Article
Are you impacted by the Personal Information Protection Law (PIPL)? | China’s Data Protection Legislation
November 9, 2021
The Personal Information Protection Law (“PIPL”) was adopted on August 20, 2021, by the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC). This legislation has gained much attention since its first draft, released in October 2020.
Personal Information Protection Law (“PIPL”)
The Cybersecurity Law (“CSL”), the Data Security Law (“DSL”) and the PIPL are the three pillars of China’s data protection framework. They establish a broader regulatory architecture governed by cybersecurity and data privacy protection. The PIPL is China’s first comprehensive personal data privacy law, similar to the EU regulation, the GDPR. This new Chinese legislation will become effective on November 1, 2021, and applies to personal information processing activities outside of China when the purpose of the processing is to :
- provide products or services to natural persons in China;
- analyze and assess the activities of natural persons in China or
- for other purposes provided by laws and regulations.
Like the GDPR, the PIPL clarifies the legal bases for processing personal information, lays down the obligations and responsibilities imposed on processors, and imposes stringent requirements on data localization, safeguarding China’s interest in the cross-border transfer of personal information. Additionally, China legislation requires foreign processors to set up a specific department or designate a representative within China to be responsible for handling matters relevant to data protection (art.53).
At the end of September, Beijing explains what China’s new data protection law really means by explaining several terms:
“Important” data has been defined as potentially harming national security if it falls into the wrong hands or causes major production problems across multiple industries within China. Machine translation of the document suggests the definition of “important” also covers AI technology. IChina’s polar, deep sea, and space exploration programs.
“Core” data covers all of the above. Still, such material would be less disruptive to Chinese security and industry than losing “Important” data.
This complimentary document requires Chinese organisations to self-assess their data and decide what belongs in each bucket, then apply lifecycle management to ensure their classification efforts are current. Annual reviews will help things along.
To conclude,
It is critical for any company that processes the personal information of people in the PRC to conduct data mapping and gap analysis to evaluate whether it needs to develop or update its data privacy policy and procedures to fully comply with the PIPL. The PIPL reflects the converging trend of international data privacy regulations and adopts some international principles of data privacy protection.
