Understanding the Illusive China Personal Information Protection Law

What is the China Personal Information Protection Law (PIPL)?

In 2021, the top legislative body in the People’s Republic of China, the Standing Committee of the National People’s Congress, adopted the Personal Information Protection Law (PIPL).

The final version of the law has been released in Chinese and has been translated to English by the Stanford DigiChina Cyber Policy Center.

The PIPL is the country’s first comprehensive data privacy law.

PIPL Protects 1.5 Billion Consumers

The China Personal Information Protection Law aims to help citizens control what happens to their personal and sensitive information and regulate how personal data is handled.

Personal information is defined as all types of data recorded, either electronically or in other forms, related to identified or identifiable persons. It does not include anonymized data.

This gives Chinese citizens more power to decide how much information companies can access, as well as who those companies share information with.

Companies doing business in China must demonstrate they comply with the new rules.

The bottom line?

PIPL has boosted the privacy protections of 1.5 billion consumers or 20% of the world’s population.

PIPL impacts:

• the handling of personal information within China’s borders
• any handling of personal data outside China if it’s related to selling goods or services to people in China.

How Can Businesses Comply with the China Personal Information Protection Law?

In line with PIPL, businesses may collect and use personal information to comply with legal obligations if they have free and informed consent from individuals.

Sensitive personal data, including financial information, may only be used if there is a “specific purpose and sufficient need.”

PIPL states that companies handling personal data relating to Chinese citizens must:

• provide a privacy policy
• use unmarked checkboxes to obtain express consent to process data
• collect only the data required to perform a legitimate task
• get consent for sensitive data processing
• help people exercise their privacy rights
• comply with any relevant authorities
• complete regular compliance audits
• protect data and train staff in cybersecurity
• employ a data protection officer
• perform an impact assessment/national security review if handling sensitive data or sending it overseas.

How Does PIPL Impact Data Protection and Retention?

Core data protection principles like purpose limitation, transparency, and data quality are part of China’s PIPL.

The law states that data can be kept for “the shortest time necessary to achieve the purposes.” The law also includes accountability requirements.

PIPL states that “personal information handlers [data controllers] shall take necessary measures to ensure that personal information handling activities comply with the provisions of laws and administrative regulations.” 

These include:

This is only allowed if it is “truly needed” and only if appropriate contracts are in place and/or a prescribed security assessment is executed.

How Does PIPL Impact Data Handling?

Under PIPL, you can’t handle sensitive data without explicit consent.

Even if you already obtained consent for data processing, you need additional consent to handle any sensitive data.

However, the PIPL does provide an exclusion for news reporting: you can collect personal data for journalistic and reporting purposes.

What are Chinese Citizens Entitled to Under the Law?

Chinese citizens have the right to:

• know an organization’s data policies
• withdraw consent for data processing
• not be discriminated against if they withdraw consent
• make decisions regarding their data
• request copies of their data
• refuse automated profiling
• amend their data
• delete their data.

Who is Responsible for PIPL Enforcement?

PIPL enforcement has been entrusted to the Cybersecurity Administration of China (CAC), which is also allowed to impose fines.

Penalties can be up to 50 million yuan ($7.8 million) or 5% of a business’s annual turnover and may be recorded on China’s credit file system.

This is the equivalent of a social credit score and can have a significant impact on your business reputation and credit status.

Additionally, non-compliance may see overseas companies that don’t fall into line or that harm the national security of China placed on a blacklist, which could effectively ban them from processing Chinese personal data.

How do PIPL and General Data Protection Regulation (GDPR) Compare?

The EU’s GDPR and China’s PIPL are both designed to protect users’ privacy rights when they use the internet or buy goods and services online.

In both cases, it doesn’t matter if your business is physically located in the EU or China. It only matters whether you’re targeting protected individuals located in those regions.

The two laws are similar in that they both: 

• protect personal data, and set out lawful grounds for processing
• require clear and positive consent
• require companies to minimize their data collection and processing where possible
• require companies to perform impact assessments and protect data from risk
• let people access information that’s held about them
• let people ask for information to be corrected and deleted
• let people withdraw their consent for their information to be handled by a company.

However, there are some key differences:

PIPL…

• is less specific when it comes to privacy rights
• doesn’t set out a timescale for reporting and responding to data breaches
• has stricter consent requirements
• penalties are more severe.

What counts as sensitive data is also more clearly defined in PIPL.

The law classes sensitive data as any information that may cause material harm to an individual if it’s leaked or used illegally.

Some examples of sensitive information are:

• financial account information
• biometrics characteristics
• medical health
• religious beliefs.