Last month, China’s National People’s Congress passed the Personal Information Protection Law (PIPL). The PIPL, which will take effect on November 1, 2021, is designed to protect online user data privacy and strongly resembles the European Union’s General Data Protection Regulation (GDPR).
Akin to the GDPR, the PIPL has a broad scope and applies to both entities doing business in China and entities outside of China that process personal information of persons within China. Notably, the PIPL applies to both the public and private sector, but does not apply to the Chinese government.
The PIPL requires covered companies to obtain Chinese consumers’ consent before collecting personal information and places limits on the transfer of personal information outside of China, including to the US. These limits include providing individuals with details about the transfer, obtaining additional consent, and ensuring that the recipient country can provide the same level of protection required under the PIPL.
Like the GDPR, the PIPL creates certain privacy rights for Chinese consumers, such as the right to access, correct, know, and delete their personal information. Chinese consumers also have the right to data portability, to restrict processing, to withdraw consent, and to lodge a complaint with regulators. Covered entities must provide methods for Chinese consumers to exercise these rights.
The PIPL can be enforced by regulators in a number of ways, including issuing warnings, ordering corrective actions, suspending services, or issuing fines. Similar to the GDPR, the fines can be significant: up to 50 million RMB (about $7 million USD) or 5% of a business’ annual revenue for the prior fiscal year. There is also a private right of action for Chinese consumers.
The PIPL joins China’s Data Security Law, effective September 1, 2021, which sets a framework for companies to classify data based on its economic value and relevance to Chinese national security. Together, the laws force companies to examine their data collection practices. Companies with a presence in China or that collect the personal information of individuals in China should review their privacy practices to ensure compliance with the PIPL. While compliance with the GDPR may provide a good starting point for PIPL compliance, additional attention will be necessary. We expect additional guidance to be issued in the coming months, but companies can, and should, start preparing now.