China's Personal Information Protection Law (PIPL): A Guide for Global Business

China’s Personal Information Protection Law went into effect on November 1, 2021.

Read about the obligations it imposes on businesses and the rights it gives Chinese citizens over their personal information.

What Is China's Personal Information Protection Law (PIPL)?

China’s Personal Information Protection Law (PIPL) is the first comprehensive national data privacy law in the People’s Republic of China, safeguarding the privacy and personal information of Chinese citizens.

The PIPL went into effect on November 1, 2021.

Covering 74 articles across eight chapters, the law broadly aligns with the EU’s GDPR but introduces notable differences tailored to China’s unique legal and political environment.

The Cyberspace Administration of China is the main regulatory authority under PIPL.

Various departments of the State Council, such as the Ministry of Public Security, the State Administration for Market Regulation, and the Ministry of Science and Technology, are also authorized to enforce the law.

Who Does the PIPL Apply to?

Both Chinese entities and foreign companies that collect and process personal data of Chinese citizens must take measures to comply with this law.

Inside China

The PIPL applies to all organizations and individuals processing the personal information of natural persons within Mainland China.

Outside China

The law also applies to organizations outside mainland China that process the personal information of individuals within mainland China when:

  • Providing products or services to individuals in mainland China.
  • Analyzing or evaluating the activities of individuals in mainland China.
  • Other situations stated in laws and regulations.

Exemptions

Hong Kong, Macau, and Taiwan are not covered by the PIPL.

Personal Information and Personal Information Handlers in China’s PIPL

PIPL defines personal information as information related to identified or identifiable individuals recorded electronically or by other means. Anonymized information is not considered personal information.

Personal information covers many fields of data, including:

  • Name
  • Address
  • Phone number
  • Email address
  • Date of birth
  • Social security number
  • Financial information
  • Medical information
  • Location data
  • Biometric data
  • Internet browsing history
  • Social media posts

Anonymized information, i.e. information that cannot be used to identify an individual, is not considered personal information under the PIPL. For example, if a company collects data on the income, gender, or average age of its website visitors, this data would be considered anonymized information because the company couldn’t track individual users.

Like the GDPR, the PIPL also has a separate category of personal information: sensitive personal information. Article 28 of the PIPL defines sensitive personal information as “personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or the security of their person or property.”

The PIPL explicitly lists the following data as sensitive personal information:

  • Biometric data (e.g., facial recognition, fingerprints)
  • Religious beliefs
  • Specific identities (e.g., ethnicity, political affiliation)
  • Medical and health information
  • Financial account data
  • Location tracking data
  • Personal information of minors under 14 years of age
  • Other data, depending on context and risk of harm.

PIPL sets special data protection measures to handle sensitive personal information.

Disclosure of personal information is prohibited unless organizations have consent or are required by law.

Exceptions for certain processing of personal information

The PIPL makes some exceptions for the processing of personal information for the following activities:

  • National security
  • Public security
  • Criminal investigation
  • Judicial prosecution
  • Public health emergencies
  • Scientific research, statistical purposes, or journalistic purposes, provided that certain conditions are met.

Personal information handlers

Under the PIPL, the collection, processing, sharing, and storage of personal information are collectively referred to as “data handling.” Accordingly, those who perform data handling are called “personal information handlers.”

Article 73 of the PIPL defines personal information handlers as “organizations and individuals that, in personal information handling activities, autonomously decide handling purposes.” The term personal information handler is similar to the concept of a “data controller” in the GDPR.

Personal information handlers can be corporate entities, other entities, or natural persons that handle personal data. Personal information handlers bear ultimate responsibility for data processing activities and for data protection and security measures.

However, Article 72 of the PIPL excludes natural persons from personal information handlers if they manage personal information for personal or family-related purposes.

Consent Requirements under the PIPL

PIPL requires data handlers to obtain clear, informed, and voluntary consent from individuals before collecting or using their personal information. This consent requirement applies to both general personal information and sensitive personal information.

Individuals must be informed with clear and concise information about why their personal information is being collected, how it will be handled, and whether it will be shared with third parties.

Individuals must have a real choice to grant or refuse consent.

When collecting consent for the use of sensitive personal information, the PIPL requires data handlers to obtain explicit consent that is separate from consent for the collection or use of general personal information.

This means that data handlers must give individuals even more detailed information about the purpose for which their sensitive personal information is being collected or used.

