Personal Information Protection Law
The Personal Information Protection Law (PIPL) is designed to protect personal information, regulate its processing, and promote the use of personal information.[1] It is China's version of the EU's GDPR as it has extraterritorial scope whenever businesses outside China process the personal information of Chinese residents for providing products or services and analyzing and evaluating information about domestic residents.[2] Personal information under this law is defined as information related to identified or identifiable natural persons recorded by electronic or other means.
Roles and Rights[edit | edit source]
This law relies on personal information processors and entrusted parties. Person information processors decide the purpose, period, and means of processing; personal information categories; protection measures; and parties' rights and obligations. The entrusted parties process information in accordance with the agreement and cannot go beyond those parameters, or engage sub-processors without the consent of the personal information processor. Any cross-border transfer requires an assessment, certification, contract, or compliance with other laws and regulations. Separate disclosure to and consent from the individual is required.[3]
This law reserves the right for:
- China's national cyberspace department to add companies and individuals infringing on individuals’ rights to a restricted list and
- take countermeasures against any country or region that places prohibitive, restrictive, or discriminatory measures against China.[4]
History[edit | edit source]
The PIPL went into effect on November 17, 2021.
ICANN's POV[edit | edit source]
ICANN Organization released a blog post on the PIPL and briefly discussed it at ICANN 74 in the Geopolitical, Legislative, and Regulatory Developments session during a segment called "Beyond GDPR."[5]