On August 20, 2021, China’s Personal Information Protection Law (PIPL) was adopted by the National People’s Congress (NPC) Standing Committee. The law is set to take effect on November 1, 2021, giving organizations little time to comply with what The Wall Street Journal describes as one of the world’s strictest data privacy laws. The official text is available here (only available in Chinese).

Draft versions of China’s PIPL have been debated since its introduction in 2020 to give data subjects more control over the use of their data and regulate how large technology companies are handling and using personal information in China. China’s PIPL is the latest move from the NPC following the passing of China’s Data Security Law in June, which will enter into effect on September 1.

What is China’s Personal Information Protection Law?

China’s PIPL aims to regulate the collection and usage of personal information by companies operating in the country and offer data subjects a greater level of protection and control over their personal information. The PIPL specifies that organizations collecting personal information must have a clear and reasonable purpose for doing so, and it introduces specific conditions for collecting personal information, including individual consent.

In certain aspects, the PIPL mirrors the provisions outlined by the GDPR. Similar to the purpose limitation principle, the PIPL stipulates that personal information should be processed within the “minimum scope necessary”. Similar to the concept of a Data Protection Officer, the PIPL specifies that organizations should appoint an individual to take charge of personal information protection operations. Further similarities to the GDPR include:

  • Guidelines for the international transfer of data
  • Options to reject business marketing, particularly where marketing is targeted to personal characteristics
  • Requirements to obtain consent for processing sensitive personal information which includes:
    • Biometrics
    • Medical & Health data
    • Financial accounts, and
    • Geolocation

Organizations that fall under the scope of the PIPL will be required to conduct regular audits of their compliance programs and to perform risk assessments before processing sensitive personal information, making international data transfers, and disclosing personal information, among other things.

In relation to penalties, the PIPL provides for the suspension or termination of services for illegal processing activities, and in more serious cases handlers of personal information may be subject to fines up to RMB 50 million (approx. €6,316,830) or up to 5% of the prior year’s revenue.

With just over two months until China’s PIPL comes into effect, organizations find themselves working against the clock to try and work additional compliance considerations into their existing privacy programs. Some solace can be taken in the PIPL’s similarities to the GDPR; however, caution should be taken when addressing the PIPL’s nuances. Visit OneTrust.com or request a demo to see how OneTrust’s privacy solutions can assist your organization in its preparedness for China’s PIPL. Alternatively, visit DataGuidance.com to keep up to date with the latest news on the PIPL, official texts, and expert opinion.
