On 20 August 2021, China passed the Personal Information Protection Law (PIPL). The new PIPL came into force on 01 November 2021 and has been described as one of the strictest data privacy laws in the world. While there are various requirements under the new PIPL, many articles are modelled on concepts similar to those in the GDPR.
Like the GDPR, the purpose of the PIPL is to “protect the rights and interests of individuals”, “regulate personal information processing activities”, and “facilitate reasonable use of personal information”. However, unlike the GDPR, which gave EU businesses a two-year implementation period to allow for compliance with the new law, the PIPL provides only a two-month implementation period.
Please note that while the PIPL makes reference to “personal information” rather than “personal data”, the terms are synonymous.
Do You Need to Comply?
The PIPL will apply to both organisations and individuals that process the personal information of individuals located in China. Please note that, as under the GDPR, organisations include all legal entities, including sole traders.
The PIPL will apply if an organisation or individual:
- based in China processes the personal information of individuals located in China
- based outside China processes the personal information of individuals located in China, including (i) providing products or services to individuals based in China and (ii) analysing the behaviour of individuals based in China
In a nutshell, if an organisation or individual processes the personal information of individuals located in China then the new PIPL will apply. Processing refers to the collection, storage, use, processing, transmission, provision, public disclosure, deletion, and any operation which is performed on personal information.
How do You Comply?
The main principles of the PIPL and how to comply are as follows:
- Requirement for a Special Institution or Representative in China
Similar to the GDPR, which requires you to appoint an EU representative if you fall within the scope of the Regulation and are not established in the EU/EEA, the PIPL requires you to set up a special institution or hire a representative in China to handle personal data matters on your behalf. Please note that the institution/representative must be made known to CAC, China’s regulatory body. There has not been much practical guidance published on how this aspect of the PIPL is to be complied with. As such, those impacted by the new PIPL should continue to keep updated on new guidance published and seek independent legal advice on the matter.
- Lawful Basis for Processing Data
Like the GDPR, the PIPL requires you to have a “lawful basis” for processing the personal information of those located in China. With that said, the PIPL does not provide “legitimate interest” as a lawful basis. It also will only allow the processing of personal data without consent where:
- The organisation/individual needs the data to perform legal responsibilities;
- It is a public health emergency;
- It is to carry out news reporting, although this is to be done within reason.
- The Need for Consent
Under the PIPL, consent must be given when processing data. You will be deemed to have consent where the consent was freely given, informed and demonstrated by a clear action. This is also similar to the GDPR. The PIPL also requires you to obtain separate consent if you:
- wish to share personal data with another processing entity;
- wish to disclose information publicly;
- are processing sensitive information; or
- wish to transfer personal data internationally
The PIPL also allows Chinese citizens to raise legal actions against companies who violate their data protection rights.
Next Steps for You
Those who are impacted, or believe they may be impacted, by the new PIPL should continue to keep updated on any guidance or legislative changes. It is also advised that they review and update any internal policies, protocols, and privacy notices where relevant. In particular, the requirement for separate consent in certain transactions might be a point to consider when revising existing notices and policies.
Should you have any queries regarding the new PIPL or require further guidance or assistance, please contact our team.