Are you impacted by the Personal Information Protection Law (China Data Protection Legislation)?

November 9, 2021

The Personal Information Protection Law (“PIPL”) was adopted on August 20, 2021 by the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC). This legislation has gained much attention since its first draft was released in October 2020.

Personal Information Protection Law (“PIPL”)  

The Cybersecurity Law (“CSL”), the Data Security Law (“DSL”) and the PIPL are the three pillars of China’s data protection framework. They establish a broader regulatory architecture governed by cybersecurity and data privacy protection. The PIPL is China’s first comprehensive personal data privacy law, very similar to the EU regulation, the GDPR. This new Chinese legislation will become effective on November 1, 2021 and applies to personal information processing activities outside of China when the purpose of the processing is:

  • to provide products or services to natural persons in China;
  • to analyze and assess the activities of natural persons in China; or
  • for other purposes provided by laws and regulations.

Similar to the GDPR, the PIPL also clarifies the legal bases for processing personal information, lays down the obligations and responsibilities imposed on processors, and imposes stringent requirements on data localization, safeguarding the interest of China in the case of cross-border transfer of personal information. Additionally, the Chinese legislation requires foreign processors to set up a specific department or designate a representative within China to be responsible for handling matters relevant to data protection (art. 53).

At the end of September, Beijing explained what China’s new data protection law really means by defining several terms:

“Important” data has been defined as having the potential to harm national security if it falls into the wrong hands, or to cause major production problems across multiple industries within China. Machine translation of the document suggests the definition of “important” also covers AI technology and China’s polar, deep sea, and space exploration programs.

“Core” data covers all of the above, but loss of such material would be less disruptive to Chinese security and industry than the loss of “Important” data.

This complementary document requires Chinese organisations to self-assess their data and decide what belongs in each bucket, then apply lifecycle management to ensure their classification efforts are up to date. Annual reviews will help things along.

To conclude,

It is critical for any company which carries out processing of personal information of people located within the PRC to conduct data mapping and gap analysis to evaluate whether it needs to develop or update its data privacy policy and procedures to fully comply with the PIPL. The PIPL reflects the converging trend of international data privacy regulations and adopts some international principles of data privacy protection.

Victoria Derumier

Data Protection Manager at MyData-TRUST