
Who Needs to Comply with China’s PIPL?

Organisations are getting used to the extraterritorial scope of privacy laws enacted in other countries, including the GDPR, California’s privacy law, and the recent Thai privacy law. And for privacy professionals, querying whether a new privacy law impacts their operations (no matter where it comes into effect) is now almost a reflex. So, we’ve been fielding questions about who must comply with China’s PIPL in Australia. This post will provide some guidance. 

Who Must Comply with China’s PIPL: What the Law Says 

Information about the applicability of China’s PIPL, and who must comply, is contained in Article 3.

Broadly, China’s PIPL states that the law applies to organisations that handle personal information about China’s residents.

Stanford’s translation of the PIPL text provides: 

Article 3: This Law applies to the activities of handling the personal information of natural persons within the borders of the People’s Republic of China. 

Where one of the following circumstances is present in handling activities outside the borders of the People’s Republic of China of personal information of natural persons within the borders of the People’s Republic of China, this Law applies as well: 

    1. Where the purpose is to provide products or services to natural persons inside the borders; 
    2. Where analyzing or assessing activities of natural persons inside the borders; 
    3. Other circumstances provided in laws or administrative regulations. 

In Practice: The Businesses That Must Comply with China’s PIPL 

Entities Operating in China Covered by the PIPL

As you would expect, China’s PIPL applies to entities that operate in China and collect personal information about residents of China to provide a product or service or to analyse their behaviour.

Foreign Entities That Collect Personal Information About China’s Residents 

China’s PIPL also applies to foreign entities that collect personal information about China’s residents to analyse their behaviour or to supply products or services. The law is broad and applies even if that organisation does not have a business presence in China.  

This means that China’s PIPL may apply to businesses that use Google Analytics or similar software to analyse the behaviour of China’s residents. 

The text of the PIPL also leaves scope for the Cyberspace Administration of China (CAC) to require other entities to comply with the PIPL. 

It is Mandatory for Certain Processors to Store Data in China 

Article 40 of the PIPL requires critical information infrastructure operators and personal information handlers who process a certain volume of personal information about China’s residents to store the data in China. The volume is to be decided by the Cyberspace Administration of China (CAC).  

Based on the Proposed China SCCs, the organisations that will need to store data in China include:  

  • Critical information infrastructure operators.  
  • PI Handlers that process personal information belonging to over one million individuals.  
  • PI Handlers that have transferred the personal information of more than 100,000 individuals since January 1 of the previous year. 
  • PI Handlers that have transferred sensitive information of 10,000 individuals since January 1 of the previous year. 

Organisations that don’t fall within these criteria may rely on China’s SCCs to transfer data outside of China. 


PIPL Compliance With Privacy 108  

If you need assistance navigating privacy compliance and the PIPL, reach out. Our privacy consultants and lawyers would love to help.   


At Privacy 108, we are passionate about privacy and data protection. We work with organisations to ensure they collect, use and secure all information in a way that is both compliant and meets community expectations. Privacy 108 is a law firm. Our team of lawyers can provide specialist legal advice on privacy and security issues.
