China Passes Personal Information Protection Law, Effective in November


The Standing Committee of the 13th National People’s Congress (NPC) approved the Personal Information Protection Law (PIPL) on August 20, which will take effect on November 1, as reported by on the same day. The law stipulates that no organization or individual shall illegally collect, use, process, or transmit the personal information of others, or illegally trade, provide, or disclose personal information. The law also specifies restrictions and penalties for algorithmic price discrimination against consumers, excessive collection of user information, facial recognition, obligations of information processors, and other illegal practices.

Prior to the legislation, the Chinese government had recently been dealing with incidents of infringement and misuse of personal information. In October 2020, PBoC fined six branches of China Construction Bank [0939:HK], Agricultural Bank of China [1288:HK], and Bank of China [3988:HK] a combined total of over RMB40m for leaking clients’ personal information. This March, the CCTV Consumer Gala exposed the leakage of resumes from job-search platforms such as Tongdao Lieping [6100:HK], Zhaopin [ZPIN:US], and 51job [JOBS:US]. In early July, the Cyberspace Administration of China (CAC) launched an investigation and ordered the removal of ride-hailing giant Didi’s [DIDI:US] mobile apps from Chinese app stores because the company had illegally collected and used personal information.

In view of the chaotic state of personal information collection and use, the draft of the PIPL was opened for public consultation last October. Before the final version was released on August 20, the law underwent its second and third reviews in April and August, respectively. Compared with the first draft, the second version placed stricter restrictions on the excessive processing of personal information, enhanced the protection of juveniles' information, strengthened the obligation of information processors to delete information, and provided for an audit system for information processing. The third version, which is also the final one, addressed several issues of strong public concern, such as an explicit prohibition on the mandatory pushing of personalized advertising, clear rules for protecting the personal information of the deceased, and sound complaint and reporting mechanisms, among other amendments.