China’s National People's Congress enacted a new law, the Personal Information Protection Law (PIPL), designed to protect individuals’ personal information online. It will be effective as of November 1, 2021, and is expected to add a long list of regulatory compliance requirements to companies operating in China.

The law requires that personal information will only be processed for a clear and reasonable purpose. The scope of data processing must be limited to the minimum necessary to achieve the goals for which it was collected in the first place.

The law lays out the conditions that companies must meet when collecting personal data. These include obtaining the individuals’ consent, ensuring data protection when transferring the data outside China, appointing an internal data protection officer, and conducting periodic audits.

The law is perceived as yet another effort by the communist country to regulate cyberspace. These efforts include imposing comprehensive regulatory procedures on tech giants such as Alibaba, and the enactment of the Data Security Law of the People’s Republic of China, effective as of September 1, 2021.