Extraterritorial Scope of the PIPL

The privacy law (PIPL or Private Information Protection Law) applies to all personal information processing activities carried out in China, and has extraterritorial application to the overseas processing of the Personal Information of individuals located in China (where the purpose of such activities is to provide a product or service to such individuals), or to processing the information of individuals (Article 3).

Companies affected by the extraterritorial application of the PIPL are obliged to incorporate an entity or designate a representative in China to handle the matters related to the protection of PI, and report the information (including the name and contact information) of such representation to the competent authorities (Article 53).

Should the Personal Information rights of any citizen or resident of China be infringed, or the national security or public interests of China are endangered by any overseas organization or individual, the CAC may take measures against such overseas organization or individual, including blacklisting, restricting, or prohibiting such overseas organization or individual from receiving the personal information (Article 42).

For data processors that have an entity in China from which they receive personal information, they will be obliged to sign contracts with the Chinese entity to commit to compliance and adherence with the standards established by Chinese regulation.

We highly recommend that any company that collects the personal data of individuals in China, included the information of expatriate workers resident in China, to ensure that they have completed the necessary data follow audits, and enacted the necessary internal policies and documents prior to the enactment of the law on the 1st of November.