China’s Personal Information Protection Law (PIPL) is a comprehensive data protection legislation that was passed by the Standing Committee of the National People’s Congress on August 20, 2021, and is set to take effect on November 1, 2021. The law seeks to protect the privacy rights of individuals and regulate the collection, use, storage, transmission, and processing of personal information by entities in China.

Here are some of the key provisions of the PIPL:

Definition of Personal Information: The PIPL defines personal information broadly as any information that can be used to identify an individual, including name, date of birth, ID number, biometric data, and online identifiers.

Consent Requirements: Entities that collect personal information must obtain consent from the individual and clearly inform them of the purpose, method, and scope of the data collection.

Cross-border Data Transfer: The law imposes restrictions on cross-border transfer of personal data, requiring entities to conduct a security assessment before transferring data outside of China.

Rights of Individuals: The law grants individuals the right to access, correct, delete, and withdraw consent for the use of their personal information.

Data Protection Officers: Entities that process large amounts of personal information are required to appoint a dedicated data protection officer.

Enforcement: The law establishes fines and penalties for violations, including up to 50 million yuan (approximately $7.7 million USD) or 5% of the previous year’s revenue, whichever is higher.

Overall, the PIPL places significant obligations on entities that collect and process personal information and aims to strengthen the protection of individuals’ privacy rights in China.

China’s Personal Information Protection Law (PIPL) and the European Union’s General Data Protection Regulation (GDPR) have some similarities and differences.

Similarities:

Both laws are designed to protect the privacy rights of individuals and regulate the collection, use, storage, transmission, and processing of personal information.

Both laws require entities to obtain the individual’s consent for the collection and use of personal information.

Both laws provide individuals with the right to access, correct, delete, and withdraw consent for the use of their personal information.

Both laws impose restrictions on cross-border transfer of personal data.

Differences:

Territorial Scope: The GDPR applies to all entities processing personal data within the EU and entities outside the EU if they offer goods or services to EU residents. In contrast, the PIPL applies to entities that process personal data within China.

Legal Basis: The GDPR requires entities to have a lawful basis for the processing of personal data, while the PIPL only requires entities to obtain the individual’s consent.

Data Protection Officers: The GDPR requires certain entities to appoint a data protection officer, while the PIPL requires entities that process large amounts of personal information to appoint a dedicated data protection officer.

Enforcement: The GDPR imposes fines of up to €20 million or 4% of the entity’s global revenue, whichever is higher. In contrast, the PIPL imposes fines of up to 50 million yuan or 5% of the entity’s previous year’s revenue, whichever is higher.

Overall, while the PIPL and GDPR have some similarities, there are also significant differences in their scope, legal basis, and enforcement mechanisms.

Click here to read more about China’s Personal Information Protection Law