The Personal Information Protection Law (“PIPL”) of the People’s Republic of China (PRC) was enacted on 20 August 2021 and came into effect on 1 November 2021. As China’s first national-level legislation dedicated to personal information protection, the PIPL complements the Cybersecurity Law and the Data Security Law, forming a comprehensive regulatory framework for data compliance.
The article outlines the requirements set by the PIPL and highlights the key compliance considerations for multinational businesses operating in or engaging with the Chinese market.
Scope and application of the PIPL
The PIPL applies mandatorily to the processing of personal information of natural persons within the territory of the PRC. Notably, its extraterritorial reach extends to activities carried out outside China that process personal information of individuals located in China for the purpose of providing products or services, or for analysing or evaluating their behaviours.
Key provisions of the PIPL
- Broad definition of personal information: The PIPL defines personal information expansively, covering any data relating to an identified or identifiable natural person, whether recorded electronically or in other forms, but excluding anonymised information.
- Stringent processing requirements: Organisations are required to follow strict rules when handling personal information. This includes collecting, storing, using, transmitting, providing, publishing, processing and deleting personal data.
- Informed consent: Specific and informed consent from individuals is required under many circumstances, particularly for sensitive personal information.
- Severe penalties for non-compliance: Violations may result in confiscation of illegal gains, substantial fines, and disqualification of directors and supervisors for a certain period.
Obligations for organisations
Entities processing personal information must:
- Ensure a legitimate basis for processing and limit processing to proper purposes in a reasonable manner, minimising impact on individuals’ interests.
- Implement robust security measures, including data classification management, security training, encryption, de-identification, and emergency response plans.
- Uphold individuals’ rights to access, correct, and delete their personal information and to withdraw consent to its processing.
- Obtain explicit consent for processing sensitive personal information and for cross-border transfers, disclosures, or publication.
Cross-border data transfers
China has been developing a comprehensive regulatory system for managing the protection, processing, and cross-border transfer of various types of data, with a particular focus on national security. The fundamental legislation governing cross-border data transfer, in addition to the PIPL, includes:
- PRC Cybersecurity Law (effective 1 June 2017)
- PRC Data Security Law (effective 1 September 2021)
- Measures for the Standard Contract for the Cross-border Transfer of Personal Information (effective 1 June 2023)
- Provisions on Promoting and Regulating Cross-border Data Flow (effective 22 March 2024)
- Regulation on Network Data Security Management (effective 1 January 2025)
- Measures for the Certification of Cross-border Transfer of Personal Information (to be effective 1 January 2026)
The PIPL outlines several key requirements that information processors must follow when transferring personal data across borders. These include conducting a data protection impact assessment, undergoing a security review with cybersecurity authorities, and obtaining certification related to personal information protection.
The table below summarises the main requirements of the PIPL, its implementing guidelines from the mentioned regulations, and updates based on the latest regulatory practices from the PRC cybersecurity authorities like the Cyberspace Administration of China (CAC).
| Regulatory path for cross-border personal information transfer | If any of the following circumstances exists | Timeline for statutory review |
|---|---|---|
| Security review | Transfer by a critical information infrastructure operator (CIIO); transfer of important data; transfer of personal information of more than 1 million individuals; transfer of sensitive personal information of more than 10,000 individuals | Around 60 working days. Once passed, the assessment is valid for 3 years. |
| Signing Standard Contract with Overseas Recipient (more cost efficient) | Non-CIIO transferring non-sensitive personal information of fewer than 1 million individuals, or sensitive personal information of fewer than 10,000 individuals | 15 working days |
| Personal Information Protection Certification (less commonly applied) | Non-CIIO transferring non-sensitive personal information of fewer than 1 million individuals | As required by qualified certification institutions. |
In summary, large-scale transfers involving over one million individuals, sensitive data exceeding ten thousand individuals, or any important data* must undergo a security review. Smaller-scale transfers may instead use the standard contract or certification route, each with different statutory review timelines.
*Note: Important data refers to the data recorded in electronic form, which if tampered with, destroyed, divulged, illegally obtained, or illegally used could cause harm to national security or public interests.
Exemptions
It is worth noting that certain scenarios involving cross-border data transfer are exempt from the compliance requirements specified in the table above.
