aacrao-logo_transparent

China's Personal Information Protection Law (PIPL)

On August 20, 2021, the top legislative body in the People's Republic of China, the Standing Committee of the National People's Congress, passed the Personal Information Protection Law (PIPL). The law went into effect November 1, 2021.

Applicability

The PIPL applies to entities both within and outside of China that process personal information on natural persons within the territory of China. The measure impacts U.S. institutions with a physical site in China, particularly regarding how they have to register and engage in connection to data sharing. It also impacts any college or university in the U.S. that processes personal information of Chinese residents for the purposes of providing products or services to individuals in China; "analyzing" or "assessing" the behavior of individuals in China; or, as provided in Article 3 of PIPL, for other purposes to be specified by laws and regulations.

China's PIPL vs. EU's GDPR

The sweeping law, which draws some parallels to the European Union's General Data Protection Regulation (GDPR), imposes heightened safeguards for the protection of personal information of its residents with extraterritorial scope. Serving as China's first comprehensive law in the personal information protection area and based on China's Constitution, the PIPL aims to protect the rights and interests of individuals, regulate personal information processing activities, and facilitate reasonable use of personal information (Article 1). From a broader cyber and data security governance perspective, the PIPL, the Cybersecurity Law, and the Data Security Law will form an over-arching framework to govern data protection, cybersecurity, and data security in China for years to come.

Analyzing China's PIPL and how it compares to the EU's GDPR (SOURCE: IAPP)

Updates

1280px-United_States_Census_Bureau_Wordmark.svg

Resources

THE INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS (IAPP) Resource Center hosts a "China" topic page, and links to in-language and English translations of the PIPL can be found in the IAPP's "Global Privacy Law and DPA Directory"