What is PIPL (China’s Personal Information Protection Law)?
China’s Personal Information Protection Law (PIPL) was passed on August 20, 2021 and became effective on November 1, 2021. China's data privacy law applies to any company that processes personal information belonging to the citizens of the People’s Republic of China.
While PIPL is similar to other international privacy regulations, it is important to review your company’s privacy policies to ensure they comply with PIPL. The law works alongside China’s Cybersecurity Law (CSL) and Data Security Law (DSL) to create a comprehensive data security framework for Chinese citizens.
Some of the highlights of the Personal Information Protection Law include definitions of key terms, requirements for processing personal information, data localization, cross-border transfer of personal information, and fines for noncompliance. In this article, we will explore these highlights further to provide a comprehensive overview of the law. This will aid in identifying areas where an organization may need to update their privacy policies.
Personal Information Quick Definitions
How PIPL defines “personal information,” and other related terms should be understood before examining PIPL’s requirements for personal information.
Personal information is defined as any form of information (written data, images, or video) connected to an identifiable person.
Sensitive Personal Information
Sensitive personal information is personal information that could infringe the dignity of or cause harm to the individual it is attached to.
Anonymized or de-identified information is not included as protected personal information for PIPL. Data anonymization allows data to be processed and stored in such a way that it cannot be connected to an individual.
While there are multiple requirements for companies under China’s Personal Information Protection Law (PIPL), there are a few key requirements to keep in mind. Working towards compliance is a complicated process, especially for larger companies. Complying with all the requirements will be an extensive process if you are starting from nothing. However, this overview will show a few ways PIPL may differ from other privacy laws your organization is already compliant with.
Chapter II: Processing Personal Information
PIPL lays out requirements in which both ordinary and sensitive personal information can be processed. Personal information is officially defined by PIPL as “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling. Personal information handling includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.”
The handling of ordinary personal information must either happen with the express consent of the individual, or fit one of several other categories, including:
- Processing or handling data to respond to health or security emergencies
- Processing or handling data to report on public interest issues
- Processing or handling data to fulfill statutory duties or responsibilities
- Processing or handling data to fulfill contracts
In most cases, express consent of the individual is mandatory. Even if your organization may legally qualify for another condition, it should not be assumed without extensive research.
There are additional rules outlined for sensitive personal information which is officially defined by PIPL as “personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.”
For sensitive personal information:
- Separate consent must be obtained, including written consent where regulations require it
- Individuals must be notified about their rights regarding their sensitive information
- Consent of a parent or guardian must be used for minors under 14
- All proper licenses must be obtained before handling sensitive personal data
There are many other guidelines and regulations in line for certain circumstances. It is worth reviewing the entirety of Personal Information Protection Law of the People’s Republic of China, Chapter II: Personal Information Handling Rules.
Chapter III: Cross-Border Transfer of Personal Information
For an organization to process personal information outside of the People’s Republic of China, it must meet one of the following conditions:
- A security assessment organized by the State cybersecurity and informatization department has been passed
- A personal information protection certification cybersecurity and informatization department as been obtained
- The organization is concluding a standard contract formulated by the State cybersecurity and informatization department
- Another condition provided by the State cybersecurity and informatization department is met
In other words, to transfer personal information across China’s border some type of approval must be obtained from the State cybersecurity and informatization department.
PIPL also lays out data localization restrictions for organizations that process substantial amounts of Chinese data. At a certain threshold, organizations must store personal information within China.
Additionally, if a business presence is not present within China, a local representative or local agency must take charge of PIPL compliance.
Chapter IV: Individual’s Rights to their Personal Information
Under PIPL, individuals have the right to control how and where their data is being stored. Individuals can:
- Know how their personal data is being used, and limit or refuse the handling of their data
- Consult and copy their personal information within a timely manner
- Correct their personal information when they find it is incorrect or incomplete
- Request information about how personal information is handled
Additionally, organizations must provide convenient ways for individuals to exercise the above rights.
Chapter V: Personal Information Handler’s Responsibilities
Organizations that handle personal information must meet the following duties:
- Formulate internal personal information management structures and rules
- Implement categorized management of personal information
- Utilize proper security measures like encryption and data deidentification
- Limit personal information handling and conduct employee security training
- Organize security incident response plans
- Engage in regular audits of their personal information
- Conduct consistent personal information protection impact assessments as information is handled
There are also additional transparency requirements for complex businesses with large user bases.
Violating PIPL requirements may result in fines or other corrective actions. A breach of PIPL will most likely result in an order to comply, as well as a request for any “unlawful income” generated. If this is ignored, violators can expect fines of up to 1 million yuan ($150,000). A fine for the individual responsible for compliance, or lack thereof, can reach up to 100,000 yuan ($15,000).
For cases that are deemed “serious,” fines of up to 50 million yuan ($7.5 million) or 5% of the company’s annual turnover may be demanded. Certain licenses or operations may also be revoked.
Becoming compliant with PIPL, even if you have not received communication regarding noncompliance, is essential. PIPL came into effect in November of 2021, but many companies are still working to maintain compliance.
If you are looking for solutions to reach PIPL compliance, check out the TokenEx Personal Information Compliance Solution. Our Tokenization platform successfully pseudonymizes data while maintaining its business utility. If you’re struggling with personal information compliance, read more here: