Introduction

This Law is enacted in China to protect the rights and interests of individuals of the People’s Republic of China, regulate personal information processing activities, and promote judicious use of personal information. The law is targeted at personal information protection and addressing the problems with personal data leakage.

A notable aspect of the PIPL is its extraterritorial application, which means it applies to all the entities or persons who process the personal information of individuals in China whether operating in China or any place outside China.

Applicability in India and Other Places Outside China

In effect to its extraterritorial jurisdiction, Article 3 of the Law states that it applies to any person or entity in India or any place outside China if they are processing the Personal Information of Individuals residing within the territory of the People’s Republic of China for:

1. Providing any products or services to Individuals residing in the People’s Republic of China; or
2. Analysing or evaluating the behaviours of Individuals residing within the territory of the People’s Republic of China; or
3. For any other purpose as notified by authority or any other law.

Personal information processing includes personal information collection, storage, use, processing, transmission, provision, disclosure, and deletion, among others.

Obligations Under PIPL

Establishment of a Designated Representative or Specialized Agency in China:

• As per the provisions for Article 53 of the law, Personal information processors outside the territory of the People’s Republic of China shall establish specialised agencies or appoint designated representatives within the territory of the People’s Republic of China to handle personal information protection-related matters.
• Such Personal information processors must provide the names, contact information and other relevant details regarding the established agencies and representatives to the National Cyberspace Department formed under this law.

Take Proper Measures to Ensure Data Security:

• As per the provisions of Article 59 of the law, the individual or entity entrusted with processing of personal information must take all possible steps to guarantee the security of the personal information entrusted for processing and shall meet all the obligations outlined in this Law.

Restrictions under the law

Chapter 3 of the PIPL restricts the cross-border transfer of personal information. Organisations that send personal information of individuals in China, to India, or any place outside China, must comply with any one of the below-stated terms.

• pass Security assessment conducted under the law, or
• obtain a personal information protection certificate from the authority under this law, or
• enter into a contract with the Indian or any other overseas recipient entity as per the standard contract formulated under this law, or
• meet any other condition as specified by the authorities under this law.

This restriction tends to impact multinational enterprises that handle the personal data of individuals belonging to China.

Penal Implication of PIPL

As stated under Article 42 of the law, in case any Entity or individual who belongs to India or any place outside China is engaged in personal information processing activities is guilty of

• an infringement upon the rights and interests of citizens of the People’s Republic of China on personal information
• endanger the national security or public interests of the People’s Republic of China, the national cyberspace department may take necessary actions against the one in default.

The National Cyberspace Department may

• include the one guilty in a list of restricted or prohibited recipients of personal information,
• Publicize such a list so maintained,
• Can restrict or prohibit the provisioning of personal information to such entity or individual.

This provision will affect Indian or other foreign entities operating in China or processing the personal information of individuals of the People’s Republic of China.

PIPL will have a potential impact on organizations in India and other places outside China because of its extraterritorial application, compliance obligations, and penal implications. Organizations should begin reviewing their policies and practices in place to ensure compliance with PIPL.

Disclaimer:  This is an effort by Lexcomply.com, to contribute towards improving compliance management regime. User is advised not to construe this service as legal opinion and is advisable to take a view of subject experts.