Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Brazil’s LGPD

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Thailand PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Blog » Privacy

10 major changes in China’s finalized PIPL

By Privacy Research Team

Published on October 11, 2021

Key Changes Under the Finalized PIPL

1. Legal basis of processing

Under the finalised version of the PIPL, there are seven legal basis of the data processing:

Consent;
Contractual necessity or necessity arising from the human resources management implemented in accordance with the labour rules and regulations of the employer formulated according to the law or collective contracts signed according to law;
Compliance with legal responsibilities or obligations;
Responding to a public health emergency, or in an emergency to protect the safety of natural persons’ health and property;
Processing personal information that is already made public within the reasonable scope and in accordance with the requirements of the PIPL;
For purposes of carrying out news reporting and public opinion monitoring for public interests; and
Other circumstances permitted by laws and regulations.

The only substantial change made from the second draft is the addition of the clause of contractual necessity in the finalized PIPL. This is a specific reference to labour governance rules that are signed in accordance with laws. This new addition will have a huge impact in the employment context.

2. Consent

Consent requirements under the finalized PIPL remain consistent with previous PIPL drafts. Furthermore, similar to the previous drafts, the term “separate consent” is not yet defined under the final form of the PIPL.

Compared with the second draft, article 28 of the finalized PIPL purports data of minors aged under 14 as “sensitive personal information”, and requires need to obtain separate consent from the minor's guardian before processing their data.

3. Cross-border data transfers

The finalized PIPL enhances its cross-border data transfer system, as compared to the second draft, introduces 3 changes:

PIPL states that cross-border treaties concluded by China may prevail over other treaties.
All personal information processors are required to adopt measures to ensure that processing activities of the destination country have an equivalent level of protection provided in the PIPL.
The PIPL requires organizations to obtain approval from government authorities before transferring data to foriegn organs for international judicial assistance or administrative law enforcement.

4. Data subject rights

The finalized version of the PIPL brings the following changes to data subject rights:

Deceased data subject rights: Next of the kin of the deceased data subject can request a copy, amendment and erasure of their relatives data.
Data portability: A data subject has the right to request a data processor to have his data transferred to another data processor provided that such transfer follows the requirements set by the Cybersecurity Administration of China (“CAC”).
Redress: If a data processor refuses to comply with a DSR, the data subject may seek redress in court of law.

5. Personal Information Processing

Organizations tend to collect personal information for different purposes, such as to understand customers’ behavior patterns and interests. However, sometimes, it is specifically collected for the purpose of sending them notification emails, text messages, etc.

In the final revision, under the General Provision section in Article (6), the regulatory authority has specified the restriction on personal information (PI) processing. The PIPL specifies that other than definite and reasonable purpose, the PI processing “be directly related to the purpose of processing.” In addition to that, the collection of personal information should be very limited.

6. Unlawful Personal Information Collection

In the first draft and second draft, the regulatory authorities restricted organizations from processing data which violated the laws and administrative regulations. In the finalized version, the regulatory authority further expanded the unlawful collection and processing of data.

As per the finalized version, organizations are prohibited from collecting and processing data illegally, disclosing it to any third-party, or using it in a way that would result in any damage to national or public interest.

7. Personal Information Processing of Minors

As per Article (15) of the second draft, PI processors were required to obtain the consent of the parent or a guardian before processing. The final version of PIPL merges Article (15) with Article (31), specifying that special processing rules should be created by the PI processor for data subjects under the age of 14.

8. Automated Decision Making

The second draft of the PIPL required automated decision-making systems to be transparent, fair, and reasonable. It also gave individuals the ability to inquire further about the decision made by the automated system or reject it altogether.

The final draft of PIPL merges Article (25) with Article (24), additionally requiring PI processors to “not engage in unreasonable differential treatment of individuals in trading conditions,” and prohibiting price discrimination through automated decision-making.

9. Personal Information Protection Impact Assessment

Article (55) of the second draft stated the requirement of assessing risks of certain personal information processing activities in advance and keeping a record of the processing. However, in the finalized PIPL, Article (55) named this risk assessment as “personal information protection impact assessment” and added a separate new Article (56) detailing the scenarios where this impact assessment will be required.

10. Penalties

Upon violations and non-compliance, PIPL penalizes fines of up to 1 million RMB on the processor and up to 100,000 RMB on the person supervising the processor. Serious fines may be imposed on the processor of up to 50 million RMB or 5% of turnover of the previous year.

The revised version of PIPL imposes serious penalties on the liable persons, including the processor and those in charge of the processor, prohibiting them from serving as managers or directors in any organization.

Conclusion

The finalized PIPL is set to go into effect in less than 2 months and organizations are not yet ready to comply with all the requirements set in place. Organizations need to incorporate automation if they hope to improve their processes in time for the enforcement of the PIPL.

Request a demo now to see how robotic automation and artificial intelligence can help you on your road to compliance with China’s PIPL.

Take a
Product Tour

See how easy it is to manage privacy compliance with robotic automation.

Watch a demo

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.