EY: Potential Impact of China Data Laws on Global Businesses
Navigating China’s New Data Protection Laws: What Businesses Need to Know
China has recently implemented new protections for Chinese data subjects, similar to the EU’s General Data Protection Regulation (GDPR). The Personal Information Protection Law (PIPL) grants Chinese consumers the right to access, correct, and delete their personal data held by businesses. This law also affects offshore data processors that provide goods or services to individuals in China, with hefty fines of up to 5% of a company’s turnover from the previous financial year for non-compliance.
In addition to the PIPL, the Data Security Law (DSL) requires businesses to classify their data according to its relevance to national security and the public interest. Companies must conduct internal security reviews before transferring “important” data outside of China, and they face severe penalties for mishandling data. Furthermore, China is cracking down on the use of predictive algorithms by online content providers, with regulations in place to prevent algorithms that promote online addiction.
As companies await further guidance on these new regulations, many are rushing to assess their data compliance maturity levels and improve their processes. Foreign data processors, even those compliant with GDPR, will need to analyze and adjust their processes to meet Chinese regulations. Multinational companies are faced with the decision of adopting strict data privacy measures globally or following less restrictive guidelines based on their business models and growth plans.
Overall, the new protections for Chinese data subjects are reshaping the data privacy landscape in China and beyond. Companies must stay informed and proactive in ensuring compliance to avoid hefty fines and potential business disruptions.