Skip to main content

Personal Information Protection Law of the People's Republic of China

China's PIPL is a comprehensive personal information protection law with strict consent rules, impact assessments, and tightly controlled cross-border transfers, regulated chiefly by the CAC. It has broad extraterritorial reach and severe penalties.

Jurisdiction
China

The Personal Information Protection Law (PIPL) of the People's Republic of China is China's first comprehensive law dedicated to personal information protection. It was passed in August 2021 and took effect on November 1, 2021. The PIPL sits alongside the Cybersecurity Law and the Data Security Law to form the core of China's data governance framework. It draws on concepts from the GDPR but adds strict rules on cross-border transfers and state oversight. The Cyberspace Administration of China (CAC) is the lead regulator.

The PIPL applies broadly to the processing of personal information of natural persons within China and has significant extraterritorial reach.

Who It Applies To

The PIPL applies to organizations and individuals that process the personal information of natural persons within the borders of China. It also applies to processing outside China where the purpose is to provide products or services to individuals in China, to analyze or assess their behavior, or in other circumstances set by law. Foreign processors covered by the law must establish a dedicated entity or appoint a representative in China and report its details to authorities.

Key Requirements

Processing requires a lawful basis, such as consent, necessity for a contract, legal duties, public health emergencies, or news reporting in the public interest. Consent must be voluntary and informed, and separate consent is required for sensitive personal information, for providing data to third parties, for public disclosure, and for cross-border transfers. Individuals have rights to know, decide, access, correct, delete, and port their data and to withdraw consent. Processors must conduct personal information protection impact assessments for sensitive data, automated decision-making, and cross-border transfers. Cross-border transfers require one of several mechanisms: a CAC security assessment, certification, the CAC standard contract, or another legal basis. Certain critical information infrastructure operators and large-volume processors must store data locally.

Penalties for Non-Compliance

Penalties are severe. Serious violations can lead to fines of up to RMB 50 million or 5 percent of the prior year's annual turnover, suspension or termination of services, and revocation of business licenses. Responsible individuals can be fined and barred from senior roles. Violations may also be recorded in China's credit systems.

How to Comply

Identify a lawful basis for each activity and obtain separate consent where the law requires it. Provide clear notices and honor individual rights. Conduct personal information protection impact assessments for sensitive processing, automated decisions, and transfers. Select and document a valid cross-border transfer mechanism and assess data localization duties. If you are a foreign processor in scope, appoint a local representative or entity.