On April 29, 2021, the National People’s Congress Standing Committee published the second draft of the Personal Information Protection Law of the People’s Republic of China, calling for public comments. Compared with the first draft, the second draft revised some provisions and added new ones, based on the feedback received during the first round of public comments. The most significant changes are summarized below:

 

  • Reinforce the cross-border provision of personal information requirements. In the second draft, one of the basic premises for cross-border personal information was changed from “signing contracts with overseas recipient” to “signing contracts with overseas recipient in accordance with the standard contract formulated by the Cyberspace Administration of China“. The objective is to prevent potential security problems arising when enterprises draft relevant contracts by themselves.

 

  • Strengthen the supervision over the personal information given to overseas judicial or law enforcement agencies. In the second draft, the statement “for the purpose of international judicial assistance or administrative law enforcement assistance, individuals who need to provide personal information abroad shall apply for the approval of the competent authorities according to law” was changed to “individuals whose personal information stored in China is required to be provided to overseas judicial or law enforcement agencies, shall not do so without the approval of the competent authorities“. On the one hand, this provision was adjusted to become a prohibition. On the other hand, it expanded the scope of the supervision on personal information: it is no longer confined to “international judicial assistance or administrative law enforcement assistance” only. As long as the overseas judicial or law enforcement agencies requires personal information stored within China, the provision shall be applied. It is aiming at countering the long arm jurisdiction of foreign institutions.

 

  • Specific personal information protection obligation requirements for super large Internet platforms were added. For instance, Article 57 added a provision that “entities processing personal information, which provide basic Internet platform services with a large number of users and complex business types, shall fulfill the following obligations: (i) set up an independent organization composed mainly of external members, to supervise personal information processing activities; (ii) stop providing services to the products or service providers on the platforms that deal with personal information in violation with the law and administrative regulations; (iii) regularly release social responsibility reports on personal information protection, and accept social supervision”. This provision explicitly proposes the legal requirements to strengthen the obligation of personal information protection on super-large Internet platforms.

 

  • Clarify the authority of the State Cyberspace Administration for overall coordination. Article 61 points out that “the Cyberspace Administration of China makes overall plans and coordinates with relevant departments to promote the following work in the field of personal information protection: (i) formulate specific rules and standards for personal information protection; (ii) formulate special personal information protection rules and standards for sensitive personal information, new technologies and applications – such as face recognition and artificial intelligence; (iii) support the research and development of secure and convenient electronic identity authentication technology; (iv) promote the construction of a socialized service system for personal information protection. In addition, the State Cyberspace Administration will also support relevant institutions in carrying out evaluation and certification services for personal information protection“.