This translation is part of the DigiChina Project, based at the Stanford University Cyber Policy Center and a joint effort with New America.

This translation is by Rogier Creemers, Mingli Shi, and Lauren Dudley, and it was edited by Graham Webster.

[Chinese-language original]

Personal Information Protection Law of the People’s Republic of China (Draft)

Table of Contents

Chapter I: General Provisions

Chapter II: Personal Information Handling Rules

Section I: Common Provisions

Section II: Rules for Handling Sensitive Personal Information

Section III: Specific Provisions on State Organs Handling Personal Information

Chapter III: Rules on the Cross-Border Provision of Personal Information

Chapter IV: Individuals’ Rights in Personal Information Handling Activities

Chapter V: Personal Information Handlers’ Duties

Chapter VI: Departments Fulfilling Personal Information Protection Duties and Responsibilities

Chapter VII: Legal Liability

Chapter VIII: Supplemental Provisions

Chapter I: General Provisions

Article 1: This Law is formulated in order to protect personal information rights and interests, standardize personal information handling activities, safeguard the lawful, orderly, and free flow of personal information, and stimulate the reasonable use of personal information.

Article 2: The personal information of natural persons receives legal protection; no organization or individual may infringe natural persons’ personal information rights and interests.

Article 3: This Law applies to organizations’ and individuals’ activities handling the personal information of natural persons within the borders of the People’s Republic of China.

Where one of the following circumstances is present in handling activities outside the borders of the People’s Republic of China of personal information of natural persons within the borders of the People’s Republic of China, this Law applies as well:

  1. Where the purpose is to provide products or services to natural persons inside the borders;
  2. Where conducting analysis or assessment of activities of natural persons inside the borders;
  3. Other circumstances provided in laws or administrative regulations.

Article 4: Personal information is all kinds of information recorded by electronic or other means related to identified or identifiable natural persons, not including information after anonymization handling.

Personal information handling includes personal information collection, storage, use, processing, transmission, provision, publishing, and other such activities.

Article 5: Lawful and proper methods shall be adopted for personal information handling, and the principle of sincerity observed. It is prohibited to handle personal information in fraudulent, misleading, or other such ways.

Article 6: Personal information handling shall have a clear and reasonable purpose, and shall be limited to the smallest scope to realize the handling purpose. It is prohibited to conduct personal information handling unrelated to the handling purpose.

Article 7: The principles of openness and transparency shall be observed in the handling of personal information, and personal information handling rules indicated clearly.

Article 8: In order to realize the handling purpose, the handled personal information shall be accurate and updated in a timely manner.

Article 9: Personal information handlers shall bear responsibility for their personal information handling activities, and adopt the necessary measures to safeguard the security of the personal information they handle.

Article 10: No organization or individual may handle personal information in violation of the provisions of laws and administrative regulations, or engage in personal information handling activities harming national security or the public interest.

Article 11: The State establishes a personal information protection structure, to prevent and punish acts harming personal information rights and interests, strengthen personal information protection propaganda and education, and promote the creation of a good environment for personal information protection, with joint participation from government, enterprise, relevant sectoral organizations, and the general public.

Article 12: The State vigorously participates in the formulation of international rules [or norms] for personal information protection, stimulates international exchange and cooperation in the area of personal information protection, and promotes mutual recognition of personal information protection rules [or norms], standards, etc., with other countries, regions, and international organizations.

Chapter II: Personal Information Handling Rules

Section I: Common Provisions

Article 13: Personal information handlers may only handle personal information where they conform to one of the following circumstances:

  1. Obtaining individuals’ consent;
  2. Where necessary to conclude or fulfill a contract in which the individual is an interested party;
  3. Where necessary to fulfill statutory duties and responsibilities or statutory obligations;
  4. Where necessary to respond to sudden public health incidents or protect natural persons’ lives and health, or the security of their property, under emergency conditions;
  5. Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest;
  6. Other circumstances provided in laws and administrative regulations.

Article 14: Consent for handling personal information shall be given by individuals under the precondition of full knowledge, and in a voluntary and explicit statement of wishes. Where laws or administrative regulations provide that specific consent or written consent shall be obtained to handle personal information, those provisions are followed.

Where a change occurs in the purpose of personal information handling, the handling method, or the categories of handled personal information, the individual’s consent shall be obtained again.

Article 15: Where personal information handlers know or should know that the personal information they handle is the personal information of minors who have not reached 14 years of age, they shall obtain the consent of their guardian.

Article 16: Individuals have the right to rescind their consent to personal information handling activities conducted on the basis of individuals’ consent.

Article 17: Personal information handlers may not refuse to provide products or services on the basis that an individual does not consent to the handling of their personal information or rescinds their consent to handle personal information, except where handling personal information is necessary for the provision of products or services.

Article 18: Personal information handlers shall, before handling personal information, explicitly notify individuals of the following items using clear and easily understood language:

  1. The identity and contact method of the personal information handler;
  2. The purpose of personal information handling and handling methods, the categories of handled personal information, and retention period;
  3. Methods and procedures for individuals to exercise the rights provided in this Law;
  4. Other items that laws or administrative regulations provide shall be notified.

Where a change occurs in the matters provided in the previous paragraph, individuals shall be notified about the change.

Where personal information handlers notify the matters as provided in Paragraph I through the method of formulating personal information handling rules, the handling rules shall be public and convenient to read and store.

Article 19: Personal information handlers handling personal information are permitted not to notify individuals about the items provided in the previous Article under circumstances where laws or administrative regulations provide that secrecy shall be preserved or notification is not necessary.

Under emergency circumstances, where it is impossible to notify individuals in a timely manner in order to protect natural persons’ lives, health, and the security of their property, personal information handlers shall notify them after the conclusion of the emergency circumstances.

Article 20: Personal information retention periods shall be the shortest period necessary to realize the purpose of the personal information handling. Where laws or administrative regulations provide otherwise concerning personal information retention periods, those provisions are followed.

Article 21: Where two or more personal information handlers jointly decide on a personal information handling purpose and handling method, they shall agree on the rights and obligations of each. However, said agreement does not influence an individual’s rights to demand any one personal information handler perform under this Law’s provisions.

Where personal information handlers jointly handling personal information harm personal information rights and interests, they bear joint liability according to the law.

Article 22:
