China’s Personal Information Protection Law (PIPL) is a comprehensive data privacy law that protects personal information of individuals in mainland China. Enacted in August 2021 and effective from November 2021, it applies to both domestic and foreign organizations handling Chinese residents’ data. The law sets rules for collecting, using, storing, and transferring personal information, with violations resulting in significant fines and potential business suspension.

The PIPL aligns with the global movement towards stronger data protection and is often compared to the European Union’s General Data Protection Regulation (GDPR). However, the PIPL also has its own distinct features and requirements, particularly in how it manages sensitive data, cross-border data transfers, and enforcement.

Scope & Extraterritorial Reach

The Personal Information Protection Law (PIPL) applies to any organization or individual that processes the personal information of individuals located within China, regardless of where the data processing occurs. This means that both Chinese and foreign entities, including those based outside of China, must comply with the PIPL if they handle data belonging to individuals in China. This extraterritorial scope presents significant compliance challenges for multinational companies that interact with Chinese citizens or residents.

Entities subject to the PIPL include:

  • E-commerce platforms collecting customer information such as names, addresses, and payment details.
  • Social media companies gathering user data like profiles, posts, and location information.
  • Financial institutions processing customer details such as financial records and social security numbers.
  • Employers collecting employee data, including health records, addresses, and performance evaluations.
  • Individuals who collect data for commercial or other purposes.

In essence, any entity that collects, uses, stores, transfers, or discloses personal data of individuals located in China must ensure compliance with the PIPL, irrespective of the entity’s location.

Key Definitions

The PIPL provides clear definitions of personal information and sensitive personal information, both of which are central to the law’s framework.

  A. Personal Information: The PIPL defines personal information as any information related to an identified or identifiable natural person. This can include data such as:
      • Names
      • Phone numbers
      • Email addresses
      • Date of birth
      • Biometric information (fingerprints, facial recognition data)
      • Location tracking data
      • Internet browsing history

However, the PIPL excludes anonymized data from its definition of personal information. Anonymized data, which cannot be used to identify an individual, falls outside the scope of the law.

  B. Sensitive Personal Information: Sensitive personal information is categorized as data that, if leaked or misused, could harm an individual’s dignity or safety. This type of information requires stricter handling and includes:
      • Race, ethnicity, and religion
      • Political views
      • Health data
      • Financial records
      • Biometrics (e.g., fingerprints, DNA)
      • Data on minors under 14 years old

For sensitive personal information, the PIPL mandates explicit consent before collection or processing, and handlers must implement robust security measures to protect such data from misuse or breach.

Key Principles of Data Processing

The PIPL outlines several guiding principles for data handlers to follow, which form the foundation of compliance with the law. These principles include:

  1. Legality, Propriety, and Transparency: Data processing must be lawful, appropriate, and conducted with transparency. Organizations must inform individuals about the specific purposes for collecting their data and how it will be used.
  2. Purpose Limitation: Personal information can only be collected for clear, lawful, and necessary purposes. Any data collected should be directly related to the stated purpose and not used in ways that deviate from that purpose unless further consent is obtained.
  3. Data Minimization: Organizations are required to collect only the minimum amount of personal information necessary to achieve the intended purpose. Excessive data collection is explicitly prohibited.
  4. Storage Limitation: Personal information should not be retained for longer than necessary to fulfill the purpose for which it was collected. Organizations must set a retention period and securely delete or anonymize the data once the purpose is achieved or the retention period expires.
  5. Accuracy and Accountability: Data handlers must ensure that personal information is accurate and up to date, taking necessary measures to correct inaccurate information. Additionally, handlers must be held accountable for their data processing activities, ensuring they comply with the PIPL’s provisions.

Individual Rights

In line with global data privacy regulations, the PIPL grants individuals several key rights over their personal data. These rights empower individuals to take control of their information and hold organizations accountable for how their data is used. Key rights include:

  1. Right to Know: Individuals have the right to know what personal information is being collected, for what purpose, and how it will be used, stored, and transferred.
  2. Right to Access: Individuals can request access to their personal information and obtain a copy of the data that an organization has collected about them.
  3. Right to Rectification: If personal information is inaccurate or incomplete, individuals can request corrections or updates to their data.
  4. Right to Deletion: Individuals have the right to request the deletion of their personal data under certain conditions, such as when the purpose for which the data was collected has been fulfilled or when the data is no longer necessary.
  5. Right to Data Portability: The PIPL allows individuals to request a copy of their personal information in a structured, commonly used format, and they may request that their data be transferred to another organization if technically feasible.
  6. Right to Object: Individuals have the right to object to the processing of their personal information, especially in cases involving marketing or automated decision-making.
  7. Right to Withdraw Consent: Individuals can withdraw their consent to data processing at any time, and organizations must stop processing their data unless they can demonstrate a lawful reason to continue.

These rights aim to give individuals greater control over their personal information and empower them to ensure that their data is handled responsibly by organizations.

Consent & Legal Bases for Processing

A central tenet of the PIPL is the requirement to obtain informed consent from individuals before collecting, processing, or sharing their personal information. The consent must be explicit, voluntary, and informed, meaning individuals should be clearly told why their data is being collected, how it will be used, and with whom it will be shared. Moreover, individuals must be given the option to withdraw their consent at any time, and organizations must provide an easy mechanism for doing so.

