August 12, 2022


Let's Talk Law

Data processors and the draft data protection law

On 30 April 2021, the Legislative Affairs Commission of the National People’s Congress Standing Committee released the second review draft of the Personal Information Protection Law for public consultation. The draft marks the development and progress of China’s legal system for personal information protection. It covers restrictions on key issues such as facial recognition, so-called “cyber manhunts”, automated decision-making, desensitisation and cross-border transfer of data, and sets higher requirements for internet enterprises’ compliance and government regulation.

Chen Yuxuan
Yuanhe Partners

Given that a few issues are still open to discussion, such as the identification of subjects of liability, enterprises should monitor these issues and adjust their business practices accordingly.

Unlike the Chinese draft, the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act (DPA) divide subjects of liability into data controllers and data processors.

Article 72 of China’s draft provides the definition of personal information processors. The relevant provisions only address information processing activities and information processors, without reference to data controllers and data control activity. Article 65 only provides for the legal liabilities for “processing” personal information in violation of the provisions of this law.

The draft adopts an overarching regulatory framework to simplify the rules and uses broader concepts to dovetail with the concept of third parties in the Civil Code. However, given the special nature of personal information processing and protection, this intentional generalisation may give rise to a number of problems.

According to article 4(7) of the GDPR, “a controller is a natural person, legal entity, public body, agency or other organisation that can determine, individually or jointly, the purpose and manner of processing personal data”. And article 4(8) stipulates that processors are the above-mentioned subjects who process personal data for controllers. The GDPR distinguishes controllers from processors based on whether the subject of data processing has autonomy. A subject with an independent will to determine the purpose and manner of data processing is a data controller, while a data processor is only the subject responsible for specific data processing.

Tian Chenguang
Yuanhe Partners

However, article 72 of the draft stipulates that “a processor of personal information is an organisation or individual who independently makes a decision on the purpose and manner of processing personal information”, and such a stipulation is the definition of data controller under the GDPR. The draft also stipulates that the processing of personal information includes the collection, storage, use, processing, transmission, provision and disclosure of personal information.

Clearly, these acts cannot be equated with autonomous determination of the purpose and manner of information processing, and therefore do not reflect the content of the acts that should comply with the definition of responsible subject. As a result, the draft does not define a personal information processor clearly and may give rise to controversies.

The distinction between data controllers and data processors under the GDPR and DPA is of practical importance because data controllers are often independent of data processors in the course of personal data processing, especially in cases where governmental public sectors assign their data to data processing service providers for processing.

All of the above-mentioned rules have enumerative provisions on the acts of data processing, and therefore the status of a subject engaged in a particular act can be determined. A subject responsible for specific processing jobs is usually regarded as a data processor, while a data controller is responsible for providing for and interpreting the purpose of data processing.

In principle, when disclosure of personal data or other infringements are caused by violation of applicable laws, the data controller should assume the legal liabilities that arise from that.

Absolute controllers and processors are relatively extreme concepts. If one party decides how personal data is processed and provides specific processing instructions for the other party to follow, and the other party is strictly restricted by such instructions, the party giving instructions is a data controller. The other party is a data processor.

An example of this would be where a public personal data collector obtains a large amount of personal data, and then hands the data over to an IT service provider which stores and sorts the data out for it, and where the purpose and manner of data use and period of storage is controlled by the collector. Although the IT service provider has the right to decide a secure way to store and access the data by virtue of its professional ability, the right to decide the purpose and method of data processing is in the hands of the collector all the time. As a result, the collector, as a data controller, should be liable for any violation and infringement in the course of personal data processing.

It is worth noting that there is greater flexibility in determining the role of subjects in particular data processing scenarios. For example, in the case that a bank contracts a market research company to conduct a survey of customer satisfaction with the bank’s services, even though the company conducts the survey on behalf of the bank, it actually performs the role of data controller because it has the autonomy to decide how to collect data, how to take samples, and how to present the results.

In the event of any violation, the company should be held liable according to the extent of its role as a controller. In addition, going back to the previous example, if the IT service provider’s data processing conduct goes beyond the agreement between the IT service provider and the collector, and so causes damages, the IT service provider has performed the role of controller and is liable for infringement and for breach of its contract with the collector.

A clear identification of data controllers and processors is key to determining and judging their rights and responsibilities, and therefore further clarification and adjustments should be introduced. Based on the current structure of the draft, as an enterprise conducts business activities related to personal information, it should fully consider its processing conduct, rights and obligations as a data controller and a data processor, and take the initiative to complete a comprehensive review of its compliance, regardless of whether it has the independent will to determine the purpose and method of information processing.

In particular, when entering into a contract on information processing, the purpose and duration of information processing, processing method, type of personal information, security measures, and rights and obligations of both parties shall be fully stipulated in the contract. In addition, the information processing activities carried out by the authorised party should be monitored.

Chen Yuxuan is a partner and Tian Chenguang is a counsel at Yuanhe Partners

Yuanhe Partners
58F, Fortune Financial Center (FFC)
5 Dongsanhuan Zhonglu, Chaoyang District
Beijing 100020, China
Tel: +86 10 5733 2388
Fax: +86 10 5733 2399