
Illustration by Security Management

China's New Data Privacy Law Goes Into Effect

China’s new data privacy law went into effect this week, and it is already sending shockwaves through the global economy as international firms reassess how they will continue to do business in the country.

The Personal Information Protection Law (PIPL) went into effect on Monday, 1 November, just two months after lawmakers approved it, making China one of the world’s largest economies to adopt an omnibus privacy law. There is still some confusion surrounding the law, however, because regulators have been delayed in issuing implementation regulations.

The measure has been compared to the European Union’s General Data Protection Regulation (GDPR), with requirements for companies doing business in China to obtain user consent for data gathering and exercise data minimization, according to analysis by the International Association of Privacy Professionals (IAPP). 

With the enactment of the PIPL, companies are now required to obtain “informed and separate consents from the data subjects” for collecting, processing, and cross-border transferring their personal data, a lawflash from Morgan Lewis reports. Companies classified as critical information infrastructure operators—or that process personal data above a certain threshold—are also required to store personal data on servers in China. 

“The law grants statutory rights to data subjects, such as the right to withdraw and modify consents, the right of data portability, and the right to refuse automated decision-making,” the lawflash explains. “The PIPL also imposes a number of new administrative requirements on the data controllers, including, among others, designating a data protection officer, signing data processing agreements with data processors, preparing data breach notices, conducting a personal information impact assessment, or in some cases obtaining regulatory approval for certain data processing transfer activities.”

Additionally, the PIPL limits the use of facial recognition technology as a means of protecting personal biometric information. Under the new law, facial biometrics should only be “used for specific purposes and only when sufficiently necessary,” and a risk assessment should be done in advance to make that determination, according to Yue Zhongming, spokesman for the Legislative Affairs Commission of China’s legislature.

The decision to regulate the use of facial recognition technology in China comes after its rapid deployment in the country, according to IAPP.

“The proliferation of the surveillance technology has prompted a number of legal cases in China, including among building residents and visitors who had to verify their identity via facial recognition,” the IAPP notes. “Last month, the PRC’s highest court ruled that building managers should offer alternatives to tenants who do not want to submit their biometric information for facial recognition.”

The PIPL also has implications for human resources teams because employee data and HR management records are now considered protected personal information in China, according to analysis by the Society for Human Resource Management (SHRM).

“This means personal information related to employment and HR, including compensation and performance review information, cannot be sent out of China unless it is anonymized or informed consent has been given by the employee,” SHRM reports. “This has implications for companies that might have a parent company and HR department based outside of China.”

Violations of the law could result in penalties of up to $7.7 million (50 million yuan) or up to 5 percent of the previous year’s business revenue, whichever is higher. Companies also risk having their business license revoked for violations, and executives—including directors, supervisors, senior managers, or data protection officers—could be prohibited from serving in their roles.

The PIPL does not prevent the People’s Republic of China’s central government from accessing user data and is “closely linked” to China’s national security interests, building upon previous laws such as the Cybersecurity Law and the Data Security Law, WIRED reports.

“Overseas companies that don’t fall into line with PIPL or harm the national security of China may be placed on a blacklist, which could effectively ban them from processing Chinese personal data—opening the door to international tit-for-tat retaliation against businesses,” according to WIRED. “On the day the law was introduced, Yahoo shut down the few remaining services it was operating in China, citing an ‘increasingly challenging business and legal environment.’ LinkedIn pointed to the same concerns when it withdrew from China in October.”