China introduces its own GDPR, the Personal Information Protection Law (PIPL)
After the European Union’s GDPR and California’s CCPA (California Consumer Privacy Act), it is now China’s turn to pass a personal data protection law. The PIPL will go into effect on November 1st 2021, a tight schedule for companies to comply with this new legislation, which will affect every business, inside and outside of China, managing and processing personal data from employees based in China.
What is the PIPL (Personal Information Protection Law)?
The new law, called the Personal Information Protection Law (PIPL), is China’s first comprehensive data protection law, and one of the strictest privacy laws now on the books. With the PIPL, a comprehensive legal framework for data has been established. Similar to the General Data Protection Regulation (GDPR) present in the European Union, the PIPL encompasses the protection of personal information inside and outside of China:
- All information related to identified or identifiable natural persons
- Information that may not identify a natural person but may be related to an identified person is still treated as personal information
This means in practice that, if a company has facilities or personnel in China and processes personal data through these facilities or personnel, the data processing falls under the PIPL.
One of the main components of this law is the obligation to store sensitive and personal data on servers located on Chinese territory.
Who is affected?
The Personal Information Protection Law (PIPL) will apply to:
- Organizations that process personal information in China
- Organizations located outside China when they provide products or services to persons located in China
- Organizations that process personal information for the purpose of analyzing or evaluating persons located in China
Companies that do business in China, whether or not they have an establishment there, should be aware of the compliance risks.
Western companies doing business in China and handling citizens' personal data face extraterritorial jurisdiction of the law, as has been the case in the EU with the GDPR.
The text also prohibits the transfer of information from China to countries that do not have the same level of data protection. The European Union seems to be safe, but this is not the case for the United States, which still has no national data protection law. American companies will be the main target of such legislation.
When should action be taken?
As soon as possible, as the law takes effect on November 1st 2021, only three months after it was passed (on August 20th).
Non-compliance with the PIPL: sanctions
The PIPL has broader extraterritorial jurisdiction, strict requirements and hefty fines. In case of non-compliance with the measures of the new legislation, companies face fines of up to 50 million yuan (6.6 million euros or 7.8 million dollars) or 5% of annual turnover, reports AFP. For the most serious cases, a suspension or permanent termination of services is possible.
Discover how the PIPL can impact your whistleblowing program in the second part of our series on the subject.
If you have identified that your Organization and Whistleblowing Program might be affected by this new legislation or will be in the future, taking the step to quickly be compliant with the PIPL becomes a priority.
Get in touch with our team to learn how we can help.