Skip to content

Something urgent? Call us now! (852) 3416 1711

Ally Law
Boase Cohen & Collins
Blog

China gets tough on data protection

By Allison Lee

Hong Kong, 10 September 2021: China’s long-awaited data privacy legislation, the Personal Information Protection Law (PIPL), will take effect on 1 November. While the law does not directly apply to Hong Kong, which has its own Personal Data (Privacy) Ordinance, it does have extraterritorial application, meaning companies in Hong Kong and elsewhere with business connections to the mainland need to take immediate action to comply with its requirements.

The PIPL, formally approved by the Standing Committee of the National People’s Congress on 20 August, is seen as one of the world’s strongest laws on personal data security, making it significantly harder for tech firms in China to access and use consumer information. It requires that the processing of personal information shall abide by the principles of legality, fairness, good faith, openness and transparency.

Underlying the PIPL is the fundamental principle that collection and processing of personal information should be limited to the minimum level necessary to fulfil the specific purpose. Processing information beyond this level may be unlawful, even if individual consent is obtained.

Rights of the individual

The PIPL will give citizens the right to access and obtain a copy of their personal information from firms and request that the data be corrected or deleted (Articles 45 to 47). Further, individuals can opt out of targeted marketing, including push notifications and pop-ups (Article 24).

Companies and organisations will need to obtain individual consent to access sensitive personal information such as biometrics, medical health records, financial accounts and a person’s location (Article 29). When processing personal information of a minor under the age of 14, firms will need to obtain consent from the parent or guardian and establish specific processing rules (Article 31).

There are certain instances where consent is not required, including: a contract with an individual or for the purposes of human resources management according to established employment policies; where necessary to perform statutory duties; where necessary for the protection of life, health or property; or in the process of news reporting (Article 13).

The PIPL has similarities with the EU’s General Data Protection Regulation (GDPR), which came into effect in 2018 and imposed strict controls on how companies handle personal data within Europe. However, the mainland’s new law is stronger when it comes to cross-border data transfers.

The new law stipulates that firms with critical information infrastructure and large amounts of personal information must store this data within China (Article 40). If they wish to transfer it out of the mainland, they will first need separate consent from individuals (Article 39). Then, they will have to meet certain requirements, such as passing a security assessment made by the state cyberspace authorities and obtaining the required certification or entering into a standard contract with the overseas recipient as prescribed by the cyberspace authorities (Article 38).

Obligations for foreign firms

The PIPL’s provisions on extraterritorial application are clear. Foreign businesses and organisations, including those in Hong Kong, which process personal information of individuals in the mainland for the purposes of offering products or services to them, or analysing and assessing their behaviour, must fall in line. A key requirement is that foreign firms should establish a dedicated entity or appoint a legal representative based in the mainland for data compliance (Article 53). 

Given the close business ties between Hong Kong and the mainland, the new law poses challenges for businesses in the territory, particularly those in the retail and e-commerce sector which collect and process consumer data. The PIPL’s regulations on the transfer of data also cover financial accounts, meaning new compliance procedures for financial institutions.

Firms which contravene the PIPL may face a maximum fine of RMB 50 million (about HK$60 million) or 5% of annual turnover. Other penalties can include suspension of operation or loss of licence.

Summary

The PIPL appears to be the final part of China’s new data management regime, following on from the Cybersecurity Law passed in 2017 and the recent Data Security Law. Together, the three pieces of legislation give the mainland a comprehensive data protection legal framework.

The new law will usher in distinct changes in the way cross-border business is carried out. In order to ensure compliance with its obligations, businesses are recommended to become familiar with the PIPL and to review and amend their practices accordingly. If in doubt, they should seek legal advice.

A Senior Associate with BC&C, Allison Lee handles a diverse range of civil litigation matters including shareholders’ disputes, contractual disputes, employment and immigration. In addition to her law qualifications, she has a Master’s degree in science, specialising in electronic commerce and internet computing, and a Bachelor’s degree in math majoring in Computer Science. She can be contacted at allison@boasecohencollins.com.

40+ years of legal experience is just a click away.

Friendly and approachable, we are ready to answer your questions and offer you sound advice.

Contact us now

BC&C-contact-us

News & Knowledge

Learn more about what we do and what we say. Subscribe to our newsletter to ensure you receive our updates.

  • This field is for validation purposes and should be left unchanged.

CFA ends long-standing land law principle

By Alex Liu Hong Kong, 27 April 2026: In a significant judgment concerning land law, the Court of Final Appeal has effectively abolished the Milmo principle, which has been applied in Hong Kong for 80 years. The decision marks a rare occasion where our city’s top court departs from a long-established line of English case […]

Read more

Focus on anti-money laundering measures

Hong Kong, 24 April 2026: As part of our commitment to the highest professional standards, we were pleased to host an interactive seminar on compliance with Hong Kong’s strict anti-money laundering and counter-terrorist financing (AML/CTF) regulations as they apply to the legal sector. We welcomed to our office Patrycja Kosc and Nelson Chan, respectively Head […]

Read more

Vaping clampdown enters new phase

By Stephanie Lai and Luzia Liu Hong Kong, 21 April 2026: Health authorities are rolling out stricter tobacco control measures, with possession of alternative smoking products (ASPs) – namely electronic smoking devices, heated tobacco products and herbal cigarettes – being banned in public places from 30 April. Legislation was implemented four years ago which outlawed […]

Read more

Taking a chain reaction on the chin

Hong Kong, 15 April 2026: The domino toppling world record stands at 4,491,863 and was achieved in 2009. A team of 90 builders from 14 nations worked for two months setting up the display in the Dutch town of Leeuwarden. When the first piece was pushed over, it triggered a 90-minute chain reaction in which […]

Read more

Law & More: Episode 64 – Yang-Wahn Hew & Azan Marwah

Hong Kong, 13 April 2026: In this episode, we examine sports law, a practice area that is evolving rapidly as Hong Kong builds world-class sports facilities and hosts an increasing number of elite international sporting events. Our Senior Partner Colin Cohen is joined by barristers Yang-Wahn Hew and Azan Marwah to discuss the multiple governance, […]

Read more
See all news and knowledge
Ally Law