Privacy Law in China

China has established a comprehensive legal framework for data protection through the Personal Information Protection Law (PIPL), which came into effect on November 1, 2021. This law is complemented by the Data Security Law (DSL), effective since September 1, 2021, and the Cybersecurity Law (CSL), effective since June 1, 2017. Together, these laws regulate the collection, processing, and transfer of personal and sensitive data, aligning with international standards like the EU's General Data Protection Regulation (GDPR).

📜 Key Provisions of the Personal Information Protection Law (PIPL)

1. Definition of Personal Information

Personal information is defined as any information related to an identified or identifiable natural person, recorded electronically or by other means, excluding anonymized information.

2. Sensitive Personal InformationSensitive personal information includes data such as biometric characteristics, religious beliefs, medical health, financial accounts, individual location tracking, and personal information of minors under the age of 14 Processing of sensitive personal information requires explicit consent and must adhere to stricter protective measures  of the following conditions applies

-The individual's consent has been obtained The processing is necessary for the performance of a contract to which the individual is a party The processing is necessary for compliance with legal obligations The processing is necessary to protect the life, health, or property of individuals in emergencies The processing is for reasonable news reporting in the public interest The personal information is publicly available and processing is reasonableOther circumstances as provided by law

4. Data Subject Rights

Individuals have the right to:

- Access and copy their personal information
- Request correction or deletion of inaccurate or incomplete data
- Withdraw consent at any time
- Restrict or object to automated decision-making processes
- Data portability, subject to conditions set by the Cyberspace Administration of China

5. Data Protection Officer (DPO)

Organizations processing large volumes of personal information are required to appoint a Data Protection Officer responsible for overseeing data protection strategies and ensuring compliance with the law.

6. Cross-Border Data Transfers

The PIPL imposes stringent requirements on the transfer of personal information outside of China. Organizations must conduct a security assessment and obtain certification from relevant authorities before transferring data abroad.

7. Penalties for Non-Compliance

Violations of the PIPL can result in:

- Fines up to ¥50 million or 5% of the previous year's revenue
- Revocation of business licenses
- Fines up to ¥1 million for individuals directly responsible for the violation
- Criminal liability for severe violations

⚖️ Data Security Law (DSL) and Cybersecurity Law (CSL)

Data Security Law (DSL): Focuses on the classification and protection of data, emphasizing the importance of data security and the responsibilities of data processors.

Cybersecurity Law (CSL): Establishes requirements for network operators to protect network infrastructure, data, and users' information, and mandates the localization of certain data within China.

The Cyberspace Administration of China (CAC) is the primary authority responsible for enforcing data protection laws, conducting audits, and imposing penalties for non-compliance.

✅ Summary

China's data protection framework, comprising the PIPL, DSL, and CSL, establishes a robust legal environment for the protection of personal information. Organizations operating in China or handling data of Chinese residents must ensure compliance with these laws to avoid significant penalties and reputational damage.