In summary, valid user consent under the PIPL must meet the following conditions:

  • Consent must be freely given
    Handlers cannot deceive users or use dark patterns to obtain consent.
  • Individuals should give consent directly to handlers
    Individuals must provide their own consent directly to handlers. Handlers cannot rely on consent obtained from a third party.
  • Consent must be revocable
    Individuals have the right to withdraw their consent at any time.
  • No discrimination
    Businesses cannot refuse to provide products or services if an individual declines to grant consent for processing their personal information or withdraws their consent, unless such processing is necessary for providing those products or services.
  • Consent must be recorded
    Handlers must keep a record of the consent obtained for proof of compliance.

Retention of Personal Information

Personal information should only be kept for the minimum time needed to fulfill the business obligations and processing purpose unless laws and regulations specify a different retention period.

Principles for Processing Personal Information under PIPL

The PIPL sets these requirements for processing personal information:

  • Collect or process personal information only when necessary. Minimize data collection to only what is necessary for the purpose and do not handle personal information that is not required to perform activities of an entity.
  • Process lawfully, legitimately, and in good faith. Do not use misleading, fraudulent, or other improper means to collect or process personal information.
  • Be open and transparent about the purpose, manner, and scope of processing of personal information.
  • Ensure accuracy and completeness of personal information to avoid harm.
  • Do not illegally collect, use, process, transmit, trade, or disclose personal information, and do not handle personal information in ways that harm national security or the public interest.
  • Implement adequate security measures when processing personal information.

Legal Basis for Processing Personal Information Under PIPL

To process personal information, handlers must have a legal basis. Handlers may only process personal information under these circumstances:

  • Handlers have obtained valid consent from the individual.
  • Handlers need to process personal information to fulfill a contract with the individual.
  • Handlers need to process personal information to implement human resource policies, rules, regulations, and collective bargaining agreements.
  • Handlers need to process personal information to carry out statutory duties and obligations.
  • Handlers need to process personal information to respond to public health emergencies or protect the life, health, or safety of an individual.
  • Handlers can use reasonable processing for news reporting or public oversight that serves the public interest.
  • Handlers can use reasonable processing of information that was voluntarily disclosed by the individual or obtained publicly or through other lawful means.
  • In other situations, specified in laws, regulations, and rules.

Requirements for International Data Transfers

The PIPL sets the following requirements for transferring personal information outside of China:

  • Handlers must obtain clear and informed consent from individuals before transferring their personal information.
  • Handlers may transfer personal information only to entities in foreign countries that provide an adequate level of protection for personal information.
  • When transferring, handlers must implement appropriate security measures to protect personal information from unauthorized access, use, disclosure, or modification during the transfer.
  • Handlers must notify the Cyberspace Administration of China of the transfer of personal information outside of China.

Joint Processing of Personal Information

When multiple organizations jointly determine the purpose and method of processing, they must agree on their rights and obligations. However, joint processing of personal information should not affect an individual’s rights against any organization.

If joint processing infringes individual rights on personal information or causes damages, the organizations will bear joint liability according to the law.

Personal Information Sharing with Third Parties

To share personal information with third parties, handlers must inform individuals about this practice and obtain explicit consent for data sharing. Data handlers must disclose the third party’s name, contact details, processing purpose, method, and the type of information they intend to share.

The receiving party can only process the information as agreed. If a third party wishes to change the original purpose or method of processing personal information, they must notify the individual and obtain new consent for this purpose or method.

Automated Decision-Making

Automated decision-making is allowed by China's Personal Information Protection Law. However, when implementing automated decision-making for the processing of personal information, handlers must respect these obligations:

  • Ensure transparency, fairness, and non-discrimination in results.
  • For marketing via automated decisions, handlers must provide options based on criteria other than personal characteristics.
  • Handlers must provide options for individuals to opt out of automated decision-making.

If automated decision-making has a significant impact on individual rights, individuals can request an explanation and object to the automated decision.

Data Rights of Individuals under China’s PIPL

The PIPL grants the following rights to individuals:

  • Right to know
    Individuals have the right to know why and how their personal information is processed.
  • Right to access
    Individuals can request to access a copy of their data from an organization, except in specified cases. When requested, organizations must promptly provide the requested information.
  • Right to limit processing
    Individuals have the right to limit or deny third parties from processing their information, except as allowed by laws and administrative rules.
  • Right to data portability
    Individuals have the right to transfer their data to a chosen organization. When requested, organizations must enable the transfer of data.
  • Right to correct inaccuracies
    Individuals have the right to ask the organizations to correct their personal information if it’s inaccurate or incomplete. When requested, organizations must verify and make necessary corrections or add missing information.
  • Right to delete
    Individuals have the right to ask the organizations to delete their personal information. An organization must promptly delete personal information in these cases:
    When the purpose of data collection is achieved or no longer necessary.
    When services or products are delivered or the agreed storage period has finished.
    When an individual withdraws consent.
    When data processing breaches laws or agreements.
  • Right to opt out of automated decision-making
    Individuals have the right to opt out of automated decision-making used for marketing or delivering targeted ads.
  • Right to be explained
    Individuals have the right to ask organizations to explain their personal information processing purpose and methods.

