China has passed a comprehensive data protection law that is considered on par with other major global data privacy laws such as the GDPR and CCPA. The Personal Information Protection Law (the “PIPL”) is China’s primary data protection law, and it aims to:
The PIPL came into effect on November 1, 2021. The PIPL and China’s Data Security Law are big steps towards strengthening China’s regulatory framework for privacy and data protection.
The PIPL applies to both the public and private sectors. The PIPL does not apply to natural persons handling personal information for personal or family affairs.
The handling of personal information shall ensure the quality of personal information, and avoid adverse effects on individual rights and interests from inaccurate or incomplete personal information.
Personal information handlers shall bear responsibility for their personal information handling activities, and adopt the necessary measures to safeguard the security of the personal information they handle.
Personal information handling shall have a clear and reasonable purpose, and shall be directly related to the handling purpose.
The collection of personal information shall be limited to the purpose of personal information handling (data minimization).
The principles of openness and transparency shall be observed in the handling of personal information, disclosing the rules for handling personal information, and clearly indicating the purpose, method, and scope of handling.
The principles of lawfulness, propriety, necessity, and sincerity shall be observed for personal information handling.
The PIPL provides seven legal bases for the processing of personal information. These legal bases are:
Where data processing is based on an individual’s consent, the PIPL requires the consent to be clear, voluntary, and well-informed. The following are specific consent requirements for certain situations:
Individuals also have the right to withdraw consent. Personal information handlers shall not refuse to provide products or services on the basis that an individual does not consent to the processing of personal information or withdraws his/her consent, except in those situations where the processing of personal information is “necessary” for the provision of the products or services.
Personal information handlers must provide individuals an explicit privacy notice “before handling” of their personal information. This notice should include relevant information including the identity and contact method of the personal information handler, any subsequent third party handlers, the purpose and methods of personal information handling, the categories of handled personal information, the retention period, and procedures for individuals to exercise their individual rights under the PIPL.
All individuals may invoke the following rights (Data Subject Rights “DSR”) by sending a request to the personal information handler. These rights can be exercised under certain situations and also have limitations:
The individuals have a right to know, decide, refuse, and limit the handling of their personal information by others unless laws or regulations stipulate otherwise.
The individuals have a right to access and copy their personal information in a timely manner, except when the laws and regulations require confidentiality.
The individuals have a right to correct or complete inaccurate personal information in a timely manner.
The individuals have a right to request handlers explain their personal information handling rules.
The individual has a right to deletion of his/her personal information if (i) the agreed retention period has expired, or the handling purpose has been achieved; (ii) personal information handlers cease the provision of services; (iii) the individual rescinds consent where the processing of personal information was based on the individual’s consent; (iv) the information is handled in violation of laws, regulations or agreements.
The individuals can request a personal information handler to transfer their personal information to another personal information handler. Specific conditions for porting data will be determined by state cybersecurity and information departments.
As per the obligations set out under Chapter V of the PIPL, personal information handlers should have a data protection program in place. The PIPL also provides a non-exhaustive list of specific program measures, such as:
Personal information handlers are required to appoint Personal Information Protection Officers (also called DPOs) in specific situations, depending on the volume of personal information processed. Personal information handlers shall disclose the methods of contacting the DPO and report the names of the officers and their contact methods to the departments fulfilling personal information protection duties and responsibilities.
Personal information handlers outside the borders of China are required to establish a dedicated entity or appoint a representative within the borders of China to be responsible for matters related to the personal information they handle. Such entities must provide the name and contact method of the representative to the relevant departments responsible for implementing the PIPL.
Personal information handlers must conduct a personal information protection impact assessment before the processing in the following scenarios:
The content of the personal information protection impact assessment shall include:
Personal information protection impact assessment reports and handling status records shall be preserved for at least three years.
In the event of a security breach, the PIPL requires entities to take “immediate” remediation actions and notify the relevant agency and affected individuals. Where adopted measures can effectively avoid security breach harms, personal information handlers do not have to notify individuals.
If personal information handlers engage entrusted parties for the handling of personal information, they are required to conclude an agreement with the entrusted parties on the purpose of the entrusted handling, the time limit, the handling method, the categories of personal information, the protection measures, and the rights and duties of both sides, and to supervise the personal information handling activities of the entrusted party.
Entrusted parties shall handle personal information according to the agreement, and are required to take necessary measures to safeguard the security of the personal information they handle and assist personal information handlers in fulfilling the obligations provided in the PIPL.
The PIPL requires personal information handlers that provide internet platform services to a “large” number of users and have complex business models to:
For the cross-border transfer of personal information, personal information handlers must provide notices to individuals explaining the details of the transfer, and obtain their specific consent for the transfer of their personal information. It also imposes an obligation on personal information exporters to ensure data protection standards are met after transfer.
Personal information handlers are also required to meet one of the following conditions:
Operators of Critical Information Infrastructure and entities that transfer a large volume of personal information must store personal information collected in China locally and, where a transfer abroad is necessary, pass a security assessment first. The PIPL also explicitly allows the cross-border transfer of personal information when treaties or international agreements are in place.
If it is necessary to transfer personal information outside of China for international judicial assistance or administrative law enforcement, personal information handlers must file an application with the relevant competent authority for approval.
For automated decision-making, the PIPL prescribes the following strict requirements for personal information handlers:
The PIPL does not create an independent regulatory authority to oversee its compliance. The Cyberspace Administration of China is the primary body responsible for data protection enforcement, but there are several other state council departments that may also regulate the PIPL.
Non-compliance includes unlawfully processing personal information or failing to adopt the necessary security protection measures required under the PIPL and its implementing regulations. The departments fulfilling data protection duties may order a correction, confiscate unlawful income, and issue a warning. The PIPL prescribes the following penalties for violations and non-compliance:
Global privacy regulations are encouraging organizations to be responsible custodians of their consumers' data and automate privacy and security operations. In order to operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape. Several organizations offer software that helps companies comply with global privacy regulations, but these solutions have been restricted to mainly process-driven tasks or rudimentary data-driven functions.
Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PIPL, as well as other privacy and security regulations all over the world. See how it works. Request a demo today.