China’s New Data Protection Law Set to Take Effect November 1
Come November 1, 2021, U.S. companies doing business abroad will have yet another privacy law to think about – China’s Personal Information Protection Law (PIPL). China’s state media reported that the PIPL, which has been in development over the past year, was passed by China’s People’s Congress on August 20, 2021.
Though a full copy of the passed law is not yet available, the U.S. and global press, including Reuters, the Wall Street Journal, and Bloomberg are widely reporting on its contents based on the PIPL’s most recent drafts. The PIPL is poised to be one of the most restrictive privacy laws worldwide. The PIPL sets restrictions on data collection, and is suspected to have been directed to curb technology giants’ use of personal data. In particular, it prevents e-commerce companies from unscrupulously using personalized data to market to consumers online.
PIPL is being regarded by many as the “Chinese GDPR” due to its strict and far-reaching scope. The GDPR is the EU’s Privacy law that went into effect in 2018. Like the GDPR, the PIPL is extraterritorial in nature – meaning U.S. companies are not immune from its scope even if they do not have a physical presence in China.
User consent is likely to be the key focus of the PIPL. It is expected that the law will require that individuals have the power to opt out of having their information used for marketing purposes or being targeted based on personal information. Additionally, it is expected that collection of sensitive data, such as financial information, location data, medical and health data, and biometrics will be impermissible without user consent under the PIPL.
It is anticipated that companies will be prohibited from denying their services to a customer solely because that customer opts out of data collection. Companies are also expected to have clear and reasonable purposes justifying their collection of personal information. The PIPL is likely to have steep penalties for violators; prior drafts suggested fines could amount to over $7 million U.S. dollars or 5% of the violator’s revenue.
More details on the PIPL should be expected prior to November 1, 2021. The PIPL is likely to have a significant impact on the way American businesses collect information from global customers and may require additional obligations in the way data is collected and handled.