PIPL China: Is Your Business Ready?

On August 20th, 2021, China passed its new Personal Information Protection Law (PIPL) — the first of its kind to be seen in the East-Asian country. The law creates a new landscape around security and the protection of personal information.\

This personal information protection law will have far-reaching effects on business operations in China, similar to what the European Union’s (EU’s) General Data Protection Regulations (GDPR) has had on the world.

China’s PIPL provides a new set of rules on how businesses can use Chinese citizens’ data, and tech companies, in particular, will be affected; not just in China, but around the world.

From November 1st, 2021, organizations handling Chinese citizens’ data must meet certain conditions laid out in the PIPL. If your SaaS business is already GDPR compliant, you should have an easier time reaching PIPL compliance levels.

However, if you haven’t implemented GDPR practices, your business may have to spend extra time preparing for China’s PIPL. The law adds another layer of complexity to data security compliance for companies doing business in China.

What Is China’s PIPL?

What is PIPL?

China’s PIPL is a data privacy law that imposes new data-handling requirements. It’s perhaps the most stringent set of data laws in the world right now.

The personal information protection law puts into place protections and restrictions on data collection and transfer. In particular, the law focuses on apps that use personal information to target consumers and provide personalized advertising to them.

The PIPL also aims to improve personal information protection by preventing data from being transferred to other countries with less stringent data protection or security policies.

Background to the PIPL

The PIPL is China’s third law aimed at the regulation of technology. In 2017, the Cyber Security Law was enacted, which was then followed in early 2021 by the Data Security Law. Now, the PIPL completes the framework, with a specific focus on personal information protection.

Territorial Scope

The PIPL has extraterritorial applications too. This term means that the regulations don’t only apply to activities within China; under certain conditions, they apply to handling citizens’ personal information outside of Chinese borders too.

These conditions are as follows:

➡️ Where the purpose is to provide products or services to people inside China.

➡️ Where activities of people inside China are analyzed or assessed.

➡️ Any other circumstances provided for in law or administrative regulations.

So, it seems that even without any presence in China, SaaS businesses that process the personal information of Chinese citizens will be bound by this law.

Effectively, this means that almost every major business in the world will need a PIPL compliance strategy. And if your business deals with the personal information of individuals located within China, you’ll need to ensure you’re consistently meeting the requirements of the PIPL.

What is Defined as ‘Personal Information’ and ‘Sensitive Personal Information’ in the PIPL?

Under China’s PIPL, personal information is defined as any information such as video, voice, or image data relating to an identified or identifiable natural person, notwithstanding whether the information is captured via an electronic form or another type of form. This definition excludes any anonymized information.

Beyond this, the PIPL defines sensitive personal information. This term refers to the personal information of which the leakage or illegal use could easily violate the personal dignity of a natural person or harm personal or property safety.

Examples of this kind of information include biometrics, religious information, medical information, home addresses, financial information, and personal information of those under 14 years of age.

Why is the distinction between these types of personal information relevant?

Well, the liability could be on SaaS businesses to keep sensitive personal information separate from other personal information to help mitigate the risk of full records of personal information being shared when consent hasn’t been given.

Also, sensitive information must only be used when it is relevant for achieving a specific purpose, and it must be protected at all costs by the processor.

Find out how PIPL can affect your business and learn the main steps to develop a PIPL compliance strategy on PayPro Global's blog.