Overview of China’s Personal Information Protection Law (PIPL)
China’s Personal Information Protection Law (PIPL) is a major data privacy regulation that took effect on November 1, 2021. It is the strictest and most comprehensive data privacy law in China, and it applies to all entities that process personal information belonging to citizens of the People’s Republic of China. The law builds on China’s earlier Cybersecurity Law (CSL) and Data Security Law (DSL), and grants consumers specific rights over the privacy of their personal data. The result is a key piece of a global legislative framework that continues to expand today.
The PIPL is notably similar to exemplary data privacy laws around the world, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States. However, the PIPL also has some unique features, such as its focus on national security and its strict requirements for the transfer of personal information outside of China.
For Chinese citizens, the PIPL grants the following rights:
- The right to access personal information held by an organization.
- The right to copy personal information from an organization and port it to another location.
- The right to review and update personal information, including correcting inaccuracies and supplementing existing data.
- The right to object to the processing of their personal information.
- The right to request deletion of their personal information.
Thus, the PIPL regulates the collection, storage, use, disclosure, and transfer of personal information by organizations. It has a significant impact on every organization that processes personal information belonging to Chinese citizens, so each such entity must ensure it complies with the PIPL’s requirements in order to avoid fines and other penalties.
International organizations that do business in China must also be aware of the provisions of the PIPL. They are required to comply with its policies as well, even if they are not located in China. The legislation is therefore considered extraterritorial, since its scope extends beyond the country’s borders.
Additional key provisions within the PIPL include:
- Collection and storage: Organizations must obtain the consent of individuals before collecting or storing their personal information. They must also only collect and store personal information for specific and legitimate purposes.
- Use and disclosure: Organizations must only use personal information for the purposes stated before collection. This disclosure must be easy to find and understand for the consumer.
- Security measures: Organizations are required to implement reasonable security measures to protect personal data. This includes conducting risk assessments, establishing internal data protection policies, and appointing a dedicated individual responsible for data protection. Organizations must also report data breaches promptly.
- Data localization: The law requires critical information infrastructure operators and organizations processing large amounts of personal data to store such data within China’s borders. This is intended to ensure data protection and enable regulatory oversight.
- Transfers: Organizations must obtain explicit consent from individuals before transferring personal information outside of China. They must also take steps to ensure that the personal information is protected when it is transferred. Chinese authorities have already stated compliance with this requirement is mandatory today, and regular audits will continue to regulate companies more closely moving forward.
- Enforcement: The PIPL is primarily enforced by the Cyberspace Administration of China (CAC), but enforcement is decentralized and the Ministry of Public Security also plays a role. In either case, authorities have the power to investigate violations of the PIPL and to impose fines on organizations that violate the law.
Because it has been years since this law was implemented, enforcement is currently in full effect and organizations are expected to be in full compliance. Any business found to be noncompliant can face fines up to RMB 50 million or up to 5% of a company’s turnover from the previous financial year, typically whichever is higher.
The PIPL is a significant piece of legislation that reflects China’s commitment to protecting personal information and enhancing data security. The broad applicability and stringent requirements included will have profound implications for both businesses and individuals. Companies must adapt to ensure compliance, while individuals stand to benefit from greater control and protection of their personal information.
New supporting rules are likely to come in the near future as China’s cybersecurity, data security, and personal information protection framework continues to evolve. It’s vital for every business to stay abreast of the latest developments to ensure ongoing compliance.
Ensure business compliance
Despite posing numerous challenges for businesses, the PIPL also presents some opportunities. By complying, businesses can demonstrate their commitment to protecting customer privacy and build trust with consumers. Going above and beyond to remain compliant can also help businesses avoid costly data breaches and expensive fines.
To be more specific, the PIPL has a number of potential impacts on businesses including:
- Increased costs of compliance: Companies may need to invest in new systems and processes to comply with the PIPL’s requirements.
- Reduced agility: The PIPL’s restrictions on data collection, processing, and transfer could make it more difficult for businesses to innovate and adapt to changing market conditions.
- Increased risk of penalties: Businesses that fail to comply with the PIPL could face significant fines and other penalties, including the suspension or revocation of their operating licenses.
These impacts are a result of the obligations placed on businesses to obtain explicit consent before collecting information, provide access to that information, establish processes to delete it, implement effective security methods, and report breaches promptly. If you are a business that collects, processes, or stores personal information of Chinese residents, it is important to understand your obligations under the PIPL and take steps to comply immediately if you have not already.
