CYBER & INFOSEC


PIPL: How Does It Affect Your Data?




On August 20, 2021, the Standing Committee of China’s National People’s Congress enacted a new law, the Personal Information Protection Law (PIPL); it takes effect on November 1, 2021.


The new law is one of many data protection laws that countries are enacting and enforcing as digital technology comes to dominate daily life. Governments are intervening with specific measures to protect their citizens’ personal data.


The PIPL has both similarities to and differences from the EU data privacy law known as the General Data Protection Regulation (GDPR). Like the GDPR, the PIPL includes provisions requiring companies to practise data minimization and to obtain consent from the individuals whose data they process.


Because of the similarities, companies that are already GDPR compliant have a head start on PIPL compliance. GDPR compliance alone is not sufficient, however: it’s crucial that companies take time to review the PIPL’s own requirements and implement new plans and procedures wherever the two laws diverge.


How Will the PIPL Impact Your Organization?


Companies that operate on a global scale need to comply with these laws to protect their assets and to avoid potential fines, or even being placed on a government blacklist that bars them from receiving personal information from China.


Here are some ways the PIPL may affect your organization and how you use your data.


● Data subjects can exercise more control over their data. Individuals can request that their data be corrected, deleted or restricted in use, and can withdraw consent they have previously given.

● More stringent requirements on data transfer and sharing. Your organization, and any third party that processes data on its behalf, may need to carry out impact assessments before transferring or sharing personal information.

● PIPL sets penalties for violations, including data breaches. Serious violations can draw fines of up to 50 million RMB or 5% of the previous year’s revenue, confiscation of unlawful gains, and suspension or cessation of business.

● Security controls are mandatory when storing and processing PII (personally identifiable information), and staff who handle PII must be trained.

● Mandatory data localization for critical information infrastructure operators, and for any controller whose volume of personal information exceeds the threshold set by the Cyberspace Administration of China (CAC).


The PIPL has four main objectives:


  1. Protect rights and interests of individuals

  2. Regulate the processing of personal information

  3. Protect the lawful and orderly flow of information

  4. Promote reasonable use of personal information


China prioritizes national security and the protection of individuals in the PIPL. Organizations that operate in China, or that process the personal information of people in China from abroad, need to be aware of the conditions they must meet to remain compliant with the PIPL.


How Does the PIPL Compare to the GDPR?


Below we’ll explore some of the main differences between the PIPL and GDPR that organizations should consider when formulating their compliance strategies.


Data Localization


The law requires critical information infrastructure operators (CIIOs), and controllers that process personal information above a volume prescribed by the CAC, to store within China the personal information they collect and generate there. Any cross-border transfer by such an entity must first pass a security assessment organized by the CAC.


The PIPL also recognizes other legitimate routes for cross-border data transfers, such as obtaining certification from a recognized professional body, or entering into a standard contract (on terms issued by the CAC) with the overseas data recipient. In every case, the data controller must obtain the separate consent of the data subjects and perform a data protection impact assessment (DPIA) before the transfer takes place.


Consent of Data Subjects


The PIPL doesn’t define the “separate consent” (sometimes rendered “standalone consent”) it calls for, but it does require controllers to obtain it under specific circumstances. For instance, before an organization transfers personal data to another controller or overseas, or processes sensitive personal data, the affected individuals must give separate consent, distinct from any general consent already collected.

Rights of Data Subjects

The rights of data subjects are very similar to those under the GDPR: access, correction, deletion, restriction and withdrawal of consent. One difference is that the PIPL grants a right to request deletion on its own enumerated grounds (for example, once the processing purpose has been achieved or consent is withdrawn), but it does not frame this as the broader “right to be forgotten” that the GDPR provides.


DPIA


The PIPL requires data controllers to complete a DPIA in advance, and to retain the assessment record for at least three years, under these conditions:

● Cross-border data transfers

● Entrusting a third party with data processing

● Providing personal data to other controllers, or making personal data publicly available

● Processing sensitive personal data

● Using personal data for automated decision-making

● Any other processing that has a significant impact on individuals’ rights and interests


Data Breach Notification


The GDPR sets a deadline for controllers to notify the supervisory authority of a data breach: within 72 hours of becoming aware of it. The PIPL sets no fixed deadline, but it requires the controller to take remedial measures immediately and to notify both the regulator and the affected individuals. Organizations should not read the absence of a number as leeway; they need a breach response plan that can produce notifications on at least the GDPR’s 72-hour timescale.


It’s crucial to keep these guidelines in mind, especially if your organization collects and processes data in China.


Remain PIPL Compliant


Because the PIPL was only recently passed, there’s still some uncertainty over how organizations operating in China can remain compliant, and the CAC has yet to publish several of the implementing rules (such as the data-volume thresholds and the standard contract) that the law refers to. As more guidance is released, organizations need to stay updated so they can make appropriate decisions on how to follow these requirements and avoid facing penalties or fines.