The first draft of the PDPL was unveiled in October 2020. Resembling the GDPR, it built on China’s Cybersecurity Law with a focus on offshore data privacy and protection rules and regulations. The draft contains various data protection principles, stressing transparency, fairness, purpose limitation, data minimization, limited retention, data accuracy, and accountability.
Although China already had two laws in place with regard to data protection—the Cybersecurity Law and the Data Protection Law—in November 2021 the country passed the Personal Information Protection Law (PIPL), designed to regulate online data and protect personal information. PIPL draws inspiration from the European Union’s General Data Protection Regulation (GDPR) and is enforced and administered by the Cyberspace Administration of China together with the relevant state and local government departments. The framework consists of 8 chapters and more than 70 articles. It levies heavy penalties of either $7.7 million or 5% of the previous year’s global profit. The legislation applies to all types of business activities relating to data—from collection, storage, management and usage to provision, transmission, disclosure, and deletion. All organizations outside the country that provide services and products in China, or organizations and individuals that analyze consumer behavior in the country, must abide by PIPL.
Personal information is broadly defined to include “any information (such as video, voice, or image data) relating to any identified or identifiable natural person, notwithstanding whether it is in an electronic form or any other form, exclusive of any anonymized information.”
Sensitive personal information includes “personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14.”
Personal data must be collected by lawful and fair means. Data subjects must be notified of the purpose of data collection and of the classes of persons to whom the data will be transferred. Only the data necessary for that purpose may be collected.
Steps should be taken to ensure the personal data is accurate and isn’t stored for longer than necessary.
The data must only be used for the purpose it is collected unless explicit and voluntary consent is given by data subjects.
Data users must take steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use.
Data users must take the necessary measures to make their personal data policies and practices publicly known, covering the data they hold and how they intend to use it, and must adhere to those policies.
Data subjects must be given access to their personal data and must be allowed to make corrections whenever they think that data is inaccurate.
An individual’s consent to process their personal information is required when:
Article 13 of PIPL allows the following exceptions, allowing personal information to be processed without the individual’s consent when it is: