
China’s privacy law, the Personal Information Protection Law (PIPL), came into effect on November 1, 2021. Enforcement quickly followed, with 38 mobile apps receiving rectification notices within 3 days of the PIPL coming into effect. In December, China’s Ministry of Industry and Information Technology ordered the removal of 106 mobile apps from mobile app stores over PIPL violations. So, what do businesses operating in China need to know about China’s PIPL compliance?
China’s PIPL contains 74 articles under 8 chapters. They contain:
This includes a definition of personal information, details of entities covered by the PIPL, and general principles of China’s PIPL.
Chapter II is comprised of 3 sections relating to:
This chapter outlines that personal information handlers must meet specific requirements to provide personal information outside of China, amongst other things.
Chapter IV grants data subjects the right to limit or refuse the handling of their personal information, as well as copy, delete, or request their personal information.
This chapter includes the requirement for personal information handlers outside of China to establish a dedicated entity or appoint a representative in China to manage matters related to their handling of personal information, amongst other things.
Chapter VI outlines the role and responsibilities of the State Cybersecurity and Informatization Department.
The legal liability chapter contains the enforcement provisions for China’s PIPL. These are significant and include provision for personal liability for breaches. Article 66 states (with our emphasis):
Where personal information is handled in violation of this Law or personal information is handled without fulfilling personal information protection duties in accordance with the provisions of this Law, the departments fulfilling personal information protection duties and responsibilities are to order correction, confiscate unlawful income, and order the provisional suspension or termination of service provision of the application programs unlawfully handling personal information; where correction is refused, a fine of not more than 1 million Yuan is to be additionally imposed; the directly responsible person in charge and other directly responsible personnel are to be fined between 10,000 and 100,000 Yuan.
There are three articles contained in the supplemental provisions section of China’s PIPL. They are:
You can read China’s PIPL in English here: https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/
For more information about China’s privacy legislation landscape, the aims of China’s PIPL, and key laws covered by the PIPL, read our earlier blog post.
Privacy 108’s privacy and data security lawyers work with universities and international organisations and businesses to comply with China’s PIPL, the GDPR, Australia’s privacy laws, and more. If your business needs assistance complying with China’s PIPL, reach out.