The People’s Republic of China had August 20, 2021 ratified a new data privacy law that will regulate how tech companies operate in the East Asian country.
The law, officially dubbed the Personal Information Protection Law of the People’s Republic of China (PIPL), will be the first national data privacy statute ever passed in the country.
The PIPL, a model of the ‘General Data Protection Regulation’ of the European Union has the capacity to foist protections and restrictions on China’s companies (inside and outside) collection of data and its transfer. The law will be majorly focused on applications that use personal information in targeting customers, offering them varying prices on products and services, thereby preventing the relay of personal info to other countries that have little security protection.
The enacted law, which will take effect on the 1st of November 2021, may be too short a notice as it does not give companies ample time to prepare for its take-off. But companies that have already followed the General Data Protection Regulation (GDPR), especially if they have implemented it extensively will find it seamless adapting and complying with the new China law. Other firms that have not implemented the GDPR will need to tow the same method.
Companies in the United States will also need to take into cognizance the new restrictions, in personal information transfer from China to the U.S.
We’ll take a look into the enacted PIPL law and its implication for tech firms:
- Requirements for New data handling
The new law arguably institutes the most rigorous standards for the protection of data privacy throughout the universe as it has in its fore special requirements that relates to processing personal information by government agencies. The law chiefly relates to all information type, either recorded electronically or by other means, related to identifiable or identifiable natural persons, excluding anonymous information.
Here are some of the major requirements for handling people’s personal information in China that will affect tech businesses:
The Chinese law Extra-territorial application
China’s regulations have in the past been only applicable to activities outside the country but the PIPL is akin to applying the law to personal information handling in the Chinese borders. But similar to the GDPR it models, the PIPL application also expands to personal information handling outside China provided the following information are met:
- Where the purpose is to provide products or services to people inside China.
- Where analysing or assessing activities of people inside China.
- Other circumstances provided in laws or administrative regulations.
For instance, a U.S.-based company selling products to consumers in China may be subjected to the China data privacy law even if they do not have a facility or operations there.
The principles of Data handling
The Personal Information Protection Law in hindsight introduces transparency, purpose and minimization of data. Personal information can be collected by companies for distinguished, clear, reasonable and disclosed purposes, with the data retained only for the period in use. Recipients or handlers of such information will be also be required to ensure accuracy and completeness of the data in his/her care to forestall negative impacts on personal rights and interests of the owners of the information data.
It is hoped that the new law will adequately address privacy concerns of citizens of the East Asian country, while we also look forward to the legislation of data protection laws in other countries. User data must be safe and in trust!