Everything you need to know about China's comprehensive data privacy law. Understand consent requirements, cross-border transfer rules, and penalties to protect your business.
The Personal Information Protection Law (PIPL) is China's first comprehensive data privacy legislation, often compared to the EU's GDPR. It took effect on November 1, 2021, fundamentally changing how businesses must handle personal data in China.
PIPL is part of China's broader data governance framework, alongside the Cybersecurity Law (CSL) and Data Security Law (DSL). Together, these three laws form the "trinity" of China's data protection regime.
PIPL has extraterritorial reach, meaning it applies to:
While PIPL shares similarities with GDPR, key differences include:
Any information related to an identified or identifiable natural person, recorded by electronic or other means, excluding anonymized data. Examples include:
Information that, if leaked or misused, could easily cause harm to personal dignity or safety. This category requires separate, explicit consent and enhanced protections:
| Category | Examples |
|---|---|
| Biometric data | Fingerprints, facial recognition, voiceprints, iris scans |
| Religious beliefs | Religious affiliation, practices |
| Specific identities | Ethnicity, political opinions, union membership |
| Health & medical | Medical records, genetic data, health conditions |
| Financial accounts | Bank accounts, credit history, payment data |
| Location tracking | Precise GPS data, movement patterns |
| Minors' data | Any personal information of individuals under 14 |
The personal information processor is the organization that independently determines the purposes and means of processing, similar to a "data controller" under GDPR. This entity bears primary compliance responsibility.
An entrusted party is a third party that processes data on behalf of the personal information processor, similar to a "data processor" under GDPR. It must operate under a contract and follow the processor's instructions.
PIPL establishes fundamental principles that must guide all personal information processing:
Processing must have a clear, legitimate purpose. Data collection cannot exceed what is necessary for the stated purpose. Avoid collecting data "just in case."
Personal information can only be used for the specific purposes disclosed at collection. Any new use requires fresh consent or another legal basis.
Collect only the minimum data required for your stated purpose. Over-collection—even with consent—violates this principle.
Data subjects must be clearly informed about processing activities, purposes, and their rights. No hidden collection or undisclosed sharing.
Processors must ensure personal information is accurate and complete. Provide mechanisms for individuals to correct errors.
Implement appropriate technical and organizational measures to protect data. The processor is accountable for compliance.
Consent is the primary legal basis for processing under PIPL, and the requirements are stringent:
PIPL mandates separate, explicit consent for these high-risk activities:
| Activity | Consent Type Required |
|---|---|
| Processing sensitive personal information | Separate consent + specific purpose disclosure |
| Sharing data with third parties | Separate consent + recipient disclosure |
| Cross-border data transfers | Separate consent + transfer details |
| Making personal information public | Separate, explicit consent |
| Direct marketing | Separate consent + opt-out mechanism |
| Automated decision-making | Consent + right to opt-out |
| Processing minors' data (under 14) | Guardian's separate consent |
PIPL allows processing without consent in limited circumstances:
PIPL grants individuals comprehensive rights over their personal information. Organizations must establish mechanisms to fulfill these requests:
Individuals can request confirmation of processing and access to their data, including:
Individuals can request correction of inaccurate or incomplete personal information. Processors must verify and update within a reasonable timeframe.
Individuals can request deletion of their data when:
Upon request, individuals can obtain their personal information in a structured, commonly used format and have it transferred to another processor (where technically feasible).
Individuals can refuse decisions made solely through automated processing that significantly affect their rights, or request human review of such decisions.
Close relatives can exercise access, correction, and deletion rights regarding a deceased person's personal information (unless the deceased arranged otherwise).
This is where PIPL differs most significantly from GDPR. Transferring personal information outside of China requires specific legal mechanisms:
| Mechanism | Who Must Use It | Process |
|---|---|---|
| 1. CAC Security Assessment | • Critical information infrastructure operators (CIIOs) • Processors handling 1M+ users' data • Processors transferring 100K+ users' data or 10K+ users' sensitive data cumulatively since Jan 1 of the prior year | Mandatory government assessment (6-18 months) |
| 2. Standard Contractual Clauses (SCCs) | Processors below CAC thresholds but above certification thresholds | Sign CAC-published contract + file with provincial CAC |
| 3. Personal Information Protection Certification | Smaller processors, intra-group transfers | Certification from accredited body |
For companies not meeting CAC thresholds, SCCs offer a more manageable path:
Regardless of mechanism, all cross-border transfers require:
PIPL imposes some of the strictest data protection penalties globally:
| Violation Level | Organizational Fines | Individual Fines |
|---|---|---|
| Standard violations | Up to ¥1 million (~$140,000) | Up to ¥100,000 (~$14,000) for responsible persons |
| Serious violations | Up to ¥50 million (~$7 million) or 5% of prior year revenue | Up to ¥1 million (~$140,000) for responsible persons |
| Refusal to correct | Additional ¥1-5 million | ¥10,000-100,000 |
Since PIPL's implementation, enforcement has increased significantly:
The Personal Information Protection Law (PIPL) is China's comprehensive data privacy law, similar to GDPR. It took effect on November 1, 2021 and applies to any organization processing personal information of individuals in China, regardless of where the organization is located.
PIPL penalties can reach up to 50 million RMB (~$7 million USD) or 5% of annual revenue, whichever is higher. Individuals responsible can face fines up to 1 million RMB and may be banned from serving as directors or senior managers. Severe violations can result in business license revocation.
There are three legal mechanisms for cross-border data transfer: (1) CAC security assessment for large data processors, (2) Standard Contractual Clauses (SCCs) with CAC filing for medium processors, or (3) Personal information protection certification for smaller processors. Each has different requirements and thresholds.
Yes, PIPL has extraterritorial scope. It applies to any organization that processes personal information of individuals in China, even if the organization has no physical presence in China. Foreign companies must appoint a local representative or establish a local entity for compliance purposes.
Sensitive personal information includes biometric data, religious beliefs, specific identities, medical and health information, financial accounts, location tracking data, and any personal information of minors under 14. Processing sensitive data requires separate, explicit consent and stricter safeguards.
PIPL requires informed, voluntary consent that cannot be bundled with other terms. Separate consent is required for: processing sensitive personal information, sharing data with third parties, cross-border data transfers, using data for direct marketing, and making personal information public. Consent can be withdrawn at any time.