Watson & Band and JETRO Jointly Hold a Lecture on “Insights on Corporate Data Compliance under the (Draft) Personal Information Protection Law”
On the morning of November 17, the third lecture of this year’s “IP Rights Lecture Series for Chinese Employees of Japanese Enterprises” was successfully held in the conference room on the 21st Floor of Shanghai International Trade Center. The lecture, jointly held by Watson & Band and JETRO’s Shanghai Office, was entitled “Insights on Corporate Data Compliance under the (Draft) Personal Information Protection Law” and given by Watson & Band’s Partner, Ms. Cathy Wu, along with her team member, Mr. Juexin Huang.

The lecture included three sections: (1) background of the Draft; (2) overall structure; and (3) key issues to note for corporate data compliance.

In Section 1, Mr. Huang started from the leakage of personal information occurring in daily life and summarized the actions accomplished in the past two years by the special governance and rectification work group established by four authorities. These actions were aimed at illegal activities of apps involving the collection of personal data. Drawing on the Measures for Identification of Illegal Collection and Use of Personal Information by APPs, Mr. Huang further elaborated on eight major problems. According to Mr. Huang, the (Draft) Personal Information Protection Law, as the first law providing for personal information protection in China, will form the “troika” together with the Cyber Security Law and the Data Security Law for China’s cyber security and data protection legislation.
In Section 2, Mr. Huang first gave a quick review of the overall structure of the Draft and interpreted the protection object and application scope of the Personal Information Protection Law. In terms of the former, he cited a “Tik Tok (domestic version)” case and a “WeChat Reading” case, analyzed the definition of “personal information rights and interests”, and compared the similarities and differences between those rights and privacy rights; he also listed the items of personal information stipulated under the Personal Information Security Regulations. Turning to the application scope, Mr. Huang pointed out that, in addition to enterprises that should pay great attention to the Personal Information Protection Law (for example, Internet enterprises directly facing C-end users, and financial, medical care and educational enterprises handling sensitive personal information), other enterprises in traditional or emerging industries should also pay close attention to personal information protection in their employee recruitment and management and in their provision of products or services.
In Section 3, Ms. Wu selected some key points under the Personal Information Protection Law and provided guidance for corporate data compliance practices. First, she summarized the principles for data processing under the Draft, including legality and legitimacy, definite purpose, necessity and transparency; by citing some negative examples, she also explained the meaning of “minimum necessity”. She pointed out that one highlight of the Draft is that the legal basis for personal information processing by enterprises has been broadened, following which she explained in detail how to obtain effective consent from personal information owners and how to fulfill the obligation of disclosure. In terms of data processing by third parties, Ms. Wu compared engaged processing and provision to third parties with respect to their natures and compliance requirements, and reminded the attendees of the joint and several liability borne by joint processors. Turning to cross-border transmission of personal information, Ms. Wu pointed out that the Draft actually loosened the conditions for personal information leaving the country: in addition to security assessment by national cyber security authorities, compliance requirements can also be met by personal information protection authentication or contracts with overseas information recipients. From the perspective of enterprises, Ms. Wu summarized the rights of personal information owners, including the rights of knowledge, review and duplication, correction and supplementation, and deletion, along with the obligations that must be borne by enterprises processing personal information, including setting up a mechanism for individuals to exercise their rights, formulating internal rules and regulations, and conducting compliance auditing and pre-event risk evaluation.