USCBC Comments on the Draft Personal Information Protection Law

On behalf of the more than 220 members of the US-China Business Council (USCBC), we appreciate the opportunity to submit comments on the draft Personal Information Protection Law of the People’s Republic of China (hereafter referred to as “the Draft”) to the National People’s Congress (NPC).

USCBC received comments on the Draft from companies across multiple industries, including information and communications technology (ICT), energy, manufacturing, and financial services.

The Draft serves as an important pillar of China’s cybersecurity regime and defines the rights of individuals over the processing of their personal information. Our membership supports the Chinese government’s objective of protecting the privacy and security of persons within China. However, members have expressed concerns about provisions in the following areas:

  1. Extraterritoriality: Article 3 states that the Draft applies to personal information processors outside of mainland China where analysis is being conducted on natural persons within China, or when the purpose of processing activities is to provide products or services to natural persons inside China. However, the terminology used to describe the scope of these activities is vague, making it challenging for companies to assess their compliance burden. This is exacerbated by a catch-all provision, which applies the extraterritorial elements of the Draft to “other circumstances provided in laws or administrative regulations.”
  2. Unclear oversight: Article 56 identifies the national-level Cyberspace Administration of China (CAC) as the lead regulator for personal information protection work, but also lists a multitude of unspecified regulators and government authorities who will have a role in enforcing the law. This unnecessarily increases the compliance burden for companies, which must identify the appropriate authorities for reporting and, in the case of a data breach, may have to send multiple incident reports to various authorities because it is unclear who is in charge.
  3. Undefined thresholds: The Draft employs personal data volume thresholds to determine whether companies will be subject to cross-border data security reviews or whether they need to register as designated data protection managers with relevant authorities. However, volume by itself is not a meaningful indicator of risk, given that companies collect many different types of personal information, which carry different levels of risk. Furthermore, the Draft does not define these thresholds, leaving companies unable to accurately assess their compliance requirements.
  4. Data localization: Article 40 of the Draft mandates that critical information infrastructure (CII) operators, and non-CII operators who process an unspecified volume of personal information, will be subject to data localization requirements. This contradicts the Cybersecurity Law, which mandates data localization only for CII operators. Data localization makes data less secure by preventing it from being distributed and replicated across a global network. Localized data may be destroyed or made inaccessible in the event of an outage, limiting companies’ ability to recover. Data localization may even lead to a situation where companies located in China are subject to more cyberattacks, as attackers will be aware that a successful intrusion will give them access to massive amounts of localized data concentrated in one place. Most importantly, it is impractical and costly to require companies that offer services on a global scale to store and process their data locally. Localization requirements will ultimately discourage investment in the China market.
  5. Personal information collection rules: The Draft does not explicitly allow the collection and processing of personal information on the basis of the “legitimate interests” of corporate entities. While Article 13 expands the legal bases for personal information collection beyond consent, there are no explicit exceptions to consent-based processing for employee personal data. This will prove unnecessarily onerous to companies as they try to manage employee training or access employee information held in other jurisdictions.

We appreciate this opportunity to raise our suggestions, and have provided article-specific recommendations in detail below. The Draft’s English translation is provided by New America.
