China’s Personal Information Protection Law (PIPL), which acts as an omnibus data privacy rulebook, comes into force on 1 November 2021. Data privacy in China was previously governed by a broad patchwork of different laws, but the PIPL now provides an overarching data privacy law to turn to in the first instance. Crucially, the PIPL also has extra-territorial effect, and so governs the processing of personal information of individuals located in China, regardless of whether or not the entities processing that information are in China.
Much of the PIPL has been based (at least at a high level) on the principles and provisions of the EU General Data Protection Regulation (GDPR). That being said, the PIPL is neither as prescriptive, nor anywhere near as detailed, as the GDPR. The PIPL instead provides a framework of largely high-level data privacy obligations, and is expected to be supplemented by guidance from the Chinese authorities. Exactly what implementing guidance will be published remains to be seen.
Key aspects of the PIPL include:
- substantially increased fines of up to RMB 50 million (c.$7.5 million) or 5% of the previous year’s turnover, and other operational sanctions;
- extra-territorial jurisdiction, as mentioned above, particularly relevant if providing products or services to (or analysing the behaviour of) individuals in China;
- tougher data localisation and data export constraints with particularly onerous restrictions on overseas data transfers for the purposes of investigations or litigation;
- broadened lawful processing grounds under which consent is no longer required;
- strengthened individual rights to access, rectify and erase personal information (among others); and
- data privacy compliance review and assessment obligations.
Given the comprehensive nature of the PIPL, compliance with the new regulatory framework may pose significant challenges for many organisations. This is further complicated by the fact that certain provisions under the PIPL remains contingent on the publication of further rules and guidance from Chinese authorities.
Rulefinder Data Privacy helps our users navigate the ever-changing situation in China and we also keep track of expected developments, proposals, consultations and draft laws and guidance in our Privacy Developments Tracker. To request the most recent copy of the tracker, please click below or email info@aosphere.com to receive the tracker and start your free trial.
This summary was published as part of aosphere's Rulefinder Data Privacy. Nothing in this summary is intended to provide legal or other professional advice: aosphere does not accept responsibility for loss which may arise from reliance on this summary.
What is Rulefinder Data Privacy?
Rulefinder Data Privacy is a user friendly database of global data privacy law and regulation sourced from leading privacy counsel across the globe and curated by aosphere’s team of senior data privacy professionals. Learn more here.