Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Australia: The impact of Chinese data protection laws on Australian businesses

China has implemented data protection legislation that impacts how companies operate in, or transact with, businesses or individuals in China. The Personal Information Protection Law ('PIPL') applies to organisations and individuals who process 'personally identifiable information' in China. Companies that process, analyse, or access personal data relating to individuals based in China, for example to provide a product or service or analyse their behaviour, will be required to comply with the PIPL. Katherine Sainty and Aisling Hamilton, from Sainty Law, share insight into the impact of the PIPL on Australian businesses and look at what affected businesses should consider in order to stay compliant with Chinese legislation.

Aleksandra Aleshchenko / Essentials collection /

What is the PIPL?

The PIPL came into effect on 1 November 2021. This is the third pillar of China's data governance and cybersecurity regime. The other two pillars are the Cybersecurity Law ('CSL') and the Data Security Law ('DSL') which primarily focus on protecting China's security interests. The recent compilation of laws comes as an attempt to consolidate regulations and regulate the digital economy.

The PIPL governs the way you handle personally identifiable information. Handling includes the 'collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.' (Article 4 of the PIPL).

The PIPL is not restricted to just Chinese companies or local affiliated multinational companies, therefore, Australian businesses that deal in Chinese personal information will also be caught by the PIPL. This means Australian businesses that are working in China or offering goods and services to individuals based in China should review China's data governance and cybersecurity regime to ensure they comply with relevant laws.

Where an organisation handles personal information outside of China, the PIPL applies where the purpose of the activities include:

  • providing products or services to individuals in China;
  • analysing or assessing individual behaviour in China; or
  • other circumstances defined by law and regulations.

Personally identifiable information is defined as 'all information related to identified or identifiable natural persons'. It does not include information which is anonymised. This is similar to the definition of personal information under the Australian Privacy Act 1988 (Cth) No. 119 1988 (as amended), however the PIPL does not include opinions about identified persons or persons who are 'reasonably identifiable', whether true or not in its definition.

The PIPL imposes obligations upon a personal information handler which is defined as any organisation or individual who determines the purpose and method of data handling.

International similarities

The PIPL has adopted similar, but not identical principles to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

For example, both the PIPL and the GDPR have similar extraterritorial application and threshold tests for businesses regardless of location, which process or handle personal information.

Another similarity is the use of standard contractual clauses to safeguard data transfers and to clarify the limited circumstances where the processing of personal information is permissible without consent. The grounds are more stringent under the PIPL than the GDPR.

The PIPL also imposes fixed penalties up to CNY 50 million (approx. €7,041,360) and turnover based penalties (up to 5% of annual turnover from prior financial year) for grave violations of personal data processing. The PIPL is silent on what is considered grave, but it would likely include intentional or repeat violations of the law.

China's updated data protection laws come at a time of significant transition in the global community. With the EU and US agreeing in principle to a data transfer agreement to enable safe and secure transfers of US and EU personal information, this is a promising move towards synthesising international data transfer laws. The PIPL also notes the Chinese Government may enter into treaties with other countries to allow for cross-border transfers of information. This would mean businesses can rely on the treaty instead of demonstrating compliance with the PIPL. No treaty has been entered into yet.

What does this mean for Australian businesses?

Who might be affected?

If your business handles personal information that relates to any individual inside China (Chinese personal data), you need to ensure that you comply with the PIPL. An Australian business will be caught by the PIPL if it:

  • sells goods or services to persons in China;

  • analyses the behaviour of persons in China;
  • has a web platform accessible in China;
  • employs personnel in China or individuals who ordinarily reside in China; and
  • has customers who access their products or services in Australia but ordinarily reside in China.

What steps do these businesses need to take?

At a high level if you are handling Chinese personal data as a result of the scenarios contemplated above, your business will need to:

  • Consider why you are processing the personal information and whether you have a clear lawful basis, such as to enter into or perform a contract with the data subject.
  • Obtain appropriate consent from the relevant individual to handle their data, this can be done through a collection statement.
  • Consider whether you require approval from the Chinese Government for cross border transfers. Companies which handle one million or more individual's personal information and engage in cross border transfers of data must submit a self-assessed security assessment to the Chinese Government and obtain approval.
  • Implement appropriate technical security measures to protect the personal information.
  • Keep track of the information you are sending to other entities, particularly where the other entity is located overseas.

If you are unsure whether your business is impacted by the PIPL, you should seek independent legal advice.

Katherine Sainty Director
[email protected]
Aisling Hamilton Graduate Lawyer
[email protected]
Sainty Law, Sydney