Chinese PIPL: China’s strict privacy and data protection laws

16 December 2022
Kelly Dickson
  • Are you an Australian entity doing business in China?
  • Do you sell products or services to Chinese nationals?
  • Do you have Chinese employees?
  • Do you have access to, or process the personal data of Chinese nationals (regardless of whether your business is located in Australia or China)?
  • Does a Chinese business transfer personal data cross-border to you?

If so, the Chinese Personal Information Protection Law 2021 (PIPL) is relevant.

What is the PIPL?

The PIPL was introduced on 1 November 2021 and contains very strict privacy and data protection obligations. Some consider it, in some respects, comparable to or exceeding the stringent requirements of the EU General Data Protection Regulation (GDPR).

The PIPL is also supported by two other pieces of Chinese legislation (the Data Security Law (DSL) and the Cyber Security Law (CSL)), which together:

  • implement 9 principles for the processing and protection of personal data;
  • give enforceable legal rights to data subjects;
  • prescribe a framework for cross-border transfers of personal data; and
  • mandate requirements for data localisation, the conduct of cybersecurity assessments and cybersecurity controls.

What happens if my business breaches the PIPL?

The Chinese legislative regime is extremely complex. Businesses should seek proper legal and cybersecurity advice, guidance and support for compliance.

Consequences of breach can include:

  • fines of up to RMB 50 million (approx. AUD $10.5M) or revenue confiscation of up to 5%;
  • termination of any licences to operate in China; and
  • personal (individual) liability.

The Cyberspace Administration of China (CAC) has already fined ride-share operator Didi Global Co., Ltd RMB 8 billion (approx. AUD $1.7 billion) for breaches of the PIPL.

What actions should I take?

There are a few options for getting your business across PIPL and related laws. You can:

Macpherson Kelley is the only Australian law firm member of PrivacyRules, a global alliance of law firms and tech and cyber experts able to advise on all aspects of privacy issues and risk. For an introduction to our PrivacyRules colleagues in other jurisdictions around the world, please contact Kelly Dickson.

Macpherson Kelley has a China Focus Group which advises and assists Australian individuals or businesses doing business in China, as well as Chinese individuals or businesses doing business in Australia. We have a track record of partnering with Chinese state-owned and private enterprises, as well as foreign residents, on significant transactions, investment and commercial structuring.

You can find translated information on our China focus group here.
