The Personal Information Protection Law, or PIPL, imposes stringent obligations of a similar standard to the GDPR and will take effect on November 1, 2021.

By Hui Xu, Kieran Donovan, and Bianca Lee

On August 20, 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law of the People’s Republic of China (PIPL), the first legislation dedicated to protecting personal information in China. PIPL will take effect on November 1, 2021. PIPL previously underwent two revisions: the First Draft in October 2020 and the Second Draft in April 2021. Prior to PIPL, personal information in China was protected largely by the Network Security Law (which took effect in June 2017), the Civil Code (which took effect in January 2021), various provisions in other laws, and the Data Security Law, which was adopted in June 2021 and took effect on September 1, 2021. Collectively, these legislative sources will provide a comprehensive legal framework for protecting personal information in China.

Key Points:

  • Extraterritorial effect: PIPL applies to those who process personal information about Chinese individuals inside China as well as those who process personal information about Chinese individuals outside China.
  • Legal basis: PIPL expands the legal bases for processing personal information to seven, including where it is necessary for the performance of a contract with the individual.
  • Data transfer restrictions and localization requirements: Critical information infrastructure operators (CIIOs) and those who exceed the threshold of personal information processed set by the Cyberspace Administration of China (CAC) must store personal information in China unless they pass a CAC security assessment. PIPL also imposes more stringent requirements on cross-border data transfers, e.g., consent of the individual is always required.
  • Fines: Those who violate PIPL may face fines of up to 5% of annual revenue of the previous year or CNY50 million.

Read the full Client Alert.