Personal Information Protection Law

The Personal Information Protection Law (PIPL) is designed to protect personal information, regulate its processing, and promote the use of personal information.^[1] It is China's version of the EU's GDPR as it has extraterritorial scope whenever businesses outside China process the personal information of Chinese residents for providing products or services and analyzing and evaluating information about domestic residents.^[2] Personal information under this law is defined as information related to identified or identifiable natural persons recorded by electronic or other means.

Roles and Rights

This law relies on personal information processors and entrusted parties. Person information processors decide the purpose, period, and means of processing; personal information categories; protection measures; and parties' rights and obligations. The entrusted parties process information in accordance with the agreement and cannot go beyond those parameters, or engage sub-processors without the consent of the personal information processor. Any cross-border transfer requires an assessment, certification, contract, or compliance with other laws and regulations. Separate disclosure to and consent from the individual is required.^[3]

This law reserves the right for:

China's national cyberspace department to add companies and individuals infringing on individuals’ rights to a restricted list and
take countermeasures against any country or region that places prohibitive, restrictive, or discriminatory measures against China.^[4]

History

The PIPL went into effect on November 17, 2021.

ICANN's POV

References

[1] PIPL, Translations of Laws, The National People's Congress

[2] China's Data Protection Law, Trulioo

[3] China's Data Protection Law, Trulioo

[4] China's Data Protection Law, Trulioo

[1]

[2]

[3]

[4]