Dive into China's Personal Information Protection Law (PIPL), an extensive privacy regulation governing personal data handling. Explore its impact, compliance obligations, handling sensitive data, consent rules, and international transfers.
The Personal Information Protection Law (PIPL) is a comprehensive data privacy law in China that aims to protect the personal information of individuals located in China, regardless of the location of the processor. The law applies to organizations and individuals that collect, use, store, transfer, or disclose the personal information of individuals located in China. It is one of several data protection laws now in effect in Asia, alongside, for instance, Japan's APPI.
The PIPL establishes a framework for the collection, use, storage, transfer, and disclosure of personal information, and it emphasizes the principles of transparency, purpose limitation, data minimization, accuracy, security, and accountability. It also grants individuals a number of rights regarding their personal information, including the right to access, correct, delete, and object to the processing of their personal information.
The PIPL was enacted on August 20, 2021, and went into effect on November 1, 2021.
China's PIPL, like Japan's APPI, applies to any organization or individual that collects, uses, stores, transfers, or discloses the personal information of individuals located in China, regardless of the location of the processor. This means that both domestic and foreign entities that handle the personal data of Chinese citizens are subject to the PIPL's requirements.
Here are some specific examples of entities that are subject to the PIPL:
In addition to these specific examples, the PIPL applies to any organization or individual that processes personal information of individuals located in China, regardless of the nature of the processing activity or the size of the organization.
The PIPL's extraterritorial scope means that foreign entities that handle the personal data of Chinese citizens are subject to the law, even if they are not located in China. This can pose challenges for foreign companies, as they may need to adapt their data handling practices to comply with Chinese law. Personal information processors must also take necessary measures to ensure that the personal information processing activities undertaken by the overseas recipients meet the personal information protection standard prescribed by the PIPL.
The PIPL defines "personal information" as any information related to an identified or identifiable natural person. This means that the law applies to a wide range of information, including:
The PIPL excludes anonymized information from its definition of personal information. Anonymized information is information that cannot be used to identify an individual. For example, if a company collects data on the average age of its website visitors, this data would be considered anonymized information because it cannot be used to identify any specific individual. (Compare Japan's APPI)
The PIPL defines "sensitive personal information" as personal information that may easily lead to the infringement of an individual's personal dignity or cause harm to their person or property. This includes information about:
The PIPL imposes additional requirements on the handling of sensitive personal information. For example, handlers must obtain explicit consent from individuals before collecting or using their sensitive personal information, and they must implement stricter security measures to protect this type of information.
The PIPL in China places a strong emphasis on obtaining clear, informed, and voluntary consent from individuals before collecting or using their personal information. This consent requirement applies to both general personal information and sensitive personal information, which includes information about an individual's race, ethnicity, religion, politics, health, biometrics, genetics, sexual orientation, criminal records, and other sensitive information that may be designated by the Cyberspace Administration of China.
For the collection or use of general personal information, the PIPL requires that consent be obtained in a way that is clear, informed, and voluntary. This means that individuals must be provided with clear and concise information about the purpose for which their personal information is being collected or used, and they must be given a genuine choice to consent or not consent.
For the collection or use of sensitive personal information, the PIPL requires that consent be obtained in a way that is explicit and separate from consent for the collection or use of general personal information. This means that individuals must be provided with even more detailed information about the purpose for which their sensitive personal information is being collected or used, and they must be given a clear and unambiguous opportunity to consent or not consent.
In addition to the general requirements for consent, the PIPL also sets out a number of additional considerations that handlers must take into account when obtaining consent. These considerations include:
In the context of China's PIPL, the terms "individuals" and "handlers" refer to distinct roles with specific rights and responsibilities in the handling and protection of personal information.
The PIPL defines "individuals" as natural persons located within the borders of China. This means that the law applies to all personal information collected, used, stored, transferred, or disclosed about individuals who are physically present in China, regardless of their nationality or citizenship. The law's protections extend to both Chinese citizens and foreign nationals residing in China.
The PIPL defines "handlers" as organizations and individuals that collect, use, store, transfer, or disclose personal information of individuals located in China. This means that the law applies to any entity that handles the personal data of Chinese residents, regardless of whether the entity is located in China or elsewhere.
