PIPL: China’s Personal Information Protection Law

written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP December 7, 2021

China’s Personal Information Protection Law (PIPL) came into effect on Nov. 1, 2021. Like the EU’s General Data Protection Regulation (GDPR), this law is comprehensive and aligns with the emerging global standard for privacy.

As with the GDPR, the PIPL affects websites and companies outside of China. Therefore, as long as your website collects or deals with information of people residing in China, you need to comply with the PIPL.

Read on to learn more about the PIPL and how you can prepare yourself to be PIPL-compliant.

Table of Contents
  1. What Is China’s New Privacy Law?
  2. What Does China’s PIPL Mean for Consumers?
  3. What Does the PIPL Mean for Marketers?
  4. What Does the PIPL Mean for Multinational Private Sector Companies?
  5. Who Has to Comply With China’s PIPL?
  6. What Are the PIPL Requirements for Businesses?
  7. How To Comply With the PIPL
  8. China’s PIPL Penalties and Fines
  9. China’s Data Privacy Laws vs. Other Countries: How Does PIPL Compare To Similar Laws?
  10. Conclusion

What Is China’s New Privacy Law?

China’s newest data protection law, the PIPL, is the latest in a procession of laws meant to protect the personal data of individuals in China.

According to Todd Liao, an attorney at Morgan Lewis in Shanghai, the PIPL’s purpose is to establish a general framework regarding how companies worldwide — both inside and outside of China — should process, collect, and transfer personal data — making the PIPL very similar to the EU’s GDPR.

What Does PIPL Stand for?

PIPL is an initialism that stands for the Personal Information Protection Law of China.

What Is the Effective Date of PIPL?

It was passed on Aug. 20, 2021, and the PIPL’s effective date is Nov. 1, 2021.

Since the PIPL came into effect less than two months after it was passed, there’s been limited time to adjust to the PIPL.

Many organizations hope that the Chinese government will implement a soft enforcement approach for the next few months to give companies more time to adjust their procedures.

What Does China’s PIPL Mean for Consumers?

China’s newest personal information protection law is a game-changer for consumers. Like other privacy laws, the PIPL provides individuals — including consumers — with certain rights. According to Chapter IV of the PIPL, these rights include:

  • The right to know what businesses will be doing with their personal information
  • The right to make decisions about their personal information
  • The right to prohibit or restrict businesses from processing their personal information
  • The right to copy and consult their personal information from processors
  • The right to delete and correct their personal information
  • The right to portability of their personal information
  • The right to ask personal information handlers to explain their processing rules

Close relatives of an individual can also exercise these rights for their own justifiable and legitimate interests after the individual has passed away, unless the individual made other arrangements during their lifetime.

We don’t know how Chinese consumers feel about the PIPL quite yet, since it came into force so recently. However, we do know that the need for something like the PIPL has been long-awaited by Chinese consumers.

According to an Oct. 2021 survey by Cisco, consumers in China were the most enthusiastic about privacy laws compared to consumers from all other countries measured. About 80% of those who knew about China’s 2017 Cybersecurity Law felt it had a positive effect.

As such, we can expect Chinese consumers to approve of the PIPL, particularly since it will provide tight data security in the private sector. In addition, PIPL will empower consumers to have more control over whether or how their personal information is shared.

However, the PIPL will not protect consumers’ personal information from being handled and processed by the government since it only regulates the private sector.

What Does the PIPL Mean for Marketers?

The PIPL will have a significant impact on marketers and advertisers. Its comprehensive nature will:

  • Provide marketers with clearer guidelines for operating domestically and internationally
  • Help establish a consistent global standard to which multinational companies can adapt

Since the PIPL is so new, we still don’t know exactly how it will affect marketers. To cover their bases, marketers should apply what they’ve learned from GDPR compliance and carefully review the following for PIPL compliance:

  • Cookies for storing personal information
  • Lead generation campaigns
  • Customer analytics and relations
  • Location tracking of individuals in retargeting and remarketing campaigns
  • Contact forms
  • Newsletters
  • Using algorithms to predict consumer behavior
  • Using and accessing third-party data
  • Using, processing, and transferring cross-border data

What Does the PIPL Mean for Multinational Private Sector Companies?

