Personal Information Protection Law (PIPL) China 

Overview

The Personal Information Protection Law of the People's Republic of China (PIPL) is a comprehensive regulation aimed at safeguarding the personal information rights and interests of individuals. Adopted on August 20, 2021, and effective from November 1, 2021, it provides a legal framework for the collection, processing, storage, and sharing of personal information. The law sets requirements for both domestic and international entities that process the data of individuals within China, with a focus on transparency, user rights, and the protection of sensitive information.

 

Regulation Summary

Timeline
  • Enacted: August 20, 2021
  • Effective: November 1, 2021
What Businesses Are Affected
  • Organizations and individuals within China processing personal information.
  • Entities outside China providing products or services to Chinese residents.
  • Entities monitoring behaviors of individuals within China.
Exemptions
  • Personal or household data processing.
  • Processing required for national security or public interest.
Responsibilities for Businesses
  • Obtain informed, explicit consent for data processing.
  • Conduct personal information protection impact assessments (PIAs) for high-risk activities.
  • Ensure data minimization and transparency in processing.
  • Implement robust security measures to prevent unauthorized access, leaks, or breaches.
  • Notify authorities and affected individuals of data breaches.
  • Localize storage of critical data and conduct security assessments for cross-border transfers.
  • Designate a data protection officer (DPO) for organizations handling significant amounts of personal information.
Specific Responsibilities for Website Owners
  • Provide clear, accessible privacy policies.
  • Obtain explicit consent for cookies and similar tracking technologies.
  • Ensure individuals can exercise their rights easily, such as access, correction, or deletion.
Additional Requirements
  • Sensitive Data Protections: Special safeguards for biometrics, health data, financial data, and data of minors under 14.
  • Automated Decision-Making: Transparency in algorithms and options for individuals to contest decisions.
  • Data Localization: Critical data must remain within China unless specific requirements for cross-border transfer are met.
Data Subject Rights
  • Be informed about data processing activities.
  • Access, correct, and delete their personal data.
  • Restrict or object to data processing.
  • Port their data to another processor.
  • Withdraw consent at any time.
Enforcement
  • Supervisory Authority: The Cyberspace Administration of China (CAC).
  • Penalties: Fines up to RMB 50 million (~USD 7 million) or 5% of annual turnover for severe violations. Lesser violations may result in fines up to RMB 1 million (~USD 140,000).