China's Draft Personal Information Protection Law (PIPL)

China's Personal Information Protection Law (PIPL) is designed to protect personal information and is being characterized by some as "China's GDPR." The European Union's General Data Protection Regulation (GDPR) is considered the gold standard in terms of data protection and privacy laws worldwide.

In this article, we'll go over the main provisions of PIPL and see what companies doing business in China must do to comply.

PIPL at a Glance

China put out the first draft of its Personal Information Protection Law (PIPL) on October 21, 2020. Since then, the country's Standing Committee of the National People's Congress of China (NPC), the top legislative body for the nation, released a second draft. It was published on April 29, 2021 and the law officially took effect on November 1st, 2021.

Together with the Data Security Law and the Cybersecurity Law, PIPL will make up one of three foundational laws designed to protect data within China. The official text of PIPLE (in Chinese) can be found here.

You can find a full English translation by the DigiChina Project, based at the Stanford University Cyber Policy Center, here.

PIPL's Definitions

Personal Information

As with other data privacy laws around the world, PIPL states that to be considered personal information, data must be related to an individual who is identified or identifiable. It must have been recorded in one manner or another, but primarily through electronic means. It does not include anonymized data.

Additionally, PIPL goes on to define personal information as data, which, if negligently or maliciously divulged and misused, could cause discrimination or the endangerment of an individual or their property.

PIPL lists the following as some types of data that are personal information:

• Personal location
• Financial accounts
• Medical health
• Biometric data
• Religious beliefs
• Race
• Ethical beliefs

The list above is not exhaustive and, interestingly, is shorter than that of the EU's GDPR.

Moreover, PIPL's list is broader in scope and may be interpreted by courts in a loose, expansive manner. With that in mind, companies doing business in China should be prepared to consider all potential consequences should the data they collect ever be compromised.

Information Processing

The following activities constitute information processing under PIPL:

• Data collection
• Data storage
• Data use
• Data processing
• Data transmission
• Data provision
• Data disclosure

Information processing is an area where PIPL and the EU's GDPR slightly diverge. For instance, PIPL doesn't have "data controllers" but rather "personal information processors." These personal information processors under PIPL can delegate data processing to other parties. It is those parties, which are more akin to the GDPR's definition of a data processor.

Application of PIPL Outside of China

Suppose your company does business in China but is physically located beyond China's borders. In that case, PIPL will still apply to you if you process the personal information of individuals residing in China.

The law applies to you under the following conditions:

• If you process data with the purpose of providing either products or services to individuals in China
• If you process data with the purpose of evaluating or analyzing an individual's conduct in China, and
• If you process data in any other circumstances provided for in any other Chinese regulation or law

Under all the above circumstances, your company must appoint a specific representative in China or establish a specialized, legal entity in China, that is responsible for handling all issues related to the protection of personal information. Further, you must provide the name and contact information of the representative or entity to the relevant Chinese authorities.

PIPL and Privacy Rights

Rules concerning consent provide more protections to individuals. For example, companies must:

• Acquire consent that is clear, voluntary, and well-informed. Any individual can revoke their consent at any time and for any reason. Further, if your company changes anything in regards to the type of personal information you collect, how you handle that data or the reasons why you collect that data, then you must obtain user consent all over again.
• Acquire consent from individuals even if their information is publicly available. There are caveats, but in general, you must get consent.

A fail-proof way of obtaining consent is by having users check a box next to a statement that shows they will know they are giving contsent:



• Never withhold either products or services under any circumstances in the event that an individual does not wish to provide you with their personal information or revokes consent.
• Provide the name and contact information of the company's personal information handler.
• Provide information on the location data will be transferred to when a transfer takes place from the personal information handler to a third party.
• Provide the name and contact information of any third party that receives personal information.
• State what kind of personal information is collected, why it is collected, how it is stored, the length of time the information is stored, and
• Provide individuals with a list of their rights under PIPL and how they can exercise their rights.

The last two points can be disclosed in a Privacy Policy. Include relevant clauses, like so:

And this clause outlines user rights:

Interestingly, while PIPL stipulates all of the above, it does not demand that a company comply within any specified time frame when it comes to obtaining consent. With that said, the law does imply that providing the above information to individuals must be done in a "timely manner," although it doesn't specify what "timely" means.

Processing Personal Information

In addition to the need to acquire consent, companies must be aware that they can only process personal information under a strict set of circumstances.

These include times when:

• Processing is necessary to enter into a contract or carry out the obligations of a contract to which the individual is a party
• Processing is necessary to carry out obligations and responsibilities that are legal in nature (if that's the case, you do not have to obtain consent)
• Processing is necessary to protect the safety of an individual's health or property in an emergency situation or in response to a public health emergency
• Processing is necessary to report the news accurately or to monitor public opinion in the public interest
• Processing is necessary to comply with any other law or regulation in China

Cross-border Transfer of Personal Information

Be aware that if your company transfers data obtained in China outside the country's borders, it must sign the government's "standard contract," which is published by the Cyberspace Administration of China (CAC).

