China continues to improve data protection with the Personal Information Protection Law (PIPL). The law, along with the Cyber Security Law and the Data Security Law (still in draft form), will further strengthen personal data protection and have a profound impact on companies inside and outside China.
Foreign companies need to pay particular attention to the extraterritorial impact of this law and the regulations on cross-border transfer of personal data. Just like the establishment criterion and the destination criterion of the European General Data Protection Regulation (GDPR), the draft PIPL applies not only to the handling of personal data within China, but also to activities outside the country when a company processes personal data for the purpose of providing products or services to individuals in China or analyzing and evaluating the activities of individuals in China.
In addition, the draft PIPL contains specific requirements for cross-border information transfers. Network operators (Critical Information Infrastructure Operators, CIIOs) and processors of personal data must conduct a security assessment organized by the State Network Information Department. In other cases, cross-border transfers of personal data are subject to certification by professional organizations, or processors must enter into a contract with the recipient abroad.
The ongoing enactment of new laws demonstrates China’s determination to strengthen personal data protection, but this poses additional challenges for companies. They will be forced to constantly monitor Chinese legislation and adapt their compliance strategies.