China passed the Personal Information Protection Law (PIPL) in August 2021. It is a major piece of international privacy legislation, following in the footsteps of groundbreaking policies like the GDPR in Europe, the LGPD in Brazil, and the CCPA and CPRA in the United States, and it enforces privacy protections for a broad range of people.
We took a look at what feels familiar and what feels different about the PIPL, and cover the answers to everyone's biggest questions.
What You Need to Know About the PIPL:
- The Personal Information Protection Law (PIPL) is one of the world's strictest laws on data privacy.
- It resembles the GDPR in many of its elements.
- It requires companies to obtain consent before collecting, using, or sharing personal information (with separate consent for sensitive information and cross-border transfers), and to give individuals a way to withdraw that consent.
- The PIPL consists of 74 articles in eight chapters (more details below).
- Penalties for non-compliance can total up to 5% of the company's annual turnover, which is notably higher than the GDPR's 4% ceiling.
The Law’s Backstory:
The PIPL follows a series of decisions by the Chinese government to impose additional protections on how data, and sensitive personal data in particular, is processed and disclosed.
What Companies Are Subject to the PIPL and Who Is Entitled to Data Rights?
Chinese state media has indicated that the law is most likely to affect retail and e-commerce businesses. According to the Future of Privacy Forum, "The PIPL principally applies to organizations' and individuals' handling of PI of natural persons within the jurisdiction of China. The law applies to any organization or person physically within the borders of China."
Similarities Between the PIPL and Other Privacy Legislation
One similarity between the PIPL and, say, the GDPR is the handling and definition of personal information (PI). Like the GDPR, the PIPL applies a broad definition of the term, and, modeled on the GDPR, it enumerates the lawful grounds on which PI may be processed. However, the PIPL departs from the GDPR by notably leaving "legitimate interests" out of its list of lawful grounds, and it layers separate-consent requirements on top for sensitive personal information. Translation: a lawful ground, which in practice usually means consent, is required before collecting, sharing, or otherwise handling the data at all. This is why the PIPL is considered one of the more stringent laws that we have seen internationally.
Individuals are given a number of rights over how their data is used, including the rights to know about and decide on processing, to access and copy their data, to have it corrected or deleted, to request portability, and to withdraw consent. Companies must give users a practical way to exercise these options.
Appointing a DPO is required: Similar to the GDPR (the CCPA has no such requirement), the PIPL requires companies whose processing volume exceeds a threshold set by the regulator to designate a person in charge of personal information protection.
The PIPL has extra-territorial effect, covering companies outside China that process the personal information of individuals located in China in order to offer them products or services or to analyze their behavior. It means that companies based outside of China will have to follow strict data processing protocols, similar to the GDPR, including completing personal information protection impact assessments (the PIPL's counterpart to the GDPR's Data Protection Impact Assessment).
As stated by the National Law Review, before transferring personal information out of China, companies must also meet at least one of the following conditions:
- Receive approval from government authorities following a security assessment
- Obtain certification from government authorities
- Conclude a contract with the foreign entity receiving the data that comports with a standard contract drafted by government authorities or
- Comply with “other conditions” in law or administrative regulations (a catch-all provision)
This is similar to the Schrems II ruling from July 2020, which invalidated the EU-US Privacy Shield and requires companies to assess, on a case-by-case basis, whether transferred data is protected from foreign government access to a standard essentially equivalent to the EU's.
When Does the PIPL Go Into Effect?
The Personal Information Protection Law took effect on November 1, 2021, roughly ten weeks after it was passed. Companies therefore had a short time window to prepare to comply. As a comparison, the CPRA was approved by voters in November 2020 but does not entirely go into effect until 2023. Originally, there was speculation that the law would have a six-month grace period. This puts the PIPL in the same league as the LGPD for a remarkably fast turnaround time.
Penalties and Enforcement
The privacy regulation created a framework for massive fines against any organization processing the personal information of individuals in China, not only technology companies based there.
China backs up its priority on data privacy with penalties that are much more severe than those of its counterparts. Penalties for serious non-compliance can total up to 5% of the company's previous year's turnover, or a fine of up to 50 million yuan (approximately $7.7 million USD). Individuals directly responsible can be fined between 100,000 yuan (approximately $15,000 USD) and 1 million yuan (approximately $154,000 USD), and can be barred for a set period from serving as directors, supervisors, senior managers, or personal information protection officers. Criminal liability, under China's existing Criminal Law rather than the PIPL itself, can mean a jail sentence of up to seven years for those caught selling or openly disclosing someone's sensitive personal information without any right to do so.
The penalties and enforcement show why many are calling the PIPL one of the most stringent data privacy laws in the world. It is a strong statement of how seriously Chinese leadership is taking data privacy, following the large fines regulators had already imposed on domestic technology companies.
Ensuring PIPL Compliance
Many legal experts are cautioning businesses not to assume their GDPR efforts will translate directly into PIPL compliance. Per Omer Tene, VP and Chief Knowledge Officer at IAPP, on Twitter: "If you're doing business in China, get legal advice. They're not playing around."
If you are a DataGrail customer, rest assured that we are committed to partnering every step of the way to set you up for success with PIPL. If your legal team determines that PIPL applies to your business, be sure to reach out to your customer success manager to coordinate further.