Additional requirements include:

• The need to acquire a separate consent from individuals for any cross-border transfer of information
• Conducting an internal risk assessment before any cross-border transfer of information
• Keeping records of all cross-border data transfers, and
• The need to undergo a CAC security assessment or obtain a certification from a CAC approved "professional institution"

Obligations of Processing Entities and Entities Entrusted to Process Personal Information

You must ensure the security and safety of all personal information that you collect. Security measures must be both technical and organizational in nature and must include such things as:

• Implementing encryption measures
• Establishing an internal data management system
• Establishing a special entity in China or appointing a designated representative to take charge of all issues related to the security of personal information

It's possible that if your company entrusts a third party with data processing, then that organization must have an entity or representative in China in order to comply with the obligations outlined above. Be aware that this fact could impact your company in a variety of ways, some of which may not be clear until the PIPL draft becomes law and goes into effect.

Obligations on Large Scale Platforms

If your company is a basic Internet platform service provider with a large user base, then you will need to fulfill the following obligations in addition to those previously listed:

• Your company must establish an external, independent body with supervisory powers. It must be comprised of personnel external to your company. It must be tasked with supervising your company's information processing activities.
• Immediately stop providing services to companies, such as e-commerce platforms that do not adhere to personal information processing requirements under Chinese law, and
• Regularly publish "personal information responsibility reports"

Penalties for Non-Compliance with PIPL

You should be aware that Chinese agencies tasked with investigating violations of PIPL have the authority to investigate, interview, conduct on-site inspections, inspect all items and devices, and demand copies of all documents related to the processing of personal information.

Additionally, Chinese agencies will have the power to demand that you appoint a "professional institution" to perform a compliance audit of they believe your personal information processing activities are risky in nature or if they think a security accident could occur.

Be aware that your company bears all burden of proof if an individual takes you to court as a result of your data processing activities. If you can't prove that you aren't at fault, your business will be liable for tort damages.

Fines Under PIPL

There are many good arguments for why you should pay attention to PIPL's requirements. One of the biggest is due to the hefty fines the law will impose on businesses that do not comply. There are two tiers of penalties, which depend heavily on the "seriousness" of the breach.

If a person or company does any of the following, a penalty provision is triggered:

• If you break the rules of PIPL in any way while handling personal information, or
• If you do not take the steps necessary to protect personal information as required by the law

If you violate anything just mentioned, your company could face a maximum penalty of RMB 1 Million (approx. $152,000 in USD) if you fail or refuse to fix the problem after being warned by the relevant Chinese regulatory body.

If the Chinese regulatory body deems your breach to be "serious" in nature, then you could face sanctions, which could include the following:

• Closure of your business in China without warning
• You could also potentially be subject to a fine of up to 5% of your total revenue from the preceding financial year or up to RMB 50 Million (approx. $7.6 Million)

Unfortunately for companies outside of China, PIPL doesn't elaborate on what "serious" means in this context, which means it is likely to be a matter that Chinese courts will interpret.

Moreover, your company executives, managers, and data protection officers need to be aware and exceedingly cautious because PIPL won't just hold the company accountable. Individuals connected to the relevant infringement will also be held liable by the Chinese government.

Summary and Takeaways

Types of personal information that you must obtain consent for under PIPL include many of the same kinds listed by Europe's GDPR. However, PIPL's list is shorter, not exhaustive, and may be interpreted by the courts in a loose, expansive manner.

Information processing under PIPL includes data collection, storage, use, processing, transmission, provision, and disclosure.

Suppose your company does business in China but is physically located beyond China's borders. In that case, PIPL will still apply to you if you process the personal information of individuals residing in China.

The safety and security of personal information under PIPL is a huge issue. Any security measures you put in place must be both technical and organizational in nature. They must include data encryption, an internal data management system, and PIPL will require you to establish a special entity or representative in China to deal with all security issues related to personal information.

PIPL has the potential to significantly impact your business due to its strict regulations concerning the processing of personal information and its huge fines for non-compliance. Even if your company has put measures in place to comply with Europe's GDPR, it's more than possible that they won't be enough to satisfy the requirements of PIPL.

Your company's personal information processing is likely to come under the scrutiny of Chinese regulatory agencies, and you'll have to obtain specific consent even in situations the GDPR doesn't cover.

If you are wise, you should start reviewing your policies now in preparation for PIPL compliance. Finally, do not be complacent. Remember that even if you are GDPR compliant, there is no guarantee that this will ensure PIPL compliance.