PIPL. What is the Personal Information Protection Law?

Buildings in Beijing at night. Photo by Zhang Kaiyv

The Chinese Personal Information Protection Law (PIPL) is a comprehensive data privacy law that regulates the collection, use, and storage of personal information by organizations operating within China.

Enacted and commenced in 2021, the PIPL aims to protect the personal information of Chinese citizens and residents and establishes strict requirements for organizations that handle personal information. The PIPL also grants individuals certain rights with respect to their personal information, such as the right to access, correct, and delete their personal information.

In this article, we provide a deep overview of the key provisions of the PIPL, including its scope, requirements for data controllers, and penalties for non-compliance.

We will also discuss the implications of the PIPL for businesses operating in China, and for international organizations with operations or customers in China.

Key provisions of Chinese PIPL

The Personal Information Protection Law of China contains several key provisions that regulate the collection, use, and storage of personal information by organizations operating within China. These provisions include:

  • Scope of the law: The PIPL applies to all organizations that collect, use, or store personal information within China, regardless of whether they are based in China or not. The law applies to personal information in both electronic and paper form, and covers a wide range of information, including but not limited to names, ID numbers, addresses, biometric data, and credit information.
  • Data controller responsibilities: The PIPL requires data controllers (organizations that collect, use, or store personal information) to obtain explicit consent from individuals before collecting, using, or storing their personal information. Data controllers are also required to implement appropriate security measures to protect personal information and prevent data breaches.
  • Data Subject Rights: The PIPL grants individuals certain rights with respect to their personal information. These include the right to access, correct, and delete their personal information. Individuals also have the right to file a complaint with the relevant authorities if they believe their rights have been violated.
  • Penalties for non-compliance: The PIPL includes penalties for organizations that violate its provisions. These penalties can range from fines to suspension of business operations. Organizations that intentionally or negligently cause damage to individuals as a result of non-compliance with the PIPL may also be held liable.
  • Cross-border data transfer: The PIPL also regulates cross-border data transfer and requires organizations to comply with additional requirements when transferring personal information out of China. Organizations are also required to appoint a data protection officer (DPO) who is responsible for ensuring compliance with the PIPL.

Overall, the PIPL establishes a strict regulatory framework for organizations handling personal information within China and has significant implications for businesses operating in the country. Companies must understand and comply with the PIPL to avoid penalties and protect the personal information of Chinese citizens and residents.

Scope of the Personal Information Protection Law

The scope of the Personal Information Protection Law is broad and applies to all organizations that collect, use, or store personal information within China, regardless of whether they are based in China or not. The law applies to personal information in both electronic and paper form, and covers a wide range of information, including but not limited to:

  • Names: The PIPL applies to any information that can be used to identify an individual, including their name, address, telephone number, email address, and other contact information.
  • ID numbers: The PIPL applies to any information that can be used to verify an individual’s identity, including ID numbers, passport numbers, and driver’s license numbers.
  • Biometric data: The PIPL applies to any information that can be used to identify an individual based on their physical characteristics, such as fingerprints, facial recognition data, and DNA information.
  • Financial information: The PIPL applies to any information that can be used to assess an individual’s creditworthiness or financial status, such as credit card numbers, bank account numbers, and salary information.
  • Health information: The PIPL applies to any information related to an individual’s physical or mental health, including medical records, medication prescriptions, and health insurance information.
  • Location data: The PIPL applies to any information that can be used to determine an individual’s location, such as GPS data, IP addresses, and Wi-Fi access point information.

The law also covers personal information of legal entities, including company registration number, tax number, company’s contact information, etc.

In summary, the PIPL applies to a wide range of personal information and organizations must take appropriate measures to protect personal information of individuals and legal entities in compliance with the law.

