Personal Information Protection Law

From ICANNWiki

The Personal Information Protection Law (PIPL) is designed to protect personal information, regulate its processing, and promote the use of personal information.[1] It is China's version of the EU's GDPR as it has extraterritorial scope whenever businesses outside China process the personal information of Chinese residents for providing products or services and analyzing and evaluating information about domestic residents.[2] Personal information under this law is defined as information related to identified or identifiable natural persons recorded by electronic or other means.

Roles and Rights

This law relies on personal information processors and entrusted parties. Personal information processors decide the purpose, period, and means of processing; personal information categories; protection measures; and parties' rights and obligations. The entrusted parties process information in accordance with the agreement and cannot go beyond those parameters, or engage sub-processors without the consent of the personal information processor. Any cross-border transfer requires an assessment, certification, contract, or compliance with other laws and regulations. Separate disclosure to and consent from the individual is required.[3]

This law reserves the right:

  1. for China's national cyberspace department to add companies and individuals infringing on individuals' rights to a restricted list, and
  2. to take countermeasures against any country or region that places prohibitive, restrictive, or discriminatory measures against China.[4]


The PIPL went into effect on November 1, 2021.[5]


On October 21, 2021, ICANN alerted the community that PIPL would soon be implemented. Then on June 27, 2022, ICANN Organization released an advisory on the law.[6]

Following PIPL's implementation, ICANN's Contractual Compliance began receiving complaints in which registrars assert that the PIPL is being used as a basis for denying requests from third parties for access to nonpublic gTLD registration data.[7]

In the advisory, ICANN explains that

  • Like GDPR, PIPL specifies legal bases for processing personal data, including transfers of personal data to third parties. However, PIPL does not contain the "legitimate interest" purpose that GDPR Article 6(1)(f) provides.
  • Under the PIPL, the legal basis for processing gTLD registration data is consent, which must be specific and informed and requires notification to the individual of "the recipient's name and contact information, the purposes and means of processing and the categories of personal information to be processed…" (PIPL Article 23).
  • There are few and very narrow legal bases for processing personal data within PIPL beyond consent. Thus, contracted parties are likely to require separate and informed consent from each data subject before they can disclose nonpublic personal data to a third party.[8]

Mandy Carver also briefly discussed it at ICANN 74 in the Geopolitical, Legislative, and Regulatory Developments session during a segment called "Beyond GDPR," directing the community to refer to the advisory.[9]