Personal Information Protection Law of the People's Republic of China (个人信息保护法)

China's PIPL is one of the world's strictest data protection laws, combining GDPR-like individual rights with stringent cross-border transfer controls, data localization requirements, and significant penalties for non-compliance.

Issuing Body: Standing Committee of the National People's Congress / Cyberspace Administration of China (CAC)
First Published: 2021-08-20
Latest Version: 2021 (enforced November 1, 2021)
Typical Cost: $15,000–$200,000
Typical Timeline: 4–12 months
Audit Required: Yes
Audit Frequency: Annual compliance audits required for organizations processing personal information above certain thresholds. Security assessments required for cross-border data transfers.
Geography: China

PIPL: The Complete Guide

China's Personal Information Protection Law, effective November 1, 2021, is the country's first comprehensive data protection law and one of the most consequential privacy regulations globally. The PIPL combines GDPR-inspired individual rights and lawful processing requirements with China's distinct approach to data governance, including strict cross-border transfer controls and data localization mandates.

What the PIPL Covers

The PIPL establishes multiple lawful bases for processing personal information: consent, contractual necessity, legal duties, public health emergencies, public interest activities, and publicly available information. Consent must be informed, voluntary, and given separately for sensitive data, cross-border transfers, and certain other scenarios.

Sensitive personal information — including biometric data, religious beliefs, health information, financial accounts, location tracking, and data of minors under 14 — requires separate consent, a specific purpose, and a necessity justification. Personal information protection impact assessments must be conducted before processing sensitive data.

Individuals are granted rights to know, decide, restrict, refuse, access, copy, correct, delete, and obtain an explanation of processing rules. Notably, the PIPL includes a right to an explanation of automated decision-making, with the right to refuse decisions made solely by automated means.

Cross-Border Transfer Rules

The PIPL's cross-border transfer regime is among the world's most restrictive. Organizations must satisfy one of three mechanisms: pass a CAC-administered security assessment (mandatory for Critical Information Infrastructure Operators and organizations processing large volumes), obtain certification from an accredited institution, or enter into standard contractual clauses published by the CAC.

Critical Information Infrastructure Operators and organizations processing personal information above thresholds set by the CAC must store personal information within mainland China and pass a security assessment before any cross-border transfer.

Enforcement and Penalties

Penalties for violations reach up to 50 million RMB (approximately $7 million) or 5% of the previous year's annual revenue. Regulators may also suspend or terminate services, revoke business licenses, and impose personal liability on directly responsible individuals, including bans from serving as directors or senior managers.

Practical Compliance Steps

  1. Lawful basis mapping — Document the legal basis for all personal information processing
  2. Consent architecture — Implement separate consent flows for sensitive data and cross-border transfers
  3. Cross-border assessment — Determine the applicable transfer mechanism (security assessment, certification, or SCCs)
  4. Data localization — Evaluate whether data must be stored within mainland China
  5. Impact assessments — Conduct personal information protection impact assessments for required activities
  6. Local representative — Designate a domestic representative if processing from outside China
