The Personal Information Protection Law (PIPL), passed by People's Congress of China on August 20, 2021, is considered as one of the strictest data protection bills in the world. This law refers to a large extent to the EU's General Data Protection Regulations (GDPR). However, there is still a big gap between the two, which means that European companies in China still face certain risks and challenges related complying this Law.
PIPL is China's first comprehensive law specifically for the protection of personal information. It specifies
i) the scope of application,
ii) the rules of processing personal information with "notification-content" as the core,
iii) personal rights, processor obligations, and special obligations for large network platforms,
iv) specific rules for cross-border personal information transfer, and
v) supervision system for personal information protection.
According to PIPL, information processors are required to have clear and reasonable purposes for processing personal information. The information collection shall be directly correlated to these purposes, and the processing methods should be the optimal way of smallest impact on personal rights. Moreover, the collection is required to be limited in the specific scope for achieving the purposes.
At the same time, the information processing should be based on personal consent on the premise of full notification in advance. If important matters in the processing of personal information are changed, individuals shall be re-informed and consent should be obtained anew.
In addition, considering the complexity of economic and social life, the purposes and conditions of collecting personal information processing are increasingly diverse. From the perspective of safeguarding public rights, the PIPL also includes specific situations where personal information can be legally handled without personal consent.
Furthermore, PIPL also makes specific provisions on entrusted and joint personal information processing.
Compared to the previous drafts, PIPL added details including excessive collection of personal information in APPs and the "big-data-enabled price discrimination against existing customers". Moreover, the personal information of minors under fourteen is classifies as sensitive personal information. The rules for cross-border provision of personal information have also been revised.
Together with the Data Security Law, PIPL is the cornerstone for the Internet and information administration. Data Security Law, which takes effect on September 1, focuses on the economic value of data and related national security matters. These two laws require all companies operating in China review the way they store and process data.
According to the PIPL, there are two relevant circumstances for overseas enterprises involved in data processing. If the China-based subsidiary of a foreign company needs to transfer the personal information collected in China to its overseas headquarters for business purposes, it must meet one of the three conditions specified in the previous section. However, there are still no specific measures and details on the security assessment and on the certification process.
Foreign companies that do not have branches in China, but provide products or services to Chinese customers, are equally required to comply with the PIPL even though all their data processing activities are conducted outside China. They also need to set up a special office or representative in China to deal with personal information protection.
This means that, all companies dealing with Chinese consumers have to be compliant with the PIPL. Foreign companies should first understand the provisions in the PIPL and Data Security Law, and monitor new related regulations and implementation rules. English version of the PIPL is available at:
http://www.bestao-consulting.com/translated/detail/789
If you need more information on the topic, please contact:
assistant@bestao-consulting.com