China's Personal Information Protection Law: A Gentle Reminder

21 October 2021

Jian-Chuan Zhang, Head of China, Global Stakeholder Engagement

In line with ICANN's FY21-25 Strategic Plan, and as part of ICANN organization's (org's) efforts to monitor the development of global legislation that has the potential to impact the ICANN community, I would like to raise awareness regarding a recent development in China: the Personal Information Protection Law (PIPL), which goes into effect on 1 November 2021.

Where appropriate, ICANN org provides technical advice on proposed legislation to inform lawmakers about the potential effects that their proposals could have on the Domain Name System (DNS). We also try to inform our community about new laws that could have an impact on the ICANN space, such as with the European Union's General Data Protection Regulation (GDPR).

The ICANN community is familiar with laws like the GDPR, which affects ICANN's and the contracted parties' operations, including the Registration Data Directory Services (RDDS) or WHOIS. The WHOIS system is a critical tool for various stakeholders in areas such as fighting against DNS security threats, cybercrime, and IP infringement.

Similar to many governments' efforts, the PIPL is part of China's effort to regulate personal data processing. It is similar to the GDPR, although its requirements concerning personal data processing, including cross-border transfers of personal information, are different.

For example, the legal basis for personal information processing in PIPL is slightly different from that of the GDPR. Under the PIPL, registrants' consent will play an important role as the legal basis for registries and registrars to process registration data as required under the Registrar Accreditation Agreement (RAA), Registry Agreements, and Consensus Policies. However, the PIPL does not include the concept of "legitimate interests," which is another potentially applicable legal basis for personal data processing under the GDPR. Importantly, the RAA requires registrars to provide notices concerning data processing to registrants and to obtain consent for registration data processing.

ICANN org encourages contracted parties that conduct business in China to ensure that their agreements and processes for collecting, processing, and maintaining personal data are in compliance with the PIPL (and other applicable laws), and to obtain legal advice to evaluate their potential obligations under the PIPL before it comes into effect on 1 November.
