As Scott WarrenLindsay Zhu and Katherine Fan discuss in greater detail here, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China passed the Personal Information Protection Law (the “PIPL”).  They explain that “[t]he final version of the PIPL sets forth a number of new obligations that apply to all Personal Information (PI) collected from the mainland of the People’s Republic of China (hereinafter ‘China’, or the ‘PRC’).  The main changes from the earlier drafts of the PIPL are that the final version allows the processing of employee information, revises the definition of ‘Sensitive Personal Information’ and indicates that special rules will be created for small enterprises.”  They provide a detailed breakdown of the PIPL’s requirements, which reiterate the importance of companies taking immediate steps to ensure compliance with these new and comprehensive regulations, including conducting a data inventory and mapping exercise, assessing the purpose and lawful basis for PI processing, conducting a PI protection assessment and other measures in order to respond to data subject requests.