The PIPL distinguishes between two types of handlers:
Under the PIPL, individuals have a number of rights regarding their personal information, including the right to access, correct, delete, and object to the processing of their personal information. Handlers are responsible for respecting these rights and complying with the PIPL's requirements to protect individuals' privacy.
The PIPL also establishes a number of obligations for handlers, such as the requirement to obtain clear and informed consent from individuals before collecting or using their sensitive personal information, to implement appropriate security measures to protect personal information from unauthorized access, use, disclosure, alteration, or destruction, and to notify individuals and relevant authorities in case of a data breach.
By establishing a clear framework for the relationship between individuals and handlers, the PIPL aims to protect the privacy of individuals and ensure that their personal information is handled responsibly.
The PIPL provides some exemptions from its general requirements. For example, the processing of personal information for the purpose of national security, public security, criminal investigation, judicial prosecution, or public health emergencies is exempt from the PIPL's requirements. Additionally, the processing of personal information for the purpose of scientific research, statistical purposes, or journalistic purposes may be exempt from the PIPL's requirements, provided that certain conditions are met.
The PIPL in China imposes restrictions on the transfer of personal information outside of China, to ensure that the protection of individuals' personal information travels with the data. This is similar to the General Data Protection Regulation (GDPR) in the European Union (EU).
Under the PIPL, organizations that transfer personal information outside of China must comply with the following requirements:
In order to determine whether a foreign country provides an adequate level of protection for personal information, the CAC will consider the following factors:
If the CAC determines that a foreign country does not provide an adequate level of protection for personal information, organizations will not be able to transfer personal information to that country unless they obtain additional safeguards, such as binding corporate rules (BCRs) or standard contractual clauses (SCCs).
A personal information protection impact assessment (PIPIA) is required for organizations that process sensitive personal information, process personal information for purposes that may have a significant impact on the rights or interests of individuals, or process personal information in a manner that may pose risks to the security of personal information.
PIPIAs must be conducted by personal information processors under the following circumstances: (1) processing sensitive personal information; (2) using personal information to conduct automated decision-making; (3) entrusting other parties to process personal information, providing personal information to other personal information processors, or disclosing personal information; (4) transferring personal information out of the Mainland; or (5) carrying out processing activities which have significant impacts on the rights and interests of individuals.
The Cyberspace Administration of China (CAC) is responsible for enforcing the PIPL. The CAC has the authority to investigate and punish violations of the PIPL, and it can impose fines of up to RMB 1 million (approximately USD 155,000) for serious violations.
The consequences for PIPL non-compliance can be severe, including:
In addition to these consequences, organizations that do not comply with the PIPL may also be subject to private lawsuits from individuals whose personal information has been misused.
Here's a comprehensive overview of the key requirements for businesses under the PIPL:
Here are some tips for avoiding PIPL non-compliance:
By following these tips, organizations can help to ensure that they are complying with the PIPL and protecting the personal information of individuals located in China.
The Data Security Law (DSL) came into effect on September 1, 2021, and focuses on data security across a broad category of data (not just personal information). It applies to all organizations and individuals that collect, use, store, transmit, process, provide, or disclose data within the PRC, regardless of their nationality or location. It also applies to foreign organizations and individuals that collect, use, store, transmit, process, provide, or disclose data of individuals or organizations located within the PRC.
The DSL establishes a framework for the collection, use, storage, transmission, processing, provision, and disclosure of data, and it emphasizes the principles of data sovereignty, data security, data protection, and data utilization. It also grants individuals a number of rights regarding their data, including the right to access, correct, delete, and object to the processing of their data.
The DSL and PIPL are two complementary pieces of legislation that work together to protect data in China. The DSL focuses on the overall security of data, while the PIPL focuses specifically on the protection of personal information.
The General Data Protection Regulation (GDPR) is a data privacy law in the European Union. The GDPR does not apply in China, but the PIPL is similar to the GDPR in many ways: both laws aim to protect the personal information of individuals and grant individuals a number of rights regarding their personal information.