
What is PIPL?

The Personal Information Protection Law (PIPL) is China's comprehensive data protection law, effective November 2021, that governs the collection, processing, and cross-border transfer of personal information of individuals in China.

Also known as: Personal Information Protection Law, China data protection law, China privacy law

The Personal Information Protection Law (PIPL) is China's comprehensive framework for protecting personal information. Effective November 1, 2021, it is one of three major Chinese data laws — alongside the Data Security Law (DSL) and the Cybersecurity Law (CSL) — that together define how data is governed in China. The PIPL is structurally similar to the GDPR in many respects, but operates within a political context that makes it fundamentally different in practice.

Scope and Reach

The PIPL applies to:

  • Processing of personal information of individuals located in China, regardless of where the processing occurs
  • Activities to provide goods or services to individuals in China
  • Activities to analyze the behavior of individuals in China
  • Any other circumstances specified by law

This extraterritorial reach means foreign companies with Chinese customers or users must comply, even without a physical presence in China. Organizations outside China that fall within scope must designate a representative or an institution within China to handle PIPL compliance matters.

Key Definitions

Personal information — Any information relating to an identified or identifiable natural person, recorded electronically or otherwise. Anonymized information is excluded.

Sensitive personal information — A heightened protection category including biometric data, religious beliefs, specific identities (including medical history), financial accounts, location, and children's personal information. Processing sensitive data requires separate, explicit consent.

Personal information processor — The organization or individual that determines the purpose and method of processing — equivalent to the GDPR's "data controller."

Legal Bases for Processing

The PIPL establishes several lawful bases:

  • Individual consent — The primary basis; must be voluntary, informed, and explicit
  • Contractual necessity — Necessary to perform a contract with the individual
  • Legal obligation — Required by law or regulation
  • Public health emergency — Response to major public health events
  • Public interest — News reporting, public opinion supervision, etc.
  • Protection of life and property — Emergency situations
  • Other circumstances — As defined by law

Consent must be obtained separately for each processing purpose; bundled consent is not valid under PIPL.

Individual Rights

PIPL grants individuals the following rights:

  • Right to know and decide — Understand and make decisions about how their information is used
  • Right to access and copy — Obtain copies of their information
  • Right to correct — Fix inaccurate information
  • Right to delete — Request deletion when purpose is fulfilled, consent withdrawn, or processing was unlawful
  • Right to withdraw consent — Revoke consent at any time; withdrawal does not affect prior lawful processing
  • Right to portability — Transfer to another platform (where technically feasible)
  • Right to object to automated decision-making — Request human review of automated decisions that have significant effects

Cross-Border Data Transfers: The Critical Difference from GDPR

The PIPL's cross-border transfer rules are more restrictive than any other major data protection law. Before transferring personal data out of China, organizations must satisfy one of these requirements:

  1. Cybersecurity Administration of China (CAC) security assessment — Mandatory for large data processors, operators of critical information infrastructure, or anyone transferring data designated as "important data"
  2. Certification — By a professional institution recognized by CAC
  3. Standard Contracts — CAC-approved standard contract clauses (published 2023)
  4. Other conditions — As specified by law or regulation

The CAC has significant discretion over what triggers the mandatory security assessment. For most companies, the standard contract route is most practical for routine cross-border transfers.

Data localization for critical categories: Personal information processors that handle personal data of over 1 million individuals must store that data within China. Critical information infrastructure operators face similar requirements.

PIPL in Practice: Key Tensions

The PIPL creates a notable paradox: it imposes GDPR-like protections against private sector data use while Chinese state agencies are largely exempt from the law's restrictions. The law protects Chinese residents from commercial data exploitation but does not restrain government surveillance.

For foreign companies, practical compliance challenges include:

  • Security assessments — Can be lengthy and unpredictable
  • Cross-border transfer restrictions — Meaningful operational friction for global businesses
  • Localization requirements — May require China-specific infrastructure
  • Regulators with broad discretion — CAC can interpret rules broadly

Enforcement

The CAC and other regulators enforce the PIPL. Fines can reach RMB 50 million ($7 million USD) or 5% of the prior year's annual revenue — whichever is higher. For serious violations, businesses can be ordered to suspend operations or have licenses revoked. Responsible individuals can be fined up to RMB 1 million ($140,000 USD) personally.

China has actively enforced data regulations: several major apps were removed from app stores for PIPL and Cybersecurity Law violations, including ride-sharing giant Didi, which was fined RMB 8.03 billion ($1.2 billion USD) in 2022.

Who Needs to Pay Attention

  • E-commerce companies with Chinese customers
  • SaaS businesses serving Chinese enterprises
  • Companies with Chinese employees whose HR data is processed outside China
  • Mobile app developers with Chinese users
  • Any company operating a supply chain with Chinese entities sharing employee or supplier data
