Gilad Yaron

An In-Depth Look at China Data Protection Act (PIPL) and Its Comparison with GDPR

Updated: Mar 29

Abstract

China's Personal Information Protection Law (PIPL) is a comprehensive law that went into effect on November 1, 2021. It is China's first law that specifically regulates the collection, use, and disclosure of personal information. The PIPL is similar to the European Union's General Data Protection Regulation (GDPR) in many ways.

It gives individuals the right to access, correct, and delete their personal data, and it requires businesses to obtain consent before collecting or using personal information.

The PIPL also includes stiff penalties for non-compliance, including fines of up to RMB50 million (about $7.4 million).


The PIPL applies to all businesses that collect or use the personal information of individuals located in China. This includes both domestic and foreign businesses. The law also applies to businesses that process the personal information of individuals located outside of China, but only if the processing is related to the provision of goods or services to individuals located in China, or if the processing is used to analyze or evaluate the activities of individuals located in China.


Overview

The PIPL sets forth several requirements for businesses that collect or use personal information.

These requirements include:


• Obtaining consent from individuals before collecting or using their personal information.

• Providing individuals with access to their personal information and the right to correct or delete it.

• Taking reasonable security measures to protect personal information from unauthorized access, use, disclosure, alteration, or destruction.

• Not transferring personal information outside of China without the individual's consent or appropriate safeguards.

The PIPL also gives individuals several rights, including:

• The right to access their personal information.

• The right to correct or delete their personal information.

• The right to object to the processing of their personal information.

• The right to withdraw their consent to the processing of their personal information.

• The right to file a complaint with the relevant authorities if they believe their personal information has been mishandled.


The PIPL is a significant development in China's data privacy landscape. It is the first law that specifically regulates the collection, use, and disclosure of personal information in China. The PIPL is similar to the GDPR in many ways, and it is likely to have a significant impact on businesses that collect or use the personal information of individuals located in China.


Key Differences between GDPR and PIPL


Scope:

The GDPR applies to all businesses that process the personal data of individuals located in the European Economic Area (EEA), while the PIPL applies to all businesses that collect or use the personal information of individuals located in China.


Consent:

The GDPR requires businesses to obtain explicit consent from individuals before collecting or using their personal information, while the PIPL allows businesses to collect or use personal information without consent in certain limited circumstances, such as when the processing is necessary for the performance of a contract or for the legitimate interests of the business.


Data subject rights:

The GDPR gives individuals a number of rights with respect to their personal data, such as the right to access, correct, and delete their personal data, and the right to object to the processing of their personal data. The PIPL also gives individuals a number of rights with respect to their personal data, but these rights are not as extensive as the rights under the GDPR.


Penalties:

The GDPR imposes significant penalties for non-compliance, up to €20 million or 4% of global annual turnover, whichever is greater. The PIPL also imposes penalties for non-compliance, but the penalties are not as severe as the penalties under the GDPR.


A Condensed Overview of Each of the Articles


Article 1: Purpose

This law is formulated to protect personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information.


Article 2: Scope of Application

This Law applies to the handling, by organizations and individuals, of the personal information of natural persons within the borders of the People's Republic of China.


Article 3: Definitions

For the purposes of this Law, the following terms shall have the following meanings:

• "Personal information" refers to any information that can be used to identify or contact a natural person, such as name, ID number, address, telephone number, email address, and biometric data.

• "Personal information handling" refers to any operation that collects, uses, stores, transmits, or discloses personal information.

• "Data subject" refers to the natural person whose personal information is being handled.

• "Personal information processor" refers to an organization or individual that handles personal information.

• "Competent authorities" refers to the Cyberspace Administration of China (CAC) and the State Council Information Office (SCIO).


Article 4: Principles of Personal Information Protection

The handling of personal information shall comply with the following principles:

• Lawfulness, fairness, and transparency;

• Purpose limitation;

• Data minimization;

• Accuracy;

• Storage limitation;

• Confidentiality;

• Accountability.


Article 5: Conditions for Personal Information Handling

Personal information may only be handled if the following conditions are met:

• The data subject has given consent;

• The handling is necessary for the performance of a contract to which the data subject is a party;

• The handling is necessary for compliance with a legal obligation;

• The handling is necessary to protect the vital interests of the data subject or of another natural person;

• The handling is necessary for the public interest;

• The handling is necessary for the legitimate interests of the personal information processor, provided that such interests are not outweighed by the interests or fundamental rights and freedoms of the data subject.


Article 6: Rights of Data Subjects

Data subjects have the following rights:

• The right to access their personal information;

• The right to correct inaccurate or incomplete personal information;

• The right to delete their personal information;

• The right to restrict the use of their personal information;

• The right to object to the handling of their personal information;

• The right to port their personal information to another personal information processor;

• The right to file a complaint with the competent authorities;

• The right to seek compensation for damages.


Article 7: Obligations of Personal Information Processors

Personal information processors shall comply with the following obligations:

• Obtain the consent of the data subject before collecting, using, or disclosing the data subject's personal information;

• Take appropriate security measures to protect the personal information from unauthorized access, use, disclosure, alteration, or destruction;

• Respond to data subject requests for access, correction, deletion, or restriction of the use of their personal information;

• Provide information about their personal information handling activities to the competent authorities upon request;

• Cooperate with the competent authorities in the investigation and handling of violations of this Law.


Article 8: Penalties

Organizations or individuals that violate this Law shall be subject to administrative penalties, such as fines, suspension of business, or revocation of business licenses.
