How China's new data privacy law applies to foreign businesses
China's new Personal Information Protection Law (PIPL) took effect yesterday, and it's likely to change the private data protection landscape in China and beyond.
The big picture: The law is part of the Chinese government's ongoing campaign to assert control over data, and it's also a response to growing calls within China for stronger protection of user data.
- The law does not restrict the government's collection or use of data but rather is targeted at companies.
- Like the EU's General Data Protection Regulation (GDPR), China's PIPL applies to some companies located beyond its own borders.
Background: In China's nearly cashless economy, many companies have required customers to share personal data like their names and phone numbers when they scan QR codes to order or pay, China-based news outlet Sixth Tone reports.
- That practice has become unpopular among China's increasingly privacy-minded consumers. The new law greatly restricts the ability of companies to make those demands on their customers.
The law also contains several provisions relating to international companies.
- PIPL has "an extraterritorial aspect to it," JoHannah Harrington, chief legal officer at tech firm Elements Global Services, told me. The law will apply to companies outside of China that process data related to products and services provided in China, or that "analyze or assess behavior of individuals in China."
- In addition, "similar to GDPR, the law requires that any organization processing the data of individuals outside of China needs to establish a dedicated office or point person" within China, Harrington said.
- Companies hoping to send the data of Chinese users overseas will have to seek permission.
The bottom line: "Companies that have a strong GDPR and data protection programs will be in a good place to ensure they can start to meet the requirements of PIPL," Harrington said.