Personal Information Protection Law

01

Get a free downloadable materials when you sign up on our newsletter!
• PIPL briefer
• PIPL checklist
• Data comparison : GDPR vs PIPL
• And more

Background

What does PIPL cover? When was it in effect?

The Personal Information Protection Law (PIPL) aims to “protect personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information.” (Art. 1)

The PIPL was passed on August 20, 2021 and came into effect last November 1, 2021.

Parties

Who are the stakeholders in PIPL?

Cyberspace Administration of China (CAC): central internet regulator, censor, oversight, and control agency for the People’s Republic of China

Individual departments at the local level: afforded enforcement powers for PIPL such as local provincial/government units

Personal Information (PI) handlers: an organization or individual that determines autonomously the purposes and methods of personal information handling activities

Entrusted persons: An entrusted person is when a PI processor/Handler (company) employs a 3rd party company to process personal information on their behalf. This is typically conducted with a vendor contract.

Data Subject: A data subject is an identifiable natural person within China.

Trustee: A trustee is a person(s) that process or handle personal information. These are directly accountable under PIPL.

Coverage

GDPR vs PIPL?

GDPR and PIPL are very similar with exception to the following:

 • GDPR and PIPL both have extraterritorial effect. However, China has not identified Third Countries nor Adequacy Countries. Rules are based on volumes and sensitivity of individuals identified, i.e. those identified as critical information infrastructure operators are expressly forbidden to be transferred outside of PRC. (Refer to Chapter 3 of PIPL, Article 40).

GDPR

 • GDPR identifies a Data Controller (Company) whereas PIPL refer to them as Personal Information Processors (Company).
 • GDPR identifies a Personal Information Processors (individuals handling data) whereas PIPL refers to them as trustees. (Article 21)

 • GDPR data subject rights stop when a person becomes deceased. PIPL extends data subject rights to their next of kin.

PIPL

 • PIPL also does not provide legitimate interests as a lawful basis for processing. However, it does state in Article 13 when data can be processed:

• Necessary to enter into or perform a contract to which the individual is a party, or where necessary to conduct human resources management according to lawfully formulated internal labor policies and lawfully concluded collective labor contracts;

• Necessary to perform legal responsibilities or obligations;

• Necessary to respond to a public health emergency, or in an emergency to protect the safety of individuals’ health and property;

• To a reasonable extent, for purposes of carrying out news reporting and media monitoring for public interests;

• Processing of personal information that is already disclosed by individuals or otherwise lawfully disclosed, within a reasonable scope in accordance with the PIPL; and

• Other circumstances as required by laws.

Up to $1M

Penalties

Non-compliance to PIPL shall result in an imposition of a fine of ¥100,000 up to ¥50 million or 5% of annual revenue, with select cases leading to a criminal charge. (Article 66)

Administrative penalties typically begin with a warning leading to rectification until severe incompliance results in the suspension of business, revocation of permits or licenses and/or re-organization.

Be #QTSupervised

How to align company to PIPL?

Company Policies

Companies may use different names but ideally:

 • Information Security Policy
 • Personal Information Protection
 • Impact Assessment Policy
 • Personal Data Protection Policy
 • Data Classification Policy Data Retention and Disposal Policy
 • Data Breach Procedure
 • Training
    • Regular compliance audits by processor
    • DPIA Assessments (Article 55)
    • Regular and routine data risk assessments IAW governing bodies & CAC
    • Cybersecurity training

Data Processing Protocols

 • Is data processed outside of China? (Article 2 DSL)
   • For personal data, obtain explicit consent (Article 39 PIPL):

• Data localization requirement if Critical Information Infrastructure Operators (CIIOs) or processing an amount of data deemed to have passed the threshold (Article 30 PIPL) + Appointment of local Data Privacy Officer (Article 52)
• If lower than adopted threshold, then appoint a representative. Similar to GDPR.

Multi-Level Protection Scheme

 • Conduct security assessment (Article 21 CSL, Article 27 DSL)
 • Effective December 2019

• GB/T 22239-2019 Basic Requirements for the Multi-Level Protection of Information Security Technology
• GB/T 25070-2019 Information Security Technology Cybersecurity Multi-Level Protection Security Design Technical Requirements
• GB/T 25070-2019 Information Security Technology Cybersecurity Multi-Level Protection Security Design Technical Requirements

• Effective March 2020

• GB/T 25070-2019 Information Security Technology Cybersecurity Multi-Level Protection Security Design Technical Requirements

Clarify Business Data

 • Core Data:

• Data Localization: CAC assessments required

 • Important Data:

• Data Localization: Ministry of Industry and Information Technology will comment around November 28th

 • Ordinary Data:

• Ministry of Industry and Information Technology will comment around November 28th

Audit

 • Conduct vulnerability assessments
   • Aged operating systems
   • System Patching
   • Firmware Patching
 • Conduct penetration tests
   • Regular/routine penetration tests
 • Conduct assessment management audits
   • Licensing
   • Identify data touch points

Proposal

Is there an IT partner with PIPL solutions?

QTS Global is an American IT company based in Asia Pacific for over a decade with a mission to vanquish needless IT suffering wherever our clients operate in APAC, UAE, and Germany.

We embrace a seamless, drama-free approach to IT problem-solving.

We work within the nuances of different cultures, companies and people, not around them.

We help centralize your IT in APAC while ensuring control remains at your Global headquarters.

As such, we can help end your DSL woes and more:

  • CSL/DSL/PIPL audit
  • Translations of DSL, Data Guidance, DSL checklist
  • Support options via phone, email and on-site visits
  • SLA escalation process
  • Breadth of hardware and software knowledge
  • Initial pay by incident or work hours cost model
  • Flexible to adapt to client growth and expansion within region

Let’s Connect!

Patricia Erica Acuña
patricia.acuna@qtsglobal.com

The ability to operate at the level of multinational corporations calls for partners that operate with the same set of core principles to have a smooth and harmonious relationship.

Efficient, interoperable, cost-effective with integrity, QTS Global has been a committed partner.

Want more information?
Contact us.

Want more information?
Contact us.

Subscribe to get 15% discount