On August 20, China’s Personal Information Protection Law (PIPL) received its final reading and formally passed into law. This legislation marks China’s first comprehensive legal attempt to define personal information (PI) and regulate the storing, transferring, and processing of personal information. It has major implications for companies that rely on data for their operations in China. The implementation of the law will provide a legal foundation for the protection of personal information for foreign firms’ operations in China. However, it will also potentially limit cross-border transfer of such information, especially for data related to critical information infrastructure (CII), due to national security implications. The business community needs to understand the law’s impact on its data operations.
Personal Information: Filling a Legal Gap
Before the law was passed, China did not have any comprehensive legislation regulating the protection of personal information. PIPL fills that gap. It offers a detailed definition of “personal information” and clarifies the concept of “sensitive personal information.” Moreover, the law’s flexible auditing requirement makes it easier for companies to implement proactive internal monitoring to avoid PI-related criminal activities.
Unlike previous laws, such as the Cybersecurity Law, the Civil Code, the Data Security Law, and the E-Commerce Law, PIPL defines the concept and scope of personal information and introduces the principle of minimization (Articles 28-30). The Cybersecurity Law from 2017 does not include specific requirements on the review process information processors should conduct, nor does it stipulate the enforcement mechanism for the regulations. The Civil Code only states the fundamental legal principles of PI protection, without any details on implementation. The Data Security Law focuses on the general principles of data security without specific reference to personal information. The E-Commerce Law has only a narrow focus on e-commerce-related personal information.
In comparison, PIPL clearly defines PI and sensitive PI, and sharpens the focus on information transfers. Moreover, like the EU’s General Data Protection Regulation (GDPR), PIPL states that personal information gathered by a company must be limited to the minimum amount necessary for the purpose for which the data is processed (Article 6). This will reduce the likelihood of future abuses of PI.
PIPL’s mandate on companies’ self-review is designed to help companies prevent PI-related criminal activities. According to the law, companies processing PI should conduct internal audits on a regular basis and assess the risk level when the information is sensitive (Article 54). Regulators are authorized to mandate audits of companies if there is a complaint (Articles 61 and 64). This requirement responds to the unlawful abuse of personal information, in particular criminal activity enabled by weak protection of personal information, and to the surge in personal information collected as tech giants have grown rapidly.
In 2016, a Chinese college-bound student died from cardiac arrest after her family’s savings were emptied by a phone scam facilitated by the leak of her personal information. The case drew widespread attention in China and facilitated the passage of the law amid public demand. PIPL’s auditing requirements allow companies to flexibly construct their self-monitoring systems to avoid such PI leaks.
PIPL will help foreign companies operating in China without cross-border data transfers to develop privacy policies in compliance with the law. Before PIPL, the lack of a domestic PI protection law led to the broad adoption of the EU’s GDPR as a privacy policy among foreign companies. However, the GDPR’s decision-making is based on agreements among EU member states, which does not apply in the case of China. Since PIPL will come into effect in November 2021, foreign firms in China will need to revise their privacy policies to fit the requirements of the new law.
For companies in possession of large amounts of personal information or of data on critical information infrastructure, it will be more difficult to transfer data from China to other countries due to the mandatory security assessment by the Cyberspace Administration of China (CAC). Currently, it is unclear whether such a security assessment, if successfully completed, will grant the company one-time approval for a data transfer or a license for a given period.
Furthermore, the Standing Committee of the National People’s Congress, China’s top lawmaking body, recently opined that protections on PI transferred overseas should follow standards no less rigorous than the domestic standard. This means that even if a firm has enrolled in regional voluntary agreements such as the Cross-Border Privacy Rules (CBPR), it won’t be able to transfer personal information to any country with lower standards of PI protection, because the CAC will not approve such a transfer.