Requirements for data controllers

The PIPL includes several requirements for data controllers, which are organizations that collect, use, or store personal information within China. These requirements include:

  • Obtaining explicit consent: Data controllers are required to obtain explicit consent from individuals before collecting, using, or storing their personal information. This consent must be given freely, and must be specific, informed, and unambiguous. Data controllers must also inform individuals of the purpose of collecting, using or storing their personal information, the types of personal information that will be collected, the retention period, and the data subjects’ rights, such as the right to access, correct and delete their personal information.
  • Implementing appropriate security measures: Data controllers are required to implement appropriate security measures to protect personal information and prevent data breaches. These measures may include technical measures, such as encryption and firewalls, as well as organizational measures, such as staff training and incident response plans.
  • Appointing a Data Protection Officer (DPO): Data controllers are required to appoint a Data Protection Officer (DPO) who is responsible for ensuring compliance with the PIPL. The DPO must be an individual with the necessary expertise and authority to carry out their responsibilities and must be able to communicate effectively with the relevant authorities.
  • Providing notice of data breaches: Data controllers are required to provide notice of data breaches to the relevant authorities within 14 days of discovering the breach. This notice must include information on the nature and scope of the breach, the number of individuals affected, and the measures taken to address the breach.
  • Implementing cross-border data transfer measures: Data controllers are required to comply with additional requirements when transferring personal information out of China. This includes obtaining explicit consent from individuals and implementing appropriate security measures to protect the personal information during transfer.
  • Keeping records: Data controllers are required to keep records of personal information collection, use and storage activities, including the records of consent, data protection impact assessments, data security measures, and data breaches.

In conclusion, the PIPL imposes strict requirements on data controllers, including obtaining explicit consent, implementing appropriate security measures, appointing a DPO, providing notice of data breaches, implementing cross-border data transfer measures, and keeping records. Organizations must understand and comply with these requirements to avoid penalties and protect the personal information of Chinese citizens and residents.

Penalties for non-compliance

The Personal Information Protection Law includes penalties for organizations that violate its provisions. These penalties can range from fines to suspension of business operations. The penalties for non-compliance with the PIPL include:

  • Fines: Organizations that violate the PIPL may be subject to fines. The amount of the fine depends on the nature and severity of the violation. For example, failure to obtain explicit consent from individuals before collecting their personal information can result in a fine of up to RMB 1 million (around €136,000).
  • Suspension of business operations: In severe cases, organizations may have their business operations suspended. This can include suspension of specific business activities, such as collecting or using personal information, or suspension of the entire business.
  • Liability for damages: Organizations that intentionally or negligently cause damage to individuals as a result of non-compliance with the PIPL may be held liable for damages. This can include compensation for losses suffered by the individual, as well as damages for emotional distress.
  • Administrative penalties: The PIPL also allows administrative penalties to be imposed on organizations that fail to comply with the law. Administrative penalties can include fines, suspension of business operations, and revocation of business licenses.
  • Reputation damage: Organizations that violate the PIPL can also suffer damage to their reputation. This can occur if the violation becomes public, and can lead to lost business, negative publicity, and loss of trust from customers and other stakeholders.

It’s important to note that the PIPL also grants the authorities the power to impose penalties on the data controllers, processors and on the DPO, if they are found to have violated the law.

In summary, the PIPL includes a range of penalties for non-compliance, including fines, suspension of business operations, liability for damages, administrative penalties, and reputation damage. Organizations operating in China must understand and comply with the PIPL to avoid these penalties and protect the personal information of Chinese citizens and residents.

Implications of the PIPL for companies and organizations

There are several significant implications of the Personal Information Protection Law for businesses operating in China, as well as for international organizations with operations or customers in China. These implications include:

  • Compliance costs: Businesses operating in China will need to invest time and resources to ensure compliance with the PIPL. This can include developing and implementing appropriate data protection policies and procedures, training staff, and appointing a Data Protection Officer (DPO).
  • Risks associated with cross-border data transfer: Businesses operating in China will need to take additional measures to protect personal information when transferring it out of the country. This can include obtaining explicit consent from individuals and implementing appropriate security measures to protect the personal information during transfer.
  • Liability for data breaches: Businesses operating in China will be liable for any data breaches that occur as a result of non-compliance with the PIPL. This can include liability for damages suffered by individuals, as well as penalties imposed by the relevant authorities.
  • Potential reputational damage: Businesses operating in China may suffer damage to their reputation if they are found to have violated the PIPL. This can lead to lost business, negative publicity, and loss of trust from customers and other stakeholders.
  • New opportunities: The PIPL also creates new opportunities for businesses. Companies that can demonstrate compliance with the PIPL may be able to differentiate themselves from competitors and gain a competitive advantage.
  • Impact on international organizations: International organizations with operations or customers in China will also be affected by the PIPL. They will need to comply with the same requirements as Chinese businesses and may need to take additional measures to protect personal information when transferring it out of China.

