On May 25, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted its response (in English and in Mandarin) to the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China on the updated version of the Draft Personal Information Protection Law (“PIPL”).
As we previously reported, CIPL provided comments to the NPC on the initial draft of the PIPL in November 2020. Many of the comments that CIPL put forward in its initial response are still relevant and applicable to the updated PIPL. CIPL reiterates many of its previous recommendations in the current response and highlights several new considerations that the NPC should take into account as it continues to work on the PIPL.
Key recommendations from the response include:
- Providing further clarity on when consent is required under the PIPL. The NPC has stated in the updated version of the PIPL that consent is not required for circumstances stipulated under Articles 13(2)-13(7) of the draft law (i.e., the other legal bases for processing). CIPL recommends that the NPC cross reference this assertion in other provisions of the PIPL that require consent for specific processing operations.
- Providing further clarity on the impact of withdrawing consent. CIPL appreciates that the NPC has clarified that where an individual withdraws consent to processing, such withdrawal shall not affect processing activities that have taken place prior to the withdrawal. CIPL recommends that the NPC further clarify that withdrawal of consent does not affect certain ongoing forms of processing that rely on the integrity of datasets, and to which an individual initially provided consent (e.g., processing data for medical research that has already commenced).
- Adding a legitimate interest processing ground to the PIPL. Given its increasing use in data protection laws globally and its utility in ensuring that many forms of processing operations not covered by other legal grounds can still take place, CIPL recommends that the NPC include a legitimate interest ground for processing in the next version of the PIPL.
- Enabling a risk-based approach to determining whether an organization is processing the personal information of minors in the context of mixed audience websites. CIPL recommends that the NPC enable personal information processors to make a contextual determination based on a number of factors to determine whether they are processing the personal information of minors in order to meet the requirements of Article 15 of the PIPL for mixed audience websites and services.
- Revising some aspects of the international data transfers provisions. CIPL restates several of the recommendations it has previously made with respect to international transfers, including removing the requirement to obtain consent in addition to using cross-border transfer mechanisms listed under the PIPL. CIPL further recommends in the current response that the NPC reinstate the general goal of safeguarding the orderly and free flow of personal information under Article 1 of the PIPL, and consider existing model contractual clauses in other jurisdictions in formulating any model contracts for transfers under the PIPL (e.g., ASEAN Model Contractual Clauses for Cross-Border Data Flows).
- Providing clarity on which types of personal information processors are required to set up an external independent body to supervise processing and publish social responsibility reports. CIPL recommends that the NPC clarify: the parameters that trigger the requirements of Article 57 of the PIPL, who exactly the provision applies to and how the requirements apply to online platform services that do not have insight into certain activities undertaken on their platforms.
- Approaching anonymization from a risk-management perspective, and not as a technique or end state. CIPL recommends that the NPC revise the definition of anonymization to reflect the more realistic standard of reasonable anonymization coupled with procedural, legal and administrative safeguards.
To read about the above recommendations in detail, along with all of CIPL’s other recommendations, please see the full response (in English or in Mandarin).
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code