Doing Business in China? What to Consider With PIPL

What to Consider When Doing Business in China After the Personal Information Protection Law (PIPL) Takes Effect

In August 2021, China passed the Personal Information Protection Law (PIPL), which took effect in November 2021. The new data protection law is a fundamental element in the mosaic of regulations relating to data protection and cyber security in China. Although there are similarities between PIPL and GDPR, it is crucial to consider the differences if your company wants to do business in China.

To better understand the new challenges posed by the PIPL, we highlighted a few key differences between the PIPL and GDPR to help companies 

PIPL Has a Heavy Focus on Consent

Since the European Data Protection Directive of 1995, data protection regulations around the world have been slowly shifting from a heavily consent-based system to one that allows for a different legal basis for the processing of personal data. Accountability and transparency are gaining strength, while the effects of consent fatigue are broadly recognized.

China’s PIPL, on the other hand, is heavily focused on consent. Separate consent is mandatory for sharing personal data (article 21). It is the only legal basis for processing of sensitive personal data (article 29). And as a rule, it is also needed for data disclosure (article 23). It is also worth noting that in PIPL, legitimate interest doesn’t exist as a legal basis. Because of that, it is fair to say that China has one of the strictest data protection laws in the world.

However, in PIPL it is possible to handle information that has been previously disclosed by the individual, except if there is a major influence on individual rights and interests, in which case consent will still be required (article 27).

China at the forefront of the privacy debate?

Similar to the GDPR, PIPL treats as sensitive data any personal information that can cause harm to the dignity of the individual. In addition, PIPL also treats as sensitive any data that could threaten the security of private property, such as financial account data.

Other peculiarities of the PIPL are specific articles related to image collection equipment (article 26); the exercise of a deceased person's data subject rights by their next of kin (article 49), which, for instance, directly impacts the debates around social media accounts; and specific obligations for “important internet platform services” (China is not messing around with big tech regulation!) (article 58).

Although heavily influenced by GDPR in certain aspects, the law is much stricter and is attentive to the recent impacts and issues related to emerging technologies. It should be interesting to see how the singularities in PIPL influence other legislation around the world.

What to consider when doing business in China? 

The PIPL may apply to your business not only if you do business in China directly, but also when you process personal information of individuals residing in China. So now more than ever, it is essential to build a data protection approach into your business strategy.

First, there is the need for all personal information handlers outside the borders of China to designate an entity or representative within the borders (article 53). From the beginning of your China expansion strategy, you should consider a playbook to address foreign regulators’ requests.

If your company is GDPR compliant, it should be easier to be PIPL compliant, although without a roadmap for addressing the changes between the two, you won’t go far. Here are a few steps you can take for compliance:

  1. Conduct a new data mapping;
  2. Prepare the documentation and change the legal basis for which you use personal data;
  3. Do a deep data gap analysis;
  4. Review your contracts;
  5. Prepare new policies;
  6. Know the different regulators and their respective responsibilities.

If you need help to get compliant with global data protection regulations, book a free consultation with us today!
