China Passes Personal Information Protection Law

Written by Achieved Compliance

On August 20, 2021, China’s 13th Standing Committee of the National People’s Congress passed the country’s first comprehensive data protection law, the Personal Information Protection Law (the “PIPL”). The law partially models itself on omnibus data protection regimes from other jurisdictions, including the EU General Data Protection Regulation (“GDPR”).

When it comes into effect on November 1, 2021, the Personal Information Protection Law will govern personal information processing activities carried out by companies or individuals within China. Like the GDPR, the PIPL will also apply to a company’s processing activities conducted outside of China. The law covers a company not established in China if it processes personal information about individuals located in China to (1) offer goods or services to individuals in China, or (2) analyze and evaluate the behavior of individuals in China.

The PIPL establishes a comprehensive framework to govern the processing of personal information. The PIPL, like the GDPR, specifies that organizations must handle personal data for a reasonable purpose and limit it to the minimum necessary scope to achieve the intended goals. It also requires companies to provide notice to data subjects that includes elements specified in the law.

Like the GDPR, the PIPL requires a company to establish a legal basis to process personal information. Under the PIPL, “notice and consent” is the primary legal basis for lawful processing. The law carves out exceptions to the notice and consent requirement based on the complexity and circumstances of the personal information processing activity.

Regardless of the available legal basis for processing, companies must obtain consent when:

  • disclosing personal information to a third party,
  • processing “sensitive” personal information, or
  • transferring personal information outside of China.

The PIPL also specifies rules regulating specific types of processing activities (e.g., joint processing, data processing by third parties such as vendors, data sharing, the publication of personal information, and automated decision-making), as well as rules applicable to different types of data, such as “sensitive” personal information. In addition, the PIPL prohibits data-enabled price discrimination against existing customers.

In addition to providing for data minimization and purpose specification, the PIPL provides for data subject rights, including rights of access, correction, and deletion of personal information.

Various authorities, including the CAC, relevant departments of the State Council, and local government departments at or above the county level, will have supervisory, planning, coordinating, and administrative responsibilities under the PIPL. Penalties for serious violations of the PIPL include fines of just under 50 million RMB or 5% of an entity’s revenue in the prior year.
