On Friday, 20 August 2021, the National People’s Congress of China adopted the Personal Information Protection Law (PIPL). This was reported by the website NPC Reporter. The final version of the law has been released in Chinese; an informal English translation will likely follow in the coming days. The new law will enter into force on 1 November 2021, and will require companies doing business in China to be able to demonstrate compliance with the new rules from the outset.
Even though the details of the final version of the law are not yet known, the previously released draft makes clear that the PIPL aligns closely with the GDPR in its approach to data protection. It aims to protect the personal information of natural persons and to regulate the ways in which personal data are handled. To this end, the law includes multiple legal grounds for processing personal information, such as compliance with a legal obligation and free and informed consent. Legitimate interest was notably absent from the draft versions of the law. Sensitive personal data, which includes financial information, may only be used if there is a “specific purpose and sufficient need”.
Core data protection principles like purpose limitation, transparency and data quality are part of the law as well. As to data retention, the law spells out that “the shortest time necessary to achieve the purposes” is to be maintained. Accountability requirements are included as well, with the PIPL stating that “personal information handlers [i.e. data controllers] shall take necessary measures to ensure that personal information handling activities comply with the provisions of laws and administrative regulations”. This shall include security management systems, relevant operating procedures, categorical management of personal information [this likely includes a Processing Activities Register], appropriate technical and organisational measures for data security, periodic training of staff and data breach notification procedures.
PIPL furthermore includes obligations for risk assessments and data breach notifications, and rules determining whether personal information is allowed to leave China. Such transfers are only allowed if “truly needed”, and then only if appropriate contracts are in place and/or a prescribed security assessment is executed [details are still to follow]. The appointment of a local representative will also likely be required. Finally, enforcement will be entrusted to the Cybersecurity Administration of China (CAC), which will also be allowed to impose fines.
Once more details of the China PIPL become available, TrustArc will provide further guidance in blogs, webinars and podcasts. The new law will also be made available within our platform to allow customers to conduct compliance assessments.