The PIPL will probably improve the relationships between multinational private sector companies.

For example, in March 2021, large Chinese tech companies like ByteDance and Tencent were revealed to be developing a mobile identifier called the CAID.

The CAID met all of China’s data privacy standards, but it went against Apple’s privacy update, which limited advertisers from using its Identifier for Advertisers (IDFA). This meant that Apple had to make a tough decision — should they end their relationship with Chinese marketers or accept CAID and give Chinese advertisers an advantage over those in other markets?

Fortunately, Apple doesn’t have to think about this issue anymore. Now that China has the PIPL, the country’s privacy regime has caught up with international standards. As such, there will be more consistency — at least in the private sector — about what data is okay to use and collect and when.

Who Has to Comply With China’s PIPL?

According to Article 73, the PIPL applies to all “personal information handlers,” which refers to individuals and organizations that “decide handling purposes and handling methods” on their own.

China’s data protection law only applies to organizations within the private sector and does not apply to individuals handling personal information for family or personal reasons.

Like the EU’s GDPR, China’s PIPL requires compliance from organizations around the world. Any organization that processes, collects, or transfers the personal data of individuals living in China must comply with the PIPL.

However, unlike the GDPR, the PIPL only protects consumers’ data from private businesses. This means that the Chinese government will still have full access to Chinese consumers’ personal data.

What Are the PIPL Requirements for Businesses?

As discussed above, PIPL establishes strict standards for compliance. Here are the concepts and definitions that businesses need to pay attention to.

Basis for Processing

According to Article 13, businesses can only handle individuals’ personal data if they’ve met at least one of the following criteria:

  • They’ve obtained individuals’ consent.
  • They need individuals’ personal information to fulfill or conclude a contract where the consumer is an interested party.
  • They need individuals’ personal information for human resources management as determined by labor laws and lawful collective contracts.
  • They need individuals’ personal information to fulfill statutory duties, obligations, or responsibilities.
  • They need individuals’ personal information for public interest activities and incidents such as news reporting and emergency conditions.
  • The individuals have already disclosed the personal information themselves.

The PIPL also prohibits businesses from handling personal information in “misleading or coercive” ways, so make sure you have a transparent privacy policy that gives consumers an accurate understanding of how you will handle their personal information.

Definition of Sensitive Personal Information

Like the GDPR, the PIPL establishes a comprehensive definition of “sensitive personal information” (SPI). According to Article 28 of the PIPL, sensitive personal information is personal information that, once leaked or used illegally, may easily harm an individual’s dignity or their personal or property safety.

This SPI includes:

  • Information on biometric characteristics
  • Specially designated status
  • Religious beliefs
  • Medical health
  • Financial information
  • Individual location tracking
  • Personal information of minors under the age of 14

Processors’ Obligations

The PIPL establishes many obligations for processors of personal information. Businesses must inform individuals about the following before handling their personal data:

  • The name and contact method of the personal information handler
  • The purpose of handling the individual’s personal information, the categories of handled personal information, the handling methods, and the retention period
  • Procedures and methods for individuals to exercise their rights under PIPL
  • Any changes in the handling process

Additionally, businesses need to establish the following before handling individuals’ personal data:

  • Operating rules and internal management structures
  • Security measures to prevent data breaches and leaks such as de-identification and encryption
  • Categorized management of personal information
  • Determination of operational limits for personal information handling and regular security training and education for employees

If your business handles a certain amount of data — which has yet to be determined by the Chinese government’s cybersecurity and informatization department — you have to appoint personal information protection officers. These officers will be responsible for supervising personal information handling and protection measures.

According to Article 54, businesses that handle personal information must regularly audit their personal information management processes to see if they comply with relevant laws and administrative regulations.

Consent

Article 14 of the PIPL requires businesses to be extremely careful when obtaining and determining consent. As in the GDPR, consent needs to be:

  • Voluntary
  • An explicit statement
  • Given after the individual has received full knowledge about how their information will be used

Individuals have the right to rescind their consent at any time, and businesses must provide a convenient way for them to withdraw their consent. Businesses also need to get new or renewed consent from individuals when:

  • Passing their data to a third party
  • Changing the way they’re handling their data
  • Using their data in any type of automated decision-making

When obtaining consent for automated decision-making, you need to provide a transparent explanation of the decision-making process and prove to the consumer that the results will be fair and just. Consumers can’t provide proper consent if your automated decision-making creates biased results.

