Seeing how GDPR successfully focused corporate minds on data protection, Chinese businesses are about to undertake a chaotic but significant transformation as they attempt to comply with the Personal Information Protection Law (PIPL), which comes into force today. As suggested by DLA Piper's Carolyn Bigg in the Financial Times, the legislation's ambiguity makes this a difficult task.
Recent actions by the Chinese regulator to support this legislation also suggest that we should expect enforcement of the PIPL by the Cyberspace Administration of China (CAC) to be swifter and more extensive than in Europe. For example, the CAC recently conducted a security probe at ride-hailing company Didi Chuxing. Even if this review focused on national security rather than data protection concerns, my Shanghai-based colleague Stephen Yu recently highlighted that the expectation of scrutiny under the PIPL has negatively affected the valuation of China-based online brokerages.
We should therefore expect that the CAC will continue to take swift action, which will likely include disruptive dawn-raid style probes. In addition to recruiting DPOs, starting to prepare for such probes would be sensible.