China has passed a comprehensive data protection law that is considered to be on par with other major global data privacy laws such as the GDPR and CCPA. The Personal Information Protection Law (the “PIPL”) is China’s primary data protection law that aims to:
The PIPL came into effect on November 1, 2021. The PIPL and China’s Data Security Law are big steps towards strengthening China’s regulatory framework for privacy and data protection.
The PIPL applies to both the public and private sectors. The PIPL does not apply to natural persons handling personal information for personal or family affairs.
The PIPL provides seven legal bases for the processing of personal information. These legal bases are:
Where data processing is based on an individual’s consent, the PIPL requires the consent to be clear, voluntary, and well-informed. Following are specific consent requirements for certain situations:
Individuals also have the right to withdraw consent. Personal information handlers shall not refuse to provide products or services on the basis that an individual does not consent to the processing of personal information or withdraws his/her consent, except in those situations where the processing of personal information is “necessary” for the provision of products or services.
Personal information handlers must provide individuals an explicit privacy notice “before handling” of their personal information. This notice should include relevant information including the identity and contact method of the personal information handler, any subsequent third party handlers, the purpose and methods of personal information handling, the categories of handled personal information, the retention period, and procedures for individuals to exercise their individual rights under the PIPL.
All individuals may invoke the following rights (Data Subject Rights “DSR”) by sending a request to the personal information handler. These rights can be exercised under certain situations and also have limitations:
As per the obligations set out under Chapter V of the PIPL, personal information handlers should have a data protection program in place. The PIPL also provides a non-exhaustive list of specific program measures, such as:
Personal information handlers are required to appoint Personal Information Protection Officers (also called DPOs) in specific situations, depending on the volume of personal information processed. Personal information handlers shall disclose the methods of contacting the DPO and report the names of the officers and their contact methods to the departments fulfilling personal information protection duties and responsibilities.
Personal information handlers outside the borders of China are required to establish a dedicated entity or appoint a representative within the borders of China to be responsible for matters related to the personal information they handle. Such entities must provide the name and contact method of the representative to the relevant departments responsible for implementing the PIPL.
Personal information handlers must conduct a personal information protection impact assessment before the processing in the following scenarios:
The content of the personal information protection impact assessment shall include:
Personal information protection impact assessment reports and handling status records shall be preserved for at least three years.
In the event of a security breach, the PIPL requires entities to take “immediate” remediation actions and notify the relevant agency and affected individuals. Where adopted measures can effectively avoid security breach harms, personal information handlers do not have to notify individuals.
If personal information handlers engage entrusted parties for the handling of personal information, they are required to conclude an agreement with the entrusted parties covering the purpose of the entrusted handling, the time limit, the handling method, the categories of personal information, the protection measures, and the rights and duties of both sides, and to supervise the personal information handling activities of the entrusted party.
Entrusted parties shall handle personal information according to the agreement, and are required to take necessary measures to safeguard the security of the personal information they handle and assist personal information handlers in fulfilling the obligations provided in the PIPL.
The PIPL requires personal information handlers that provide internet platform services to a “large” number of users and have complex business models to:
For the cross-border transfer of personal information, personal information handlers must provide notices to individuals explaining the details of the transfer, and obtain their specific consent for the transfer of their personal information. It also imposes an obligation on personal information exporters to ensure data protection standards are met after transfer.
Personal information handlers are also required to meet one of the following conditions:
Operators of Critical Information Infrastructure and entities that transfer a large volume of personal information must locally store personal information collected in China and, where a transfer is necessary, undergo a security assessment before transferring it. The PIPL also explicitly allows the cross-border transfer of personal information when treaties or international agreements are in place.
If it is necessary to transfer personal information outside of China for international judicial assistance or administrative law enforcement, personal information handlers must file an application with the relevant competent authority for approval.
For automated decision-making, the PIPL prescribes the following strict requirements for personal information handlers:
The PIPL does not create an independent regulatory authority to oversee its compliance. The Cyberspace Administration of China is the primary body responsible for data protection enforcement, but there are several other state council departments that may also regulate the PIPL.
Non-compliance includes unlawfully processing personal information or failing to adopt the necessary security protection measures required by further regulations. The departments fulfilling data protection duties may order a correction, confiscate unlawful income, and issue a warning. The PIPL prescribes the following penalties for violations and non-compliance:
Global privacy regulations are encouraging organizations to be responsible custodians of their consumers' data and automate privacy and security operations. In order to operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape. Several organizations offer software that helps companies comply with global privacy regulations, but these solutions have been restricted to mainly process-driven tasks or rudimentary data-driven functions.
Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PIPL, as well as other privacy and security regulations all over the world. See how it works. Request a demo today.
PIPL stands for Personal Information Protection Law. It is a comprehensive data protection law enacted in China to regulate the collection, processing, and use of personal information. The law aims to enhance individuals' data privacy rights and establish rules for businesses handling personal data.
Yes, PIPL applies to China. It is a data protection law specifically designed to govern the processing of personal information within the country's borders.
While both GDPR (General Data Protection Regulation) and China's PIPL share common principles of protecting personal data, they have differences in terms of scope, requirements, and enforcement. GDPR applies to the European Union and its residents, while PIPL applies to China and its citizens.
The PIPL (Personal Information Protection Law) applies to all individuals whose personal information is processed within China, including Chinese nationals and non-nationals residing or operating within China.
Examples of personal information covered under PIPL include names, identification numbers, contact details, financial information, health data, online identifiers, and other information that can be used to identify individuals.
The term "PI" refers to "personal information" in the context of the Personal Information Protection Law (PIPL) in China. It encompasses various types of data that can identify an individual.
The Personal Information Protection Law (PIPL) in China is enforced by multiple authorities, including the Cyberspace Administration of China (CAC) - the primary body responsible for its enforcement, and other relevant government agencies. These authorities oversee compliance with data protection regulations and investigate potential violations.