China’s Personal Information Protection Law (PIPL) - which will form a major part of the legal framework governing data protection, cyber security, and data security in China - is set to come into force on November 1st, 2020.
The new law regulates the processing of personal information of individuals within China. It also covers the processing of personal information conducted outside China, if the purpose of this processing is (i) to provide products or services to individuals in China, (ii) to “analyze” or “assess” the behavior of individuals in China, or (iii) for other purposes to be specified by laws and regulations. Similar to the requirement to appoint an “EU representative” for offshore controllers under GDPR, the PIPL also requires that a “dedicated office” or “designated representative” within China is appointed by offshore entities.
Under GDPR, a company can collect data if it considers that it has a “legitimate interest” to do so, even if the data subject does not give consent. This basis for processing does not exist in the PIPL. As outlined here, under Article 13 of PIPL data controllers can only process personal information if:
Consent must be informed, freely given, demonstrated by a clear act of the individual and can be withdrawn later on. However there is separate consent required in a number of other instances, for example if the processing entity intends to publicly disclose personal information, transfer personal information overseas or process personal information (medical details, financial accounts, religious beliefs, etc).
Individuals have a number of rights regarding their own personal information, including the right to request processors explain processing rules as well as to correct and delete their personal information.