China’s personal data protection law came into effect on November 1.
In the past 12 months, China has been coming down heavily on businesses that store or process its citizens’ data. After two rounds of draft versions, the Standing Committee of the National People's Congress passed the country’s personal data protection law in August.
The law comes into effect on November 1, and could significantly increase the burden and cost of data privacy compliance for organisations operating in China.
Dubbed as China's version of EU’s General Data Protection Regulation (GDPR), the Personal Information Protection Law (PIPL) mandates companies to obtain consent from people for collecting, storing, processing, and transferring their personal data.
It requires critical data infrastructure operators to get consent from users to store their data on the company’s servers located in the country. These firms must also ask for user’s consent before exceeding personal data threshold prescribed by the law.
Also Read | China proposes guidelines on internet platform responsibilities
PIPL is not limited to companies processing consumers’ data. It will also apply to employers as they qualify as data controllers, according to the new law. That means every company will have to comply with the requirements in collecting and processing employees’ personal data.
Organisations found in violation of the new law may face severe penalties, including a fine of up to 5% of their previous year's turnover, revocation of license to do business in China, and personal liabilities for company executives.
An important aspect of PIPL is its extended reach, which goes beyond the country’s borders. Existing laws do not have a binding effect on extra-territorial jurisdiction, but PIPL has. It explicitly specifies the broad reach of its jurisdiction.
This can impact “foreign companies and overseas parent companies of Chinese subsidiaries that process personal information collected from the Chinese market as the data collected in China will now be subject to the various personal information protection requirements under the PIPL,” according to international law firm Morgan Lewis.
Failure to comply may put companies on "blacklist" that would restrict them from receiving personal data from China.
To get Today's Cache delivered to your inbox, subscribe here .