China’s Personal Information Protection Law (PIPL) represents the country’s first comprehensive national data protection regulation. Enacted to protect personal information in a digital age, PIPL outlines stringent requirements for how personal data can be collected, processed, and transferred, both within China and across its borders. This law underscores China’s commitment to regulating the digital economy while ensuring that individuals’ personal data remains secure and used responsibly.
China’s Personal Information Protection Law (PIPL) is the country’s first comprehensive data protection law, aimed at regulating how personal information is collected, processed, and stored to safeguard the privacy of individuals.
PIPL applies to both domestic and foreign organizations that process the personal information of Chinese residents or offer services to China, regardless of where the entity is based.
PIPL applies to personal information that can identify an individual directly or indirectly, including names, addresses, phone numbers, health data, and any sensitive personal information like biometric data.
PIPL came into effect on November 1, 2021.
- Legality and Transparency: Data must be processed legally, fairly, and transparently.
- Specific Purpose: Data should be processed only for specific, legitimate purposes.
- Necessity and Data Minimization: Data collected must be necessary for the intended purpose.
- Informed Consent: Data subjects must provide clear and informed consent.
- Security and Confidentiality: Data processors must ensure the security and confidentiality of personal information.
Fines can reach up to ¥50 million (approximately USD $7 million) or 5% of a company’s revenue in China. Enforcement is managed by the Cyberspace Administration of China.