China, The World’s Largest Online Population, Introduces Its First Comprehensive Personal Information Protection Law

The People’s Republic of China (“China”) has introduced its first comprehensive data privacy law, which will explicitly protect the personal information of its residents. On October 21, 2020, China’s legislative body submitted a draft bill for the Personal Information Protection Law (“PIPL”) that would prohibit businesses and enterprises from misusing the personal information of Chinese residents. Like the European Union’s General Data Protection Regulation (“GDPR”), the PIPL defines personal information broadly to include various types of electronic or otherwise recorded information relating to an identified or identifiable natural person.

Non-Chinese companies should monitor the progress of this bill because, like the GDPR, it has broad extra-territorial reach and could apply to foreign companies that provide products or services to people in China or analyze or assess the behavior of Chinese residents. If passed in its current form, those that misuse personal information will be put onto a “blacklist” by the Cyberspace Administration of China, which would prohibit online activity within China.

The draft bill also includes heavy fines for data breaches. Those who violate the proposed law could face fines up to 50 million yuan ($7.4 million) or 5% of its past year’s revenue. If the law passes, this would make the financial penalties one of the strictest in the world; surpassing even the GDPR penalties, which can be up to 4% of a business’s annual revenue.