
China’s Personal Information Protection Law (PIPL) and Where it Applies
Here’s a Q&A-style summary of the key points of PIPL, intended to help you better understand where PIPL applies.
PIPL is China’s first comprehensive data protection law and will play a major role in China’s emerging data protection regime, together with the Cybersecurity Law and the Data Security Law.
Does PIPL apply to my organization?
The PIPL applies to the following processing activities:
- Processing individuals’ personal information within the borders of China.
- Processing individuals’ personal information outside China, if the purpose is:
  - to provide products or services to individuals in China;
  - to analyze or assess the behavior of individuals in China.
“Processing” is very broad and includes “collection, storage, use, transmission, provision, disclosure, deletion, etc.”
If your organization operates in China, processes the personal information of individuals in China, or analyzes the behavior of individuals in China, then PIPL likely applies to your organization. For example, if your organization only has offices in the US, such as a wealth management firm, but you have individual clients in China, then you need to comply with PIPL.
How is PIPL different from the GDPR?
PIPL and GDPR have many similarities: for example, both have extraterritorial effect, and both offer multiple legal bases for processing personal information beyond consent. Like the GDPR, PIPL protects publicly available personal information to a certain degree and spells out individual rights.
However, there are some major differences as well.
One difference is that, unlike the GDPR, PIPL does not allow “legitimate interest” as a lawful basis for data processing. Instead, PIPL makes consent the main legal basis for processing personal information.
Another difference is that PIPL does not use the concepts of controllers and processors; instead, these roles are called the personal information handler and the entrusted party. Both have obligations under the PIPL.
Additionally, PIPL requires that if your organization processes a volume of personal data exceeding the threshold established by the Cybersecurity Administration of China (CAC), then that personal data must be stored within China. At the time of creating this video, no exact volume of personal data had yet been specified to trigger this data localization requirement. If your organization meets the threshold, you must not transfer such personal data to any foreign country unless you pass a security assessment organized by the CAC.
What do I need to do?
We recommend that you start by creating a data inventory to determine what types of data your organization processes, where the data subjects reside, and where the data is stored, along with data maps so you can visually see the data flows from country to country. If you already have data inventories and data maps, great; in that case you should easily be able to see whether your organization processes the personal information of individuals in China.
For organizations established outside China, if you determine that PIPL applies to your organization based on your review of the data inventories and data maps, then one of the first steps you should take is to appoint a representative within China to be responsible for matters related to the personal information your organization handles.
How can we help you?
We help organizations with their efforts to become compliant with PIPL, such as preparing a data inventory and drafting policies and procedures. Reach out today and see how we can help you.
*** This is a Security Bloggers Network syndicated blog from "Ask Aleada" Blog - Aleada Consulting authored by "Ask Aleada" Blog - Aleada Consulting. Read the original post at: https://www.aleada.co/ask-aleada-blog/2022/4/20/chinas-personal-information-protection-law-pipl-and-where-it-applies