Understanding China’s Personal Information Protection Law: What You Need to Know

Understanding China’s Personal Information Protection Law: What You Need to Know

Do you operate a business in China or plan to do so in the near future? The Personal Information Protection Law of the People’s Republic of China (“PIPL”) enacted on August 20, 2021, has come into effect since November 1, 2021. PIPL has brought sweeping changes to the current data protection and privacy landscape in China. This law is a response to the increasing need to ensure that individuals’ personal data is protected and secured. In this article, we’ll provide an overview of the PIPL and everything you need to know to stay compliant.

What is the Personal Information Protection Law (PIPL)?

The Personal Information Protection Law is a comprehensive law that sets out rules for collecting, processing, and protecting personal data in China. The law applies regardless of whether an organization is based in China or elsewhere if they process and collect personal data in China.

The PIPL includes provisions similar to the EU General Data Protection Regulation (GDPR) and imposes strict requirements for processing personal data. It provides individuals with more control over their data, incorporating significant changes that are more protective of privacy than the current laws. In short, PIPL is the backbone of China’s privacy and data protection regime, making it imperative to understand.

What are the key provisions of the PIPL?

The PIPL includes essential provisions, and some crucial ones are as follows;

1. Consent Requirements

Organizations must obtain an individual’s explicit and informed consent before collecting and processing their personal data.

2. Territorial Scope

The PIPL applies to all international and domestic organizations that process personal data in China.

3. Cross-border transfer

Organizations must perform a personal data security assessment and obtain written consent before transferring personal data outside of China.

4. Protection of Children’s Data

Organizations must obtain explicit consent from children or their guardians before collecting and processing their data.

What are the obligations of organizations under the PIPL?

The PIPL imposes specific requirements on companies and organizations that collect, process, and transfer personal data. The obligations under the PIPL include:

1. Data Protection Impact Assessment (DPIA)

The DPIA is a mandatory assessment to identify and evaluate the potential risks and effects of processing personal data.

2. Appointment of a Data Protection Officer

Organizations must appoint a data protection officer to oversee data protection compliance.

3. Data Breach Notification

Organizations must notify individuals and relevant authorities within a reasonable period of becoming aware of a data breach.

4. Record Keeping

Organizations must maintain accurate records of their personal data processing activities and provide them to regulatory authorities upon request.

What are the penalties for non-compliance?

The PIPL imposes significant fines and penalties on organizations and individuals that are in breach. Fines can escalate to as much as RMB50 million or 5% of an organization’s annual revenue.

Conclusion

The PIPL aims to provide increased protection for individuals’ personal data and data privacy rights in China. It comprises strict data protection obligations on organizations that collect, process, and transfer personal data. Complying with the PIPL requires significant effort, time, and resources, which is why it’s crucial to get started now. The consequences of non-compliance are severe.

As a business owner conducting business in China or planning to do so, it’s imperative to understand the provisions outlined in the PIPL. Take sufficient steps to ensure your organization is in compliance with the new law. Remember, the key to compliance involves taking a proactive approach to data privacy and security.