Preparation for China's Personal Information Protection Law (PIPL): Is Your Business Compliant Yet?
Foreign businesses that handle the personal information of individuals in China must meet the data protection requirements of China's Personal Information Protection Law (PIPL), which took effect on November 1, 2021 and applies extraterritorially to offshore processing that targets or analyzes people located in China.
Key Requirements for Foreign Businesses
- Designate a person in charge of personal information protection (commonly called a DPO): Businesses whose processing reaches the volume threshold set by the Cyberspace Administration of China (currently personal information of more than one million individuals) must designate such a person, publish their contact details, report the designation to the CAC, and file it by the CAC's mandated deadline (for example, August 29, 2025). PIPL itself does not require this person to reside in China; the in-country presence requirement is the separate representative obligation below.
- Establish a local representative or office in China: Offshore entities that process personal information of individuals located in China must set up a dedicated entity or designate a representative physically located in China to handle personal information protection matters, and report that entity's or representative's name and contact details to the regulator.
- Conduct a Personal Information Protection Impact Assessment (PIPIA, the PIPL counterpart of a DPIA): Before high-risk processing activities, such as processing sensitive personal information, using personal information for automated decision-making, entrusting processing to or sharing data with third parties, disclosing data publicly, or transferring data outside China, companies must conduct a PIPIA and keep the assessment report and processing records for at least three years.
- Obtain explicit, separate consent from data subjects: Consent must be specific and informed, especially for sensitive data processing activities and cross-border transfers.
- Comply with strict cross-border data transfer conditions: To transfer personal information outside China, a foreign company must obtain separate consent from the data subject (where consent is the legal basis for the transfer), complete and retain a PIPIA, and adopt one of the approved transfer mechanisms: a CAC security assessment, certification from an accredited body, or a standard contract issued by the CAC. The company must also inform the individual of the overseas recipient's identity, contact details, purpose, processing method, and the categories of personal information involved.
- Data localization and storage: Critical information infrastructure operators, and handlers whose processing volume exceeds the CAC threshold, must store personal information collected or generated in China within China and may export it only after passing a CAC security assessment. Other handlers are not subject to a blanket localization rule but must still use one of the transfer mechanisms described above before moving data offshore.
- Compliance audits and record keeping: Businesses should maintain and be able to produce audit trails of processing activities, PIPIA reports, and consent records; PIPL requires PIPIA reports and processing records to be kept for at least three years, and handlers must conduct regular compliance audits of their processing, either themselves or through a professional body the CAC may require.
Other Important Provisions
- The Cyberspace Administration of China (CAC) is the lead enforcement authority; it administers the security assessment and filing regimes, enforces the data localization rule, and may conduct assessments and inspections of a handler's processing activities on demand.
- Sensitive personal information includes biometrics, religious beliefs, specific identity, medical and health data, financial accounts, individual location tracking, and any personal information of minors under the age of 14; processing it requires a specific purpose, sufficient necessity, strict protective measures, and separate consent.
- Before processing, businesses must give individuals a clear and easily understandable notice that states the name and contact details of the handler, the purpose and method of processing, the categories of personal information and the retention period, and how individuals can exercise their rights; a consent request must be based on that notice.
- Where no other legal basis applies (such as necessity for a contract or for human resources management under a lawful policy, performance of a statutory duty, or a public health emergency), processing must rest on consent that is voluntary, explicit, and fully informed. Businesses may not refuse a product or service because an individual declines to consent unless the processing is necessary to provide it, and individuals may withdraw consent at any time.
- The PIPL applies to public and private organizations that process the personal information of natural persons located in China, including offshore organizations that process it to provide products or services to people in China or to analyze their behaviour, for activities such as collection, storage, use, processing, transmission, provision, public disclosure, and deletion.
Failure to comply with these obligations can lead to significant regulatory penalties, including confiscation of unlawful gains, suspension of business, and fines of up to RMB 50 million or 5% of the previous year's turnover for serious violations; filing failures or omission of the required designations also expose the company and the individuals directly responsible to personal fines and bans on serving in management roles.
In summary, foreign businesses must designate a person in charge of personal information protection once they cross the CAC volume threshold, maintain a representative or entity in China, conduct impact assessments, secure separate and informed consent, store data in China where the localization rule applies, and rigorously follow the cross-border transfer mechanisms to comply fully with China's PIPL.