China enacted the Personal Information Protection Law (PIPL) on August 21, 2021 as part of that country’s growing scrutiny of its high tech sector. This law goes into effect on November 1, 2021 and will impose a new set of obligations for data security, especially when combined China’s Data Protection Law. Both of these laws fit into China’s information policy, which Chinese President Xi Jinping has described as the modern equivalent of industrialization. The PIPL will have a significant impact on the way foreign companies in China handle data.
National and Public Interests
The PIPL is partially based on the European Union’s (EU’s) General Data Protection Regulation (GDPR), which is a precedent-setting piece of legislation for data protection. However, the PIPL also has a focus on national security that’s lacking in the GDPR and similar privacy frameworks like the Consumer Privacy Act (CPA) in California. The PIPL further diverges from other data privacy legislation by addressing China’s digital sovereignty. The purpose of these provisions is to limit the ability of foreign organizations to infringe on the privacy rights of Chinese citizens.
The PIPL regulates the handling of personal data for Chinese citizens by any organization, which it refers to as “personal information processors.” These organizations may generally handle this information only if they meet specific conditions, which generally include obtaining permission from the owner of that information. That individual must be fully informed and can withdraw consent at any time. Furthermore, personal information processors can’t withhold products or services from anyone who refuses to grant such permission. The PIPL similarly prevents the organizations from sharing personal information without the owner’s permission.
The provisions in the PIPL are complex, and it’s currently unclear how organizations in China will comply with them. It’s such a new law that the regulatory proceedings needed to establish compliance procedures simply having occurred yet. For example, US companies with operations in China had just now begun to focus on this law and attempt to assess its effect on them. While the PIPL does go into effect in November, provisions in this law also specify that the details of its implementation won’t be determined until various ministries issue the necessary regulation. The PIPL will therefore serve strictly as a framework law that requires other regulations to implement it.
All organizations that handle any type of personal data in China should begin developing the procedures needed to accommodate the PIPL now, even without the regulatory clarity that must eventually occur. The most important provisions as far as foreign companies are concerned will be those dealing with the flow of information across China’s national border. These provisions will be crucial to determining if a company has violated any sanctions. The monetary penalties for failing to comply with the PIPL are quite high, creating concerns over compliance. This will be a particularly challenging process for US companies since data privacy laws between the two countries often conflict.
It’s already clear that many foreign businesses will need to increase their staff to handle the provisions of the PIPL, regardless of the exact form the law eventually takes. It will have a particularly dramatic effect on data handlers outside of China that handle the personal information of Chinese citizens. These organizations will need to establish an entity in China that will be responsible for processing this information, whether that entity is part of the organization itself or an appointed representative.