News & Insights

China has implemented further cyber and data security legislation to protect the rights and interests of individuals, regulate personal information processing activities, and facilitate reasonable use of personal information.

The introduced legislation, “China’s Personal Information Protection Law” (PIPL), was introduced on 1 November 2021 and can be seen as somewhat comparative to the European Privacy Laws (GDPR). The obligations imposed by the PIPL are substantial, and if not complied with, businesses may face significant penalties. It is important that businesses operating in China have appropriate policies and procedures in place to comply with the PIPL.

three pillars of legislation

When it comes to cyber and data security, China is now regulated by three pieces of legislation:

1. The Personal Information Protection Law (2021) (PIPL);
2. The Data Security Law (2021); and
3. The Cybersecurity Law (2017).

the personal information protection law (PIPL)

the PIPL has been introduced to:

• define personal information;
• implement nine basic principles for personal information processing;
• set out the rights of personal information subjects;
• provide rules on data localisation and cross-border transfer; and
• set out the personal information processor obligations.

how does the introduction of PIPL affect businesses?

The introduction of PIPL will affect businesses as:

• it gives data subjects more rights over the use of their data;
• there are larger requirements on data sharing and cross-border data transfers;
• there are penalties and fines for breaches;
• businesses will need to implement mandatory cybersecurity controls when storing and processing personal information;
• businesses will have obligatory data localisation requirements if thresholds are met.

If businesses have not already considered how these changes will affect them, we strongly suggest that they put privacy as their key focus and implement appropriate policies and procedures.

For additional information about how this new legislation may affect businesses, please see here the PrivacyRules information brochure.

how macpherson kelley can help

For further information or a review of your compliance with Chinese Privacy laws, please contact one of our experts.

Macpherson Kelley is the only Australian law firm member of PrivacyRules, a global alliance of law firms and tech and cyber experts able to advise on all aspects of privacy issues and risk. For an introduction to our PrivacyRules colleagues in other jurisdictions around the world, please contact Kelly Dickson.

Macpherson Kelly has a China Focus Group which advises and assists Australian individuals or businesses doing business in China as well as Chinese individuals or businesses doing business in Australia. We have a track record of performance partnering with Chinese state owned and private enterprises as well as foreign residents for significant transactions, investment and commercial structuring.

Click here for translated information on our China focus group.

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.