Guide to China’s Personal Information Protection Law (PIPL)

The long-awaited and closely watched Personal Information Protection Law of the People’s Republic of China (“PIPL”) was adopted on 20 August 2021, at the 30th Session of the Standing Committee of the 13th National People’s Congress.

As a basic law for personal information protection in China, the PIPL clarifies the rules for processing personal information, the obligations of personal information handlers (and processors), and the rights of personal information subjects. Notably, the PIPL provides for serious penalties for violations, including a fine of up to CNY 50 million (about USD 7,690,000) or 5% of annual turnover of the previous year.
The PIPL will come into effect on 1 November 2021. During the grace period, organizations operating in China, and those established outside China but subject to the extraterritorial effect of the PIPL, are advised to carry out data compliance work in accordance with the PIPL to prepare for the upcoming law.

This Guide aims to highlight the main principles and provisions under the PIPL. It is intended to be used by organizations as an aid to find gaps in compliance and take the steps that may be required in practice.

Each section of this Guide describes an important rule or requirement under the PIPL. We also provide “Actions” suggested for consideration and/or adoption to ensure compliance. Please note that the relevant supporting rules and regulations of the PIPL are expected to be promulgated and implemented accordingly, and it is advisable to pay close attention to them. Other relevant laws and regulations, as well as departmental rules, should also be taken into consideration when assessing compliance.
