PIPL Fines: What Non-Compliance Can Cost You
The Personal Information Protection Law (PIPL) went into effect on November 1, 2021, and regulates many businesses that operate in or with China.
With this, PIPL established fines for anyone found to be non-compliant. These PIPL fines can be devastating to any business hit by them.
You’ll want to know how you can successfully comply with all standards set in place by the PIPL to avoid these harsh fines.
This article will cover who must follow the PIPL’s regulations, the fines for non-compliance, and tips for your business to avoid these severe consequences and remain compliant.
Let’s dive in.
- The PIPL applies to any business that processes data of anybody in China. The regulation applies to you even if your business is not located in China.
- The PIPL has a maximum fine of 50 million yuan (~$7 million dollars) or 5% of a business’s annual revenue. Specific individuals can also face fines and penalties that vary depending on the severity of the violation.
- Your business can avoid these hefty fines by understanding the PIPL, obtaining explicit consent from consumers, implementing appropriate security measures, and enlisting the help of Captain Compliance.
Who Does China’s PIPL Apply to?
The Personal Information Protection Law (PIPL) applies to all businesses that process data of Chinese residents (this includes Chinese citizens and anyone else who resides in China). Your business is required to follow the PIPL if you have any clients or consumers in China.
Even if your business is located outside China, you are still subject to the PIPL’s regulations. The criteria for being required to follow the PIPL are as follows:
- Your business is processing personal information from anybody in China
- You are selling a good or service to Chinese consumers
- You collect the personal information of Chinese citizens and track their behavior
The PIPL defines personal information as any information that corresponds to a consumer's identity in China. With such broad definitions and scope, the PIPL compliance framework regulates many businesses that have a Chinese consumer base.
PIPL Fines for Non-Compliance
The PIPL hands down severe fines for businesses that do not comply with its regulations. First offenses often result in a warning and a strict order for a business to change its policies and align with the PIPL’s requirements.
After receiving a warning, if a business still does not comply with the PIPL, the personal information protection authorities will charge businesses fines of varying degrees.
A business can face a fine of up to 1 million yuan ($150,000) for minor violations; in some cases, specific individuals in charge will be fined.
The PIPL charges individuals responsible (often the data protection officer) are typically subject to fines between 10,000 to 100,000 yuan ($1,500-$15,000) for minor violations.
In more severe cases, businesses can be fined up to 50 million yuan (~$7 million) or up to 5% of their previous year’s revenue. The person in charge can also face up to 1 million yuan for the most severe cases.
Other Consequences of Non-Compliance with PIPL
The consequences for businesses that don’t comply with the PIPL are not limited to harsh fines. There are several possibilities of suffering reputational and legal damage as well. Here are the other potential consequences of non-compliance with the PIPL.
Low Social Credit Score
In addition to fines, a business may suffer another significant blow for not complying with the PIPL, which is a hit to its social credit score. For a Chinese business, a low social credit score offers several consequences itself.
A business with a low social credit score will have difficulty purchasing or renting property, continuing regular operations, and utilizing any credit or loans.
For many businesses, this effectively means that they most likely will not be able to continue.
Criminal and Civil Cases
A PIPL violation can also land a business in court, facing criminal and civil penalties. In civil cases, the burden of proof falls on the business. This means a business must instead prove its compliance or efforts to comply with the PIPL to avoid liabilities instead of proving that it did not violate the PIPL.
It’s worth noting that in civil cases, there is no limit to the liabilities that a business will face. They would be fined as much as the court deems necessary for their violation.
In severe violations of the PIPL, businesses may face complete suspension of all activities. The suspension may be direct or result from revoking licenses and permits. These suspensions will often cause significant and permanent damage to a business.
Disciplinary Action and Potential Imprisonment
Another potential consequence applies to individuals responsible for not complying with the PIPL. Executives, leaders, or data protection officers responsible for non-compliance can face fines of up to 1 million yuan (~$150,000) and up to seven years in prison.
Example of Recent PIPL Violation
One very well-documented example of a PIPL violation in recent times is the case of the ridesharing app Didi. Didi was suspected of collecting excessive amounts of data from consumers’ phones, such as contact information, location data, and photos.
