Does the new Chinese PIPL law apply to you?

3 Nov 2021 | News, Security

If you do business in China, you need to know about the “PIPL”.

It’s the Chinese equivalent of the GDPR from the EU – and it makes it your responsibility to protect the data privacy of the Chinese.

The law came into being relatively quickly and has already taken effect as at November 1st 2021. However, at this stage it appears to be mainly a framework and there will be further regulations emerging across specific sectors that relate back to these requirements.

If you are already working in Europe and complying with the GDPR, then you probably just need to apply those regimes to data that relates to Chinese citizens as well. (“all information related to identified or identifiable natural persons”)

We’ve taken the following table from an excellent analysis at the International Association of Privacy Professionals (IAPP):

| Rights under the GDPR | Rights under the PIPL |
|---|---|
| Right to information | |
| Right to access | |
| Right to correction/rectification | |
| Right to erasure | |
| Right to object to and restrict the processing of an individual’s data | |
| Right to data portability | √ (but needs to satisfy conditions stipulated by the Cyberspace Administration of China) |
| Right not to be subject to automated decision-making | |
| Right to withdraw consent | |
| Right to lodge a complaint with the regulator | |

As with other data privacy regimes, it is important to consider the information you hold, and the obligations on it.

Do you know:

  • What data you hold?
  • Why you hold it? (Is there data you hold that is ‘nice to have’ rather than necessary?)
  • Where it is held?
  • Who should have access to it, and who does have access to it?
  • Do the people with access understand their obligations?

These considerations, and others, are part of the data governance considerations of a FlightPlan – contact your account manager for more information.