
Preparing Your Business for China's New Personal Information Protection Law (PIPL)

Non-Chinese companies are now subject to China's data protection law, the PIPL. This article covers the fundamental principles of the PIPL and the practical difficulties of achieving compliance. The Sumsuber provides strategies for KYC/AML compliance.


Foreign Businesses Face New Data Protection Obligations Under China's Personal Information Protection Law (PIPL)

Foreign businesses operating in China, or processing from abroad the personal information of individuals located in China, must comply with the requirements of the Personal Information Protection Law (PIPL), which came into effect on November 1st, 2021.

Appointing a Data Protection Officer (DPO)

One of the key requirements is the appointment of a qualified personal information protection officer, the PIPL's equivalent of a DPO, for businesses whose volume of personal information processed in China exceeds the threshold set by the Cyberspace Administration of China (CAC). This is a legal obligation under Article 52, not an option. The officer is responsible for supervising processing activities and the protection measures applied to them, and the officer's contact details must be published and filed with the CAC through its online filing system for personal information protection officers (PIPO), which requires business identity verification and a formal internal designation of the officer.

Explicit Consent

Consent is the most common legal basis for processing under the PIPL, although not the only one (Article 13 also covers, for example, processing necessary to perform a contract or to meet a legal obligation). Where consent is relied on, it must be informed and freely given, and the PIPL requires a separate consent, not bundled into general terms, for handling sensitive personal information, for disclosing data to third parties or to the public, and for cross-border transfers.

Cross-Border Data Transfers

For cross-border data transfers that are not exempt, foreign businesses must follow one of three pathways, with the applicable one determined by the type and volume of data under the CAC's cross-border data flow provisions:

  1. Security assessment led by the CAC — mandatory for "important" data, for critical information infrastructure operators, and for transfers of the non-sensitive personal information of more than 1 million individuals or the sensitive personal information of more than 10,000 individuals in a year.
  2. Certification by an accredited body — available for transfers below the security-assessment thresholds.
  3. Signing the CAC's standard contract with the recipient abroad and filing it with the local CAC office — available for the same tier as certification, namely the non-sensitive personal information of between 100,000 and 1 million individuals, or the sensitive personal information of fewer than 10,000 individuals.

Transfers of the non-sensitive personal information of fewer than 100,000 individuals in a year, and transfers that are necessary to perform a contract with the individual, are exempt from these mechanisms, but the PIPL's other obligations still apply.

Even when using an approved transfer mechanism, Article 39 requires a separate explicit consent from individuals for the cross-border transfer, together with notice of the overseas recipient's name and contact details, the purpose and method of processing, the categories of personal information involved, and how individuals can exercise their rights against the recipient.

Compliance Measures

Foreign businesses processing the personal information of more than 1 million individuals must also commission periodic compliance audits; PIPL Article 54 in any case requires every processor to audit its handling of personal information regularly. Businesses should align their internal compliance, legal, and IT teams so that every reporting responsibility, deadline, and procedure under the PIPL is met, including the obligation under Article 57 to notify the authorities and affected individuals of a data breach.

Extraterritorial Application

It is important to note that the PIPL applies extraterritorially. Under Article 3, processing conducted outside China of the personal information of individuals located in China falls within its scope when the purpose is to provide them with products or services, or to analyse or evaluate their behaviour. Such foreign processors must also designate a representative or establish an entity in China and report its contact details to the authorities.

Penalties for Non-Compliance

Failure to comply with the PIPL may incur heavy penalties: fines of up to RMB 50 million or 5% of the previous year's turnover, confiscation of unlawful gains, suspension of business or revocation of licences, personal fines of up to RMB 1 million on the individuals directly responsible, and criminal liability where the conduct constitutes a crime.

Recommendations

Businesses should develop internal processes and policies for responding to individuals' requests to access, copy, correct, or delete their personal information and to withdraw consent, as these rights are guaranteed under the PIPL. Doing so helps ensure compliance and builds trust with users.

The PIPL affects public and private organisations that handle the personal information of individuals in China for activities including collection, storage, use, transmission, and public disclosure. Foreign businesses, including those without a legal entity in China, are also subject to the PIPL.

  • Appointing a personal information protection officer (the equivalent of a DPO) is a legal obligation under the PIPL for businesses that process large volumes of personal information in China.
  • Foreign businesses must obtain separate explicit consent from individuals before cross-border data transfers, whichever transfer mechanism (security assessment, certification, or standard contract) is used.
