Standards Comparison

    PIPL

    Mandatory
    2021

    China's comprehensive regulation for personal information protection

    VS

    EU AI Act

    Mandatory
    2024

    EU regulation for risk-based AI governance

    Quick Verdict

    PIPL governs the processing of personal information by organizations operating in or targeting China, with strict consent and cross-border transfer requirements, while the EU AI Act regulates AI systems according to their risk level for the EU market, with conformity assessments for high-risk systems. Companies adopt PIPL for China market entry and the AI Act for ethical AI compliance.

    Data Privacy

    PIPL

    Personal Information Protection Law (PIPL)

    Cost
    €€€€
    Complexity
    Medium
    Implementation Time
    6-12 months

    Key Features

    • Extraterritorial scope for foreign processors targeting China
    • Explicit separate consent for sensitive personal information
    • Volume-threshold cross-border security assessments and SCCs
    • Penalties up to 5% annual revenue or RMB 50 million
    • Mandatory PIPIAs for high-risk processing activities

    Artificial Intelligence

    EU AI Act

    Regulation (EU) 2024/1689 Artificial Intelligence Act

    Cost
    €€€
    Complexity
    Medium
    Implementation Time
    18-24 months

    Key Features

    • Risk-based four-tier AI classification system
    • Prohibitions on unacceptable-risk practices
    • High-risk conformity assessment and CE marking
    • GPAI model transparency and systemic risk duties
    • Post-market monitoring and incident reporting

    Detailed Analysis

    A comprehensive look at the specific requirements, scope, and impact of each standard.

    PIPL Details

    What It Is

    PIPL, China's Personal Information Protection Law, effective November 1, 2021, is a comprehensive national regulation on personal data collection, processing, storage, transfer, and deletion. Comprising 74 articles, it applies both territorially and extraterritorially to organizations handling the data of Chinese individuals. It takes a risk-based approach with strict consent and data-minimization principles, broadly similar to the GDPR but more consent-centric.

    Key Components

    • Core principles: lawfulness, necessity, minimization, transparency, accountability.
    • Seven legal bases, primarily consent; no broad legitimate interests.
    • Sensitive personal information rules requiring explicit consent.
    • Cross-border mechanisms: security reviews, SCCs, certifications with volume thresholds (>1M PI or >10K SPI).
    • Individual rights: access, correction, deletion, portability; mandatory PIPIAs for high-risk activities. No formal certification, but CAC oversight and audits.

    Why Organizations Use It

    Mandatory for firms with China exposure; non-compliance risks fines of up to 5% of annual revenue or RMB 50M and operational halts. Compliance enables market access, builds consumer trust, enhances resilience through data governance, reduces breach costs, and supports M&A.

    Implementation Overview

    Phased framework: gap analysis, data mapping, policy and consent updates, controls, monitoring (6-12 months). Applies to all multinationals and platforms handling Chinese PI; prioritizes SPI and cross-border flows.

    EU AI Act Details

    What It Is

    The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is a comprehensive, horizontal regulation establishing the world's first risk-based framework for AI systems. It applies across sectors to providers and deployers placing AI on the EU market or using outputs in the EU, focusing on safety, transparency, and fundamental rights via a four-tier risk model: unacceptable, high, limited, and minimal.

    Key Components

    • Prohibited practices (Article 5), high-risk obligations (Articles 9-15: risk management, data governance, documentation, oversight, cybersecurity), transparency duties (Article 50), and GPAI model rules (Chapter V).
    • Over 100 requirements integrated into lifecycle conformity assessments, CE marking, and EU database registration.
    • Built on product-safety principles with hybrid enforcement (AI Office, national authorities).

    Why Organizations Use It

    • Mandatory compliance for EU market access, avoiding fines up to 7% global turnover.
    • Enhances risk management, builds trust, and enables procurement in regulated sectors such as healthcare and finance.
    • Drives better AI quality and a competitive edge through certified safety.

    Implementation Overview

    Phased rollout (6-36 months): inventory AI assets, classify risks, build a QMS and documentation, conduct assessments. Applies globally to AI affecting the EU market; high-risk systems are audited by notified bodies.

    Key Differences

    Scope

    PIPL
    Personal information processing, consent, transfers
    EU AI Act
    AI systems by risk level, high-risk obligations

    Industry

    PIPL
    All handling Chinese residents' data, extraterritorial
    EU AI Act
    All AI providers/deployers targeting EU, risk-based sectors

    Nature

    PIPL
    Mandatory Chinese privacy regulation
    EU AI Act
    Mandatory EU AI risk regulation

    Testing

    PIPL
    PIPIAs for high-risk processing, security reviews
    EU AI Act
    Conformity assessments, notified bodies

    Penalties

    PIPL
    Up to 5% revenue or RMB 50M
    EU AI Act
    Up to 7% global turnover or EUR 40M
