Takes Effect November 1
On November 1st of this year, China’s National People’s Congress passed the Personal Information Protection Law (PIPL). This new consumer protection law aims to improve data security and provide legal data rights for citizens of China.
Personal Information Protection Law (PIPL) Basics
The law was passed in response to research undertaken by the Cyberspace Administration of China (CAC). This group found that data collection policies were not streamlined across the board. They also found several instances of the mishandling of personally identifying data of Chinese citizens.
In some cases, the findings of the Cyberspace Administration of China (CAC) led to the shutdown or removal of popular apps from mobile devices. These mobile apps appeared to be collecting and storing personal data without oversight or disclosure of how the data was being used.
What Businesses Does PIPL Affect?
PIPL affects businesses that collect personally identifying information from customers online via websites, mobile devices, apps, and other electronic means. The law calls for PIPES to follow new guidelines and standards that include certification for private data handling.
Personal Information Processing Entities or PIPES are businesses and individuals who collect, store, and manage consumer data. Businesses that collect consumer information to provide products and services to China’s citizens are required to abide by the new data collection laws or suffer harsh penalties for non-compliance.
Similar Legislation Examples
China’s PIPL operates much like the EU’s GDPR, which requires business entities to disclose their data handling practices.
One of the most important provisions of GDPR gives users the option to not have their data shared. This means users can opt out of data sharing when using products and services online.
PIPL applies to companies that do business with Chinese citizens where data collection is involved, regardless of whether they are within the country. The law applies to cross-border data transfers. The penalties for non-compliance also apply to cross-border companies that collect and use personal data.
Cross-Border Enforcement and Penalties for Violating China’s PIPL
Companies outside of the country that manage consumer data are now required to pass a state-mandated data security inspection. The new law applies to all cross-border entities that transmit personally identifying data in and out of the country.
As it is currently written, the PIPL only applies to personally identifying data. It is unclear whether PIPL provisions cover anonymized data.
The law affects business transactions that originate within the country and extend to territories outside of the area. According to top officials, companies found to be in breach of the new legal requirements can face registration warnings and hefty fines. In extreme cases, companies found to be in violation of the new restrictions can be fined as much as 5% of their annual revenue.
Serious violators can see even more extreme penalties up to being placed on the government’s blacklist – which prohibits them from doing business inside and outside of the country.