China has Published Its Specific Law for the Protection of Personal Data. What Are the Implications?

Sep 27, 2021 | BLOG

Global efforts to ensure data protection have increased dramatically over the years. Governments around the world have been concerned with creating laws and regulations that secure the circulation and processing of citizens' and users' information, especially by companies, while respecting people's privacy and operating within the specific laws of each country.

After the European Union General Data Protection Regulation (GDPR), which seeks to guarantee citizens greater control over their own data, governments in several countries also started to invest in their own regulation with the same purpose. 

PIPL Construction Route

The most recent regulation was from China, which, after several revisions since October 2020, has officially approved its PIPL (Personal Information Protection Law) in August of this year. The first draft was presented at the National People’s Congress of China on October 13, 2020, and opened for public review on October 21 of the same year. 

A month later, the reviewed document was closed for internal assessment. In August 2021, the proposal was approved and is expected to take effect on November 1st.

The Chinese data protection law is similar to the European law, but with a stricter structure, especially for “Big Techs”. The goal is to further strengthen the current protection regime, regulating the collection, processing, and use of Chinese citizens’ data, including rules that avoid the monopoly and over-enrichment of some companies through population data. 

The China Consumer Association strongly criticized this type of behavior by companies, saying that the algorithms are becoming a “technical intimidation” to consumers.

How does PIPL impact organizations?

Data is seen by the Chinese government as a basic strategic resource belonging to the country, and its use by third parties should be kept to a minimum, monitored, and restricted to well-defined purposes. Therefore, with PIPL's approval, the activities of organizations and individuals working with personal information will be heavily impacted. 

European entities fear that the Chinese regulation will jeopardize trade between companies in the bloc and China, putting the privacy of their businesses at risk, since they will have to comply with protection requirements that differ from the European GDPR. 

For multinationals, the situation is no different: they face an uncertain business scenario and what they consider invasive behavior by the Chinese government when it audits companies. In short, this uncertain scenario generates concern for companies because of the following requirements:

  • Users are given more control over their data: Users can request/control the editing, removal, and restriction of the distribution, processing, and use of their data. In addition, prior consent can be changed or canceled by the user.
  • More rigorous requirements for data sharing and transfer: An organization or any other parties involved in data control need to pass assessments related to the legal use of data. 
  • Penalties and fines in cases of data breaches: The value of fines can reach up to 50 million RMB (Yuan Renminbi), the equivalent of 40 million reais or 7 million dollars, deduction of annual revenue percentage, or even termination of business.
  • Mandatory security controls: The processing of personally identifiable, sensitive, or critical information must be subject to strict mandatory security controls and personnel responsible for handling it must receive appropriate training. 
  • Mandatory location of data: The processing of personally identifiable information is limited to the boundaries defined by the China Cybersecurity Administration – CAC. If a company exceeds these limits, it must provide the location of this data.

Key Points of the Chinese Law

The law presents requirements and regulations on the lawful handling of personally identifiable information, meaning information that somehow identifies the user in electronic media, including critical state security information and sensitive information involving religion, beliefs, ethnicity, financial information, user tracking, and others. 

Thus, some key points can be highlighted that must be observed by companies in operations that deal with information of this nature.

User Consent

Before any operation with personal data, companies or interested parties must request the consent of the users, who must be explicitly notified about any matter related to the processing of their data, including the identity and contact information of those responsible for handling it. (Article 24)

Organizational Management 

Those responsible for handling the data must adopt security measures that ensure protection against intrusion, leaks, or theft during data collection, distribution, and processing. Some of these measures involve data encryption and proper training of those responsible for operations and/or overseeing operations. (Articles 50, 51, 52)

Individuals’ Rights

Users must have the right to access their own data, being able to modify them, delete them, decide when their information can or cannot be processed, or request an explanation about the processing. (Articles 44, 45, 46, and 48)

Data Transfer Borders

The transfer of data outside China can only be done with the explicit consent of the subjects, who must be notified when their information is transferred outside Chinese territory. When processing crosses borders, an organization undergoes a security assessment, which must be approved to proceed with operations. (Articles 39 and 40)

Data Location

When organizations reach the data-volume limit defined by CAC, they must keep the information already collected and generated stored on premises within Chinese territory. (Article 40)

What Can We Expect as Next Steps?

The approval of the Law affected various sectors of the economy and raised concerns for Chinese companies and European multinationals, especially the 'Big Techs'. Companies that deal with the distribution, collection, and processing of data, as well as software development and related activities, must therefore work ethically and morally, paying attention to all the requirements established by the law, if they want to ensure the smooth running of their business and a good reputation.
