China: China's GDPR Is Coming: Are You Ready? ——Exploring The Upcoming China's Draft Personal Information Protection Law
Topic Two - Lawful Basis For Processing Personal Information

Prior to the Draft, China adopts a consent principle in determining the lawfulness of processing personal information, which means that, unless otherwise provided by law and administrative regulation, processing of personal information should be subject to the personal information subject's informed consent. Besides, the widely referenced national standard Personal Information Security Specification (GB/T 35273-2020, whose revised version was implemented on October 1, 2020) demonstrates some circumstances under which processing could be justified without consent, however, as such national standard has no legal force, they may not qualify effective defence in disputes.

In light of the limitation of the consent principle as well as the increasingly complex processing scenarios, the PIPL takes an approach similar to the GDPR, which provides multiple lawful basis for processing personal information in addition to consent.

I. Consent

Generally, the most commonly used lawful basis for processing is consent. In practice, consent should be obtained in different ways in consideration of the type of data as well as the specific processing actitivies. The Draft presents new requirements for obtaining consent and also clarifies personal information subject's right to withdraw consent.

A. Separate Consent and Written Consent

The Draft puts forward two new concepts of "separate consent" and "written consent". Specifically, under the following conditions, separate consent should be obtained for processing: (1) providing personal information to a third party; (2) publicizing personal information processed; (3) processing sensitive personal information; (4) using personal information which is collected for public security for any other purpose, and (5) transferring personal information outside China. Meanwhile, the Draft requires that, if otherwise provided by law or administrative regulation, written consent shall be obtained when processing sensitive personal information.

Literally, separate consent requires consent to be obtained separately for a specific matter, and a package consent covering all the processing purposes is not allowed; written consent means that consent shall be obtained in written form, rather than orally. However, further guidance in this regard is expected to be provided by the final version or the supplementary rules of the law in the future.

B. Explicit Consent and Implied Consent

From the perspective of implementation, in practice, consent can be divided into explicit consent and implied consent. In most of the cases, explicit consent has to be obtained when collecting and processing personal information. That means, consent should be made proactively by the personal information subject (or the guardian of a child, the same below) through written/oral statement or other autonomously affirmative actions, such as clicking a "consent" button.

Parallelly, implied consent is made by negative behaviours, therefore applies to very limited circumstances where it is hard to obtain explicit consent. For example, in general, if an individual has not left the surveillance area after seeing the video surveillance reminder sign, he/she can be deemed to agree to be monitored.

C. Withdraw Consent and Re-obtain consent

The Draft for the first time makes it clear from the level of law that, an individual has the right to withdraw consent to the processing of personal information based on his/her consent. In this regard, consent as a lawful basis may no longer be the first choice for processing, as an individual can withdraw his/her consent at any time.

Besides, the Draft provides that consent shall be re-obtained when the initial purpose or method of processing personal information or the type of personal information processed changes.

II. Other Lawful Basis

As afore-mentioned, under the Draft, in addition to consent, processing of personal information could also be based on other lawful basis, which is quite similar to the GDPR.

Specifically, the Draft stipulates that, personal information could be processed (without consent) where the processing is necessary (1) for the conclusion or performance of a contract with the individual; (2) for the performance of statutory duties or for compliance with legal obligations; or (3) for coping with public health emergencies or for the protection of the life, health and property safety of an individual. Meanwhile, to carry out such activities as news reporting for the purpose of public interests, personal information processor¹ could process personal information within a reasonable scope. Besides, the Draft also provides the catch-all clause that personal information could be processed if otherwise specified by law and administrative regulation.

Notably, similar to the GDPR, according to the Draft, no matter which lawful basis the processing is based on, before processing personal information, the personal information processor shall inform the individual of the following matters: (1) the identity and contact information of the processor; (2) the purpose and method of processing personal information, and the type and retention period of the processed personal information; (3) the method and procedure for the individual to exercise the rights; and (4) other matters provided by law and administrative regulation.

III. Other Observations

Compared with the GDPR, the PIPL does not provide the basis of "for the purpose of legitimate interests pursued by the controller", while it introduces that of "for coping with public health emergencies" against the background of COVID-19 outbreak. As for the former, it is understood that since such "legitimate interests" under the GDPR like direct marketing, fraud prevention and network security are sometimes difficult to justify and shall be balanced with the data subject's rights and interests, introduction of this lawful basis may increase the difficulty in enforcing such proposed regulation.

Notwithstanding, the Draft largely expands the current lawful basis for processing personal information, and tends to be in line with international practice, therefore to some extent, it will facilitate multinationals' localization of global compliance systems pursuant to the PIPL in the future.

Next Topic: Personal Information Processor under the PIPL.

Footnote

1. Personal information processor under the Draft refers to "any organization or individual that independently determines the purpose and method of processing and other personal information processing matters", which is similar to "data controller" under the GDPR. We will further discuss this in the next topic.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.