The Chinese Personal Information Protection Law (PIPL)

On Aug 20, 2021 China's Standing Committee of the National People’s Congress voted to pass a new personal information protection law, which will take effect on November 1st, 2021.
This new data protection law is called the Personal Information Protection Law, or PIPL for short, and is meant to protect the data of Chinese citizens.

According to Xinhua News Agency, this law requires app creators to provide users with options on how to use or not use their information, such as not targeting for marketing purposes or the ability to market based on personal characteristics.

It also requires data processors to obtain personal consent in order to process sensitive types of data, such as biometrics, medical and health data, financial information, and location data.

PIPL Overview

PIPL aims to improve the current legal framework on Chinese data privacy and promises to clarify rules and restrictions on cross-border transfers of personal information. It will also better define the rights of the individuals whose data is being collected and the obligations of the data

processors, and clarify the legal bases for image collection and identification in public places.

According to Latham & Watkins LLP, who have translated and examined the PIPL in more detail, the individuals’ rights in regards to their personal data being processed (Articles 44 to 48 of PIPL) include the following:

• Know and decide on the processing of their personal information
• Restrict or refuse the processing of their personal information
• Access and copy their personal information from personal information processors
• Obtain and reuse their personal information for their own purposes across services (i.e., data portability)
• Correct and delete personal information.

International companies and organizations doing business in China that involves the processing of personal data of citizens must deal with the extraterritorial jurisdiction of the law, which means that foreign companies will face regulatory requirements, such as the need to appoint local representatives and report to Chinese regulators.

As shown in this table (Source), the core elements of China’s new data protection system seem to reflect the ones in the GDPR, which provide citizens with a set of personal data rights, including setting similarly high standards for the consent to the processing of “special categories of data” referred to in the EU law. 

But some may argue that the background of China's PIPL is more than meets the eye, taking into consideration how the Chinese communist government continuously runs data collection procedures to monitor and supervise the behavior of its citizens.

PIPL Conjecture

Any restrictions that PIPL may impose on the Chinese government's ability to collect citizen data may simply become a foil for the Chinese Communist Party (CCP) to continue to collect data. How the CCP uses the new data protection rules to further regulate, or even suppress, the power of its national IT sector remains to be seen.

“Government control and access in China were major concerns before PIPL. Those concerns may become more significant with this new legal framework put in place.” said Gary Kibel, a partner at Davis & Gilbert LLP.

TechCrunch states that PIPL provides the Chinese regime with more attack surfaces to restrict local technology companies and that it will not waste any time attacking the common data-mining practices of both international and national technology giants.

Reuters pointed out that the Chinese Congress officially marked the passage of this law by publishing a column in the official media outlet "People's Court Daily".  Quoting the article, it wrote: "Personalization is the result of a user’s choice, and true personalized recommendations must ensure the user’s freedom to choose, without compulsion. Therefore, users must be given the right to not make use of personalized recommendation functions.”

“If previous data regulations weren’t already a wake-up call for ad tech companies to transition toward first-party data, the new PIPL law surely will be once the law goes into effect,” said Charles Farina, head of innovation at Adswerve. “China’s decision to pass its new ruling is a direct result of consumers becoming frustrated with the mass collection of their data.”