Since the Personal Information Protection Law (PIPL) was passed in China in 2021, many foreign companies are scrambling to understand their obligations under this new legislation.
In this guide, we’ll walk you through everything you need to know about China’s PIPL so that your business can stay compliant and continue thriving in one of the world’s most exciting markets.
Introduction to China’s Personal Information Protection Law (PIPL)
Since China adopted the Personal Information Protection Law (PIPL) on August 20, 2021, foreigners doing business in China have been grappling with how to comply with it. The PIPL is a comprehensive law that regulates the collection, use, storage, and security of personal information, and it sets out the conditions under which personal information may be transferred out of China.
The PIPL applies to the processing of personal information within China, regardless of where the processing entity is based. It also reaches processing that takes place outside China when its purpose is to provide products or services to natural persons in China or to analyze or assess their behavior. This means that foreign companies doing business in China must comply with the PIPL if they collect or use the personal information of people located in China, and an overseas processor caught by this extraterritorial rule must also designate a dedicated entity or representative in China and report its details to the regulator (Article 53).
Compliance with the PIPL can be a challenge for foreign companies because the law is still new and there is little guidance from regulators on how to comply. In addition, the PIPL contains some unique provisions that are not found in other data privacy laws around the world.
This article will provide an overview of the key provisions of the PIPL and offer practical tips on how foreign companies can comply with the law.
How Does the Law Affect Foreigners?
The law provides that the personal information of natural persons is protected by law and that the State takes measures to protect it. Personal information means any information, recorded electronically or by other means, that relates to an identified or identifiable natural person; anonymized information is excluded. Examples include a person’s name, date of birth, identity card number, biometric data, address, telephone number, and financial information.
The law protects natural persons who are within China, which includes foreign nationals living in, working in, or visiting the country, whatever their visa type or length of stay. Organizations and individuals that collect, use, or disclose foreigners’ personal information must therefore follow the same principles that apply to everyone else’s:
- Lawfulness and necessity: The collection, use, or disclosure of personal information must rest on a legal basis recognized by the law (most often the individual’s consent, or one of the other bases such as necessity for performing a contract or complying with a legal obligation) and must be limited to what is necessary for a clear and reasonable purpose;
- Accuracy and timeliness: The collected personal information must be accurate and complete and must be updated in a timely manner;
- Proportionality: The scope of collected personal information must be the minimum needed for the stated purpose; excessive collection is prohibited;
- Security: Organizations and individuals must take security measures to protect foreigners’ personal information from unauthorized access, disclosure, alteration, loss, or destruction.
What are the Key Provisions of the Law?
The Personal Information Protection Law (PIPL), which came into effect on November 1, 2021, is a landmark piece of legislation in China that governs the collection, storage, use, and sharing of personal information by organizations. The law applies to both domestic and foreign organizations that collect, store, or use the personal information of natural persons in China.
Under the PIPL, personal information may be processed only on a legal basis recognized by the law, most commonly the informed consent of the individual concerned, and only for a clear and reasonable purpose. Organizations must also take measures to protect the personal information they collect from unauthorized access, disclosure, loss, or destruction.
Organizations that violate the PIPL may be subject to administrative penalties. For ordinary violations the fine is up to RMB 1 million (approximately US$150,000); for serious violations it rises to up to RMB 50 million or 5% of the organization’s turnover in the previous year (Article 66). In addition, individuals who suffer damages as a result of an organization’s violation of the PIPL may file a civil lawsuit against it, and where a violation harms many individuals, the people’s procuratorate and designated consumer organizations may bring public-interest litigation (Article 70).
Penalties for Violating China’s Personal Information Protection Law
If you violate China’s Personal Information Protection Law, the regulators may impose administrative penalties, including but not limited to:
- an order to rectify, a warning, and confiscation of unlawful gains;
- a fine of up to RMB 1 million (approximately USD 150,000) for the organization, and RMB 10,000 to 100,000 for the individuals directly responsible;
- for serious violations, a fine of up to RMB 50 million or 5% of the previous year’s turnover, suspension of the relevant business or a shutdown for rectification, and revocation of business permits or the business license; the individuals directly responsible may be fined RMB 100,000 to 1 million and barred for a period from serving as a director, supervisor, senior manager, or personal information protection officer.
In addition, the violator may be ordered to compensate the individuals harmed and to take corrective measures. Imprisonment is not an administrative penalty under the PIPL itself: where a violation constitutes a crime, it is prosecuted under the PRC Criminal Law, whose offense of infringing citizens’ personal information carries up to three years’ imprisonment, or three to seven years in especially serious cases.
Companies that do business in China should be aware of the law and take steps to ensure they are compliant.
Tips for Complying with China’s Personal Information Protection Law
Foreigners working or living in China should be aware of the country’s Personal Information Protection Law (PIPL), which took effect on November 1, 2021. The PIPL requires organizations to take steps to protect the personal information of natural persons in China and imposes hefty fines for non-compliance.
Here are some tips for complying with the PIPL:
- Know what personal information is covered by the law: The PIPL applies to any information that relates to an identified or identifiable natural person, including name, date of birth, ID number, address, biometric data, and more; only properly anonymized information falls outside it.
- Have a data protection policy in place: Organizations subject to the PIPL must establish internal management systems and operating procedures for personal information, publish a clear privacy notice explaining how they collect, use, store, and protect it, and, once their processing volume reaches the threshold set by the Cyberspace Administration of China (CAC), appoint a personal information protection officer.
- Get consent before collecting or using personal information: Consent must be voluntary, explicit, and fully informed. Separate consent is required for sensitive personal information (such as biometrics, financial accounts, health data, location, and information about minors under 14), for sharing data with other processors, for public disclosure, and for transferring personal information overseas. A cross-border transfer additionally needs a personal information protection impact assessment and one of the Article 38 mechanisms: a CAC security assessment, a certification by a recognized professional institution, or a standard contract with the overseas recipient.
- Keep personal information secure: Organizations must take security measures appropriate to the data, such as encryption or de-identification, access controls so that data is only reached by authorized personnel, regular staff training, and an incident response plan.
- Report breaches promptly: When personal information is leaked, tampered with, or lost, organizations must immediately take remedial measures and notify both the regulator and the affected individuals; notice to individuals may be omitted only where the remedial measures effectively avoid harm, unless the regulator requires it.
Understanding China’s personal information protection law is essential for foreigners living in or visiting the country. Even those who are not based in China will want to take note of the regulations and understand their obligations when using services that involve the collection, processing, and storage of data. By familiarizing yourself with this law, you can ensure that your rights as a consumer are respected while providing an extra layer of security for your own sensitive information.