2021 and contains a chapter on the protection of personal data that enshrines an individual’s right to the protection of personal data - for essentially the first time under Chinese law. The Civil Code establishes foundational principles of data minimisation, transparency of communication, purpose limitation and fair treatment. It also enacts individual rights to access and request rectification of errors in the personal data held about them, and to erase data that has been processed in contravention of law.
  • The draft PIPL was released on 21 October 2020. The PIPL will be the first comprehensive regulation of personal data applicable to all situations of data collection and use. The PIPL will give effect to the individual privacy rights adopted in the PRC Civil Code and may lead in turn to increased levels of private litigation in the data protection space.
  • An updated version of the Personal Information Security Specification (the PI Security Specification) took effect on 1 October 2020. The PI Security Specification lays down a baseline for compliance with the full pyramid of implementing regulations and measures enacted under the CSL. Pending the introduction of the PIPL, the PI Security Specification will assume ever greater importance as a sighter for organisations looking to ramp up their standard of privacy compliance to meet the requirements of the new law.
  • The draft Data Security Law (DSL) was submitted by the Standing Committee of the National People’s Congress on 2 July 2020. The final version of the DSL is expected to be released and come into effect sometime during 2021. The law sets out several data security protection and related governance obligations applicable to organisations conducting any form of data activities in China. It will also introduce a tiered system of data security obligations. The draft DSL separately contains various provisions that address the sui generis category of ‘important data’ that first appeared in the CSL but which has yet to be followed through into enforceable law.

For further detail on the new Personal Information Protection Law and the draft Data Security Law please click below: