What is the PIPL?
The Personal Information Protection Law (PIPL) is China's first comprehensive consumer data privacy law. The law was passed on August 20th, 2021 by the Standing Committee of China’s National People’s Congress and went into effect on November 1st, 2021.
The PIPL is similar in size and scope to the EU’s General Data Protection Regulation (GDPR), and imposes serious restrictions on how personal data can be collected, used, and managed--especially by foreign entities.
Along with China’s Data Security Law, the PIPL builds a framework that gives China’s government broad enforcement capabilities and create a strict compliance environment for the nation’s Big Tech companies and international businesses operating in China.
What are the PIPL's Goals?
The stated goals of the PIPL are to “protect the rights and interests of individuals” and facilitate the “reasonable use” of personal information through the regulation of personal information processing activities.
The four official declared goals of the law are:
- To protect the rights and interests of individuals.
- To regulate personal information processing activities.
- To safeguard the lawful and “orderly flow” of data.
- To facilitate reasonable use of personal information (Art. 1).
The CPRA retains the consumer rights detailed in the CCPA and adds two more:
- The right to rectification. California citizens will have the right to correct any inaccurate personal information.
- The right to limit the use and disclosure of sensitive personal information. Sensitive personal information is defined as any data that includes precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information.
The PIPL applies to any organization that processes the personal information of Chinese citizens for the purpose of providing them with products or services, analyzing or assessing their behavior, or for “other purposes to be specified by laws and regulations.” This holds true regardless of whether or not processing occurs within China's borders. The PIPL sets forth special requirements for foreign “personal information processing entities," which are outlined below.
Any organization that processes personal information must have a lawful basis to do so, according to the PIPL. In Article 6, the law stipulates that any personal information processing "have a clear and reasonable purpose," and shall be "limited to the smallest scope for realizing the processing purpose."
The following are considered a lawful basis for processing under the PIPL:
- The user has knowingly and explicitly consented to data processing.
- Processing necessary to enter into or perform a contract to which the individual is party.
- Processing necessary to conduct human resources management under labor rules formulated and collective contracts entered into in accordance with laws.
- Processing necessary to respond to public health emergencies, or to protect the safety of an individual's health and property in an emergency.
- Processing for purposes of carrying out news reporting and media monitoring for public interests, to a reasonable extent.
- Other circumstances required by law
User consent is only considered valid if it is knowingly and explicitly granted, with full information of the extent of personal information processing. Users also have the right to withdraw their consent at any time, and an easy option to do so must be made available.
The PIPL also stipulates that consent must be obtained when processing personal information such as medical or health information, biometrics, or financial records.
Finally, consent will also be required to conduct marketing to individuals through personal information processing. The PIPL stipulates that businesses must offer consumers options that do not target personal data, or offer a way to reject the processing of said data. Any application which illegally processes personal data without consent is subject to suspension or termination.
Data Processing Requirements
Once a legal basis for personal information processing is proven, the PIPL sets forth a series of requirements and constraints that dictate the rules for processing, including special rules for international organizations operating within China or targeting Chinese citizens for data processing. The PIPL stipulates that:
- Organizations based in mainland China or Hong Kong must set up a specialized agency or appoint a representative for data compliance.
- Cross-border data transfers must be submitted for approval by the Cyberspace Administration of China
- Foreign companies operating in China must appoint a local representative who will bear responsibility for PIPL compliance.
- Data processing contracts are required between controllers and processors
- "Large data handlers" must localize data within mainland China. The CAC will determine what constitutes a large data processor.
- Organizations must conduct risk assessments before processing sensitive data, transferring data abroad, or using sensitive data for automated decision-making.
- Online platforms must appoint privacy review committees and publish social responsibility reports.
Violations of the law will incur fines ranging between $7.7 million up to 5% of the previous year's business revenue. The law will be enforced by the Cyberspace Administration of China (CAC), the nation’s cyber and data protection regulator.