
What PIPL Means for Your Data Management In China 


China’s Personal Information Protection Law (PIPL) came into effect on November 1, 2021 and aims to protect people’s personal information.

Because PIPL is a new area for many businesses in China, this article answers the questions we are asked most often about it.

What is the PIPL Law in Simple Terms?

PIPL requires companies in China to ask for permission before using personal information, sets rules for sending data outside China, and lets people control their information. Companies must protect their data well, or face the consequences.

Compared to other places, China’s PIPL is similar to the European Union’s General Data Protection Regulation (GDPR) because both focus on consent and data protection. However, the United States has yet to have one primary law for this. Instead, it has different laws for specific areas, like healthcare and finance, making China’s and the EU’s approach more comprehensive.


What Must Business Leaders Know About PIPL – 8 Frequently Asked Questions 

1. Can I use personal data collected before PIPL was enacted without obtaining new consent?

Businesses must review the consent obtained before PIPL came into effect to ensure it meets the new law’s requirements. If the previously obtained consent does not align with PIPL’s explicit and informed consent standards, then you will need to obtain consent again under the new guidelines.

2. How does PIPL affect the transfer of employee data within multinational companies?

PIPL imposes restrictions on the cross-border transfer of personal information. For multinational companies, transferring employee data out of China requires meeting specific conditions, such as passing a security assessment, obtaining certification, or entering into a contract with the data recipient based on standard contract clauses provided by the Cyberspace Administration of China. Employee consent for transferring their data overseas is also crucial.

3. Are there any exceptions to PIPL for small businesses or startups?

PIPL applies to all entities handling the personal data of individuals in China, regardless of the business size. There are no specific exemptions for small businesses or startups. However, the law’s requirements apply proportionately based on the volume and sensitivity of the personal data processed, meaning smaller entities with less impactful data processing activities might face less stringent operational adjustments.

4. Can foreign businesses processing data of Chinese citizens from abroad be subject to PIPL?

Yes, PIPL has extraterritorial reach, meaning that foreign companies processing the personal data of individuals in China to offer goods or services or analyze the behavior of individuals within China must comply with PIPL. This includes appointing a representative or setting up a dedicated office in China to handle data protection matters.

5. How does PIPL treat publicly available personal information? Can it be freely used?

While PIPL allows publicly available personal information to be processed, it still imposes limitations. Such processing must be reasonable and stay within a scope that does not conflict with the original purpose for which the information was made public. If the intended use could significantly impact the rights and interests of the data subject, additional consent may be required.

6. Is anonymized data subject to PIPL regulations, and can businesses use it without restrictions?

According to PIPL, anonymized data is information that cannot be used to identify an individual and cannot be restored to its original state. Once personal data is truly anonymized, it falls outside the scope of PIPL, meaning businesses can use anonymized data without adhering to the law’s consent and processing requirements. However, the anonymization process must ensure that the data cannot be reversed or re-identified, which sets a high standard for what constitutes anonymized data under PIPL.

7. What specific obligations do businesses have when processing the personal data of minors under PIPL?

PIPL has special provisions for processing the personal data of minors under the age of 14. Companies must obtain consent from the minor’s parents or legal guardians before collecting, using, or disclosing the minor’s personal information. Additionally, they must establish specific rules for protecting minors’ data and take appropriate measures to safeguard it. This emphasizes the need for businesses to identify and treat the data of minors with heightened care and protection.

8. How does PIPL address data breach notifications?

In the event of a data breach, PIPL mandates that businesses immediately take remedial measures and notify the affected individuals and the relevant regulatory authorities. The notification must include details about the nature of the breach, the potential risks posed by the breach, the measures the business has taken or will take in response, and advice for individuals on mitigating harm. However, if the business can effectively prevent any harm from the breach, it may be exempt from the requirement to notify the affected individuals, subject to regulatory approval. This provision underscores the importance of prompt action and transparency in handling data breaches under PIPL.

How Businesses In China Can Ensure PIPL Compliance

There are two ways businesses in China can ensure PIPL compliance:

  1. Hire a Data Protection Officer (DPO).
  2. Engage an IT services consultant to conduct a cybersecurity and data audit and develop an in-house data compliance plan.

Both options will help your company with these crucial tasks:

Develop a Data Governance Framework: Establish a structured data governance program that includes policies, procedures, and standards for data management. This framework should cover all aspects of PIPL compliance, including data collection, storage, use, transfer, and deletion.

Implement Robust Data Security Measures: Strengthen your IT infrastructure to protect personal data against breaches. Employ encryption, access control, and other security technologies. Regularly update these measures to guard against new vulnerabilities.

Conduct Regular Data Audits: Perform periodic audits to map out all personal data you collect, process, and store. This helps ensure that you only hold data for which you have obtained consent and are using data in compliance with PIPL requirements.

Ensure Consent Compliance: Develop precise consent forms and procedures to obtain explicit consent from individuals before collecting their data. Set up a separate consent mechanism for processing minors’ data that involves their guardians.

Train Your Team: Educate your employees about PIPL and its implications on your operations. Regular training sessions will help build a culture of privacy and ensure that your team understands their responsibilities in protecting personal data.

Prepare for Data Breaches: Create a comprehensive incident response plan detailing steps to take in the event of a data breach. This plan should include measures for containing the breach, assessing its impact, notifying affected parties, and preventing future incidents.

Handle Cross-Border Data Transfers Carefully: If your business transfers data outside China, ensure compliance with PIPL’s cross-border data transfer requirements. This may involve conducting security assessments and obtaining necessary approvals or certifications.

Manage Anonymized Data with Caution: When anonymizing data, use techniques that irreversibly prevent the identification of individuals. Regularly review your anonymization processes to ensure they meet the standards required by PIPL.
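The distinction the article draws, between data that can still be restored to its original state and data that cannot, is easy to get wrong in practice: replacing a name or phone number with a keyed hash looks anonymous but remains reversible by whoever holds the key. The following Python is an added illustration written for this page, not code from the article or from any PIPL guidance. The sample records, field names and the HMAC key are all constructed for the example. It contrasts a pseudonymized dataset (re-linkable by the key holder) with one where direct identifiers are dropped and the remaining quasi-identifiers are generalized, and it checks the result with a simple k-anonymity measure.

```python
"""
Added illustration (not code from the original article): pseudonymised
versus anonymised records, plus a k-anonymity check on the anonymised set.

The records, field names and key below are constructed for this example.
"""
import hmac
import hashlib
from collections import Counter

# Constructed sample data; the people and numbers are fictional.
RECORDS = [
    {"name": "Li Wei",    "phone": "13800000001", "city": "Shanghai", "age": 34, "purchase": "laptop"},
    {"name": "Wang Fang", "phone": "13800000002", "city": "Shanghai", "age": 37, "purchase": "phone"},
    {"name": "Zhang Lei", "phone": "13800000003", "city": "Shanghai", "age": 31, "purchase": "tablet"},
    {"name": "Chen Jing", "phone": "13800000004", "city": "Beijing",  "age": 52, "purchase": "laptop"},
    {"name": "Liu Yang",  "phone": "13800000005", "city": "Beijing",  "age": 58, "purchase": "phone"},
    {"name": "Zhao Min",  "phone": "13800000006", "city": "Beijing",  "age": 55, "purchase": "tablet"},
]

DIRECT_IDENTIFIERS = ("name", "phone")     # fields that identify a person on their own
QUASI_IDENTIFIERS = ("city", "age_band")   # fields that identify a person in combination


def _token(key: bytes, phone: str) -> str:
    """Keyed hash (HMAC-SHA256) of a phone number, truncated for readability."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Replace direct identifiers with a keyed hash of the phone number.

    Whoever holds `key` can recompute the token from a known phone number and
    re-link the record, so the output is pseudonymised, not anonymised.
    """
    return [
        {"token": _token(key, r["phone"]), "city": r["city"],
         "age": r["age"], "purchase": r["purchase"]}
        for r in records
    ]


def can_relink(pseudonymized, key: bytes, phone: str) -> bool:
    """The reversal path: the key holder recomputes the token for a known number."""
    token = _token(key, phone)
    return any(r["token"] == token for r in pseudonymized)


def age_band(age: int) -> str:
    """Generalise an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def anonymize(records):
    """Drop direct identifiers outright and generalise the quasi-identifiers.

    Nothing derived from name or phone survives, so no key can reverse it.
    """
    return [
        {"city": r["city"], "age_band": age_band(r["age"]), "purchase": r["purchase"]}
        for r in records
    ]


def has_direct_identifiers(records) -> bool:
    """True if any record still carries a direct identifier or a pseudonym token."""
    banned = set(DIRECT_IDENTIFIERS) | {"token"}
    return any(banned & r.keys() for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest group size over the quasi-identifier combinations.

    k == 1 means some record is unique on its quasi-identifiers and could be
    singled out by linking it with another dataset; larger k is safer.
    """
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values()) if groups else 0


if __name__ == "__main__":
    key = b"example-key-held-by-the-business"   # constructed; keep real keys in a KMS/HSM
    pseudo = pseudonymize(RECORDS, key)
    print("pseudonymised, re-linkable by key holder:", can_relink(pseudo, key, "13800000004"))
    anon = anonymize(RECORDS)
    print("anonymised still has identifiers:", has_direct_identifiers(anon))
    print("k-anonymity of anonymised set:", k_anonymity(anon))
```

The pseudonymized set is still useful internally (the token lets the business join records over time), but because the key holder can re-identify people it should be handled as personal information. The anonymized set passes the two checks a reviewer would ask for: no direct identifiers or tokens remain, and every combination of quasi-identifiers is shared by at least three records. Raising the minimum k, or coarsening the bands further, is the usual response when a real dataset has unique combinations.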

Conclusion

PIPL’s requirements represent a significant shift in how businesses manage personal data. Gone are the days when “anything goes”, with only European companies in China concerned about privacy and data protection because of their GDPR experience.

Today, in China, PIPL matters, and if your compliance is not up to speed, it can impact your brand’s reputation!

CONTACT US

Our experience with cybersecurity and PIPL makes us a one-stop shop for the peace of mind you need. Contact us for your China PIPL needs and all IT services to ensure your business continues uninterrupted and free from IT glitches.