On Nov. 1, 2021, China's Personal Information Protection Law (PIPL) came into effect, aiming to "protect the rights and interests of individuals," "regulate personal information processing activities," and "facilitate reasonable use of personal information" (Article 1).
With its entry into force, the broader cyber and data security governance in China is regulated by three pieces of legislation: the PIPL, the Cybersecurity Law, and the Data Security Law. Some implementing regulations have been adopted and others have yet to be adopted, making it complex to comply with this framework without proper legal and cybersecurity guidance.
From a comparative perspective, the PIPL aligns in large part with the strictest international privacy benchmarks of the European Union's General Data Protection Regulation (EU GDPR), but it differs from the EU framework to a relevant extent. For instance, the PIPL includes certain substantive obligations that differ from the EU GDPR, and there are also obligations found in the EU GDPR that are not included in the PIPL.
Like the EU GDPR, the PIPL has extraterritorial application and imposes thought-through privacy management policies and practices on companies and entities all over the world when the purpose of the processing is:
(i) to provide products or services to individuals in China;
(ii) to "analyze" or "assess" the behaviour of individuals in China; and/or
(iii) for other purposes to be specified by laws and regulations.
If you have just discovered that your company falls under these conditions, you are also obliged to: