The Personal Information Protection Law (PIPL), China’s comprehensive data protection legislation that took effect last November, provides unprecedented opportunities for privacy professionals in China—but also puts them at direct risk of potential legal action.

China flag

The PIPL reportedly has driven huge Chinese demand for DPOs, referred to in the PIPL as “responsible persons.” CPO Magazine estimated that “upwards of 500,000 organizations will appoint a DPO responsible for PIPL in the coming years.”

Furthermore, the FT reported how Chinese DPOs have found both their job descriptions and earnings potential expanding since the law was introduced, and claimed that “salaries are soaring as companies scramble to hire DPOs.”

Under Article 51 of the PIPL, all organisations that handle a given quantity of personal information must appoint a DPO. The threshold will be determined by the Chinese regulator, the Cyberspace Administration of China (CAC).

Under PIPL, a DPO is responsible for “conducting supervision of personal information handling activities” and supervising the adoption of “protection measures” designed to safeguard personal data.

But perhaps the biggest burden of the job is that a DPO can be personally punished for their organisation’s PIPL infringements.

Under Article 62 of the PIPL, a responsible person can face direct liability if their organisation violates the law, including fines of up to CNY 1 million (USD 157,000) or criminal sanctions for the most serious types of violations.

A DPO must ensure their organisation meets the PIPL’s extensive and somewhat labyrinthine requirements, including:

  1. Facilitating requests to access, rectify and delete personal data
  2. Implementing security controls
  3. Dealing with international data transfers and undergoing CAC security assessments where necessary

Article 53 of the PIPL also requires the DPO to undertake regular audits of the measures taken to meet these requirements.

Organisations from outside China must also establish an entity or appoint a representative within China, a requirement akin to the EU representative provision under the GDPR.

Understanding the PIPL at PrivSec China — 15 March 2022

PrivSec China hero image

PrivSec China is a livestream experience welcoming senior professionals and experts to explore Chinese privacy and security law.

This all-day event, taking place on 15 March 2022, will feature presentations, panel discussions and keynotes, providing fascinating content and actionable insights.

China’s data protection and security laws are growing increasingly vast and complex. For some companies these regulations present a barrier to entry into the Chinese market. But others will leverage their understanding of this complexity for a competitive advantage.

PrivSec China will help you develop your compliance strategy and learn to thrive in China’s regulatory environment.