The Personal Information Protection Law ("PIPL"), which took effect on November 1, 2021, is China's first law specifically designed to protect personally identifiable information (PII).
Before this law, other laws contained certain provisions for the protection of personal data (such as the Cybersecurity Law and the Data Security Law), but none of them was specifically designed to protect personal data.
The PIPL is a detailed and comprehensive law in China that complements and improves the general provisions set forth in China's Cybersecurity and Data Security Laws. It sets out detailed rules regarding data privacy and personal information protection in China, clarifying any ambiguities from the previous two laws.
In this article, we take a closer look at China's Personal Data Protection Law and clarify important issues such as penalties, rights, and scope of application.
Below, you'll learn whether this law applies to you and how it relates to GDPR.
Article 3 of PIPL explains to whom this law applies. First, it is worth noting that it protects only the data of natural persons, not of legal persons.
You must comply with the China data privacy law if:
Your company/organization processes personal information in China;
Your corporation handles personal data outside of China but meets at least one of the following conditions:
The processing of personal information is done to provide products or services to individuals residing in China;
The processing of personal information is done to analyze and assess the conduct of individuals residing in China;
Or there are other circumstances prescribed by law.
In doing so, the company/organization must have received consent from the owner of the personal data for the processing of such data, and that consent must be explicit. The opt-out consent mechanism (as permitted by the CCPA) is considered invalid consent under the PIPL. In general, data may only be collected to the extent and for the duration that is necessary.
But there are a few exceptions when consent is not required for data processing.
If the processing is necessary due to the conclusion of contracts to which the data owner is a party;
Processing of personal data due to the performance of legal duties or obligations;
If the personal data is processed to protect the life, health, or property safety of natural persons in an emergency situation;
Processing, to a reasonable extent, for actions in the public interest;
Processing, to a reasonable extent and in accordance with the PIPL, of personal information that the data subject has already made public.
PIPL grants individuals the following data subject rights as outlined in Articles 44-49.
Right to receive information, right to express dissent, and right to restrict processing
Right of access and right to transfer data
Right to correction
Right to be forgotten (right to erasure)
Right to clarification on processing regulations
Rights of immediate family members of a deceased individual
In parallel with the rights of the subject, there are obligations for the data processor.
It is important to note first that, just like GDPR, the PIPL distinguishes a controller and a processor, but it uses different terms for them. Thus, what PIPL calls the data processor corresponds to the data controller under the GDPR.
Any processor of personal data of Chinese citizens is required to comply with the Personal Information Protection Law of China. Compliance imposes the following obligations on the processor of personal data in order to protect that data:
Develop an internal management system;
Implement categorized management of personal information;
Take appropriate technical security measures (encryption and de-identification);
Reasonably determine the operational permissions for the processing of personal information;
Regularly carry out security education and training for employees;
Organize, develop, and implement emergency plans for personal information security incidents; and
Undertake all other measures prescribed by laws and administrative regulations.
To better understand the law and its application, let's take a closer look at the legal definition of sensitive information.
According to PIPL, sensitive information is information whose leakage or unlawful use may violate the dignity of natural persons or cause damage to their person or property. This includes:
Biometric identifiers of the individual,
Religious faith,
Medical records and health status,
Financial status and location tracking,
Personal data of minors under the age of 14.
The definition of sensitive data under the PIPL shares several characteristics with personally identifiable information (PII) under GDPR but is not the same, because PIPL goes a little further: it defines sensitive data as any information that can cause material damage to an individual if leaked or used illegally.
PIPL is heavily influenced by the European GDPR, so compliance with PIPL will be much easier for companies that are already GDPR-compliant. However, companies need to be aware of the differences between the two laws in order not to risk violations and penalties. Therefore, let's take a look at the main differences between PIPL and GDPR.
For the purposes of personal data processing, PIPL treats anyone under 14 years of age as a minor, while the GDPR defines a minor as a person under the age of 16 and allows EU member states to lower this limit to 13.
The GDPR does not automatically categorize all personal data of minors as sensitive personal information (it requires consent from a parent or guardian), while PIPL applies this categorization automatically.
Penalties for non-compliance and violation of PIPL may reach up to RMB 50 million.
GDPR max fines for non-compliance may reach up to 20 million euros.
Under GDPR, the Data Protection Officer (DPO) is not responsible for the organization's non-compliance. PIPL doesn't say this explicitly.
GDPR recognizes legitimate purposes (legitimate interests) as a lawful basis for processing; PIPL does not. Financial data is not sensitive under the GDPR, but it is sensitive under the PIPL.
The GDPR has no strong data localization requirement; the PIPL does. The data breach notification deadline under GDPR is 72 hours, while under PIPL notification must be "immediate", although this is not further specified.
As this article shows, it is very likely that your company will also have to comply with the PIPL, given its extraterritorial scope of application. It is best to seek advice on this from data protection experts. The good news is that if you already take the GDPR into account in your day-to-day business, PIPL compliance is not rocket science.
Andreas Springer
Head of Marketing
Actonic GmbH
Germany