September 15, 2021
China Approves its
Personal Information Protection Law (PIPL)
China has approved the final Personal Information Protection Law (PIPL), and it will come into effect very soon, on November 1, 2021.
Based in part on the GDPR (and both the EU’s and companies’ experiences with it), and building on top of China’s Cyber Security and Data Security laws, the PIPL is a major step forward for personal information privacy in China.
In many ways, the PIPL is the strictest privacy law in the world, as it is very consent-heavy, including separate, specific consent for many processing activities such as sensitive data and moving data off-shore. Consent is also entirely revocable, in addition to the GDPR-style rights of correction, erasure, and view (or portability).
The PIPL also has very broad and open-ended definitions of Sensitive data, including ALL data about children under age 14, which also request parental approval for processing. This will have clear impacts on any systems targeted at, or managing data for, children.
Further, automated processing using personal data comes under the PIPL, including the ability to opt-out of it. In addition, public facial recognition is limited to public safety unless consent is obtained, which should be much limit its use in public spaces.
The PIPL goes into effect in a few weeks, though none of the underlying rules and guidelines have been published. As a result, many law firms have been publishing initial notices and guidelines as the industry gears up for major consulting, implementation, and governance efforts, similar to what was seen in Europe with the GDPR implementation.