You also need to make specific references to what consent is required for each piece of personal data. Otherwise, you won’t be able to meet the PIPL’s standards for specific consent.

Additionally, the PIPL requires you to obtain parental or guardian consent before handling the information of a minor under 14.

Third Parties in China

According to Article 21, if your business wants to share a consumer’s personal data with a third party or entrusted party in China, you need to:

  • Obtain that consumer’s consent
  • Establish a contract with a third party that outlines what they’ll be doing with the data

Under PIPL, third parties aren’t allowed to share consumer data with another third party. You need to create another contract to regulate that second transfer of data.

Cross-border Transfers of Personal Information

The PIPL puts many limitations on cross-border transfers of personal information.

According to Article 38, your business must meet one of the following conditions before transferring consumers’ personal information outside of China:

  • Pass a security assessment organized by the State cybersecurity and informatization department.
  • Establish a contract with the foreign receiving side. You must create this contract according to the State cybersecurity and informatization department’s standards. We don’t have a lot of details yet, but this contract will probably be similar to the EU’s standard contractual clauses (SCC) for data transfers between EU and non-EU countries.
  • Obtain a personal information protection certification. This can come from a specialized body according to provisions established by the State cybersecurity and informatization department. The Chinese government will provide more information about this specialized body and how you can obtain personal information protection certification from this body.
  • Comply with other conditions in regulations or law.

If your business’s personal information handlers don’t live in China, you have to appoint a “designated representative” or “dedicated office” in China to deal with all matters related to personal information handling.

After appointing this representative, you have to report their name and contact method to the Chinese government. Unfortunately, the Chinese government has not yet revealed how you can choose this representative.

The PIPL also prohibits businesses from giving personal information to any foreign government entity without permission from the Chinese government.

According to Article 41, only “competent authorities of the People’s Republic of China […] are to handle foreign judicial or law enforcement authorities’ requests regarding the provision of personal information.”

How To Comply With the PIPL

PIPL imposes many obligations on businesses. However, if your organization is already GDPR-compliant, you’ve already done most of your work.

Note the differences between the PIPL and the GDPR, and find an attorney to help you prepare to become PIPL-compliant.

After getting a better idea of what PIPL compliance requires, consider taking the following steps:

  • Assemble a team for reviewing personal information handling processes and software.
  • Work with your organization’s human resources, sales, marketing, IT, and other departments that handle personal information to create procedures and policies that are PIPL-compliant. If you outsource work to third parties or agencies such as customer service, cloud platforms, and marketing services, require them to sign a contract that outlines their responsibilities according to PIPL principles.
  • Train and inform all employees, freelancers, and independent contractors on PIPL-compliant personal information handling methods.
  • Update your privacy policy, terms and conditions, cookie notifications, and all contracts, so they align with PIPL. If you didn’t obtain explicit, voluntary consent before, you need to notify these individuals and ask them to provide explicit, voluntary consent every time you handle their personal information.
  • Make sure your software and IT infrastructure have the required security measures and access rights.
  • Log all policies, efforts, and procedures you put in place to protect individuals’ personal information. Create an audit plan to review these procedures regularly.

China’s PIPL Penalties and Fines

Compared to its counterparts, PIPL’s penalties and fines are incredibly severe. Violations of PIPL may result in:

  • Suspension of service in China.
  • Confiscation of any income a business has earned from PIPL violations.
  • Criminal charges if the PIPL violation is a crime.
  • Public security management punishment if the PIPL violation is a violation of public security management.
  • Compensation to victims, if the handling of personal information infringes upon personal information interests and rights and results in harm.

If the entity refuses to correct its violations, the government can impose a fine of up to 1 million Yuan on the person in charge who is directly responsible for the violations.

Any other directly responsible personnel will also get fined between 10,000 and 100,000 Yuan.

