Guest Author: Jasmine Zhao, a student at Loyola Law School.

On August 20, 2021, the Personal Information Protection Law (PIPL), regarded as China’s GDPR, was signed into law, and will become effective on November 1, 2021. The PIPL supplements China’s Cybersecurity Law and the Data Security Law, expanding China’s legal framework for the protection and regulation of data security and personal information. The PIPL has an extraterritorial scope, imposing broad disclosure, consent, and cross-border transfer obligations on organizations that provide products or services to or analyze activities of people within China.

Notable requirements of the PIPL include:

  • Separate Consent Scenarios. The PIPL requires companies to obtain individuals’ separate consent for processing in several scenarios, including (i) when sharing information with third parties, (ii) processing sensitive personal information, and (iii) transferring data outside of China.
  • Expanded Lawful Bases for Processing. Similar to the GDPR, the PIPL requires a lawful basis for processing personal information. Unlike the GDPR, the PIPL does not provide a company’s “legitimate interest” as a lawful basis, but it does include a lawful basis for HR management purposes.
  • Data Subject Rights. The PIPL grants data subjects the rights to: (i) know and data portability, (ii) correct, (iii) delete, (iv) rescind consent, and (v) refuse automated decision making.
  • Strict Cross-Border Transfer Obligations. The PIPL imposes more stringent data transfer requirements than other data protections laws, such as the GDPR. For instance, the PIPL requires verifying data transfers outside of China are “necessary,” obtaining specific consent prior to a data transfer, and, under certain circumstances, storing data on servers in China.
  • Heightened Scrutiny for Big Tech Companies. The PIPL requires critical internet platform providers with a large number of users and a complex business model to comply with additional protection and reporting requirements.
  • Private Right of Action. Under the PIPL, individuals have a private right of action to be compensated for harm suffered from a controller’s processing of personal information. The PIPL places the burden on controllers to prove they are not at fault.

Violators of the PIPL may face severe penalties with fines of up to 50 million Yuan or 5% of annual global revenue. The PIPL also authorizes the government to blacklist violators— restricting or prohibiting entities from receiving personal information from persons in China if it determines the entity infringes the interests of Chinese citizens or harms the public interest of China.

If your company does business in China, we encourage you to seek legal advice to ensure compliance. Given the PIPL’s heightened consent and cross-border transfer requirements, reliance on a GDPR privacy and data security program will be insufficient. A comprehensive review of your business practices in collecting, using, and sharing personal data, as measured against the PIPL requirements, is critical in avoiding legal pitfalls and enforcement actions.