China’s Personal Information Protection Law – How does it affect your business?

31 March, 2022

One of the most significant events in the area of data management in China in 2021 was that the Chinese Personal Information Protection Law (PIPL) took effect on November 1. As the first comprehensive privacy law in China, the PIPL will inevitably transform the business landscape in the People’s Republic. This article summarizes the law’s key contents.

Who is bound by the PIPL?

The law applies to any processing of personal information that takes place in the territory of China, regardless of the jurisdiction of the data processor or data subjects. Similar to the European Union’s General Data Protection Regulation (GDPR), the PIPL has extraterritorial effects under one of the following circumstances:

  • if the data processor is providing a product or service to individuals located within China;
  • if the data processor is analyzing or assessing the behaviors of individuals located within China; and/or 
  • in other circumstances as stipulated by laws or administrative regulations.

PIPL establishes legal basis for personal data

The PIPL lays down seven legal bases for processing personal information. Data processing is lawful if:

  • the data subject has given his or her consent, which must be provided separately in certain scenarios;
  • it is necessary for the conclusion or performance of a contract, or necessary for carrying out HR management under an employment policy or collective contracts;
  • it is necessary for performing statutory duties or obligations;
  • it is necessary for responding to a public health emergency, or for protecting the life, health or property safety of a natural person in case of emergencies;
  • it is used for news reporting or public interest purposes; 
  • it takes place in cases which personal information has been disclosed by the individual or otherwise legally disclosed; or
  • it takes place in other circumstance as stipulated by laws or administrative regulations.

Requirements for cross-border transfer of personal information

Under the PIPL, data processors may provide personal information to a recipient outside China for business reasons after satisfying at least one of the following conditions:

  • a security assessment organized by the authority has been passed;
  • a certification of personal information protection has been conducted by a professional institution;
  • a contract has been concluded with the overseas recipient based on the standard contract provided by the national cyberspace authority, specifying the rights and obligations of both parties.

In addition, critical information infrastructure (CII) operators are required to store within China the personal information collected or generated by them in domestic business operations. Non-CII operators are subject to the same data localization requirements if the processed personal information reaches the threshold amount of personal information prescribed by the national cyberspace authority. 

Obligations of data processors

The PIPL imposes a number of obligations on data processors, including:

  • The relevant data processors are required to appoint a data protection officer (DPO) to supervise the data processing and oversee the protection measures if the processed personal information reaches the prescribed threshold. 
  • Foreign companies without a business presence in China will need to set up a special agency or appoint a representative in China to deal with data protection matters, if the data processing outside of China is subject to the PIPL.
  • A personal information protection impact assessment is necessary to process sensitive personal information, to use personal information in automated decision-making, to subcontract the data processing and to transfer personal information out of China, etc. The data processor must also keep a record of such assessments.

High penalties loom

Any person with direct responsibility will be fined up to RMB 1 million and may also be banned from serving as a director, supervisor, senior officer or personal information protection officer at the relevant company for a certain period of time.

Companies should consider the following suggestions as they review their activities for compliance with the PIPL:

  • review the organization’s personal information processing activities to assess the life cycle of personal information;
  • carry out risk assessments for personal information processing activities to identify potential risks, determine risk levels, and prioritize remedial actions;
  • review and evaluate the current data processing activities, and develop a compliance mechanism and rectification plans; and
  • organize the implementation of compliance and rectification plans by reviewing and updating the relevant documentation.
Follow us

Contact us

Thomas Heck

Thomas Heck

Partner, PwC USA Business Group Leader & China Business Group, PwC United States

Tel: +49 175 9365782

Dr. Katja Banik

Dr. Katja Banik

Redaktionsleitung, PwC Germany

Tel: +49 151 14262429