Rome was not built in a day – It’s never too early to review your personal data protection practice in China!

06 January 2021, Intellectual Property, Legal Alert by Dora Si, Andy Yu

Did you know?

The long-awaited draft of the Personal Data Protection Law (PDPL) was released for public consultation in October 2020. If enacted, it will be the first comprehensive law setting out the overall legal framework, as well as the obligations of different stakeholders throughout the entire lifecycle of personal data in China.

Why does this matter to you?

The data protection regime in China has developed rapidly in recent years and is stricter than one might think. Businesses should review their practices and take proactive steps to manage the increasing compliance risks, sooner rather than later. Here is a checklist of certain key issues that you should consider:

  • Are your privacy policy and the manner of obtaining consent from your customers to collect and use their personal data compliant with the China-specific requirements?
  • Do you have any guidelines and mechanisms in place setting out the internal governance framework for personal data protection, for instance, who should handle your customers’ enquiries and complaints, the Chinese authorities’ requests, data breach incidents, etc., and how?
  • Are sufficient contractual obligations imposed on your employees, service providers and business partners to protect personal data that has been collected?
  • Are you required to appoint a data protection officer and set up a task force?
  • Are your data processing records properly maintained and regularly audited?
  • Have you conducted any personal data impact assessments for your data processing activities?
  • If you intend to transfer personal data collected from within China to other jurisdictions, have you made any compliance preparations?
  • Are your technical and security measures sufficient to protect personal data that you collect and are they compliant with the China-specific requirements?

The proposed maximum administrative penalties under the draft PDPL for serious violations of personal data protection obligations include a fine of RMB 50 million or 5% of a business’ preceding year’s revenue, forfeiture of illegal gain and revocation of its business licence.

If you have any questions regarding the above, please contact us at ip@deacons.com.