The comprehensive Personal Information Protection Law (PIPL), which takes effect on November 1, 2021, includes many new provisions on the handling of personal information (PI) and gives formal legal effect to various existing draft regulations and guidelines. While the PIPL has some similarities to the European Union’s General Data Protection Regulation (GDPR), it is an integral part of China’s active legislative agenda on data security, which includes the Cybersecurity Law (CSL), effective June 2017, and the Data Security Law, effective September 1, 2021, focusing on data security relating to national security and the public interest.
The PIPL’s provisions are complex and wide-ranging. In general, key points include:
Though the provisions of the PIPL have some similarities to those of the GDPR (which has become the de facto model for data privacy regimes around the world, due in large part to the size of the EU market and the GDPR’s global reach), differences with the GDPR are substantive; any company doing business in China should conduct close legal and procedural analyses of the PIPL. Employers — in and outside of China — that handle PI of persons covered by the new data privacy regime should work with their legal counsel to ensure understanding of and compliance with the new rules.