China’s Personal Information Protection Law

Organizations make extensive use of their users' personal data in the course of business, and they are legally obliged to protect that data under the applicable data protection laws. Growing concern over data privacy has led many countries to pass laws protecting the data of individuals, and following the European Union's General Data Protection Regulation (GDPR) many of them enacted their own data protection statutes. One such law is China's Personal Information Protection Law.

PERSONAL INFORMATION PROTECTION LAW (PIPL)  

China's Personal Information Protection Law (PIPL) is the country's first comprehensive data protection law. It came into effect on 1 November 2021. It protects the personal information of natural persons within China, and it applies not only to organizations processing that information inside China but also, extraterritorially, to organizations outside China that process the personal information of individuals in China in order to provide them products or services or to analyse or evaluate their behaviour. PIPL also gives data subjects specific rights of control over their personal information.

PIPL governs the processing of personal information of individuals in China and operates alongside China's two other principal laws on cybersecurity and data: the Cybersecurity Law and the Data Security Law.

In addition, certain industry sectors are subject to sector-specific requirements under their own laws and regulations. These sectors include telecommunications, finance, network services, transportation, e-commerce, and healthcare.


PIPL CHINA AND GDPR – SIMILARITIES AND DIFFERENCES 

China's Personal Information Protection Law closely resembles the European Union's General Data Protection Regulation (GDPR), the EU's comprehensive framework for data privacy and protection. The main similarities and differences are set out below.

Definition – The terms "personal information" and "processing of personal information" are defined similarly in GDPR and PIPL. The two laws do, however, use different terminology for the parties involved: PIPL's "personal information handler" corresponds to GDPR's "data controller", and PIPL's "entrusted party" corresponds to GDPR's "data processor".

Scope of Applicability – Both GDPR and PIPL have extraterritorial reach. PIPL applies to the processing of personal information carried out within China and also to processing conducted outside China when it concerns individuals located in China.

Cross-border transfer of personal information – Both GDPR and PIPL restrict cross-border transfers of personal information, and PIPL adds requirements of its own: a personal information handler transferring data out of China must pass a security assessment by the Cyberspace Administration of China, obtain a certification from a recognised body, or conclude a standard contract with the overseas recipient, and must obtain the individual's separate consent for the transfer.

Personal Information Rights – GDPR grants data subjects a set of rights over their personal data, and PIPL grants comparable rights. The rights under PIPL are as follows:

  • Right to be informed – Under PIPL, before processing personal information the personal information handler must give the individual a notice explaining how their personal information will be processed. Where the personal information of children under 14 years of age is processed, specific rules for processing must be drawn up and the consent of a parent or guardian obtained.
  • Right to access – Individuals are entitled to request access to, and a copy of, the personal information a handler holds about them, in accordance with the law.
  • Right to rectification – Individuals are entitled to request that the handler correct or complete their personal information where it is inaccurate or incomplete.
  • Right to erasure – Individuals have the right to request that the handler delete their personal information when it is no longer necessary for the purpose for which it was collected, or in the other circumstances specified in the law.
  • Right to object – Individuals have the right to restrict or refuse the processing of their personal information.
  • Right to data portability – Individuals may request that the handler transfer their personal information to another personal information handler of their choosing, provided the conditions stipulated by the Cyberspace Administration of China are met.
  • Right not to be subjected to automated decision-making – Where a handler makes decisions by automated means, individuals have the right to an explanation of the decision and the right to refuse decisions made solely through automated decision-making that significantly affect their rights and interests.
  • Rights in the case of deceased individuals – The next of kin of a deceased individual may, for their own lawful and legitimate interests, exercise the rights of access, copying, correction and deletion over the deceased's personal information, unless the deceased made other arrangements before death.

Legal basis for processing personal information – GDPR recognises "legitimate interest" as a lawful basis for processing personal data; PIPL does not. Under PIPL the primary basis is the individual's consent, alongside a closed list of other bases such as the performance of a contract, compliance with statutory duties, responding to public health emergencies, and the processing of information that has already been lawfully made public.

Consent – Consent is defined similarly in GDPR and PIPL: in both, it must be voluntary, explicit and informed. PIPL goes further by requiring "separate consent" for certain activities, including the processing of sensitive personal information, the sharing of personal information with third parties, its public disclosure, and its transfer outside China.

Principles – PIPL adopts principles that mirror those of GDPR: lawfulness in processing, purpose limitation and data minimisation, storage limitation for the personal information collected, openness and transparency in processing, accuracy, and security of the information.

Data Protection Impact Assessment (DPIA) – GDPR requires a data protection impact assessment for high-risk processing. PIPL contains an equivalent obligation, the personal information protection impact assessment, which must be carried out before activities such as processing sensitive personal information, using personal information for automated decision-making, sharing it with third parties, or transferring it outside China, and the assessment report must be retained for at least three years.

Appointment of Data Protection Officer (DPO) – GDPR mandates the appointment of a Data Protection Officer in specified cases, such as public authorities and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. PIPL similarly requires personal information handlers whose processing volume reaches a threshold set by the Cyberspace Administration of China to appoint a person in charge of personal information protection.

Effect of non-compliance – Organizations that collect personal information must comply with the applicable privacy law, and under both GDPR and PIPL an organization that fails to do so is liable to financial penalties.

COMPLIANCE WITH THE LAW  

Complying with PIPL means applying its principles to every stage of processing the personal information of individuals. The following measures are a starting point.

Mapping data flows. All personal information that is processed should be mapped: what is collected, on what basis, why, and where it is transferred. The map should record the categories of information used, the business activities that rely on it, the lawful basis for handling it, the complete list of contractors involved in handling it, the physical location where it is stored, and any overseas transfers to foreign companies. The resulting record serves as the basis for implementing the measures required by the law.

Obtaining consent. Consent must be freely given, and the purposes for which the personal information will be used must be stated explicitly at the point of collection.

Giving individuals control. Organizations must ensure that users can make decisions about their own personal information and must provide tools for opting out. Reviewing privacy policies and notices against PIPL's requirements also contributes significantly to compliance.

Providing options to refuse cookies and other automated profiling mechanisms.

These are some of the measures an organization can implement to comply with PIPL. An organization that fails to comply may be fined up to RMB 1 million (approx. €136,260), and the person directly responsible may be fined between RMB 10,000 (approx. €1,360) and RMB 100,000 (approx. €13,630). For grave violations the penalties are considerably higher: up to RMB 50 million or 5% of the organization's turnover in the previous year, with fines of RMB 100,000 to RMB 1 million for the responsible individuals, who may also be barred from serving as directors or senior managers for a period of time.
