As part of the country's growing scrutiny over the tech sector, China enacted on August 21 a sprawling and comprehensive data privacy law, the Personal Information Protection Law (PIPL), which goes into effect on November 1, 2021. In combination with China's newly enacted and still little-understood Data Protection Law, which goes into effect on September 1, 2021, this law promises to impose a host of new data privacy, security, and protective obligations on all US and global companies doing business in China.These significant laws fit into China's broad "informatization policy," which Chinese President Xi Jinping has described as the modern equivalent of industrialization. However, the data protection law comes closer to serving more as a cybersecurity law than the PIPL. In his efforts to boost China to" cyber superpower" status, President Xi has famously said that "cybersecurity and informatization are two wings of one body, and two wheels of one engine."Both national security and the public interest come into playModeled in part on the EU's stringent and pace-setting General Data Protection Regulation (GPDR), PIPL creates a legal regime for all data from both the perspectives of national security and the public interest. It aims to achieve four objectives:Protect the rights and interests of individualsRegulate personal information processing activitiesSafeguard the lawful and "orderly flow" of dataFacilitate reasonable use of personal informationIts focus on national security departs from Western privacy frameworks such as the GDPR and California's Consumer Privacy Act (CCPA). The PIPL further differs from these two forms of data privacy by containing provisions addressing China's digital sovereignty. These provisions aim to limit the ability of overseas entities to infringe on Chinese citizens' rights and constrain the danger to the country's national security.Organizations handling Chinese citizens' data must meet conditionsThe PIPL states that "personal information processors," namely any organization handling the personal data of Chinese citizens, may handle that information only if the processor meets one of the following conditions:The processor obtains personal consentThe information is necessary for the conclusion and performance of a contract in which the individual is a party or necessary for the implementation of human resource management by following the labor rules and regulations established under the law and the collective contract signed per the law.The information is necessary to perform statutory duties or statutory obligations.The information is necessary to respond to public health emergencies or to protect the life, health, and property safety of natural persons in an emergency.The information is necessary to carry out news reports, public opinion supervision, and other acts for the public interest, and handle personal information within a reasonable range.Processing personal information disclosed by individuals or other legally disclosed personal information within a reasonable scope is conducted by following the provisions of this law.The information is processed under other circumstances stipulated by laws and administrative regulations.The law emphasizes that users must consent to allow their data to be processed, and users must be fully informed. Individuals are granted the right to withdraw their consent at any time. Moreover, information processors cannot withhold goods or services from individuals who refuse to allow their information to be processed or used.How organizations can comply with PIPL is still unclearHow organizations doing business in China can comply with the PIPL's complex provisions is unclear because many regulatory proceedings that flesh out how compliance would work have yet to occur. "This is a very new law and quite complex, so US companies that have operations in China are only just now beginning to focus on this law and are trying to figure out how it will affect their operations," Judith Alison Lee, partner at Gibson Dunn and co-chair of the firm's International Trade Practice Group, tells CSO.Moreover, although PIPL might go into effect in November, the fine print on how the law operates won't emerge until later when various Chinese ministries issue regulations, Rogier Creemers, China Digital Economy Fellow at New America and a postdoctoral scholar in Law and Governance of China at the University of Leiden's Van Vollenhoven Institute, tells CSO. "Many laws in China, such as the Personal Information Protection Law, work as framework laws," Creemers tells CSO."For instance, the new law creates a mandate for there to be a security review for the export of personal data. But the Cyberspace Administration of China, the regulator in this specific sector, is empowered to make those rules. So, until those specific rules come out, we don't know what's going to happen."Cross-border flow of information and avoiding sanctions are top prioritiesHowever, organizations that deal with any form of personal data in China can start prioritizing the critical aspects of the law ahead of any further regulatory clarity. "The single most important provisions are going to be those that deal with the cross-border flow of personal information. Those are going to be crucial," Creemers says."My practice is focused on OFAC [the Treasury Department's Office of Foreign Assets Control] sanctions, so one particular area of concern is whether this new law will impede the efforts of companies to ensure that they are in compliance with OFAC sanctions," Gibson Dunn's Lee says. "This usually involves 'screening' the personal information of customers, suppliers, employees, and business partners against a number of prohibited party lists.\u00a0"Sometimes, this screening function is performed outside of China.\u00a0 If companies violate OFAC sanctions, there can be really significant civil monetary penalties, so US companies are worried about being caught in the crossfire of the laws of the US and China, which can be conflicting."Whatever shape the final law takes, it is clear that many international organizations may have to staff up to handle at least some of the law's provisions. For example, the law requires data handlers outside of China that process the personal information of Chinese citizens to establish a dedicated entity or appoint a representative within China to be responsible for matters related to their information processing.