All You Need to Know About the Personal Information Protection Law

China, a country with a vast number of internet users, is among the most recent nations to approve comprehensive data protection laws. This comes as the world continues to operate online in the aftermath of COVID-19 and businesses rely on internet technology to run their operations and serve their clients. The Personal Information Protection Law (PIPL), which went into effect on November 1, 2021, is China’s first comprehensive legislation intended to regulate internet data and protect personal information.

On September 1, 2021, China’s new Data Security Law (DSL) also came into force. The DSL applies to various computational data requirements, including but not limited to the handling of personal data. The Cyberspace Agency of China and the pertinent local and state government departments enforce and administer the Personal Information Protection Law. The regulation is based on the Data Protection Act of the European Union, which imposes severe fines of up to five percent of annual turnover or seven point seven million dollars, whichever is greater. The law is made up of eight chapters and more than seventy articles.

Who Is Subject to the Law?

This law presumably applies to any organization or person who handles the personal information of persons in China (regardless of the person’s nationality or place of residence), as it is designed to establish extraterritorial jurisdiction. Furthermore, the law mandates that companies handling personal information outside China establish corporations or hire agents to handle it outside. A processor of personal information must also name an individual responsible for processing and safeguarding that information and make that individual’s contact details public, comparable to the GDPR’s idea of a data privacy officer.

Distinction Between “Controllers” and “Processors” of Personal Information 

Under the PIPL, “personal information processors” are equivalent to “controllers” under the GDPR, while “assigned parties” are equivalent to the GDPR’s “processors,” a classification that is sure to generate some confusion. Under this law, personal information controllers are responsible for regulatory requirements and liability. Joint personal information controllers must establish a contract outlining their joint liability and defining each controller’s specific rights and responsibilities.

Likewise, if an entrusted company processes personal data on behalf of a personal data controller, the parties must execute a contract outlining the precise purposes, procedures, categories, levels of protection, rights, and responsibilities for handling personal information. The data processing contract must contain the following:

  • A restriction on the entrusted party’s use of personal data beyond the scope of the agreement.
  • Provisions requiring the entrusted party to return or destroy personal data after the conclusion, cancellation, or termination of the contract.
  • Provisions stating that the entrusted party must obtain the processor’s permission before permitting a sub-processor to handle personal information.

What Private Property Rights Does the Law Grant?

Regarding the processing of their private details, persons have several rights under this law, including the right to:

  • Understand, decide on, and object to anyone using their data for any purpose.
  • View, modify, and redistribute their private data to data processors.
  • Demand that their private details be updated or completed.
  • In specific situations, ask for deletion or revoke permission.

Personal information processors must create a practical but vague method for people to exercise these rights. Notably, the family of a deceased individual may examine, record, modify, and erase the deceased’s personal information for their own legitimate and reasonable purposes.

The PIPL mandates that those who handle private data take the necessary steps to ensure that foreign recipients process it in accordance with the law’s requirements for personal information security. After notifying individuals, personal data processors must also obtain their permission before cross-border transactions.