Date: 2021-09-10



China enacted a sweeping new data privacy law on August 20 that will have a huge impact on how tech companies can operate in the country. Officially known as the Personal Information Protection Law of the People’s Republic of China (PIPL), the law is the first national data privacy law adopted in China.

Inspired by the European Union’s General Data Protection Regulation, the PIPL imposes protections and restrictions on the collection and transfer of data that companies inside and outside of China will have to adhere to. It particularly focuses on applications that use personal information to target consumers or offer them different prices on products and services, and it prevents the transfer of personal information to other countries with fewer security protections.

The PIPL, which is due to come into effect on November 1, 2021, does not leave companies much time to prepare. Those that already follow GDPR practices, especially if they have implemented them globally, will find it easier to comply with China’s new requirements. But businesses that haven’t implemented GDPR practices will need to consider taking a similar approach. Additionally, US businesses will need to consider new restrictions on the transfer of personal information from China to the United States.

Implementing and complying with the PIPL is a much bigger task for companies that have not implemented the principles of the GDPR.

Here’s a deep dive into PIPL and what it means for tech companies:

New data processing requirements

The PIPL introduces perhaps the world’s most stringent set of data privacy requirements and protections (this includes special requirements for the handling of personal information by government agencies, which will not be discussed here). The law generally concerns all kinds of information, recorded by electronic or other means, concerning identified or identifiable natural persons, but excludes anonymized information.

Here are some of the key new requirements for handling personal information of people in China that will affect technology companies:

Extraterritorial application of Chinese law

Historically, Chinese regulations have only been applied to activities within the country. The PIPL likewise applies to personal information processing activities within Chinese borders. However, like the GDPR, it also extends its application to the processing of personal information outside of China if any of the following conditions is met:

When the purpose is to provide goods or services to people within China.

When analyzing or evaluating the activities of people inside China.

Other circumstances provided for by laws or administrative regulations.

For example, if you are a US-based business selling products to consumers in China, you may be subject to China’s data privacy law even though you do not have a facility or operation there.

Principles of data processing

The PIPL introduces principles of transparency, purpose and data minimization: companies can only collect personal information for a clear, reasonable and disclosed purpose, only to the smallest extent possible to achieve that purpose, and can retain data only for the period necessary to achieve it. Any information manager is also required to ensure the accuracy and completeness of the data it processes in order to avoid any negative impact on personal rights and interests.

