China’s Personal Information Protection Law (PIPL) is now in force, laying out ground rules around how data is collected, used, and stored. It also outlines data processing requirements for companies based outside of China, including passing a security assessment conducted by state authorities.
Multinational corporations (MNCs) that move personal information out of the country also will have to obtain certification on data protection from professional institutions, according to the PIPL.
The legislation was passed in August, after it went through a couple of revisions since it was first pitched in October last year. Effective from November 1, the new law was necessary to address the “chaos” data had created, with online platforms over-collecting personal data, the Chinese government then said.
Personal information is defined as all types of data recorded either electronically or other forms, which relates to identified or identifiable persons. It does not include anonymised data.
The PIPL also applies to foreign organisations that process personal data overseas for the purpose of, amongst others, providing products and services to Chinese consumers as well as analysing the behaviours of Chinese consumers. They also will have to establish designated agencies or appoint representatives based in China to assume responsibility for matters related