A significant recent privacy law development is China’s enactment of a comprehensive privacy law (Personal Information Protection Law), effective November 1, 2021. Similar to other privacy laws, (e.g., the PIPL sets forth rules for the collection, use and storage of personal data), there are some differences that set the PIPL apart from laws like the GDPR and CCPA. The PIPL applies not just to companies located within China, but may also reach companies located outside China under certain circumstances (like the GDPR). There are limitations on transfers of personal data outside of China (e.g., to the U.S.), and such transfers may have to be submitted first to the Cyberspace Administration of China, the nation’s cyber and data protection regulator, for approval.
If a processing entity violates the requirements under the PIPL, the regulators may take various actions, include issuing warnings, ordering corrective actions, confiscating illegal income, suspending services or issuing a fine. The fine can be up to 50 million RMB or 5% of an organization’s annual revenue for the prior financial year. It is unclear whether the annual revenue refers to the worldwide turnover or only to revenue generated in China. Violations may also be recorded in credit files of the violator under China’s national social credit system. Additionally, entities processing personal information will be liable for tort damages in cases of infringement of individuals’ rights, and if the infringement involves the rights and interests of a large number of individuals, the People’s Procuratorate and other designated organizations may file public interest lawsuits.
Companies with establishments in, or who otherwise do business in China, need to focus on compliance with the PIPL.