PIPL: Your Guide to China’s Data Protection Law
Recent data privacy news coming from Asia paints an exciting picture. The most noticeable change is the new law in China, the Personal Information Protection Law (PIPL), which took effect on November 1st.
According to Chinese authorities, the new law protects individual rights and maintains reasonable use of personal data. Here are some of its main articles, how they compare to GDPR, and what it all means for companies worldwide.
PIPL’s main features
PIPL recognizes and protects multiple data privacy rights, including:
- The right to make informed decisions regarding the collection and use of personal information.
- The right to restrict such collection or processing.
- The right to receive a copy of the processed information in order to consult and decide how it should be used.
- The right to amend and delete personal information from an organization’s databases and public domains.
- The right to receive detailed explanations from processors regarding the processing and use of data.
Additional important features involving PIPL's application include:
- The law applies to Personal Information Processing Entities (PIPEs), which may be organizations or individuals that determine the purpose for which data is processed. PIPEs must comply with the regulation and only process personal information when there is a clear and reasonable purpose, in a minimized, non-excessive manner. They are obligated to have detailed data policies in place and to conduct risk assessments before processing personal data.
- PIPL applies to companies operating directly in China and those conducting partial business in China, regardless of where their data processing activities occur geographically. When data is considered “sensitive personal information” under the law, PIPEs are obligated to minimize the processing of information, acquire consent, and apply advanced security measures. Such data includes any information involving minors under 14 and religious, financial, or medical information.
- While the law does not yet specify the volume of data that is considered disproportionate, processing data beyond a certain amount requires the involvement of an information protection officer.
- The law also covers HR-related information, meaning companies must obtain consent and anonymize the information when sending employees' data out of China.
- Companies that fail to comply with the law may be subject to fines, suspension of data processing applications, and revocation of business licenses or specific titles.
GDPR vs. PIPL
While PIPL draws plenty of inspiration from GDPR, there are a few differences worth noting.
- GDPR and other data privacy laws treat the government as an organization subject to restrictions, while PIPL grants the Chinese government plenty of freedom and authority. State organizations can process personal information for statutory reasons but must store that data in China.
- The list of conditions under which organizations can process information without obtaining consent includes fulfilling labor obligations, internal labor policies, and contracts; protecting public health or safety; reporting news; and other public interests.
- The law does not set a specific time limit for responding, so organizations must respond within a reasonable but unspecified time.
- There is no minimum penalty under PIPL, leaving authorities free to decide how to respond to violations.
Overall, you might say that PIPL is relatively vague, whether because it is an early regulatory effort or because it indicates a different direction chosen by the Chinese government.
The PIPL effect
What does it all mean for companies operating in and outside of China? How should businesses prepare for the new law?
- Because the law applies to any cross-border transfer of personal information, companies that do not operate directly in China may still be affected by it and exposed to penalties. Companies that did not have to implement any changes following GDPR and other local regulations might find themselves having to invest considerable effort in adapting to the new law. These efforts include reporting to local agencies, security assessments, assigning roles, and more.
- The law grants the Chinese government approval rights over the transmission of personal data stored in China to foreign judicial agencies. This may prevent data from reaching other regions, forcing companies to choose which market is more valuable in that sense.
- Because PIPL applies to HR-related data, companies with local employees or HR departments must also follow the law closely.
- According to Gartner, companies are already investing more in implementing privacy by design rather than reacting to new laws and market changes. This recent move coming from China is likely to push these decisions further.
What else is going on in Asia?
Other countries in the region are also embracing new data privacy laws, and here are a few we recommend following.
- Hong Kong: The Hong Kong Constitutional and Mainland Affairs Bureau published papers on data privacy in early 2020 and mentioned the work in the area again in 2021. We can expect these publications to become formal legislation, but the dates remain unclear.
- India: The Information Technology Act went into effect in 2000 and was joined by the Personal Data Protection Bill in 2019. When the new law comes into force, it will offer broader territorial provisions and further limitations.
- Japan: An amendment to the Act on Protection of Personal Information was introduced in mid-2020 and is expected to come into effect in 2022. Much like PIPL, the new law will expand offshore entities’ obligations.
Why we should pay attention to these laws
Countless data privacy laws are born every single day, so why should companies pay extra attention to PIPL and other initiatives coming from Asia?
First of all, China is never to be ignored, particularly when it comes to global businesses. In 2019, it was responsible for nearly 30% of global manufacturing. The pandemic gave us all a taste of what happens when regional production comes to a halt, and companies simply cannot afford to be blacklisted in that area.
China is also an exciting data privacy case study because it isn’t exactly the first place that comes to mind when we think of individual rights. This new law tells us a lot about where regulation is headed on a global scale, even for those who choose to be cynical about the law’s lack of protection against the Chinese government itself. Very soon, it will become impossible for businesses that want to approach other markets to do so without meeting strict guidelines and laws.
It would be wise for companies to perform a data privacy audit before entering new markets. This should be part of a company's roadmap, just like a structured business plan. It is also time for companies to be proactive and not just chase after the latest updates. For that, a robust data privacy strategy must be set, and the right tools should support it. By implementing technologies that make data privacy management easier, like Mine PrivacyOps, companies will be prepared not just for the next law but for the next era of data ownership.