What is PIPL China? (The Only Guide You Need)
Ever puzzled over what PIPL China is and how it's reshaping the digital landscape? Fasten your seat belt for a journey through one of China's most intriguing laws.
This guide will provide an in-depth overview of China’s PIPL law. It will also cover the principles that the law provides for Chinese citizens and explain the penalties of what could happen if those principles are broken.
Let's dive in on China’s Personal Information Protection Law abbreviated to PIPL.
- PIPL was made to help give Chinese consumers personal data protection, ushering in an era of stricter rules and implications for companies dealing with consumer information. This development also signifies a shift towards empowering individuals by ensuring their digital privacy.
- PIPL took effect on November 1st, 2021, and provides several principles businesses must follow, like the right to be informed and the right to delete.
- Failure to follow guidelines can result in massive fines or a potential ban from participating in China’s economy.
What is PIPL China?
PIPL is a collection of articles made to improve China’s Personal Information Protection Law. This law was enacted to protect individuals' personal data information from being collected and misused by businesses.
Before this law was implemented, there were fewer restrictions on how a business could collect and use personal data. Businesses did not have to consent to their subjects (customers/employees, etc.) and were free to collect personal information for their own purposes.
Without this data protection law, businesses would misuse customer data without penalties. Website information, such as location, health, political affiliation, and browsing habits, could be passed around for commercial or potentially life-threatening scenarios.
With the PIPL implemented, China’s mainland residents are better protected from predatory business practices. Customers must now consent before businesses take data, and businesses must follow the PIPL compliance framework that offers several data subject rights.
China’s PIPL gives individuals their right to better privacy and data security. If a business’s breaches or fails to comply with the data protection law, it will face harsh fines and penalties that could put it on a blacklist or even shut down.
When Did China’s PIPL Take Effect?
China’s PIPL was first introduced on October 13, 2020. The first draft was created and submitted to the National People’s Congress. The article would later be published and opened for public opinion on October 20, 2020.
The PIPL later was enacted on August 20, 2021. There was a short grace period to give businesses enough time to comply.
The PIPL later became effective on November 1, 2021. With it in effect, businesses must now tread carefully with all the customer’s data. Businesses can protect customer data by using compliance services.
China’s PIPL Territorial Scope
The Personal Information Protection Law (PIPL) in China has a broad territorial scope, like the GDPR. It applies to all organizations and individuals that process the personal data of individuals located in mainland China, regardless of whether they themselves are situated within or outside of Chinese territory.
This means international businesses conducting operations or offering products or services to consumers based out of Mainland China will be governed by PIPL's regulations.
This applies even when these entities don't have any explicit physical presence within the country but hold, process, or sell Chinese consumer data.
Exemptions from the PIPL
The Personal Information Protection Law (PIPL) in China does not apply to certain situations including:
Anonymized data refers to information that has been stripped of any identifiers or details, ensuring it cannot be associated with a specific individual.
This method is typically used in research and statistical studies where personal identification isn't necessary, but the general trends are essential for analysis purposes. Anonymization safeguards users’ privacy by making it nearly impossible to trace back and identify these individuals from the collected data.
Some activities, such as national security activities and law enforcement activities, are not protected under China’s PIPL.
A natural person is exempt from this law if they are handling personal information for their own use or family affairs.
This simply means that individuals do not need to follow data privacy rules when using private details like contact numbers or addresses of friends and family members on an individual basis. However, spreading such data without consent falls outside these exemptions.
Rights of Chinese Citizens Under PIPL
The PIPL guarantees every Chinese resident data protection rights, and businesses must ensure consumers have these rights for corporate compliance. These subject access rights are made to ensure that the Chinese people can have access to and control over their personal data when having accounts with businesses.
Right to be Informed
- The identity and contact details of the data handler.
- The purposes and methods of the handling.
- The type of personal information to be handled and the storage period.
- The methods and procedures for data subjects to exercise their rights.
- Other information that is required to be informed by laws and regulations.
- Any new changes that occurred at a later time.
Right to Restrict and Refuse Data Handling
Article 44 of the PIPL states that all Chinese data subjects have the right to allow or not allow handling of how their personal data is being processed. They have the right to restrict data and refuse certain activities they can participate in with their personal data unless otherwise stated by law.
Right of Access and Request a Copy of Personal Information
Articles 45 gives Chinese data subjects the right to request copies of personal information provided to any business. They can request updates or corrections to their personal data on file. PIPL will exempt data handlers who work in government or law enforcement sectors from this protection.
Right to Rectify and Supplement
Article 46 Of the PIPL gives data subjects the right to reach out to data handers and make immediate corrections or edits to personal information in a timely manner.
Right to Delete
Article 47 of the PIPL gives all data subjects the right to request the deletion of personal information only if the data handler fails to do the following:
- Data handling has been achieved or has failed to be achieved, or it is no longer necessary for achieving the purposes.
- Data handlers have ceased to provide the products or services, or the agreed storage period has expired.
- Data subjects have withdrawn their consent.
- Data handlers have violated applicable laws or regulations or any agreement relating to handling personal information.
- Any situations regarding government or law regulations.
Right of Portability
Article 45 grants the ability to request that data subjects transfer their personal information to another data handler of tier choice as long as it satisfies certain conditions by the Cyberspace Administration of China (CAC). Currently, the exercise of this right is still unclear and is still in development for clarity.
Right to Automated Decisions
Article 24 gives all data subjects the right to question automated decisions handled by data handlers. Data handlers must provide explanations of automated decisions, and the data subjects have the right to allow or refuse such use of their personal data.