Obligations on Data Handlers

Organizations that handle the processing of personal information must follow certain rules related to data handling.

  • Implement data security measures
    Organizations handling personal information must implement adequate security measures to protect personal information. Use security techniques like encryption to protect the data.
  • Classify data
    Group the data based on its sensitivity (personal information vs sensitive personal information).
  • Establish rules for the international transfer of personal information.
  • Internal policies and training
    Create rules and procedures for managing data internally. Regularly train employees about data security measures. Have plans in place in case of a data breach.
  • Designate a responsible person
    Organizations must appoint a Data Protection Officer (DPO) when thresholds are met. Make this person’s contact information public so that interested parties can reach them with concerns about data security.
  • Conduct Personal Information Protection Impact Assessments
    When handling sensitive information, making automated decisions, transferring data across borders, or handling data at large scale, perform impact assessments and evaluate the potential risks and vulnerabilities.
  • Conduct regular audits
    The PIPL requires data handlers who manage data for over 10 million individuals to conduct regular audits. External audits must be performed after breaches affecting more than 1 million users or more than 100,000 sensitive records.
  • Keep records
    Data handlers must keep records of personal information when:
    Handling sensitive personal information.
    Using information for automated decisions.
    Sharing personal information with third parties.
    Transferring personal information outside the country.
    Engaging in other activities that significantly impact individuals’ rights and interests.
  • Data breach reporting
    If a data breach occurs or there is a risk that personal information has been leaked, accessed, or lost, the organizations or individuals handling that information must immediately notify the responsible authorities and the affected individuals. Data handlers must provide the following information about the breach:
    Why the breach occurred and what harm it could potentially cause.
    What steps the handler will take to fix the issue and lessen the harm.
    The handler’s contact details.

Organizations must keep records for at least three years.

Requirements for Large-Scale Service Providers

The PIPL also sets obligations for platforms with many users and other large-scale service providers, which must:

  • Develop protection systems for personal information that comply with government regulations. Establish an independent group to safeguard this information.
  • Establish clear and transparent internal guidelines for handling personal information. Platforms must set the responsibilities of businesses using the platform to protect this information.
  • Stop providing services to businesses on the platform that seriously or repeatedly violate personal information handling rules.
  • Regularly publish reports on personal information data protection practices and make these reports publicly available.

The Fines and Penalties for PIPL Violations

For violations of the PIPL, the Cyberspace Administration of China can impose fines of up to RMB 1 million on the data handler, along with potential suspension of services.

In severe cases, fines can reach up to RMB 50 million or 5% of the previous year’s turnover, with business suspension and permit revocation. Responsible individuals may face fines from RMB 10,000 to RMB 1 million and potential bans from specific roles within the organization.

Responsible authorities, consumer groups, or agencies appointed by the Cyberspace Administration of China have the right to sue data handlers in court.

Frequently Asked Questions

What is China's Personal Information Protection Law?

China’s PIPL is the first comprehensive national data privacy law in the People’s Republic of China, safeguarding the privacy and personal information of Chinese citizens. It provides Chinese citizens with data privacy rights and sets obligations on data handlers for lawful data handling. The PIPL went into effect on November 1, 2021.

Does China's Personal Information Protection Law apply only to Chinese companies?

No. Besides organizations and individuals processing personal data within mainland China, the PIPL also applies to organizations outside China that handle data on Chinese citizens. Therefore, if you collect or process personal data of Chinese individuals, you must comply with the law, regardless of where your business is based. Use CookieScript CMP to comply with the PIPL.

Does China's Personal Information Protection Law have exemptions?

Yes. The PIPL does not cover Hong Kong, Macau, and Taiwan. Use CookieScript CMP to comply with the law.

What is sensitive personal information according to the PIPL?

The PIPL explicitly lists the following data as sensitive personal information: biometric data, religious beliefs, specific identities like ethnicity or political affiliation, medical and health information, financial account data, location tracking data, personal information of minors under 14 years of age, and other data, depending on context and risk of harm. To handle sensitive personal information, organizations must obtain explicit user consent.

What are the consent requirements under China's Personal Information Protection Law?

The PIPL sets the following requirements for user consent: consent must be clear, informed, and voluntary, revocable, recorded, and direct. Handlers cannot rely on consent obtained from a third party. Businesses can’t discriminate against individuals if they refuse to grant consent. CookieScript CMP could be used to deliver a cookie notice and obtain user consent.
