PIPL China

What is PIPL of China?

The Personal Information Protection Law (PIPL) is a comprehensive regulation governing organizations’ processing of personal information in China. It aims to safeguard individuals’ data privacy rights and promote responsible handling of personal data. It mandates transparency, consent, and accountability in data processing practices and imposes strict requirements on organizations to ensure the lawful and secure processing of personal information.

Overview of PIPL

  • Law: Personal Information Protection Law
  • Region: China
  • Signed into Law: 01-11-2021
  • Industry: All industries that do business in China

Personal Data Under The PIPL

The PIPL broadly defines “personal information” as any data that can identify a person. This encompasses many data points, including names, phone numbers, email addresses, medical information, financial information, location data, and browsing history.

Data Protection Principles

The PIPL adheres to several core data protection principles, including:

  • Accuracy: Personal information must be accurate and up-to-date.
  • Accountability: Organizations are accountable for ensuring compliance with the PIPL.
  • Purpose Limitation: Personal information must be collected for specific, legitimate purposes and used only for those purposes.
  • Data Minimization: Organizations should collect and process only the minimum personal information necessary for the stated purposes.
  • Transparency: Organizations must maintain transparency regarding their data collection methods and secure informed consent from individuals.
  • Security: Organizations must implement appropriate technical and organizational measures to protect personal information from unauthorized access, disclosure, alteration, or destruction.

Rights Under PIPL of China

Under the act, individuals possess several rights concerning their data. These include the right to be informed about the usage of their data, access to their data for review and correction, the ability to request the deletion of their data, and the right to revoke consent for data processing.

Who Needs to Comply?

The Personal Information Protection Law (PIPL) has a broad reach and applies to any organization that fulfills at least one of these criteria:

  • Location of Organization: Organizations located in China that process the personal information of individuals in China must comply with the PIPL. This applies to all businesses, regardless of size or industry.
  • Location of Individuals: Even foreign companies operating outside China must comply with the PIPL if they process the personal information of individuals in China. This includes companies offering goods or services to individuals in China, even if their servers are located elsewhere.

Noncompliance Fines

The PIPL imposes hefty fines for non-compliance. Here’s a breakdown:

  • Organizations: Fines can reach up to RMB 50 million (approximately USD 7.8 million) or 5% of the organization’s annual revenue from the prior year, whichever is higher.
  • Individuals: Responsible individuals within non-compliant organizations can face fines ranging from RMB 100,000 (approximately USD 15,600) to RMB 1 million (approximately USD 156,000).

Compliance Authority for PIPL of China

The Cyberspace Administration of China (CAC) is the primary regulatory authority overseeing compliance with PIPL. It can conduct investigations, impose penalties, and supervise organizations’ implementation of data protection measures.

In conclusion, China’s Personal Information Protection Law (PIPL) sets stringent regulations to safeguard individuals’ data and holds organizations accountable for their data processing practices. To comply with PIPL, organizations must implement robust data protection measures, obtain consent, and prioritize individuals’ privacy and data security rights.

FAQ

Does PIPL regulate cross-border data transfers?

Yes, PIPL imposes strict regulations on cross-border data transfers, requiring organizations to obtain consent and undergo security assessments before transferring personal information outside China.

Are there any exemptions for small businesses under PIPL?

No, PIPL does not provide specific exemptions for small businesses. Regardless of size, all organizations must comply with its provisions regarding processing personal information.

Does PIPL apply to non-digital forms of personal data?

Yes, PIPL applies to all forms of personal data, whether processed electronically or in non-digital formats, as long as it pertains to individuals within China’s jurisdiction.
