China passed a major data protection law on Friday, August 20th. The Personal Information Protection Law (PIPL) unifies and strengthens piecemeal legislation around data privacy into a set of rules regulating data collection, processing, and protection. Many companies that were exempt from the GDPR and CCPA may need to comply with PIPL. So what is China’s new privacy law and how will it affect your business? Read on to learn about the basics of PIPL, who the law applies to, and how to comply.

Scope

PIPL applies to organizations that handle the Personal Information of natural persons inside of China’s borders, as well as to organizations outside of China that handle the Personal Information of persons inside of China’s borders in some situations:

  • The purpose is to provide goods/services to persons in China
  • The handling analyzes or assesses activities of persons in China
  • Other circumstances provided in laws or administrative regulations

What is “Personal Information?”

Personal Information (PI) is all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization. Personal Information Handling includes PI collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.

Under PIPL it is prohibited to handle PI in ways that are “misleading or coercive.”

Penalties and fines

Regulators in China will aggressively enforce PIPL, and violations may result in confiscation of income associated with PIPL violations, suspension of service in China, compensation in the amount of loss to the individual or gain to the company, and even possible criminal liability. 

Uncorrected violations may result in a fine of up to 1 million Yuan for the organization and a fine of 10,000-100,000 Yuan for responsible personnel. “Grave Violations” — flagrant, intentional, and/or repeated violations — will incur fines up to 50 million Yuan or 5% of the offending organization’s annual revenue and fines of 100,000-1 million Yuan for responsible personnel, as well as a prohibition on them holding high positions.

SixFifty Can Help

PIPL has many aspects that are similar to other privacy laws, so businesses already in compliance with or aware of other laws will be familiar with many of these new requirements. However, there are enough differences in exemptions and compliance that consulting a data privacy expert is highly recommended if you conduct any business in China. SixFifty has released a PIPL compliance tool to help businesses create the policies, contracts, and other documents they need to have in place by November 1, 2021.

Subscribe to SixFifty’s blog for more updates. We’ll be publishing helpful information about China’s new privacy law up until the November 1 deadline.

Download our free PIPL ebook and schedule a demo at sixfifty.com/china