Exemptions apply, for instance, when personal information must be transmitted to an overseas recipient for the fulfilment or initiation of contracts related to cross-border transactions such as shopping, logistics, payment processing, travel bookings, visa applications, and similar activities.
Exemptions also cover situations in which the personal information of internal employees is required to be provided to an overseas recipient for human resource purposes pursuant to labour policies, regulations, or collective agreements established in accordance with applicable laws.
Additionally, an exemption exists where a data processor, other than a critical information infrastructure operator (CIIO), has cumulatively transferred the personal information (excluding sensitive personal information) of fewer than 100,000 individuals to an overseas recipient as of January 1 of the current year.
However, specific consent from individuals remains a mandatory requirement for all cross-border transfers.
Severe penalties for violations of the PIPL
The PIPL imposes severe punishments on entities that violate the law, including suspension of business, confiscation of illegal gains, and fines of up to RMB 50 million or 5% of the previous year’s revenues.
Individuals found directly liable for violations may face fines of up to RMB 1 million and may be prohibited from serving as directors, supervisors, data protection officers, or holding other senior management roles within companies.
Preparing for compliance
As regulatory guidance continues to evolve, organisations are strongly advised to proactively review and update their data processing activities, policies, and procedures to ensure full compliance with the PIPL and related PRC data protection laws.
Navigating the requirements of the PIPL and associated regulations can be challenging for businesses, particularly those with cross-border operations or extensive personal data management. Our team collaborates with legal experts to assess current data processing practices and identify gaps in compliance with the PIPL and other applicable legislation. Additionally, we provide regular updates on changes in laws and industry standards to support ongoing compliance and risk mitigation.
FAQ
What is China’s PIPL?
The Personal Information Protection Law (PIPL) is China’s first national-level data privacy law, effective from 1 November 2021. It governs the collection, use, storage, sharing, and transfer of personal information and sensitive personal information of individuals in the Mainland of China. Similar to the EU’s GDPR, the PIPL aims to protect individuals’ personal data and regulate how it is processed.
- Personal information refers to any data relating to an identified or identifiable natural person, whether recorded electronically or in other forms, excluding anonymised information.
- Sensitive personal information refers to details that, if leaked or misused, could harm an individual's dignity, safety, or property. This includes biometrics, religion, specific identity, health, financial data, location, and any information about minors under 14.
Who does the PIPL apply to?
- The PIPL applies to any organisation or individual that collects and processes personal data within the Mainland of China.
- The PIPL also extends to organisations or individuals outside of the Mainland of China if they:
  - Provide products or services to individuals in China
  - Analyse or assess the activities of individuals in China
  - Engage in other activities governed by Chinese laws or regulations
- Businesses that process data belonging to Chinese users must adhere completely to PIPL regulations.
How does the PIPL affect cross-border data transfers?
Under the PIPL, personal information collected in the Mainland of China must be stored there before it is transferred abroad. A personal information processor must then follow one of three primary mechanisms for data export compliance, depending on the volume thresholds:
- Conduct a security assessment. Mandatory for:
  - Critical Information Infrastructure Operators (CIIOs)
  - Transfers of important data
  - Transfers of personal information of more than 1 million individuals
- File standard contractual clauses. Applicable to:
  - Non-CIIOs transferring non-sensitive personal information of fewer than 1 million individuals
  - Sensitive personal information of fewer than 10,000 individuals
- Obtain Personal Information Protection Certification. Applicable to:
  - Non-CIIOs transferring non-sensitive personal information of fewer than 1 million individuals
Transfers may be exempt from the above mechanisms if:
- The transfer is necessary for contract performance (e.g. e-commerce, HR)
- The volume of personal information is under 100,000 individuals per year
- No sensitive personal information or important data is involved
What are the penalties for non-compliance?
Non-compliance with the PIPL can result in severe consequences.
For entities:
- Suspension of the business
- Confiscation of illegal gains
- Fines of up to RMB 50 million or 5% of the previous year’s revenues
For individuals directly liable for violations:
- Fines of up to RMB 1 million
- Prohibition from serving as directors, supervisors, data protection officers or holding other senior management roles within companies
Speak to our China experts today
Learn how Hawksford can support your business in ensuring PIPL compliance and strengthening your data governance framework.