Additionally, “grave violations” — which Article 66 defines as repeated, intentional, and flagrant violations — will incur one of two penalties:

  • Fines up to 50 million Yuan (7,821,055 USD)
  • About 5% of the offending entity’s annual revenue and fines ranging from 100,000 to 1 million Yuan (15,642 to 156,421 USD) for other directly responsible personnel

The other directly responsible personnel mentioned above may also be prohibited from holding the following positions for a certain period:

  • High-level manager
  • Director
  • Supervisor
  • Personal information protection officer

China’s Data Privacy Laws vs. Other Countries: How Does PIPL Compare To Similar Laws?

Here’s how China’s data privacy law compares to those of other countries.

PIPL vs. GDPR

As mentioned previously, the PIPL resembles the GDPR in many ways.

Like the GDPR, the PIPL establishes stringent standards for privacy protection, requiring explicit and voluntary consent before businesses can handle consumers’ personal information.

It also has broad international jurisdiction, which means that even companies that have nothing to do with China can be affected by the law if they collect data from people in China.

Both laws also regulate offshore information processing.

Article 53 of the PIPL requires offshore personal information processing entities outside of China to appoint a representative or create a “dedicated office” in China before they can legally transfer any personal data from consumers in China. Similarly, the GDPR requires entities to appoint an EU representative for offshore controllers.

There are also some significant differences between the PIPL and the GDPR.

Unlike the GDPR, Article 13 of the PIPL includes HR management and employees under the definition of protected personal information. This means that all personal information related to HR and employment, including performance reviews and pay stubs, can’t be sent outside of China unless the employee has given informed consent or the information has been anonymized. This regulation has many implications for companies that have HR branches located outside of China.

The PIPL and the GDPR also have different lawful bases for processing.

While the GDPR recognizes “legitimate interests” as a lawful basis for processing, the PIPL doesn’t. Besides consent, Article 13 of the PIPL also allows personal information handlers to handle personal information when:

  • They need personal information to fulfill or conclude a contract in which the consumer is an interested party.
  • They need the personal information for human resources management as determined by labor laws and lawful collective contracts.
  • They need personal information to fulfill statutory duties, obligations, or responsibilities.
  • They need the personal information for public interest activities and incidents such as news reporting and emergency conditions.
  • The individuals have already disclosed the personal information themselves.

PIPL vs. CCPA

The PIPL also resembles the California Consumer Privacy Act (CCPA), which came into effect on Jan. 1, 2020, and will be amended by the California Privacy Rights Act of 2020 (CPRA) on Jan. 1, 2023.

Like the PIPL, the CCPA establishes a broad definition of personal information, including:

  • Name
  • Email
  • Geolocation data
  • IP address
  • Household data
  • Biometric information

However, unlike the PIPL, the CCPA doesn’t require companies to obtain an individual’s explicit or “opt-in” consent before using or collecting their personal information. Instead, organizations only need to obtain consent if they intend to sell someone’s personal information.

The CCPA also doesn’t consider transferring or sharing information as selling information, while the PIPL regulates all forms of data handling and processing. As such, the PIPL has a broader scope than the CCPA.

Another difference between the PIPL and CCPA is how they treat minors.

The CCPA prohibits businesses from intentionally selling the personal information of consumers under 16 years old unless one of these two situations applies:

  • The consumer is between 13 and 16 years old and has “affirmatively authorized the sale” of their personal information.
  • The consumer is under 13 years old, and their guardian has “affirmatively authorized the sale” of their personal information.

In contrast, the PIPL has a more straightforward model for protecting the personal information of minors. According to Article 31, personal information handlers must do the following when handling the personal information of a minor under the age of 14:

  • Obtain the consent of the minor’s parent or guardian.
  • Create specialized personal information handling rules for minors under the age of 14.

Conclusion

Although PIPL compliance looks daunting, it’s not that hard if you’re already GDPR-compliant. The PIPL has many provisions similar to the GDPR and, to a lesser extent, the CCPA, so businesses that already comply with these laws will be familiar with the PIPL’s requirements.

We highly recommend hiring an attorney or privacy expert to help you become PIPL-compliant.

Since we don’t know if there will be a grace period for becoming PIPL-compliant, you should start preparing for PIPL today. When the GDPR was introduced, many businesses had difficulty fulfilling GDPR requirements within the grace period. Some are still not compliant today, even though it’s been three years since the GDPR first came into force.

Organizations should start taking action as soon as possible to avoid penalties and fines.

About the author

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
