What is PIPL – China’s Draft Personal Information Protection Law?
China has passed new regulations aimed at tightening the oversight of tech companies and enhancing the privacy of its citizens. The Personal Information Protection Law, or PIPL, will become effective on November 1st.
This new effort to regulate the technology sector subjects companies to even stricter rules, like limiting the processing of personal data to a clear and reasonable purpose. Beijing has also been cracking down on large organizations like Alibaba and Tencent.
Keep reading to learn more about how the new privacy law in China will affect the handling of user data.
PIPL – China’s Draft Personal Information Protection Law
What is the PIPL?
In April 2021, Chinese regulators released the draft of the Personal Information Protection Law – or the PIPL for short. This updated version replaced the initial draft from October 2020 – and is considered the Chinese version of the GDPR.
The legislation establishes rules about when companies can collect personal data – and what they can do with it. It obliges companies to obtain the data subject’s consent and comply with guidelines that protect the information if it is transferred abroad.
In other words, the only legal basis for the lawful processing of personal information is notice and consent. The only exceptions available are when processing data is needed to perform a contract or for employment purposes. This legal basis is much narrower than those available under other consent regulations.
The PIPL also requires organizations to appoint an individual to manage the protection of personal data. This individual will be responsible for safeguarding the data and performing periodic checks to validate compliance with regulations.
There is no doubt that the PIPL will play a major role in the development of digital business and other industries.
Rights of Data Subjects in PIPL
The PIPL introduces extensive rights for data subjects. These rights mirror those granted by the EU’s GDPR and the California Consumer Privacy Act. They also echo the entitlements described in Article 43 of China’s Cybersecurity Law.
In simple terms, the PIPL gives individuals the right to access, rectify, and delete the information collected by businesses and other organizations. Likewise, it grants them the right to know what data is being gathered and the right to transparency over how automatic decisions affect them.
However, it is important to note that the Personal Information Protection Law does not provide the right to data portability, which is a key component of the GDPR.
Not only do these rights apply to Chinese citizens, but they also extend to the deceased – their next of kin may leverage the PIPL to protect their loved one’s privacy. If someone wishes to exercise their rights, they must follow the processes established by the data controller.
A reason must be provided any time a request is denied.
Let’s review these rights in greater detail:
Right of Knowledge, Decision, Restriction, and Objection | PIPL
Under the Personal Information Protection Law, individuals have the right to know – and make decisions regarding – the processing of their private data. Similarly, they can restrict or object to the collection or processing of that information.
To comply with these measures, a business must clearly inform individuals about its data-processing activities. The language must be easily understandable and include the following details:
- The purpose and method of the data collection, including the retention period
- How the individuals can exercise their rights under the PIPL
- The contact details of the personal information controller
- Any other matters that relate to privacy laws and consent
For example, apps may use a pop-up window to notify data subjects and give them a chance to opt out. Transparency is key here!
Right to Access and Copy | PIPL
The PIPL grants Chinese citizens the right to access and copy the data held by organizations. When the access request is made, entities must respond promptly. This right to access ensures that data subjects are aware of what personal data has been gathered and processed.
The exception to this is when providing access would violate relevant laws and regulations.
Right to Rectify Information | PIPL
Another right that the Personal Information Protection Law provides is the ability to rectify the information. If a data subject feels that the information held by an entity is inaccurate or incomplete, they can request to correct it.
Again, companies must perform relevant verification or corrections in a timely manner to ensure compliance with PIPL.
Right to Delete Data | PIPL
Just as data subjects have the right to access, copy, and rectify information, they can also choose to have those details deleted. However, this right applies only in certain circumstances:
- The purpose of providing that data is no longer relevant or has already been achieved
- Consent has been withdrawn
- The data processor has violated the agreement or applicable regulations
- The retention period has expired, or the information processor is no longer providing services
- Any other circumstance described by administrative laws
If any of these circumstances apply, the entity that controls the information must delete the data. However, if the personal information controller does not take the initiative, the data subject can request the deletion.
When the legal retention period has not expired – or if it is unreasonably difficult to delete the data – then the company can choose to stop processing the data and simply store it until that time comes.
Right to Transparency Regarding Automated Decision Making
Article 25 of the Personal Information Protection Law requires businesses to be transparent about what data is used to make automatic decisions. The goal is to ensure the reasonableness and fairness of processing and give individuals the opportunity to obtain an explanation.
Enforcing the PIPL
The new privacy law in China will apply to all data processing activities that occur in the nation. Likewise, the PIPL will apply to entities outside of the country if they gather information about individuals who live in China. This covers gathering that information in the context of selling goods and services or researching individual behavior.
The CAC, State Council, and local government departments will be responsible for implementing and enforcing the provisions of the PIPL. For example, they will have supervisory, planning, and administrative duties under the new regulation.
If an entity does not comply with the Personal Information Protection Law, it will be subject to significant penalties. Fines can range anywhere from 50 million RMB to 5% of the company’s prior year revenue, so compliance is essential!