China has passed a new, comprehensive data privacy law that will have a profound impact on how tech companies operate in the country. It was enacted August 20. The Personal Information Protection Law of the Peoples Republic of China (PIPL) is the name of the new Chinese data privacy law.
The PIPL, which is modeled after the European Unions General Data Protection Regulation (GDPR), imposes restrictions and protections on data collection and transfer that both Chinese and foreign companies will have to comply with. It targets apps that use personal information to target consumers, or offer different prices for products and services to them. It also prevents the transfer of personal data to countries with lower security protections.
Companies don't have much time to prepare for the PIPL which is due to go into effect on November 1, 2021. Companies that have already implemented GDPR, especially if they have done so globally, will find it easier to comply with China's new requirements. Firms that haven't implemented GDPR practices should consider adopting one. Additionally, U.S. businesses will need to be aware of the new restrictions regarding the transfer personal data from China to the U.S.
Companies that have not adopted GDPR principles are more likely to fail to implement and comply with the PIPL.
This is a deep dive on the PIPL and its implications for tech companies:
Requirements for new data handling
The PIPL is the most strict set of data privacy requirements and protections in the world. It also includes specific requirements relating personal information processing by governmental agencies, which will not be covered here. The law covers all information that is recorded electronically or by other means and related to identifiable or identifiable natural persons. Anonymized information is not covered.
These are the new requirements that China has for personal data handling. This will have a major impact on tech companies:
China law: Extra-territorial Application
China regulations were previously only applicable to activities within the country. Similar to GDPR, the PIPL applies the law to personal data handling activities within Chinese borders. It is similar to GDPR in that it expands its scope to personal data handling outside China, provided the following conditions are met.
The purpose of the site is to offer products and services to Chinese citizens.
Where to analyze or assess the activities of individuals within China.
Other situations may be covered by laws and administrative regulations.
If you sell products in China to U.S.-based companies, even though you don't have any operations or facilities there, you could be subject to China's data privacy law.
Data handling principles
The PIPL establishes the principles of transparency, purpose, data minimization. Companies are required to only collect personal data for a specific, reasonable, and disclosed purpose. They can also limit the scope of the purpose to achieve it. Data must be kept only for that purpose. To avoid any adverse impact on individual rights or interests, every information handler must ensure that the data it handles is accurate and complete.