Understanding PIPL: Compliance and Implementation Challenges

March 25, 2024

Woman smiling and wearing a headset at a call center

What is PIPL?

Personal Information Protection Law (PIPL) was approved in China on August 20, 2021. It was the first comprehensive data protection legislation in the region. The Law entered into effect on November 1, 2021 and established personal information processing rules, data subject rights, and obligations for personal information processors, among other things. The PIPL aims to "protect the rights and interests of individuals", "regulate personal information processing activities" and "facilitate reasonable use of personal information".

Key Provisions and Territorial Reach of the PIPL

Key provisions of the PIPL include:

  • Consent: Individuals' consent is required for the collection, processing, and sharing of their personal information.
  • Rights of Individuals: The law grants individuals rights such as the right to access, correct, and delete their personal information.
  • Data Transfer: The PIPL imposes restrictions on the cross-border transfer of personal information and requires data localization for certain types of sensitive data.
  • Data Protection Measures: Organizations handling personal information must implement measures to ensure its security and confidentiality.
  • Accountability and Compliance: The law holds organizations accountable for violations and mandates the establishment of compliance mechanisms to ensure adherence to its provisions.

The PIPL extends its territorial scope to the processing of personal information conducted outside of China, provided that the purpose of the processing is:

  • to provide products or services to individuals in China
  • to "analyze" or "assess" the behavior of individuals in China, or
  • for other purposes to be specified by laws and regulations.

Moreover, the PIPL requires offshore "personal information processing entities" subject to the PIPL to establish a "dedicated office" or appoint a "designated representative" in China for personal information protection purpose.

PIPL implementation challenges

Following the PIPL coming into effect, most organizations, especially those international companies who conduct business in China, have enthusiastically complied with the PIPL. However, most organizations will not have solutions associated with the data transfer mechanisms required by the PIPL, since data authorities in China have not officially released any guidance on the same to date.

The implementation of PIPL in China poses several challenges for organizations, including:

  • Compliance Requirements: Ensuring compliance with the comprehensive requirements of the PIPL, including obtaining consent for data collection, implementing security measures, and providing individuals with rights over their personal data, can be complex and resource-intensive.
  • Data Localization: The PIPL imposes restrictions on cross-border data transfers and mandates data localization for certain types of sensitive personal information. Organizations may face challenges in establishing or modifying infrastructure to comply with these requirements.
  • Cross-Border Data Transfers: Organizations conducting cross-border data transfers must meet stringent requirements under the PIPL, including conducting security assessments and obtaining approval from regulatory authorities. Navigating these requirements while maintaining business operations can be challenging, particularly for multinational companies.
  • Resource Constraints: Smaller organizations may struggle to allocate sufficient resources and expertise to ensure compliance with the PIPL's requirements, including implementing data protection measures, conducting assessments, and responding to data subject requests.
  • Regulatory Uncertainty: The PIPL introduces new regulatory frameworks and requirements, and organizations may face uncertainty regarding the interpretation and enforcement of these provisions. Lack of clarity on specific aspects of the law may hinder effective compliance efforts.
  • Third-Party Compliance: Organizations may rely on third-party service providers for various data processing activities, including data storage and processing. Ensuring that these third parties comply with the requirements of the PIPL and adequately protect personal data presents additional challenges in terms of oversight and accountability.

Overall, navigating the complexities of the PIPL and addressing its implementation challenges require careful planning, allocation of resources, and ongoing monitoring of regulatory developments to ensure compliance and mitigate risks associated with personal data processing in China.

How We Can Help

As an organization, ProPharma has acted very quickly by engaging with external counsel to understand the PIPL laws that came into effect on November 1, 2021 and the GVP (Good Pharmacovigilance Practices) laws that came into effect on December 1, 2021.

Because a legal entity in China is a requirement under GVP, ProPharma is currently working toward the set up of a legal entity and we expect it to be in place by the end of March 2024.

Under PIPL, compliance is essential, particularly concerning the management of consent for cross-border personal data transfers. Our local Chinese entity plays a crucial role in aiding compliance efforts. By establishing an entity in China, ProPharma can effectively address data localization challenges and cater to data subjects' preferences regarding the transfer of their information.

Furthermore, leveraging our resources allows us to navigate the intricacies of PIPL seamlessly. From establishing robust consent management systems to ensuring compliance with oversight mechanisms, ProPharma is dedicated to assisting clients in meeting their PIPL obligations while maintaining operational efficiency and data security.

Get Expert Guidance on PIPL Compliance

Navigating the complexities of PIPL implementation in China poses significant challenges for organizations, especially those conducting international business. ProPharma, with its proactive approach and expertise, stands ready to assist you in ensuring seamless compliance with the latest data protection laws.

Don't let PIPL implementation challenges hinder your operations. Contact ProPharma today for expert guidance, proactive solutions, and a streamlined path to compliance. Your data protection journey starts with us. Speak with an expert today!


Meet the Expert: Collin Freeman

May 25, 2023

Meet the Expert: Collin Freeman

Our "Meet the Expert" series introduces you to our team of experts around the world. This "behind the curtain" view will help you get to know who we are on a professional and personal level, and...

Meet the Expert Kamila Rocha

September 21, 2023

Meet the Expert: Kamila Rocha

Our "Meet the Expert" series introduces you to our team of experts around the world. This "behind the curtain" view will help you get to know who we are on a professional and personal level, and...

October 8, 2015

FDA Takes Steps to Make REMS Info Easier to Share

FDA is launching a pilot project to integrate Risk Evaluation and Mitigation Strategies (REMS) into Structured Product Label (SPL) format. This will facilitate the sharing of documents and ease the...