It’s recommended all businesses consider the following tips to ensure compliance:
- Conduct regular audits and risk assessments to identify all of the personal information that you collect, process, and store.
- Develop and implement a personal information protection policy and procedures, with the policy posted prominently on the company website for easy public viewing.
- Obtain explicit consent from individuals before collecting, processing, or sharing their personal information, and make the method for opting out clear.
- Provide individuals access to their personal information and the right to request its deletion in a timely manner.
- Implement robust security measures to protect personal information from unauthorized access, use, disclosure, modification, or destruction.
- Report data breaches promptly to the relevant authorities, with clear documentation to show the proactive steps taken to mitigate breach risk.
- Document all actions taken to protect personal data including for cross-border transfers, especially in light of recent comments from authorities.
- Review data sovereignty requirements, which can be especially challenging for multinational companies.
Companies that can demonstrate compliance with the PIPL may be able to gain a competitive advantage in their marketing efforts. Compliance can be a selling point, as customers are increasingly concerned about the protection of their personal information. Either way, there is only one way forward for organizations today: ensure compliance with data privacy legislation or fall behind the global industry.
How Privacy Bee helps today
Nowadays, businesses providing online services must protect their customers’ personal data and educate employees about how data is used. New regulations are emerging around the world, requiring stricter opt-in and opt-out policies and granting consumers more rights. Because consumers can now scrutinize and delete their personal data, organizations must be more accountable for data protection and create processes to handle these new mandates.
Despite these regulations, individuals are still primarily responsible for carefully monitoring, evaluating, and requesting the removal of their personal data from wherever it may be scattered across the internet. This task becomes even more daunting when scaled to account for an entire organization, making it practically impossible for a single person or small team to manage without professional assistance.
However, identifying and removing personal data is crucial for deterring cybercriminals. It significantly reduces a company’s attack surface and mitigates the looming threat of a data breach. This is where Privacy Bee comes in. Our service simplifies the time-consuming process of monitoring and removing employee personal data for business leaders, which is especially useful for executives who are highly visible to the public.
Privacy Bee not only minimizes the spread of your organization’s personal data across the digital landscape, but also extends its protective umbrella to vendors, helping you ensure that third-party partners do not become the weak link in your security defenses. Even if you are already conducting risk assessments and vendor surveys, remember that a vendor is most vulnerable to a breach when its data privacy management is poor, and a breach at a vendor can flow down the line and compromise your organization.
Privacy Bee’s proactive approach fights back against the exploitation of your most sensitive data, fortifying your security defenses on multiple fronts.
In the ever-expanding, billion-dollar surveillance industry, data brokers and people search sites play pivotal roles, reaping profits by trading your organization’s information with obscure and uncontrollable entities. The consequences of private data exposure are far-reaching and pose significant threats when obtained by malicious hackers. A single data breach can lead to lost productivity, expensive remediation efforts, and recurring breach incidents—a predicament that plagues the majority of businesses after an initial breach. The first data breach sets off a chain reaction that not only inflicts short-term damage to your bottom line but also erodes brand value and customer trust over time. Furthermore, there are ripple effects to consider, such as heightened employee turnover due to poaching and a substantial decline in productivity due to more sophisticated spam outreach.
Privacy Bee combats external threat actors lurking beyond your organization’s perimeters. By meticulously pinpointing every nook and cranny of the internet where your data resides and swiftly purging it, Privacy Bee closes the data security gap. Dark web monitoring is included along with timely data breach notifications if another company falls victim and potentially exposes your information in the process.
The driving motivation behind our service is the belief that privacy is an inalienable human right that transcends political discourse and negotiations. This is why Privacy Bee vigilantly monitors user data for security vulnerabilities while holding the surveillance industry accountable by compelling data brokers, people search sites, and more than 150,000 additional websites to delete your stored data and opt out of further data collection.
Privacy Bee’s protective umbrella extends over a wide range of potential threats, including:
- Data breaches
- Social engineering attacks
- Identity theft
- Spam emails
- Telemarketing calls
Our service is a powerful tool for business leaders who want to protect their employees’ and customers’ data. In today’s world, where privacy is more important than ever, Privacy Bee is your trusted partner in the fight to preserve personal and organizational integrity.