This law (PIPL) was promulgated on August 21, 2021 and will enter into force on November 1 of the same year.
This legislation marks China’s first comprehensive legal attempt to define personal information (PI) and regulate the storing, transferring, and processing of personal information. It has major implications for companies that rely on data for their operations in China. The implementation of the law will provide a legal foundation for the protection of personal information for foreign firms’ operations in China. However, it will also potentially limit cross-border transfer of such information, especially for data related to critical information infrastructure (CII) due to national security implications. The business community needs to understand the law’s impact on their data operations.
The law has 74 articles in total. Here we highlight 10 key points …
- This law can be applied to foreign companies.
Whenever a company handles personal information of natural persons within China, it must comply with this law (Article 3). The law also applies to activities outside of China that handle the personal information of natural persons located in China under any of the following circumstances:
- The activities are for providing products or services to natural persons in China.
- The activities are for analyzing and evaluating the behavior of natural persons in China.
- Other circumstances specified by other Chinese laws and administrative regulations.
- Personal information from China can be shared with foreign applicants.
Previous requirements:
- The transaction must be approved by the Chinese regulatory authorities. (Article 38)
- The person who carried out the transaction had to obtain the prior consent of the person involved. (Article 39)
- Personal information collected and generated in China cannot be stored outside of the country. (Article 40)
- Foreign entities that violate this law will be sanctioned. (Article 42)
- Obtaining personal information can be done in two cases: when the consent of the person in question has been obtained or when the consent of the person is not required for the processing of the information.
The cases in which personal consent is not required are:
- When the collection of personal information is necessary for the performance of a contract.
- When a company collects the necessary information from employees for human resources management.
- When it is collected for press coverage in the public interest.
- When personal information is public (limited to a specific).
- Before handling personal information, the personal information processor must inform the person in a faithful, precise and understandable manner.
- People have the right to know and decide on the handling of their personal information. (Article 44)
People have the right to inspect and copy their personal information. (Article 45)
If the personal information is inaccurate or incomplete, the person concerned has the right to request the processor to correct or supplement it. (Article 46)
The person concerned has the right to withdraw their consent at any time. (Article 15)
The person concerned has the right to request the processor of personal information to explain and clarify the rules for handling their personal information. (Article 48)
- State bodies may handle personal information in order to fulfill their legal duties, but they must do so in accordance with legal authority and procedures. (Article 34)
State bodies will inform people about the handling of their personal information. However, state bodies cannot inform people if the law establishes that such handling will be confidential. (Articles 35 and 18)
- Personal information may be collected in public places as long as the following requirements are met (Article 26):
The collection is necessary for public safety.
The collection complies with the relevant legal provisions.
- The China Cyberspace Administration and its counterparts in local governments are the regulatory authorities in this area.