The Personal Information Protection Law, or PIPL, imposes stringent obligations of a similar standard to the GDPR and will take effect on November 1, 2021.

Key Points:

..Extraterritorial effect: PIPL applies to those who process personal information about Chinese individuals inside China as well as those who process personal information about Chinese individuals outside China.

..Legal basis: PIPL expands the legal bases for processing personal information to seven, including where it is necessary for the performance of a contract with the individual.

..Data transfer restrictions and localization requirements: Critical information infrastructure operators (CIIOs) and those who exceed the threshold of personal information processed set by the Cyberspace Administration of China (CAC) must store personal information in China unless they pass a CAC security assessment. PIPL also imposes more stringent requirements on cross-border data transfers, e.g., consent of the individual is always required.

..Fines: Those who violate PIPL may face fines of up to 5% of annual revenue of the previous year or CNY50 million.