How China's new data privacy law impacts global firms?

Today's Cache dissects big themes at the intersection of technology, business and policy.

November 02, 2021 09:12 am | Updated 10:21 am IST

The Chinese national flag is seen in Beijing, China

The Chinese national flag is seen in Beijing, China


China’s personal data protection law came into effect on November 1.



In the past 12 months, China has been coming down heavily on businesses that store or process its citizens’ data. After two rounds of draft versions, the Standing Committee of the National People's Congress passed the country’s personal data protection law in August.

The law comes into effect on November 1, and could significantly increase the burden and cost of data privacy compliance for organisations operating in China.  

Dubbed as China's version of EU’s General Data Protection Regulation (GDPR), the Personal Information Protection Law (PIPL) mandates companies to obtain consent from people for collecting, storing, processing, and transferring their personal data.

It requires critical data infrastructure operators to get consent from users to store their data on the company’s servers located in the country. These firms must also ask for user’s consent before exceeding personal data threshold prescribed by the law.

Also Read | China proposes guidelines on internet platform responsibilities

PIPL is not limited to companies processing consumers’ data. It will also apply to employers as they qualify as data controllers, according to the new law.  That means every company will have to comply with the requirements in collecting and processing employees’ personal data.

Organisations found in violation of the new law may face severe penalties, including a fine of up to 5% of their previous year's turnover, revocation of license to do business in China, and personal liabilities for company executives.

Extra-territorial reach

An important aspect of PIPL is its extended reach, which goes beyond the country’s borders. Existing laws do not have a binding effect on extra-territorial jurisdiction, but PIPL has. It explicitly specifies the broad reach of its jurisdiction.

This can impact “foreign companies and overseas parent companies of Chinese subsidiaries that process personal information collected from the Chinese market as the data collected in China will now be subject to the various personal information protection requirements under the PIPL,” according to international law firm Morgan Lewis.

Failure to comply may put companies on "blacklist" that would restrict them from receiving personal data from China.


To get Today's Cache delivered to your inbox, subscribe here .

Top News Today


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.