Banner with the Chinese flag where the red background includes data processing. There's a text overlay that says China's PIPL

China’s PIPL: A Guide to What’s Covered

China’s privacy law, the Personal Information Protection Law (PIPL), came into effect on November 1, 2021. Enforcement quickly followed, with 38 mobile apps receiving rectification notices within 3 days of the PIPL coming into effect. In December, China’s Ministry of Industry and Information Technology ordered the removal of 106 mobile apps from mobile app stores over PIPL violations. So, what do businesses operating in China need to know about China’s PIPL compliance?  

A 3 Minute Guide to China’s PIPL Compliance 

China’s PIPL contains 74 articles under 8 chapters. They contain:  

Chapter I: General Provisions. 

This includes a definition of personal information, details of entities covered by the PIPL, and general principles of China’s PIPL. 
 

Chapter II: Personal Information Handling Rules.  

Chapter II is comprised of 3 sections relating to:  

  • Ordinary provisions,  
  • Regulations for handling sensitive personal information, and  
  • Special provisions on the handling of personal information by state authorities. 

 

Chapter III: Rules on the Cross-Border Provision of Personal Information.  

This chapter outlines that personal information handlers must meet specific requirements to provide personal information outside of China, amongst other things.  

 

Chapter IV: Individuals’ Rights in Personal Information Handling Activities.  

Chapter IV grants data subjects the right to limit or refuse the handling of their personal information, as well as copy, delete, or request their personal information.   

 

Chapter V: Personal Information Handlers’ Duties.  

This chapter includes the requirement for personal information handlers outside of China establishing a dedicated entity or appointing a representative in China to manage matters related to their handling of personal information, amongst other things.
 

Chapter VI: Departments Fulfilling Personal Information Protection Duties and Responsibilities.  

Chapter VI outlines the role and responsibilities of the State Cybersecurity and Informatization Department.

  

Chapter VII: Legal Liability.  

The legal liability chapter contains the enforcement provisions for China’s PIPL. These are significant and include provision for personal liability for breaches. Article 66 states (with our emphasis):  

Where personal information is handled in violation of this Law or personal information is handled without fulfilling personal information protection duties in accordance with the provisions of this Law, the departments fulfilling personal information protection duties and responsibilities are to order correction, confiscate unlawful income, and order the provisional suspension or termination of service provision of the application programs unlawfully handling personal information; where correction is refused, a fine of not more than 1 million Yuan is to be additionally imposed; the directly responsible person in charge and other directly responsible personnel are to be fined between 10,000 and 100,000 Yuan. 

Chapter VIII: Supplemental Provisions.  

There are three articles contained in the supplemental provisions section of China’s PIPL. They are 

  • Article 72, which states that China’s PIPL does not apply to natural persons handling personal information for personal or family affairs. 
  • Article 73, which defines personal information handler, automated decision-making, de-identification, and anonymization.  
  • Article 74, which outlines that the PIPL becomes law on November 1, 2021.  

You can read China’s PIPL in English here: https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/ 

 

For more information about China’s privacy legislation landscape, the aims of China’s PIPL, and key laws covered by the PIPL, read our earlier blog post.

Achieve Compliance with China’s PIPL with Privacy 108 

Privacy 108’s privacy and data security lawyers work with universities and international organisations and businesses to comply with China’s PIPL, the GDPR, Australia’s privacy laws, and more. If your business needs assistance complying with China’s PIPL, reach out. 

Privacy108 Contact Page Form

  • This field is for validation purposes and should be left unchanged.
Tags: