On August 20th, the 30th meeting of the Standing Committee of the 13th National People’s Congress adopted the Personal Information Protection Law of the People’s Republic of China. China’s Personal Information Protection Law, entering into force on November 1st 2021, is comparable to the General Data Protection Regulation (GDPR) of EU.

Overview of the Personal Information Protection Law

The law aims to protect personal information of natural person. There are eight chapters in the Personal Information Protection Law of China:

Chapter I General Provisions

Chapter II Personal Information Processing Rules

Section 1 General Rules

Section 2 Rules on Processing Sensitive Personal Information

Section 3 Specific Provisions on the Processing of Personal Information by State Organs

Chapter IlI Rules on the Cross-Border Provision of Personal Information

Chapter IV Individuals’ Rights in Personal Information Processing Activities

Chapter V Obligations of Personal Information Processors

Chapter VI Departments Performing Personal Information Protection Duties

Chapter VII Legal Liability

Chapter VIII Supplemental Provisions

Here is the link to the whole law.

Application scope of the law

Overseas companies doing business with China should pay attention to this new law and comply with the requirements if you deal with and process personal information of natural person inside China, even if your company based outside China. The article 3 of Chapter I of the Personal Information Protection Law of China determined the application scope of the law.

“Article 3 This Law shall apply to the processing of personal information of natural person within the territory of the People’s Republic of China.
This Law shall also apply to the processing outside the territory of the People’s Republic of China of the personal information of natural persons within the territory of the People’s Republic of China, under any of the following circumstances:
(1) for the purpose of providing products or services to natural persons inside China;
(2) analyzing or evaluating the behavior of natural persons inside China; or
(3) any other circumstance as provided by any law or administrative regulation.“

From the above provision we can learn that, China’s Personal Information Protection Law shall also apply to activities outside China under certain circumstances. For one example, an e-commerce platform operating overseas, such as Amazon, eBay, provides products or services to natural persons in China. As another example, a social networking website located outside China analyzes and evaluates the behavior of natural persons in China. Such as Facebook, annually releases an analysis report on user behavior and habits, which of course includes users in China.  Additionally, according to China’s Data Security Law, data processing activities outside the territory of China to the detriment of the national security or the public interest, or the lawful rights and interests of any citizen or organization shall be held legally liable. That is to say, those illegal activities processing personal information outside China shall also be regulated in accordance with this law.

Compliance suggestion

There are different challenges of doing business in China, regulatory compliance is a critical point foreign companies should not neglect. With the support of Anber Consulting, we will overcome these barriers together with you. To learn more about Chinese laws and regulations on chemicals and environment protection, please feel free to send me an email at siming.sun@anber-consulting.com.