Passed in August, the Personal Information Protection Law takes effect on November 1, spelling out rules around data collection, use, and storage, as well as what international companies must do when they transfer data out of the country.
China’s Personal Information Protection Law (PIPL) is now in force, laying out ground rules around how data is collected, used, and stored. It also outlines data processing requirements for companies based outside of China, including passing a security assessment conducted by state authorities. Multinational corporations (MNCs) that move personal information out of the country also will have to obtain certification on data protection from professional institutions, according to the PIPL. The legislation was passed in August, after it went through a couple of revisions since it was first pitched in October last year. Effective from November 1, the new law was necessary to address the “chaos” data had created, with online platforms over-collecting personal data, the Chinese government then said. Personal information is defined as all types of data recorded either electronically or other forms, which relates to identified or identifiable persons. It does not include anonymised data. The PIPL also applies to foreign organisations that process personal data overseas for the purpose of, amongst others, providing products and services to Chinese consumers as well as analysing the behaviours of Chinese consumers. They also will have to establish designated agencies or appoint representatives based in China to assume responsibility for matters related to the protection of personal data. The new legislation encompasses a chapter that applies specifically to cross-border data transfers, stating that companies that need to move personal information out of China must first conduct “personal information protection impact assessments”, according to Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD). They also will need to obtain separate consent from individuals pertaining to the transfer of their personal information and meet one of several requirements.
