PIPL China: Is Your Business Ready?

On August 20, 2021, China passed its Personal Information Protection Law (PIPL), the country's first comprehensive law dedicated to the protection of personal information. The law creates a new landscape for the security and handling of personal data.

This personal information protection law will have far-reaching effects on business operations in China, much as the European Union's General Data Protection Regulation (GDPR) has had worldwide.

China’s PIPL provides a new set of rules on how businesses can use Chinese citizens’ data, and tech companies, in particular, will be affected; not just in China, but around the world. 

The PIPL took effect on November 1, 2021. From that date, organizations handling the personal information of individuals located in China must meet the conditions it lays out. If your SaaS business is already GDPR compliant, much of the groundwork carries over, but the PIPL is not a copy of the GDPR: its rules on cross-border transfers in particular go further, so a gap analysis against the PIPL's own requirements is still needed.

If you have not implemented GDPR practices, expect to spend more time preparing. Either way, the law adds another layer of data security compliance for companies doing business in China.


What Is China’s PIPL?

China’s PIPL is a data privacy law that imposes new requirements on how personal information is collected, used, stored and transferred. It is among the most stringent data protection laws currently in force anywhere.

The law puts in place protections and restrictions on data collection and transfer. In particular, it targets apps and services that use personal information to profile consumers and serve them personalized advertising, and it gives individuals the right to opt out of such automated decision-making.

The PIPL also restricts cross-border transfers: personal information may only be sent to other countries under conditions set out in the law, the aim being to stop data flowing to jurisdictions with weaker protection or security standards.

Background to the PIPL

The PIPL is the third pillar of China’s framework for regulating data and cyberspace. The Cybersecurity Law took effect in 2017, the Data Security Law was passed in June 2021, and the PIPL now completes the framework with a specific focus on personal information protection.

Territorial Scope

The PIPL also has extraterritorial application. The rules do not only cover handling activities inside China; they also apply to the handling, outside China, of the personal information of people located within China, in any of the following circumstances:

  • Where the purpose is to provide products or services to people inside China.
  • Where the activities of people inside China are analyzed or assessed.
  • Any other circumstances provided for by laws or administrative regulations.

So even a SaaS business with no presence in China is bound by the law if it processes the personal information of people located in China, for example by selling to them or profiling their behaviour.

In practice, this means that any business dealing with the personal information of individuals located in China needs a PIPL compliance strategy, and must be able to show that it is meeting the PIPL's requirements on an ongoing basis.

What Is Defined as ‘Personal Information’ and ‘Sensitive Personal Information’ in the PIPL?

Under China’s PIPL, personal information is any information relating to an identified or identifiable natural person, whether recorded electronically or by other means (video, voice and image data included). Anonymized information, which can no longer be used to identify a specific person and cannot be restored, is excluded from the definition.

Beyond this, the PIPL defines sensitive personal information: personal information that, if leaked or used illegally, could easily lead to infringement of a person’s dignity or harm to their personal or property safety. Sensitive personal information may only be handled for a specific purpose and with sufficient necessity, and requires the individual's separate consent.

Examples include biometrics, religious beliefs, specific identity, medical and health data, financial accounts, location tracking, and the personal information of minors under 14 years of age.

China’s PIPL: 7 Processor Obligations

The PIPL places responsibilities and obligations on the personal information “processor”. Note that this is the common translation of the law’s term “personal information handler”, the organization that determines the purposes and means of handling, so it maps more closely to a GDPR controller than to a GDPR processor. The handler is required to:

  • Formulate internal management systems and operating procedures.
  • Implement classified (tiered) management of personal information.
  • Adopt technical security measures such as encryption and de-identification.
  • Set reasonable access permissions for personal information, and provide regular security education and training for operational staff.
  • Formulate and implement response plans for security incidents involving personal information.
  • Carry out regular compliance audits of personal information handling.
  • Adopt any other security measures laid out in laws and regulations.

The PIPL’s sweeping scope and short implementation timeline have taken many SaaS businesses by surprise. With careful consideration of the regulations and how they apply, however, it is possible to put a comprehensive PIPL compliance plan in place. Read PayPro Global's blog to learn how to become PIPL compliant.
