Who Needs to Comply with China’s PIPL?
Organisations are getting used to the extraterritorial scope of privacy laws enacted in other countries, including the GDPR, California's privacy law, and the recent Thai privacy law. For privacy professionals, asking whether a new privacy law affects their operations (no matter where it comes into effect) is now almost a reflex. So we have been fielding questions from Australian organisations about who must comply with China's PIPL. This post provides some guidance.
Who Must Comply with China’s PIPL: What the Law Says
The scope of China's PIPL, and therefore who must comply with it, is set out in Article 3.
Broadly, the PIPL applies to the handling of personal information of natural persons who are within China's borders, whether that handling takes place inside or outside China.
Stanford’s translation of the PIPL text provides:
Article 3: This Law applies to the activities of handling the personal information of natural persons within the borders of the People’s Republic of China.
Where one of the following circumstances is present in handling activities outside the borders of the People’s Republic of China of personal information of natural persons within the borders of the People’s Republic of China, this Law applies as well:
- Where the purpose is to provide products or services to natural persons inside the borders;
- Where analyzing or assessing activities of natural persons inside the borders;
- Other circumstances provided in laws or administrative regulations.
In Practice: The Businesses That Must Comply with China’s PIPL
Entities Operating in China Covered by the PIPL
As you would expect, the first paragraph of Article 3 captures any handling of personal information that takes place within China's borders. Note that this limb has no purpose test: an entity operating in China is covered regardless of why it collects the personal information. The purpose-based conditions (providing products or services, or analysing and assessing behaviour) only come into play for handling that takes place outside China.
Foreign Entities That Collect Personal Information About China’s Residents
China's PIPL also applies to foreign entities that handle the personal information of natural persons in China for the purpose of supplying them with products or services, or of analysing or assessing their behaviour. The law is broad and applies even if the organisation has no business presence in China. A foreign entity that is caught by this limb should also be aware of Article 53, which requires it to establish a dedicated entity or appoint a representative within China to handle personal information protection matters.
This means that the PIPL may apply to a business with no presence in China at all if, for example, it uses Google Analytics or similar tools to analyse the behaviour of website visitors located in China.
The third limb of Article 3 also leaves scope for other laws or administrative regulations to extend the PIPL to further circumstances, so the list of covered entities may grow as China's regulators, including the Cyberspace Administration of China (CAC), issue implementing rules.
It is Mandatory for Certain Processors to Store Data in China
Article 40 of the PIPL requires critical information infrastructure operators, and personal information handlers that handle a volume of personal information reaching a threshold set by the Cyberspace Administration of China (CAC), to store within China the personal information they collect and generate there. This is not an absolute ban on transfer: where a cross-border transfer is genuinely necessary, Article 40 allows it, but only after the handler passes a CAC security assessment.
The proposed China SCCs set out the thresholds that take an organisation outside the SCC route and into the Article 40 regime (local storage, plus a CAC security assessment for any transfer). Those categories are:
- Critical information infrastructure operators.
- PI handlers that handle the personal information of more than one million individuals.
- PI handlers that have cumulatively transferred the personal information of 100,000 or more individuals outside China since 1 January of the previous year.
- PI handlers that have cumulatively transferred the sensitive personal information of 10,000 or more individuals outside China since 1 January of the previous year.
Organisations that do not fall within any of these categories may rely on China's SCCs (once finalised) to transfer personal information outside China, rather than undergoing a CAC security assessment. The counts are cumulative, so an organisation sitting below a threshold today should track its transfer volumes to know when it crosses one.
Additional Resources On China’s PIPL
- China’s New Data Security Law (DSL): Another piece in a complex puzzle
- China’s New Personal Information Protection Law: Yet another piece in a complex puzzle
- China’s PIPL: A guide to what’s covered
- China’s Proposed SCCs Released
PIPL Compliance With Privacy 108
If you need assistance navigating privacy compliance and the PIPL, reach out. Our privacy consultants and lawyers would love to help.