China’s new privacy law goes into effect on November 1, 2021. While there are similarities with existing privacy laws, like the GDPR and CCPA, organizations with customers or employees in China will need to take action in order to comply with the new law. How do PIPL’s Data Minimization, Consent, and Notice requirements impact your business, and what do you need to do?
Data Minimization
Something that PIPL has in common with the GDPR European privacy law is the concept of data minimization. Under PIPL, Personal Information handling must have a clear & reasonable purpose and be directly related to that handling purpose, and collection must be limited to the smallest scope needed for the collecting organization to realize its purpose. Excessive Personal Information collection is prohibited, and organizations must use methods with the smallest influence on individual rights & interests.
Additionally, organizations collecting Personal Information must have a legal basis for handling it. This means that the Personal Information must be collected with the individual’s consent, and should only be collected for these reasons:
- If it’s necessary to fulfill a contract where the individual is an interested party
- Necessary for human resources management
- Fulfill statutory duties/obligations
- Respond to public health incidents or protect persons’ lives, health, or property in emergencies
- News reporting, public opinion supervision, & other public interest activities
- Already disclosed by the individual or otherwise lawfully disclosed, & reasonable in scope
- Other circumstances as provided by law
Consent
Since consent is a key factor in an organization’s legal basis for handling personal information, let’s cover how PIPL defines it.
- Given knowingly with full information
- Voluntary
- Explicit
- Must be re-obtained if the purpose, method, or categories of Personal Information change
- Individuals have the right to rescind
- Companies must provide a convenient process for rescission
- Can’t refuse services if an individual refuses consent unless handling of Personal Information is necessary to provide the service
Notice
Organizations handling personal information must provide the following in their notices to consumers under PIPL:
- Name & contact of the Personal Information Handler
- Purpose of handling
- Handling methods
- Categories of Personal Information
- Retention period
- Procedures for exercising PIPL rights
- Other notifications required by law
- Changes in previous notice
- Disclosures shall be public & convenient to read & store