If October screams anything to me, it’s changing leaves, sweaters, pumpkins…and Cybersecurity Awareness Month!
The theme this year is, “Do Your Part. #BeCyberSmart,” with the goal of empowering employees and organizations to own their role in protecting their part of cyberspace. This is a great time to make sure you’re up to date on all things cybersecurity, including information security and data privacy best practices, trends, and legal updates.
China's new data protection law
- What is it?
- China’s Personal Information Protection Law (PIPL) was passed on August 20th and is the first national law in China that gives individuals rights and protections related to their personal information.
- When does it go into effect?
- November 1, 2021.
- That seems pretty quick, right?
- This is lightning speed for a major data privacy law to go into effect after passage, particularly one that is so strict and that has extraterritorial reach.
- Who does the PIPL apply to?
- The law applies to personal information handlers, or entities that collect, store, use, transmit, provide, or otherwise handle personal information belonging to natural persons within China’s borders. This includes businesses based entirely outside of China if the data processing purpose is to provide products or services to individuals located in China or to analyze or assess the behaviors of individuals located in China.
- What does it do?
- It sets requirements for how personal information handlers should collect, use, process, share, and transfer personal information of individuals located in China. It supplements the existing data protection regime previously established by the Cybersecurity Law (CSL) and national guidelines, as well as the recent Data Security Law (DSL) that went into effect on September 1.
- The penalties for violations are severe, including a fine of up to 5% of the company's turnover for the previous year, revocation of the company's license to do business in China, and personal liability for company executives.
- Is this just China’s version of the GDPR?
- The PIPL has some similar aspects to the GDPR, for example, in providing certain individual data privacy rights and requiring consent for processing if there’s not a lawful basis. But it goes beyond the GDPR in notable ways, particularly when it comes to restrictions around cross-border data transfer, required notices for collection, and lawful reasons for data processing.
- What do I need to do about it?
- If you do business in China or handle the personal information of individuals in China, this law may apply to you, and it's best to seek legal advice immediately if you haven't already. GDPR compliance will go a long way toward PIPL compliance, but not all the way. There are also particular requirements that may call for in-country coordination, such as establishing a dedicated entity or representative in China to handle matters relating to the protection of the personal information you collect and to file information with government authorities.
We'll see you next month with some new regulatory updates. In the meantime, let's all do our part this October to ensure that our data and the devices that store them remain protected.