China passed the Personal Information Protection Law (“PIPL”) on August 20, 2021, with the law taking effect on November 1, 2021. The PIPL is essentially China’s version of the EU’s General Data Protection Regulation (“GDPR”): a comprehensive set of rules for how companies should collect, use, process, share, and transfer personal information in China. Entities subject to the PIPL should familiarize themselves with the details of the regulation, especially given the short timeline between enactment and enforcement.
Similar to the GDPR and the CCPA, the PIPL provides individuals with a number of rights, which center around providing individuals with the right to know and make decisions on the processing of their personal information (“PII”), as well as the right to restrict or object to that processing. Specifically, prior to collection a data subject must be clearly informed of:
Similar to GDPR, the goal is to ensure transparency of the processing of data subjects’ personal information and to empower individuals to control the flow and usage of their data. Specific rights granted under PIPL include:
Companies should familiarize themselves with the rights granted under PIPL and ensure that their data subject access request framework is up-to-date and scalable; given the massive population of China a scalable DSAR approach is crucial to avoid violations.
Yes. In addition to activities within China, the PIPL retains jurisdiction over data processing activities that happen outside China if the purpose is to provide products or services to individuals located in China, or to analyze or assess the behaviors of individuals located in China. Overseas companies caught by the extraterritorial jurisdiction of the PIPL should establish a dedicated entity or appoint a representative in China to handle matters relating to the protection of the personal information they collect, and should file the information of that entity or representative with the competent government authorities. Foreign organizations or individuals may be put on a “blacklist” that restricts or prohibits them from receiving personal information from China if they infringe the personal information rights and interests of Chinese citizens, or harm the national security or public interest of China.
The general rule is that explicit consent is the primary lawful basis for processing PII; however, for purposes of the PIPL, consent is not required for
There are. Companies that process personal information exceeding an amount threshold (which threshold has not yet been published) will need to undergo security assessments approved by the Cyberspace Administration of China (“CAC”). Companies not exceeding the threshold may transfer PII outside of China by doing one of the following:
The standard contract is similar to the Standard Contractual Clauses (“SCC”) under the GDPR, but the CAC has not yet published the full text of the standard contract. Once the standard contract is published, business operators that have a need to transfer personal information outside China should review and revise their existing data transfer agreement to make it consistent with the official template.
Maybe. Under the PIPL, companies should conduct an impact assessment before the following data processing activities:
The PIPL requires certain companies to designate a person who will be responsible for personal information protection matters, which is similar to the requirement under the GDPR to designate a Data Protection Officer (“DPO”). In contrast to the DPO requirement under the GDPR, the PIPL restricts the application scope to certain companies only, i.e., those that will process personal information exceeding a yet-to-be-announced amount threshold designated by the CAC.
Violations of the PIPL can result in penalties of up to RMB 50 million (approx. $7.5M) or 5% of the company’s revenues for the previous year, in addition to having the company’s business license revoked. Notably, personal liability can attach to PIPL violations: for the persons directly responsible within the company, the government authority may impose a fine of up to RMB 1 million (approx. $150K) and may prohibit them from serving as directors, supervisors, senior managers, or DPOs of related companies for a certain period of time.
The PIPL provides a grace period of less than three months before it takes effect. If your business is collecting and/or processing data from individuals in China, you should familiarize yourself with PIPL’s requirements immediately.
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.