A simple checklist to help you prepare for China’s Personal Information Protection Law
This article summarises the new law and highlights the potential impacts for multinational companies and any companies doing business in China. A simple checklist at the end of the article helps readers do a self-assessment and determine whether their companies need to take further action.
Overview of the PIPL
Similar to the General Data Protection Regulation (GDPR), the PIPL will have an extraterritorial effect: it applies to the processing, outside of China, of personal information of natural persons who are in China, if such processing is:
a. for the purpose of providing products or services to natural persons in China;
b. to analyse/evaluate the behaviour of natural persons in China; or
c. other circumstances prescribed by laws and administrative regulations.
Previously, extraterritorial jurisdiction was provided only in draft regulations and national guidelines that did not have a binding effect. For the first time, the PIPL explicitly specifies the broad reach of its purported extraterritorial jurisdiction. That means having your own legal entity or an appointed individual contact point inside of China will be a mandatory requirement for processing or transferring personal information outside of China.
The PIPL clearly states that the consent letter should include:
1. Data processor’s name and contact
2. The purpose and method of processing the data, and the type and storage of the personal data
3. Methods and procedures for individuals to exercise their rights under PIPL
Withdrawal of consent should be accepted if the data subject is no longer willing to share the personal information.
3. Processing of sensitive personal information
Sensitive personal information may include bio identity, religion, special identity, medical information, financial accounts, whereabouts, etc., and the information of an individual under 14 years old.
Personal information processors can process sensitive personal information only when they have a specific purpose and sufficient necessity and take strict protective measures.
4. De-identification & Anonymization
De-identification refers to the process in which personal information is processed so that it cannot identify a specific natural person without the help of additional information.
Anonymization refers to the process in which personal information is processed so that it cannot identify a specific natural person and cannot be restored after processing.
Your PIPL Checklist
1. Does your current data provider have its own legal entity or an appointed, dedicated representative in China?
2. Does the consent form you are currently using meet the PIPL requirements?
3. Does your current process involve the processing of sensitive personal data?
4. Does your data provider follow the rules of de-identification and anonymization (e.g. masking the data, allowing deletion of data upon request, etc.)?
5. Other actions may be required: the Cyberspace Administration of China (CAC)’s standard contract may need to be signed.
AsiaVerify is a RegTech company, incorporated in Singapore, focused on building an automated, simplified and streamlined solution for risk mitigation and compliance systems in an effort to increase trust and safety when you are doing business in Asia. AsiaVerify provides an online platform with access to the most legally authoritative and compliant sources, to instantly verify businesses, customers and shareholders, fully translated in real-time.