China’s (‘PIPL’), New Comprehensive Data Privacy Law

China’s Personal Information Protection Law (‘PIPL’) is a comprehensive data protection and personal privacy law that was passed in China in November of 2021. In conjunction with China’s Personal Information Security Specification, as well as the nation’s Cybersecurity Law, the PIPL is the foremost law that regulates the numerous forms of personal information that citizens within China submit to businesses, organizations, law enforcement agencies, etc. To this point, the law establishes the legal framework that data controllers and processors within China must adhere to when managing the personal information of the more than one billion people that reside within the country.

How is personal data defined under the law?

Under China’s Personal Information Protection Law, personal data is defined as “any information relating to an identified or identifiable natural person constitutes personal information.” On the other hand, the law defines sensitive personal data to include “personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.”

What requirements were established in the law?

Much like other comprehensive data privacy laws that have been passed in countries around the world in recent years, including the EU’s GDPR law, along with many others, China’s PIPL requires data controllers and processors within the nation to collect and process personal data in accordance with a number of different data protection principles. These data protection principles include:

• Lawfulness- All personal data must be collected and processed in a manner that is legal, legitimate, necessary, and done so in good faith. Moreover, personal data may not be collected or processed in a manner that is coercive, fraudulent, or misleading.
• Purpose limitation- Personal data may only be collected and processed for a reasonable and specific purpose, or another purpose that is directly related to said specific purpose.
• Data minimization- The collection of personal data must be limited to the minimum scope of what is necessary to achieve the purpose for which it is to be processed. Furthermore, the collection of personal data must not be excessive.
• Storage limitation- The period for which a data controller or processor stores the personal information of data subjects may not be longer than what is necessary to achieve the purpose for which said data was collected.
• Transparency- all personal data must be collected and processed in a manner that is both open and transparent.
• Data security- Data controllers and processors are responsible for taking the steps necessary to protect any personal data that is in their possession.

What are the rights of Chinese citizens under the PIPL?

The PIPL affords Chinese citizens a wide range of data protection and personal privacy rights. These privacy rights include:

• The right to be informed.
• The right to access.
• The right to rectification.
• The right to erasure.
• The right to object or opt-out.
• The right to data portability.
• The right not to be subject to automated decision-making.
• The right to request a copy of their data.
• The right to restrict the processing of their personal data.

In terms of the enforcement of the law, China does not have a single regulatory authority that is in charge of governing the multitude of provisions that were set forth in the PIPL. Instead, there are a number of smaller organizations and entities that regulate the law with respect to the industry in which a data controller or processor operates within. Nevertheless, businesses and individuals alike that are found to be in violation of the PIPL are subject to various different punishments. For instance, a data controller that collects personal data via electronic means may have these means suspended if the said controller fails to comply with the provisions of the law. What’s more, data controllers and processors within China that are found to have violated the law repeatedly are also subject to a monetary penalty of up to RMB 1 million (137,166).

As laws pertaining to the protection of the personal information of the citizens that reside within a particular country have become far more stringent in the past few years, the nation of China has joined the trend of enacting legislation that works to provide individuals with personal privacy protections. Due to the sheer number of people that live within the country, the passing of the PIPL was very much needed, as there is perhaps no other country in the world that boasts more consumers or online users than the nation of China. With all this being said, there is great hope that the provisions of the PILP will provide Chinese citizens with the means to protect themselves from the adverse effects of being involved in a data breach, as well as other related cybersecurity incidents.