On Nov. 1, 2021, China’s Personal Information Protection Law (PIPL) went into effect, aiming to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information” (Article 1).
With its entry into force, the broader cyber and data security governance in China is regulated by three pieces of legislation: the PIPL, the Cybersecurity Law, and the Data Security Law. Some related implementing regulations have been adopted and others have yet to be adopted, making it complex to comply with this framework without proper legal and cybersecurity guidance.
From a comparative perspective, the PIPL aligns in large part with the strictest international privacy benchmarks of the European Union’s General Data Protection Regulation (EU GDPR), but it also differs from the EU framework in relevant respects. For instance, the PIPL includes certain substantive obligations that differ from the EU GDPR, and there are also obligations found in the EU GDPR that are not included in the PIPL.