In some cases, the PIPL allows data processing without consent, particularly in situations involving:

    • Performance of contractual obligations.
    • Compliance with legal duties.
    • Public interest, such as public health or safety.
    • Protecting the life, health, or property of an individual in an emergency.
    • News reporting or government supervision.

However, the law generally prioritizes consent, particularly when processing sensitive personal information. Separate consent is required for sensitive data, and handlers must ensure that individuals fully understand the implications of providing such consent.

Obligations of Handlers (Controllers & Processors)

The PIPL places several obligations on personal information handlers, which include both controllers (those who determine the purpose and means of processing personal data) and processors (those who process data on behalf of controllers). These obligations are designed to ensure that data is handled responsibly and securely.

Key obligations include:

  A. Transparency and Notification: Organizations must notify individuals about the collection, use, storage, and transfer of their personal data in a clear and understandable manner.
  B. Security Measures: Data handlers must implement security measures, such as encryption, access controls, and regular audits, to prevent unauthorized access, disclosure, or breach of personal data.
  C. Data Breach Notifications: In the event of a data breach, organizations must promptly notify affected individuals and relevant authorities. Failure to do so can result in penalties.
  D. Data Protection Officers (DPOs): Organizations that process large amounts of personal data or handle sensitive data are required to appoint a Data Protection Officer (DPO) to oversee compliance with the PIPL.
  E. Impact Assessments: For certain high-risk processing activities, such as cross-border data transfers or handling sensitive information, organizations must conduct personal information protection impact assessments (PIPIAs) to evaluate the risks and implement safeguards.

Handlers are required to implement appropriate security measures, such as encryption and access control, to protect personal information from unauthorized access, disclosure, or destruction. They must also notify individuals and relevant authorities in the event of a data breach.

Cross-Border Data Transfers

One of the most challenging aspects of the PIPL is its restrictions on cross-border data transfers. Organizations that wish to transfer personal data outside of China must meet the following conditions:

  • Obtain Informed Consent: Organizations must obtain clear and informed consent from individuals before transferring their data internationally.
  • Adequate Protection: The recipient country must offer an adequate level of data protection, as determined by the Cyberspace Administration of China (CAC). If the protection is deemed insufficient, organizations must implement additional safeguards, such as binding corporate rules (BCRs) or standard contractual clauses (SCCs).
  • Notify the CAC: Organizations may be required to notify the CAC or undergo security assessments before transferring data abroad, particularly if the data is considered sensitive or if the organization handles large volumes of personal data.

These requirements are similar to the GDPR’s data transfer provisions, which also emphasize ensuring that the level of protection for personal data is maintained when transferred outside the jurisdiction.

Exemptions & Special Processing Circumstances

While the PIPL is stringent, it allows for certain exemptions. For instance, the processing of personal information for purposes related to national security, public safety, or criminal investigations is exempt from the PIPL’s general requirements. Additionally, data processing for scientific research, statistics, or journalism may be exempt, provided it adheres to specific conditions designed to minimize risks to individuals’ privacy.

Enforcement & Penalties

The Cyberspace Administration of China (CAC) is the primary regulator responsible for enforcing the PIPL. Non-compliance with the law can result in significant penalties, including:

  1. Administrative fines: Organizations can face fines of up to RMB 50 million (approximately USD 7.7 million) or 5% of their annual revenue, whichever is greater.
  2. Business suspensions: The CAC has the authority to suspend or shut down operations of non-compliant businesses.
  3. Blacklist Mechanisms: Non-compliant companies may be placed on a national “blacklist,” which could result in reputational damage and limitations on accessing financial or market opportunities.
  4. Criminal penalties: Individuals directly responsible for serious violations can face imprisonment for up to seven years.

These enforcement mechanisms reflect China’s commitment to data protection and its willingness to impose severe penalties for violations.

Comparison with the GDPR: Key Differences

While the PIPL is often compared to the GDPR, there are some notable differences between the two laws:

  • National Security Emphasis: The PIPL places greater emphasis on national security, requiring data localization and stricter controls on data that could impact China’s national interests.
  • Cross-Border Data Transfer Restrictions: The PIPL’s conditions for cross-border data transfers are generally stricter than the GDPR’s, reflecting China’s focus on digital sovereignty.
  • Scope of Sensitive Information: While both laws define sensitive personal information, the PIPL’s scope is broader in some respects, particularly regarding the protection of minors’ data.

Wrapping Up

The Personal Information Protection Law (PIPL) represents a major shift in China’s data privacy landscape, and its extraterritorial reach means that businesses worldwide must ensure compliance if they handle data from Chinese residents. To avoid severe penalties, organizations should conduct comprehensive data audits, implement robust consent mechanisms, and ensure that adequate protections are in place for cross-border data transfers. Regular employee training and a strong focus on data security measures will also help organizations meet the stringent requirements of China’s new data protection regime.

The PIPL signals China’s increasing focus on digital sovereignty and data protection, reflecting a global trend toward stricter personal data regulations, such as Europe’s GDPR. For organizations operating in China or dealing with Chinese citizens’ data, understanding and adhering to the PIPL is essential for long-term compliance and operational success.