[co-author: Jingwen Hou]
On 20 August 2021, China’s National People’s Congress passed the Personal Information Protection Law (PIPL). The PIPL has a rapid timeframe for implementation, taking effect on 1 November 2021. The brief transition period will clearly be a challenge for organizations subject to the PIPL – the law represents a seismic shift in data protection regulation in China, and there will be much to do on very short timescales in order to achieve compliance.
Drawing extensively from the European Union's General Data Protection Regulation (GDPR), the PIPL is China’s first comprehensive personal data protection law. The PIPL, together with the Cyber Security Law (CSL) and the Data Security Law (DSL) define China’s approach to regulating its cyberspace and digital economy. The PIPL was first published in draft form on 21 October 2020 (please see our previous briefing here), with a second draft following on 29 April 2021 (please see our previous briefing here). The final version of the PIPL is largely unchanged in terms of overall structure and policy from the second draft.
In this briefing, we recap the key features of the PIPL. The key message is that the law will set a high bar for Chinese data protection, taking revocable consent as its principal basis for processing, introducing extraterritorial effect and restrictions on international data transfers and imposing revenue-based fines as the principal penalty for non-compliance.
Putting the PIPL in context, the law will put China in line with the accountability-driven approach to data pr ..
Support the originator by clicking the read the rest link below.
