book a virtual meeting Search Search
brisbane

one eagle – waterfront brisbane
level 30, 1 eagle street
brisbane qld 4000
+61 7 3235 0400

dandenong

40-42 scott st,
dandenong vic 3175
+61 3 9794 2600

melbourne

level 7, 600 bourke st,
melbourne vic 3000
+61 3 8615 9900

sydney

grosvenor place
level 11, 225 george st,
sydney nsw 2000
+61 2 8298 9533

hello. we’re glad you’re
getting in touch.

Fill in form below, or simply call us on 1800 888 966

Chinese PIPL: China’s strict privacy and data protection laws

16 December 2022
Kelly Dickson
Read Time 3 mins reading time
  • Are you an Australian entity doing business in China?
  • Do you sell products or services to Chinese nationals?
  • Do you have Chinese employees?
  • Do you have access to, or process the personal data of Chinese nationals (regardless of whether your business is located in Australia or China)?
  • Does a Chinese business transfer personal data cross-border to you?

If so, the Chinese Personal Information Protection Law 2021 (PIPL) is relevant.

What is the PIPL?

The PIPL was introduced on 1 November 2021 and contains very strict privacy and data protection obligations. Some consider it in some aspects comparative to or exceeding the known stringent requirements of the EU General Data Protection Regulation (GDPR).

The PIPL is also supported by two other pieces of Chinese legislation (the Data Security Law (DSL) and the Cyber Security Law (CSL)), which together:

  • implement 9 principles for the processing and protection of personal data;
  • give enforceable legal rights to data subjects;
  • Prescribe a framework for cross-border transfers of personal data; and
  • mandate requirements for data localisation, the conduct of cybersecurity assessments and cybersecurity controls.

What happens if my business breaches the PIPL?

The Chinese legislative regime is extremely complex. Businesses should seek proper legal and cybersecurity advice, guidance and support for compliance.

Consequences of breach can include:

  • fines of up to RMB 50 million (approx. AUD $10.5M) or revenue confiscation of up to 5%;
  • termination of any licences to operate in China; and
  • personal (individual) liability.

The Cyberspace Administration of China (CAC) has already fined ride-share operator, Didi Global Co., Ltd, RMB 8 billion (approx. AUD $1.7 billion) for breaches of the PIPL.

What actions should I take?

There are a few options for getting your business across PIPL and related laws. You can:

Macpherson Kelley is the only Australian law firm member of PrivacyRules, a global alliance of law firms and tech and cyber experts able to advise on all aspects of privacy issues and risk. For an introduction to our PrivacyRules colleagues in other jurisdictions around the world, please contact Kelly Dickson.

Macpherson Kelly has a China Focus Group which advises and assists Australian individuals or businesses doing business in China as well as Chinese individuals or businesses doing business in Australia. We have a track record of performance partnering with Chinese state owned and private enterprises as well as foreign residents for significant transactions, investment and commercial structuring.

You can find translated information on our China focus group here.

stay up to date with our news & insights

Chinese PIPL: China’s strict privacy and data protection laws

16 December 2022
Kelly Dickson
  • Are you an Australian entity doing business in China?
  • Do you sell products or services to Chinese nationals?
  • Do you have Chinese employees?
  • Do you have access to, or process the personal data of Chinese nationals (regardless of whether your business is located in Australia or China)?
  • Does a Chinese business transfer personal data cross-border to you?

If so, the Chinese Personal Information Protection Law 2021 (PIPL) is relevant.

What is the PIPL?

The PIPL was introduced on 1 November 2021 and contains very strict privacy and data protection obligations. Some consider it in some aspects comparative to or exceeding the known stringent requirements of the EU General Data Protection Regulation (GDPR).

The PIPL is also supported by two other pieces of Chinese legislation (the Data Security Law (DSL) and the Cyber Security Law (CSL)), which together:

  • implement 9 principles for the processing and protection of personal data;
  • give enforceable legal rights to data subjects;
  • Prescribe a framework for cross-border transfers of personal data; and
  • mandate requirements for data localisation, the conduct of cybersecurity assessments and cybersecurity controls.

What happens if my business breaches the PIPL?

The Chinese legislative regime is extremely complex. Businesses should seek proper legal and cybersecurity advice, guidance and support for compliance.

Consequences of breach can include:

  • fines of up to RMB 50 million (approx. AUD $10.5M) or revenue confiscation of up to 5%;
  • termination of any licences to operate in China; and
  • personal (individual) liability.

The Cyberspace Administration of China (CAC) has already fined ride-share operator, Didi Global Co., Ltd, RMB 8 billion (approx. AUD $1.7 billion) for breaches of the PIPL.

What actions should I take?

There are a few options for getting your business across PIPL and related laws. You can:

Macpherson Kelley is the only Australian law firm member of PrivacyRules, a global alliance of law firms and tech and cyber experts able to advise on all aspects of privacy issues and risk. For an introduction to our PrivacyRules colleagues in other jurisdictions around the world, please contact Kelly Dickson.

Macpherson Kelly has a China Focus Group which advises and assists Australian individuals or businesses doing business in China as well as Chinese individuals or businesses doing business in Australia. We have a track record of performance partnering with Chinese state owned and private enterprises as well as foreign residents for significant transactions, investment and commercial structuring.

You can find translated information on our China focus group here.