The Cyberspace Administration of China (CAC) issued Didi a warning previously. However, after Didi did not adjust their practices, they violated the PIPL, CSL, and DSL data protection standards.
In August of 2022, the CAC fined Didi a total of 8 Billion Yuan or around $1.18 billion, as there were 64.7 billion pieces of information illegally processed with warnings before.
This amount is around 4.4% of the previous year’s revenues, as it did $24.87 billion in revenue for 2021.
The chairman and president at Didi were also fined 1 million Yuan or $137,000 each - the maximum fine.
While this is one of the most prominent examples of PIPL fines to date, many other smaller-scale violations happen regularly. Your business may not even realize it violates the PIPL.
To avoid fines for your business, you can outsource the help of our team of compliance professionals at Captain Compliance. We offer a full suite of compliance services and compliance solutions to ensure your business remains compliant with the PIPL and all other relevant data protection frameworks.
Tips to Avoid PIPL Fines
The PIPL has a wide range of controls, strictly regulating data processing for businesses worldwide. It can be challenging to manage all the requirements outlined in its framework and avoid the penalties for failing to do so. To help you, we have compiled a list of the best tips to ensure your business avoids hefty PIPL fines.
The first tip is the most fundamental but also the most essential. To ensure your business complies with the PIPL and all its personal data regulations, you must thoroughly research and understand the PIPL.
Your business can only create effective policies and changes when you know the exact requirements outlined in the PIPL.
Obtain Explicit, Informed Consent
Your business should always practice obtaining explicit, informed consent from consumers before collecting their data to avoid suspicious or shady data processing accusations. Not only will your business avoid the hefty fines for illegal, nonconsensual personal information processing, but you’ll foster consumer trust.
Minimize Data Collection
Since the PIPL covers so many consumers and their personal data, your business may get in trouble for data you collect unnecessarily. Your business should limit the personal information you collect and store from Chinese citizens and residents to decrease the chances of non-compliance.
Implement Security and Response Measures
Part of the PIPL dictates that businesses must have sufficient data security and breach response measures. Your business can seek help from a data protection compliance service to create response procedures that meet the requirements of the PIPL.
Respect Data Subject Rights
Similar to the GDPR and CCPA, the PIPL grants consumers specific data subject rights over their personal information. Your business should prioritize providing these rights to data subjects when requested without issues or complicated processes to avoid violating the PIPL.
Appoint a DPO & Chinese Representative
A DPO is a privacy law expert who can assist your business in creating effective compliance training programs and conducting regular security assessments to ensure continued compliance, among other things.
The Chinese Representative should be someone who can act as a local resource and contact for Chinese authorities in case of inquiries or investigations.
Enlist the Help of a Compliance Expert
The final tip is to enlist the help of compliance experts like Captain Compliance. Compliance professionals will use their knowledge to ensure your business meets all personal data regulations.
Our team of experts at Captain Compliance offers a wide range of services and can help your business create a compliance plan. We can equip your business with the best compliance solutions to stay informed of PIPL regulations and data security requirements.
The PIPL is one of the world's most extensive data protection regulations. Businesses all over the world process data of consumers in China and are subject to the long list of PIPL requirements.
To successfully navigate these requirements and avoid the significant fines the PIPL imposes for non-compliant businesses, you can enlist the help of Captain Compliance.
Our team of compliance superheroes will use our years of experience to ensure your business remains compliant with all aspects of the PIPL. We offer a full suite of PIPL compliance services to secure every part of your business so you don’t have to. Get in touch today!
What is the Maximum Fine For PIPL?
The maximum fine for PIPL is 50 million yuan (~$7 million dollars), or 5% of the business’s total revenue of the previous fiscal year.
How Much Did Didi Get Fined For PIPL?
The ridesharing business DiDi was fined 8 billion yuan or $1.2 billion dollars for their major PIPL violation.
What Are Examples of PIPL?
Examples of PIPL regulations include required regular security assessments, data subject rights, explicit consent for all data collection, and minimal acceptable response times for breaches.
What is the Main Rule of the PIPL?
The PIPL states that businesses must have a lawful basis to process data of any Chinese resident or citizen.