Personal Information Privacy Law (PIPL) of China

What is PIPL?

Personal Information Privacy Law (PIPL) is the new Chinese data privacy law that became effective on November 1st, 2021. PIPL establishes an extensive data protection framework for the acquisition, use, and dissemination of the personal information of Chinese citizens. The first official data privacy law of its kind in China, it will protect individuals, society, and national security in the style of the unique Chinese political system. Notably, it does not protect personal information from government access and surveillance. It is tied to the government’s national security goals and builds on China’s new Data Security Law. The strict requirements of PIPL will certainly reshape how companies in China do business. Observers have speculated that one goal of the PIPL is to keep the growth and reach of ‘big tech’ in check, a point perhaps illustrated by the departure of Yahoo and LinkedIn from China.

The Cyberspace Administration of China (CAC) is in charge of the PIPL and is expected to be quick and assertive with its enforcement. PIPL is stricter than most data privacy laws and most closely resembles Europe’s GDPR law. Similarities include maximizing individuals’ rights and requests (albeit with a caveat allowing denial of these rights), the basis of consent, and the high penalties if breached! A breach of PIPL can invite fines of up to 50 million yuan ($7.8 million) or 5 percent of the organization’s annual revenue, roughly equivalent to GDPR fines.

Notable differences include the absence of “legitimate interest” as a legal basis, the referral to data subjects as “individuals” and data processors as “Handlers”, the data localization requirements, and its retaliatory blacklist.

The comprehensive document originally written in the Chinese language has been translated by Stanford University into English for a clearer understanding. 

What are the requirements for PIPL?

PIPL applies to anyone within or outside the People’s Republic of China who handles the personal information of natural persons residing in China.

Requirements include evaluating your handling and legal basis, implementing technical security measures, establishing individual rights mechanisms, providing privacy notices and registering with the Chinese Government, amongst others.

Why should you be PIPL compliant?

China’s regulators will vigorously enforce the PIPL for companies registered in China, and infractions may result in the confiscation of PIPL-related profits, suspension of service in China, restitution for loss to the individual or gain to the corporation, and possibly criminal culpability.

Violations that go uncorrected can result in fines of up to 1 million Yuan for the organization and 10,000-100,000 Yuan for the responsible people. Flagrant, purposeful, and/or persistent infractions will result in fines of up to 50 million Yuan or 5% of the guilty organization’s annual turnover, along with fines of 100,000-1 million Yuan for culpable people and a prohibition on them holding senior positions.

For companies that are not registered in China, enforcement of legal ramifications remains to be seen, as it will depend upon the cooperation of countries outside of China. Chinese businesses within China will no longer be able to work with or transfer PI to companies outside the borders that do not comply. Companies will have to weigh the value of working with Chinese companies against the restrictions and consequences of complying with PIPL.

How to achieve compliance?

Compliance with PIPL begins with determining whether you need to appoint a “dedicated entity” or “representative” inside China and file the information of the entity or the representative with competent government authorities.

Following that, you must identify the lawful basis for handling of PI, implement mechanisms and procedures for the exercise of individual rights and requests, provide privacy notices explaining handling details in full, obtain consent where applicable, have all technical controls and incident response plans in place, and evaluate your need to conduct a personal information impact assessment.

Compliance with PIPL is expected to be an ongoing process, achieved by implementing best practices and following the development of the law. Certain aspects of the law still need clarification, and Chinese lawmakers are expected to release those clarifications over time. Sector-specific solutions are needed for some of the challenges that arise from implementation of PIPL.

The Centraleyes platform provides PIPL as one of its 50+ pre-loaded questionnaire frameworks to save you hours assessing and remediating your compliance. It covers all aspects of the PIPL law, provides a clear visual evaluation of your compliance levels and actionable steps to remediate. Onboard in just minutes, input and track your compliance effortlessly, and generate practical real-time reports to share with the board.

Read more:

Full English translation by Stanford University: 
https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/

Technical considerations for companies:
https://www.china-briefing.com/news/personal-information-protection-law-in-china-technical-considerations-for-companies/ 

Yahoo pulls out of China over its ‘increasingly challenging’ business environment. 
https://www.bbc.com/news/technology-59136937
