CHINA’S PERSONAL INFORMATION PROTECTION LAW

CHINA’S PERSONAL INFORMATION PROTECTION LAW

Chinas Personal Information Protection Law(PIPL) is a comprehensive data protection legislation that was passed by the Standing Committee of the National Peoples Congress on August 20, 2021, and is set to take effect on November 1, 2021. The law seeks to protect the privacy rights of individuals and regulate the collection, use, storage, transmission, and processing of personal information by entities in China.

Here are some of the key provisions of the PIPL:

Definition of Personal Information:The PIPL defines personal information broadly as any information that can be used to identify an individual, including name, date of birth, ID number, biometric data, and online identifiers.

Consent Requirements:Entities that collect personal information must obtain consent from the individual and clearly inform them of the purpose, method, and scope of the data collection.

Cross-border Data Transfer:The law imposes restrictions on cross-border transfer of personal data, requiring entities to conduct a security assessment before transferring data outside of China.

Rights of Individuals:The law grants individuals the right to access, correct, delete, and withdraw consent for the use of their personal information. Data Protection Officers:Entities that process large amounts of personal information are required to appoint a dedicated data protection officer.

Enforcement:The law establishes fines and penalties for violations, including up to 50 million yuan (approximately $7.7 million USD) or 5% of the previous years revenue, whichever is higher.

Overall, the PIPL places significant obligations on entities that collect and process personal information and aims to strengthen the protection of individuals privacy rights in China. Chinas Personal Information Protection Law(PIPL) and the European Unions General Data Protection Regulation (GDPR) have some similarities and differences. Similarities:

Both laws are designed to protect the privacy rights of individuals and regulate the collection, use, storage, transmission, and processing of personal information. Both laws require entities to obtain the individuals consent for the collection and use of personal information.

Both laws provide individuals with the right to access, correct, delete, and withdraw consent for the use of their personal information. Both laws impose restrictions on cross-border transfer of personal data. Differences: Territorial Scope:The GDPR applies to all entities processing personal data within the EU and entities outside the EU if they offer goods or services to EU residents. In contrast, the PIPL applies to entities that process personal data within China. Legal Basis:The GDPR requires entities to have a lawful basis for the processing of personal data, while the PIPL only requires entities to obtain the individuals consent. Data Protection Officers:

The GDPR requires certain entities to appoint a data protection officer, while the PIPL requires entities that process large amounts of personal information to appoint a dedicated data protection officer. Enforcement:The GDPR imposes fines of up to 20 million or 4% of the entitys global revenue, whichever is higher. In contrast, the PIPL imposes fines of up to 50 million yuan or 5% of the entitys previous years revenue, whichever is higher. Overall, while the PIPL and GDPR have some similarities, there are also significant differences in their scope, legal basis, and enforcement mechanisms.

Click here to read more about Chinas Personal Information Protection Law


Davies Parker

24 Blog posts

Comments