PIPL
The Personal Information Protection Law of China (PIPL) applies broadly to the handling of PI of natural persons that is undertaken within China. It also has extraterritorial reach.
PIPL’s main features
PIPL recognizes and protects multiple data privacy rights, including:
- The right to make informed decisions regarding the collection and use of personal information.
- The right to restrict such collection or processing.
- The right to receive a copy of the processed information in order to consult and decide how it should be used.
- The right to amend and delete personal information from an organization’s databases and public domains.
- The right to receive detailed explanations from processors regarding the processing and use of data.
PIPL's application:
The law applies to Personal Information Processing Entities (PIPEs), who may be organizations or private personas determining the purpose for which data is processed. PIPEs must comply with the regulation and only process personal information with a clear and reasonable purpose in a minimized, non-excessive manner. They are obligated to have detailed data policies in place and conduct risk assessments before processing personal data.
PIPL applies to companies operating directly in China and those conducting partial business in China, regardless of where their data processing activities occur geographically. When data is considered “sensitive personal information” under the law, PIPEs are obligated to minimize the processing of information, acquire consent, and apply advanced security measures. Such data includes any information involving minors under 14 and religious, financial, or medical information.
While the law does not yet specify which volume of data is considered disproportionate, processing data beyond a specific amount requires the involvement of an information protection officer.
The law also covers information related to HR; meaning companies must obtain consent and anonymize the information when sending employees’ data out of China.
Companies that fail to comply with the law may be subjected to fines, suspension of data processing applications, and revocation of business licenses or specific titles.