What We Know So Far About China’s PIP Law
On October 21, 2020, China released the first draft of its new Personal Information Protection (PIP) law. The goal of this law is to protect the personal information of Chinese citizens, as well as control those who have access to that information.
The first incarnation of the law was open to public comment through November 19, 2020. More recently, on April 29, 2021, the country released its second draft of the law, also open to public comment.
What are the major differences between the first and second drafts of the PIP law? What does this new law mean for companies that operate in China but may be based outside the country?
Breaking down the basics of the PIP law
In the draft of China’s PIP law, personal information is defined as “any information relating to identified natural persons recorded by electronic or other means, excluding anonymized information.” This is similar to the definition the European Union uses in its General Data Protection Regulation, which went into full effect in 2018. The only major difference is the inclusion of the addendum referring to anonymized information that can’t be used to identify a specific person.
In addition to protecting personal information, the PIP law eases the restrictions previously placed on cross-border transfers of this same data. There are some caveats: for example, the company must pass a security assessment and meet any other requirements set forth by the Cyberspace Administration of China (CAC). Even so, transferring data is significantly easier than it used to be.
There are many things in the first draft of this law that still need some work. It’s lacking information on overseas adequacy determinations for data transmission, as well as data localization requirements, among other things.
Differences between the two PIP law drafts
On April 29, 2021, China released the second draft of the PIP law, which contained numerous changes and amendments. Draft two added, among other things, a new legal basis for processing personal data, and reworked the rules regarding how that information can be used. It also made it easier for individuals to withdraw their consent and adjusted the wording surrounding the practice of automated decision-making.
There are also amendments that help clarify the responsibilities of those entrusted to process this data, as well as how the personal information of deceased users is handled and protected. This isn’t a comprehensive list of the changes made to the second draft — you can find a full English translation of the draft online for study.
What does China’s PIP law mean for international businesses?
While we haven’t yet seen the final version of the PIP law and likely won’t for some time, one thing we know for sure is that it will absolutely affect international companies, even those that might not have a legal presence in the People’s Republic of China. This law will apply to anyone who collects personal information from Chinese citizens, meaning it will likely affect companies around the world in a very similar fashion to the GDPR when it went into effect in 2018.
It is not likely to affect companies directly, in the way that measures like Proposition 22 in California have affected gig workers. Rather, any companies that operate internationally or work with information from Chinese citizens will need to make any necessary adjustments once the law goes into effect.
We saw something similar during the lead-up to the GDPR, with companies sending out mass emails asking their subscribers to confirm once again that they wanted to be contacted, or giving them the opportunity to opt out if they didn’t, all to ensure the company was in compliance with the EU’s law.