Standards Comparison

    PIPL

    Mandatory
    2021

    China's comprehensive law for personal information protection

    VS

    REACH

    Mandatory
    2007

    EU regulation on the registration, evaluation, authorisation and restriction of chemicals.

    Quick Verdict

    PIPL governs personal data protection in China with strict consent and transfer rules for global firms serving Chinese users, while REACH mandates chemical registration and risk assessment for EU market access. Companies adopt both to ensure compliance, avoid massive fines, and secure market entry.

    Data Privacy

    PIPL

    Personal Information Protection Law (PIPL)

    Cost
    €€€
    Complexity
    Medium
    Implementation Time
    6-12 months
    Chemical Safety

    REACH

    Regulation (EC) No 1907/2006 (REACH)

    Cost
    €€€
    Complexity
    Medium
    Implementation Time
    18-24 months

    Key Features

    • Industry-led registration of substances over 1 tonne/year
    • Authorisation regime for SVHCs with sunset dates
    • Binding restrictions on unacceptable risks (Annex XVII)
    • Supply-chain SDS and exposure scenario communication
    • Continuous evaluation and dossier update obligations

    Detailed Analysis

    A comprehensive look at the specific requirements, scope, and impact of each standard.

    PIPL Details

    What It Is

    PIPL (Personal Information Protection Law), enacted November 1, 2021, is China's comprehensive national regulation governing collection, processing, storage, transfer, and deletion of personal information. It applies domestically and extraterritorially to organizations targeting Chinese individuals, emphasizing lawfulness, necessity, minimization, and risk-based protections for sensitive personal information (SPI) like biometrics and health data.

    Key Components

    • Eight chapters, 74 articles covering processing rules, cross-border transfers, individual rights, and handler obligations.
    • Core principles: consent-first (no broad legitimate-interest basis), explicit consent for SPI, data minimization, transparency.
    • Transfer mechanisms: CAC security assessments, SCCs, certifications; data localization for critical information infrastructure operators (CIIOs).
    • Compliance via PIPIAs (personal information protection impact assessments), audits, and DPO appointment for large handlers.

    Why Organizations Use It

    Mandatory for firms with China exposure; compliance avoids fines of up to 5% of annual revenue. It also enhances trust, enables market access, reduces breach risk, and supports resilient data architectures amid enforcement actions such as Didi's RMB 1.2B penalty.

    Implementation Overview

    Phased approach: gap analysis, policies, controls, transfer mechanisms (6-12 months). Targets multinationals and platforms; requires data mapping, consent UX, vendor clauses, and ongoing audits. There is no formal certification, but CAC reviews apply.

    REACH Details

    What It Is

    REACH (Regulation (EC) No 1907/2006) is a directly applicable EU regulation on the Registration, Evaluation, Authorisation and Restriction of Chemicals. It shifts responsibility to industry to identify and manage chemical risks for human health and the environment, while fostering innovation. Scope covers substances, mixtures, and certain articles; approach is risk-based with tonnage-triggered data requirements.

    Key Components

    • Four pillars: Registration (dossiers >1 tonne/year), Evaluation (dossier/substance checks), Authorisation (SVHC permissions), Restriction (Annex XVII bans/limits).
    • 17 annexes for data standards, lists (Annex XIV SVHCs), SDS rules.
    • Principles: industry data generation, supply-chain communication, continuous updates.
    • No certification; compliance via ECHA submissions, national enforcement.

    Why Organizations Use It

    • Mandatory for EU/EEA manufacturers/importers to ensure market access.
    • Mitigates fines, bans, recalls; enables substitution, ESG reporting.
    • Builds trust, reduces liability, drives competitive safer products.

    Implementation Overview

    • Phased approach: inventory, gap analysis, dossiers/CSRs, monitoring.
    • Cross-industry and global in reach (non-EU firms act via Only Representatives); data governance and training are key.
    • Audit-ready via self-assessments and national inspections.

    Key Differences

    Scope

    PIPL
    Personal data collection, processing, transfer
    REACH
    Chemical substances registration, risk management

    Industry

    PIPL
    All sectors handling Chinese personal data
    REACH
    Chemicals, manufacturing, importers to EU

    Nature

    PIPL
    Mandatory China national privacy law
    REACH
    Mandatory EU chemicals regulation

    Testing

    PIPL
    DPIAs for high-risk processing
    REACH
    Dossier submissions, chemical safety assessments

    Penalties

    PIPL
    Up to 5% of annual revenue or RMB 50M
    REACH
    Fines up to €10M or 2% turnover

    Run Maturity Assessments with GRADUM

    Transform your compliance journey with our AI-powered assessment platform

    Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

    100+ Standards & Regulations
    AI-Powered Insights
    Collaborative Assessments
    Actionable Recommendations
