China’s new data protection law in force from 1 November



China’s Personal Information Protection Law (PIPL), adopted on 20 August, will enter into force 1 November.

The law applies to both the public and private sectors and due to its territorial scope, also to the processing of China residents’ personal information outside of China in certain circumstances.

The law includes many GDPR-like elements, such as heavy fines for the most serious offences - 5% of the previous year’s annual revenue. Notably, the law now includes several legal basis for the processing of personal data – previous drafts were relying on consent.

PL&B Asia Pacific Editor, Professor Graham Greenleaf said:

“Since the first draft of the PIPL was released by the Standing Committee of China’s National People’s Congress in October 2020, it has been revised in a succession of drafts. Of the 74 sections in the final Law, half have had non-trivial amendments since the first draft. Some of the amendments are significant, although none involve fundamental changes to the direction of the first draft. Some of the more significant amendments include:

  • Individuals have an explicit right to sue in the courts a personal information handler that refused to allow them to exercise their rights.
  • It is now explicit that actions for compensation are only available if a breach ‘causes harm’ (not merely because of the breach), and the handlers ‘cannot prove that they are not at fault’. Where large numbers of persons are affected ‘legally designated consumer protection organisations’ (China’s NOYBs) can act on their behalf.

The result of the amendments is that the law is now less ambiguous, and overall it gives stronger protection to data subjects. The result is a modern and sophisticated data privacy law, which in a few respects may be stronger than the GDPR. Of course, any such judgments must await the law’s operation in practice, but with a starting date only a few months away, evidence may be available soon. The result may be that China will become the only significant competitor to the EU in obtaining influence over development of other national data privacy laws, at least until India enacts its law, or the US discovers that it needs to compete.”

Follow Privacy Laws & Business International Report for in-depth reporting and analysis on China’s legislative privacy developments by Professor Greenleaf. Subscribers have access to all previous articles. Join the PL&B community of privacy professionals now and subscribe.