PIPL – Personal Information Protection Law (China's Data Protection Law)
China's PIPL, effective November 2021, is the PRC's most comprehensive personal data protection law with strict requirements for cross-border data transfers.
Summary
The Personal Information Protection Law (PIPL) is China's first comprehensive national-level personal data protection law. Effective November 1, 2021, it is regarded as China's equivalent to the European GDPR but contains significant features reflecting the Chinese legal system and state interests.
- Extraterritorial scope: Applies to processing of Chinese citizens' data by foreign entities.
- Strict transfer restrictions: Cross-border data transfers are subject to stringent requirements including security assessments by the Cyberspace Administration of China (CAC).
- Consent requirements: Broad consent obligations, including separate consent for certain sensitive processing activities.
- Localization obligations: Critical information infrastructure operators must store data within China.
History
Prior to the PIPL, data protection provisions in China were distributed across multiple laws, including the Cybersecurity Law (CSL, 2017) and the Data Security Law (DSL, 2021). Together with the PIPL, these form the so-called "Data Governance Trilogy".
The first draft of the PIPL was published in October 2020 and underwent two public consultation rounds. The law was adopted by the National People's Congress on August 20, 2021 and entered into force on November 1, 2021. The Cyberspace Administration of China (CAC) has since issued numerous implementing regulations, particularly on cross-border data transfers, security assessments, and standard contractual clauses.
Scope
The PIPL applies to the processing of personal information of natural persons within the PRC. It also covers foreign organizations and individuals processing personal information of persons located in China where:
- Products or services are provided to persons in China, or
- The behavior of persons in China is analyzed.
Foreign entities may be required to designate a local representative in China and register with the competent authority. The law distinguishes between ordinary personal information and sensitive personal information (biometrics, religious beliefs, specially designated status, health, finance, location data of minors under 14).
Key Requirements
- Legal basis: Consent, contract performance, legal obligations, public interest, or other statutory grounds.
- Purpose limitation: Clear, specific, and legitimate processing purposes.
- Data minimization: Processing only the minimum necessary data.
- Data subject rights: Access, copy, correction, deletion, restriction, explanation of decision logic, withdrawal of consent, data portability.
- Data Protection Officer: Mandatory appointment for large-scale processing.
- Data protection impact assessment: Required for sensitive data, automated decision-making, cross-border transfers, and other high-risk activities.
- Cross-border transfers: CAC security assessment, CAC-approved standard contractual clauses, or national standard certification required.
- Data breaches: Prompt notification to authorities and, where appropriate, affected individuals.
- Sanctions: Fines up to CNY 50 million or 5% of annual revenue; criminal liability possible.
Related Frameworks
Corrections & Errata
PIPL (China) is equivalent to GDPR — baseline cross-reference was missing.
Full details on the errata page →1 correction:
- PIPL: official_url returns HTTP 404 — wrong URL