Right of the Deceased
Article 49 states that close relatives of a deceased data subject may be allowed to access, copy, rectify, or delete the deceased's personal data. This can be exempt if the deceased person has set up an arrangement before the deceased person’s death that states that it is prohibited for close relatives to access the data.
Principles Under PIPL China
The PIPL provides basic principles on what it hopes to achieve and expect from its personal information protection laws. Below are the six principles that the PIPL establishes:
Lawfulness, Fairness, Necessity, and Good Faith
Article 5 of the PIPL states that all personal data for its citizens must be handled legally and meet regulations. Every subject has the right of fairness and transparency between them and the data handlers.
Personal data should only be collected to achieve fair and legitimate purposes of the business establishment and only collect what is deemed absolutely necessary. Both data subjects and businesses must also act in good faith between each other and have no illegal intentions when both parties work together.
Purpose Limitation and Data Minimization
Article 6 states that businesses should refrain from collecting unnecessary personal data. Only gather what is necessary. Minimization must be practiced to reduce the overall scope of the amount of data needed from subjects for data security purposes.
Openness and Transparency
Article 14 states that all data handlers must be open to disclosing the purpose of collecting data from data subjects and elaborate on what it will be intended for.
Data handlers must be transparent and use clear and concise language to explain the purpose of processing sensitive personal information. They should also provide notices of any changes in terms of services and how the personal information processors will use the data with the new policies.
Accuracy and Completeness
Article 8 states that all data collected should be accurate, and businesses should take extra procedures to verify the accuracy of the data. All data should also be relevant to the intended purpose of collection and should collect only what is needed to complete the purpose.
Security and Accountability
Article 9 emphasizes the principle of data security and how businesses must implement security measures to prevent personal data breaches. If a breach occurs, the business should disclose the details of the breach to all data subjects with a solution for what to do next.
Businesses should also be accountable for following all data protection laws and regulations. This involves following data protection compliance rules established by the PIPL.
Limited Data Retention
Article 19 states that business should be limited to how long the subject's data should be kept. After a set amount of time or after it is used to achieve its purpose, it should be removed to reduce the risk of the subject getting their personal data breached.
Guidelines to Comply with PIPL China
In order for a business to avoid penalties, it must follow the guidelines that are established by the PIPL as follows:
Ensure Valid Consent
Obtain clear and unambiguous consent from data subjects for the processing of their personal information except where provided by laws or administrative regulations.
The individual should be aware that they have given consent and what exactly they are consenting to.
Ensure Minor Valid Consent
Collecting data from a minor below the age of 14 requires the consent of its parents. Even if the child agrees to consent, it is against the PIPL guidelines to accept it as valid because the data subject is too young to understand the full extent of the business purposes of their data.
International Data Transfer Rules
Businesses must not be allowed to transfer data outside of China without informed consent from data subjects and a completed security assessment. The business must pass one of three requirements:
- Successfully completed a security assessment conducted by the CAC.
- Obtain certification from a CAC-approved professional institution
- Enter into data transfer agreements with all overseas data recipients consistent with the template agreement issued by the CAC.
Manage Data Subject Access Requests
Also known as DSARs, all businesses must have established data compliance solutions for their data subject access requests. These include activities such as responding to access required by the data subject, verifying the subject’s identity, and responding to questions and concerns that the data subject has in a timely manner.
Appoint a DPO
The PIPL requires that all businesses that process a large scale of data to appoint a Data Protection Officer (DPO) to oversee data processing activities. Part of the DPO's duty is to ensure that data handlers follow the data subjects' compliance plans.
Penalties for Non-Compliance with China’s PIPL
Businesses that fail to follow the guidelines and principles of the PIPL will face harsh consequences that can vary depending on the scale of the offense.
The fine for breaking the PIPL compliance is 50 million yuan ($7.8 million). In some cases, the government will apply a 5% annual turnover tax that must be paid. The business will also have a lower social credit score if it is in China, harming its reputation and ability to receive government benefits.
If compliance is broken when handling data overseas, it could result in being put on a blacklist that would ban the handling of all data subjects in China. That could result in a business closure or even potential criminal charges if it were related to national security.
The PIPL is a major law in China that regulates the collection and processing of Chinese consumer data. And non-compliance with the PIPL has not ended well for businesses.
So, if you want to avoid PIPL penalties, Captain Compliance has you covered. We have experts who know all about data protection laws.
We can ensure that your business has all the required data protection measures in place, as per PIPL requirements. So don’t hesitate to contact us or check out our website for more information!
What are the requirements for handling employee personal data under the PIPL?
Employee personal data must only be collected and processed for employment-related purposes. Businesses must also give full disclosure for the reason of collecting employee data, and the employee must give consent.
How can consumers exercise their rights under the PIPL?
Consumers can exercise their rights under the PIPL by submitting requests to companies for access to personal information, rectification or deletion of personal data, and opting out of automated decision-making. They also have the right to lodge complaints with authorities if they believe their rights are being violated.
How is consent obtained under the PIPL?
Consent can be given through several different methods. It could be verbally exchanged, ticking an accept box, or signing an agreement. Valid consent must be transparent and directly communicated to be compliant.
Does the PIPL affect marketing and advertising practices?
Yes, all business practices have to follow the guidelines of the PIPL. That means they must fully disclose that personal data will be used for marketing purposes. Data subjects should have the option to opt in or out and be able to withdraw at any time.