In summary, the PIPL has significant implications for businesses operating in China, as well as for international organizations with operations or customers in China. These implications include compliance costs, risks associated with cross-border data transfer, liability for data breaches, potential reputational damage, new opportunities and impact on international organizations. It is important for these organizations to understand the implications of the PIPL and take appropriate measures to ensure compliance with the law.

PIPL impact on data privacy and security

The PIPL has a significant impact on data privacy and security for individuals and organizations operating within China. The law aims to protect the personal information of Chinese citizens and residents and establishes strict requirements for organizations that handle personal information. The key impact of PIPL on data privacy and security can be summarized as follows:

  • Greater transparency and control for individuals: The PIPL grants individuals certain rights with respect to their personal information, such as the right to access, correct, and delete their personal information. This gives individuals greater transparency and control over how their personal information is collected, used, and stored.
  • Increased obligations for data controllers: The PIPL imposes strict obligations on data controllers, including obtaining explicit consent from individuals before collecting, using, or storing their personal information, implementing appropriate security measures to protect personal information, and providing notice of data breaches. This will help to ensure that personal information is handled in a secure and responsible manner.
  • Enhanced data security: The PIPL requires organizations to implement appropriate security measures to protect personal information and prevent data breaches. This includes technical measures such as encryption and firewalls, as well as organizational measures such as staff training and incident response plans. This will help to reduce the risk of data breaches and protect personal information from unauthorized access and misuse.
  • Stricter cross-border data transfer requirements: The PIPL regulates cross-border data transfer and requires organizations to comply with additional requirements when transferring personal information out of China. This includes obtaining explicit consent from individuals and implementing appropriate security measures to protect the personal information during transfer. This will help to ensure that personal information is protected even when it is transferred outside China.
  • Greater enforcement and penalties: The PIPL includes penalties for organizations that violate its provisions. These penalties can range from fines to suspension of business operations. Organizations that intentionally or negligently cause damage to individuals as a result of non-compliance with the PIPL may also be held liable. This will help to ensure that organizations take the PIPL seriously and take appropriate measures to protect personal information.

As we see, the PIPL has a significant impact on data privacy and security for individuals and organizations operating within China. The law aims to protect personal information of Chinese citizens and residents, through stricter requirements for data controllers, enhanced data security, stricter cross-border data transfer requirements and greater enforcement and penalties. This will help to ensure that personal information is handled in a secure and responsible manner and that organizations take appropriate measures to protect personal information.

Summary

In conclusion, the Personal Information Protection Law of China is a comprehensive data privacy law that regulates the collection, use, and storage of personal information by organizations operating within China. The PIPL has significant implications for businesses operating in China, as well as for international organizations with operations or customers in China. Compliance with the PIPL requires organizations to invest time and resources to ensure compliance with the law, which includes obtaining explicit consent from individuals, implementing appropriate security measures, appointing a Data Protection Officer, providing notice of data breaches, implementing cross-border data transfer measures, and keeping records.

It is important for organizations to understand the PIPL and take appropriate measures to ensure compliance with the law. In order to achieve this, organizations can consult with experts in Media Scope Group who can provide guidance on how to comply with the PIPL and assist with the implementation of data protection policies and procedures.

Our experts are familiar with the latest developments in data protection laws and regulations and can provide tailored advice to help organizations navigate the complexities of the PIPL. By consulting with Media Scope Group experts, organizations can ensure compliance with the PIPL and protect the personal information of Chinese citizens and residents.

Contact us today to learn more about how we can help your business stay compliant and protect personal information.

Are you interested to learn how data protection works in the European Union? If so, check out our article about the General Data Protection Regulation (GDPR).

You can also check our overview of advertising laws and consumer protection in China or learn what is ICP license, why it is necessary to obtain it to legally operate websites within China and how to obtain it.


You can find more Dawid Wiktor’s speeches and writings on his Executive Profile.

This work by Dawid Wiktor is licensed under Creative Commons Attribution-ShareAlike 4.0 International.