June 2, 2021

China set to increase personal data protections and restrictions on data transfer

On April 26, 2021, revisions to existing data privacy and security legislation were submitted to the standing committee for review of legislation of the Chinese National People’s Congress.  The revisions to the Personal Information Protection Law (PIPL) and the Data Security Law (DSL) would introduce a data classification system based on the level of economic and social importance of the data and would mandate the establishment of independent oversight bodies by internet platforms, composed largely of people from outside those companies, to supervise their processing, use and disposal of personal data.  Importantly, the proposed DSL revisions would allow the imposition of monetary penalties on both companies and individuals for transmitting domestically stored data to foreign investigative or enforcement authorities without the consent of Chinese government authorities.  Companies could be fined up to CNY 1 million (approximately US $157,000) and individuals could be fined up to CNY 200,000 (approximately US $31,000) for violating the law.  The revisions, as drafted, would require companies to refuse to provide information to law enforcement agencies outside of China, absent approval from Chinese authorities, irrespective of whether the data at issue pertains to Chinese or non-Chinese businesses and individuals. Under the revised PIPL, companies can be fined 5% of annual turnover or up to CNY 50 million (approximately US $7.8 million).

The draft legislation, first introduced in June 2020, has been available for public comment.  It will now proceed to the legislative affairs commission of the standing committee of the National People’s Congress for consideration of the public comments and final revision.  It will take effect upon passage by the full standing committee and signature by President Xi Jinping.