China’s PIPL privacy law imposes new data handling requirements

Antonio G Ginting

Credit: Dreamstime

As part of the country’s growing scrutiny over the tech sector, China enacted on August 21 a sprawling and comprehensive data privacy law, the Personal Information Protection Law (PIPL), which goes into effect on November 1, 2021. In combination with China’s newly enacted and still little-understood Data Protection Law, which goes into effect on September 1, 2021, this law promises to impose a host of new data privacy, security, and protective obligations on all US and global companies doing business in China.

These significant laws fit into China’s broad “informatisation policy,” which Chinese President Xi Jinping has described as the modern equivalent of industrialisation. However, the data protection law comes closer to serving more as a cybersecurity law than the PIPL. In his efforts to boost China to” cyber superpower” status, President Xi has famously said that “cybersecurity and informatisation are two wings of one body, and two wheels of one engine.”

Both national security and the public interest come into play

Modeled in part on the EU’s stringent and pace-setting General Data Protection Regulation (GPDR), PIPL creates a legal regime for all data from both the perspectives of national security and the public interest. It aims to achieve four objectives:

  1. Protect the rights and interests of individuals
  2. Regulate personal information processing activities
  3. Safeguard the lawful and “orderly flow” of data
  4. Facilitate reasonable use of personal information

Its focus on national security departs from Western privacy frameworks such as the GDPR and California’s Consumer Privacy Act (CCPA). The PIPL further differs from these two forms of data privacy by containing provisions addressing China’s digital sovereignty. These provisions aim to limit the ability of overseas entities to infringe on Chinese citizens’ rights and constrain the danger to the country’s national security.

Organisations handling Chinese citizens’ data must meet conditions

The PIPL states that “personal information processors,” namely any organisation handling the personal data of Chinese citizens, may handle that information only if the processor meets one of the following conditions:

  1. The processor obtains personal consent
  2. The information is necessary for the conclusion and performance of a contract in which the individual is a party or necessary for the implementation of human resource management by following the labor rules and regulations established under the law and the collective contract signed per the law.
  3. The information is necessary to perform statutory duties or statutory obligations.
  4. The information is necessary to respond to public health emergencies or to protect the life, health, and property safety of natural persons in an emergency.
  5. The information is necessary to carry out news reports, public opinion supervision, and other acts for the public interest, and handle personal information within a reasonable range.
  6. Processing personal information disclosed by individuals or other legally disclosed personal information within a reasonable scope is conducted by following the provisions of this law.
  7. The information is processed under other circumstances stipulated by laws and administrative regulations.

Next Post

Oxnard fills top financial post with Ventura school administrator Betsy George

Bringing with her 25 years of experience in accounting and finance, Oxnard appointed Betsy George as its new chief financial officer who started the job Monday. George was originally hired by the city in June as an assistant chief financial officer, but later replaced previous chief financial officer Kevin Riper. […]
Oxnard fills top financial post with Ventura school administrator Betsy George
Open chat
thank you for contacting us, for more information please chat