China's Personal Information Protection Law (PIPL) is a new requirement. How does Approov work within the People's Republic of China (PRC)?
China's Personal Information Protection Law (PIPL) is a new privacy law that came into effect on November 1, 2021. The PIPL defines personal information as information recorded by electronic or other means that can be used, either alone or in combination with other information, to identify a natural person or reflect the activities of a natural person. Under the PIPL, if an IP address and device ID have been truly anonymized, as Approov does, they cannot be used to identify a natural person, then they would not be considered as personal information under the law.
However, it is worth noting that if there is additional information that can be combined with the anonymized IP address and device ID to identify a natural person, then the combination of that information may still be considered personal information under the PIPL. In such cases, the combination of data would need to be protected in accordance with the requirements of the PIPL.
More specifically, the PIPL defines personal information as any information that can be used to identify a natural person, including but not limited to:
- Name, date of birth, ID number, personal biometric information, address, phone number, email address, and other similar identifying information;
- Personal identity information, including ID card number, passport number, driver's license number, and other similar identifying information;
- Personal financial information, including bank account number and credit card number;
- Personal communication information, including communication content and records;
- Personal health information, including medical history, physical examination results, and other similar information;
- Personal transaction information, including transaction records, payment records, and other similar information.
In addition, the PIPL also includes a category of "sensitive personal information" which is given special protection under the law. This includes information such as race, ethnicity, religious beliefs, biometric data, medical and health information, financial accounts and transactions, and personal location tracking data.
Under the PIPL, personal information can also be transferred out of China and stored on servers outside of China, if certain conditions are met. These conditions include obtaining the data subject's explicit consent, entering into a contract with the recipient that includes certain data protection clauses, and ensuring that the recipient's country has data protection laws that are deemed by the Chinese government to be comparable to the PIPL (for example GDPR or the CCPA).
However, if the IP address and device ID have been truly anonymized, as is the case with the use of the Approov services, the data does not qualify as personal information under the PIPL, and there are no restrictions on transferring or storing that information outside of China. Approov's anonymized data falls outside the scope of the PIPL because it cannot be used to identify a natural person.
It is worth noting, however, that the exact requirements for data transfer and storage under the PIPL are still being developed, and the law is still in its early stages of implementation. It is therefore important to regularly monitor updates and changes to the law to ensure compliance with its requirements.