Implications of the PRC Personal Information Protection Law for international financial institutions

The PRC Personal Information Protection Law (the “PIPL”) officially took effect on 1 November 2021 as the first comprehensive privacy law in mainland China.  

Our experience shows that compliance with the PIPL can be particularly challenging for PRC financial institutions since they frequently process large amounts of, or sensitive, personal information and hence are subject to some of the most stringent requirements under the PIPL. Furthermore, financial institutions are subject to overlapping supervision by industry regulators that have tightly enforced data protection principles even before the PIPL’s launch. International financial groups have the additional challenge of balancing multiple jurisdictions’ rules which can be in conflict.

This alert summarises some of the questions most frequently asked by our financial institution clients in relation to the implications of the PIPL and aims to share our thoughts and observations for dealing with this new law in the context of existing financial industry rules.