On 20 August 2021, the thirtieth meeting of the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China passed the long-awaited Personal Information Protection Law (PIPL), which will come into force on 1 November 2021.
In this alert, the first in a series which we at Reed Smith will be producing, we provide a brief introduction to the key rules in the PIPL, focusing on the requirements that multinational companies with operations in China need to be aware of.
In our subsequent alerts, we will also address the particular challenges that companies across different sectors (such as TMT, health care, automotive, and financial services) may face in the context of the PIPL.
What is the PIPL?
The PIPL is China’s first dedicated and comprehensive law that sets forth detailed rules with respect to data privacy and the protection of personal information in China. The PIPL complements and further enhances the general principles set out in China’s Cybersecurity Law (see our earlier alert on the Cybersecurity Law). Prior to the promulgation of the PIPL, the rules on the protection of personal information in China were somewhat patchy, and liabilities for non-compliance were unclear.
The PIPL comprises 74 articles over eight chapters. Those of us who are familiar with the GDPR may notice that many provisions in the PIPL mirror those in the GDPR, although there are still some minor differences. In contrast, the PIPL adopts an overall more stringent standard than the California Consumer Protection Act (CCPA) in the United States.
Who and what activities are covered by the PIPL?
All activities relating to handling the personal information of natural persons within China are subject to the PIPL. An exception to this would be where an individual processes any personal information that relates to their personal or family affairs. In addition, the PIPL has extraterritorial effect and applies to foreign companies or offshore processing activities outside of China in any of the following circumstances set forth in article 3 of the PIPL:
- for the purpose of providing products or services to natural persons within China;
- to analyse and assess the conduct of natural persons within China; or
- in any other situation provided for by law or administrative regulations.
‘Personal information’ is defined as any type of information that is recorded electronically or by other means and identifies or can identify natural persons, but excludes anonymised information (information that cannot be used to identify a specific natural person and cannot be restored after being so anonymised).