China’s New Data Protection Law – Personal Information Protection Act (PIPL)

Rothwell, Figg, Ernst & Manbeck, P.C.

On August 20, 2021, China passed its first general data protection law, called the Personal Information Protection Law (“PIPL”). The law is set to take effect on November 1, 2021 (two months away), and it applies to both (1) in-country processing of personal information of natural persons; and (2) out-of-country processing of personal information of natural persons who are in China, if such processing is: (a) for the purposes of providing products or services to those people; (b) to analyze/evaluate the behavior of those people; or (c) other circumstances prescribed by laws and administrative regulations. Thus, the PIPL will become one more thing that companies have to consider in weighing questions of where to store which user data.

While much of PIPL is similar to GDPR – such as the definitions of “personal information” and “processing”; requiring a legal basis for processing personal information; and providing individuals with various rights with respect to their personal information (e.g., portability, correct and delete, restrict and prohibit, etc.) – there are differences, and companies to whom the law applies should review their policies and practices carefully to ensure compliance.

Two ways in which PIPL stands out from some other general data protection laws are with regard to the data location requirement and the cross-border transfer requirements.

First, the law provides that critical infrastructure information (“CII”) operators (such as government systems, utilities, financial systems, public health) or entities processing a large amount of personal information must store personal information within the territory of mainland China. Of note, it is suggested that every company operating in China conduct a self-assessment to determine whether it may be deemed a CII operator. In order for such information to be transferred to points outside of China, the transfer must pass a government-administered security assessment.

Second, cross-border transfer of information is allowed (for non-CII and large-volume companies) if the processor meets one of the following: (i) it passes a security assessment organized by the Cybersecurity Administration of China (CAC); (ii) it is certified by a specialized agency for the protection of PI by CAC; or (iii) it enters into a contract with the overseas recipient under the standard contract formulated by the CAC. [Of note, it appears that despite the law going into effect in two months, there is no “standard contract” published yet.]

Penalties for violations of PIPL include, inter alia, an administrative fine of up to RMB 50 million or 5% of the processor’s turnover in the last year (it is unclear if this refers to local turnover or global turnover).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rothwell, Figg, Ernst & Manbeck, P.C. | Attorney Advertising
