Preparing for China's Personal Information Protection Law (PIPL): Is Your Business Compliant?
China's Personal Information Protection Law (PIPL): Extraterritorial Requirements for Foreign Businesses
The Personal Information Protection Law (PIPL), which came into effect on November 1st, 2021, has introduced new regulations for foreign businesses processing the personal information of individuals located in China.
Under Articles 3 and 27 of the PIPL, foreign entities must comply if they provide products or services to individuals in China, analyze or evaluate the behavior of individuals in China, or engage in other legally prescribed scenarios involving personal information of individuals in China.
To ensure compliance, foreign businesses are required to establish a dedicated legal entity within China or designate a representative located in China. They must submit the representative’s contact information to the relevant Chinese supervisory authority.
When processing or transferring personal data internationally, foreign businesses must obtain clear, informed, and voluntary consent from individuals. If transferring personal data outside China, they must ensure the recipient country offers an adequate level of data protection and implement technical and organizational security measures to protect data during transfer.
Notably, foreign businesses must notify the Cyberspace Administration of China (CAC) regarding international personal information transfers. They must also designate a Personal Information Protection Officer (PIPO) and report this officer to the CAC if the foreign processor handles the personal data of 1 million or more individuals, with reporting deadlines based on when the threshold is met.
When sharing personal information with third parties, foreign processors must inform individuals of the third party's details and obtain explicit consent for such sharing.
Under the PIPL, a parent or trustee must provide consent for the handling of information of minors under the age of 14. Personal information, under the PIPL, includes any data that can identify an individual, such as name, email address, IP address, cookie ID, etc.
Sensitive personal information includes biometrics, religion, medical and financial information, individual location tracking, information relating to minors under the age of 14, etc. The PIPL sets restrictions on transferring sensitive personal data outside of China for certain entities and data types.
In all other cases, firms are allowed to transfer personal information under one of three conditions: passing a CAC security assessment, obtaining a CAC certification, or entering into a contract with the receiving party based on the standard contract formulated by the CAC.
Businesses must also provide users with a consent form that clarifies the purpose of information handling, handling method, retention period, and the individual's rights. They must provide users with an option to refuse cookies or other automated profiling mechanisms.
The PIPL provides individuals with a set of rights relating to their personal information, including the rights to know what personal information is handled, access the information, ask for it to be corrected or supplemented, ask to limit the scope of the information or delete it, and withdraw consent to personal information processing.
Businesses must ensure that users can make decisions relating to their personal information and have the tools to opt out. They must guarantee users' personal information rights and protect personal data from breaches and unlawful usage.
Companies outside China with fewer than 1 million users must set up a branch or appoint a representative in China to comply with the PIPL. The PIPL applies equally to foreign businesses, including those without a legal entity in China.
Foreign businesses subject to China's PIPL must comply with these extraterritorial requirements to avoid sanctions such as correction orders, confiscation of unlawful income, provisional suspension or termination of service, administrative fines, and personal administrative fines. Overseas companies that do not comply with the PIPL may be placed on a blocklist or banned from handling the personal information of Chinese citizens.