This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| less than a minute read

Navigating the PIPL without roadmap or GPS

Seeing how GDPR successfully focused corporate minds on data protection, Chinese businesses are about to undertake a chaotic but significant transformation to attempt to comply with the Personal Information Protection Law (PIPL), which comes into force today. As suggested by DLA Piper's Carolyn Bigg in the Financial Times, the legislation's ambiguity makes this a difficult task. 

Recent actions by the Chinese regulator to support this legislation also suggest that we should expect enforcement of the PIPL by the Cyberspace Administration of China (CAC) to be swifter and more extensive than in Europe. For example, the CAC recently conducted a security probe at ride-hailing company Didi Chuxing. Even if this review focused on national security rather than data protection concerns, my Shanghai-based colleague Stephen Yu recently highlighted that the expectation of scrutiny under the PIPL has negatively affected the valuation of China-based online brokerages. 

We should therefore expect that the CAC will continue to take swift action, which will likely disruptive dawn-raid style probes. In addition to recruiting DPOs, starting to prepare for such probes would be sensible.

There is a lot of ambiguity in the PIPL, and companies are already getting mixed messages from the regulators about how they will implement it on the ground


data protection, china