Understanding PIPL, China's National Privacy Law

At a glance

  • PIPL, or the Personal Information Protection Law, is China’s national data privacy law.

  • Though similar to the GDPR in its framework, PIPL does not allow data processing via legitimate interest and has a strong data localization requirement—making it a stricter regulation overall. 

  • Businesses that process the personal information of individuals in mainland China, regardless of size or location, need to ensure they're adhering to China’s privacy law, or else risk significant penalties. 


What is PIPL?

Passed on August 20, 2021, the Personal Information Protection Law (PIPL) is China’s national data privacy law. Going into effect on November 1, 2021, PIPL established strong requirements surrounding the use of personal information (PI) of individuals in China, whether that processing happens at home or abroad, and takes strong cues from the EU’s General Data Protection Regulation (GDPR).

Any company that handles the personal information of individuals in China, regardless of the organization’s size or nationality, can be subject to PIPL. Acting as a complement to the Data Security Law, also passed in 2021, PIPL was intended to strengthen protections for individuals’ personal information.

China’s first comprehensive national privacy law, PIPL has already had significant effects on businesses operating within China. Shortly after PIPL was passed, both Yahoo and LinkedIn pulled out of China, with a Yahoo representative citing an “increasingly challenging business and legal environment.”

This was part of a larger crackdown on both foreign and domestic enterprises. Even so, many were surprised when, only a few weeks after PIPL went into force, a handful of Chinese domestic providers stopped sharing shipping data with foreign companies, pointing to PIPL provisions that limit cross-border data transfer.

Some analysts have noted that PIPL’s immediate ripple effect, when compared to the slower burn of the GDPR, reflects China’s stricter approach to economic and social control, as well as the fact that many of PIPL’s mandates (especially those surrounding data localization) serve national security interests rather than consumer data privacy rights. 

Either way, PIPL will continue influencing how foreign and domestic companies do business in China, so it’s important these organizations understand who falls under PIPL’s purview, as well as the specific obligations outlined by the law.  

PIPL vs GDPR

As we mentioned above, PIPL takes many of its cues from the EU’s landmark privacy law, the GDPR. However, though they share a similar framework, PIPL is stricter as a whole—and businesses should make sure to consider that when building out their PIPL compliance program. 

PIPL's similarities with GDPR

Extra-territorial in scope

Both PIPL and GDPR, in certain circumstances, have an extra-territorial scope. In the context of PIPL, the law applies to an organization outside China that processes the personal information of individuals in China in order to provide them products or services, to analyze or assess their behavior, or in other circumstances provided by law, whether or not that entity is located within China.

Consumer rights

Like GDPR, PIPL established several new data rights for individuals under its purview. They have the right to request access to, deletion of, and correction of their personal information. They may also limit the processing of their PI in certain circumstances.

In-country representation

Under both GDPR and PIPL, an organization that has no establishment in the jurisdiction but is still caught by the law must designate a representative (or, under PIPL, a dedicated entity) located within the jurisdiction’s borders. This requirement may disproportionately affect smaller organizations that don’t have the budget to permanently place someone in China. 

How PIPL and GDPR differ

No legitimate interest

One of the biggest differences between PIPL and GDPR is that PIPL does not offer a legitimate interest basis. Under GDPR, “legitimate interests” is one of six lawful bases in Article 6: a business may process personal data without opt-in consent as long as the processing is necessary for its own or a third party’s legitimate interests and those interests are not overridden by the individual’s rights and freedoms. 

Under PIPL, consent is the primary mechanism that allows the collection and processing of personal data. Article 13 lists seven lawful bases in total, consent plus six narrower alternatives, which we outline below. The lack of a legitimate interest basis is one of the key reasons PIPL is considered a stricter data protection law when compared to the GDPR.

Data localization

The data localization requirement is another key factor for why PIPL may be difficult to implement. For companies that don’t already have a significant presence within China, being required to store the data of Chinese citizens within the country’s borders will be a significant hurdle. 

There is the cost of additional infrastructure within China, and there is also the technical complexity of making sure that all in-scope data is routed to and stored in the right place.  

Penalties 

Fines are another way in which PIPL and GDPR differ. Interestingly, GDPR has the higher fixed monetary figure: 20 million Euros ($22.6 million USD) under GDPR versus 50 million Yuan ($7.8 million USD) under PIPL.

However, both laws take an either/or approach, so these figures are floors for large companies rather than caps.

For the EU, the upper tier is 20 million Euros or 4% of worldwide annual turnover for the preceding financial year, whichever is higher. For China, it is 50 million Yuan or 5% of the previous year’s annual revenue, whichever is higher. This means that for large companies with high annual revenue, the penalties defined under PIPL are actually more significant. 

Breach notifications

Under PIPL, businesses must take remedial measures and notify both the regulator and affected individuals immediately after a breach (notice to individuals may be skipped only where the remedial measures effectively prevent harm, and the regulator can still require it). Under GDPR, businesses have 72 hours to notify the supervisory authority and must notify individuals without undue delay only when the breach is likely to result in a high risk to them.

Cross-border data transfer consent

PIPL takes an opt-in approach to cross-border data transfer consent: where consent is the legal basis, businesses must obtain the individual’s separate consent for the transfer before initiating it, and must also satisfy one of the transfer mechanisms in Article 38 (a regulator security assessment, certification, or a standard contract). The GDPR does not generally require consent for cross-border transfers; businesses may rely on an adequacy decision or on safeguards such as standard contractual clauses or binding corporate rules, with explicit consent available only as a narrow derogation.

Who’s subject to China’s privacy law?

According to PIPL Article 3, the law applies to: 

“the processing of the personal information of natural persons within the territory of the People’s Republic of China”. 

Similar to GDPR, the PIPL also takes an extra-territorial approach. Article 3 extends the law to processing outside China when its purpose is to provide products or services to individuals in China, to analyze or assess their behavior, or in other circumstances provided by law. In practice, this means that China’s privacy law can apply to any company that handles the personal information of individuals in China, regardless of:

  • The company’s size

  • Whether they’re processing the data within China’s borders or beyond them

With a fairly broad scope (especially compared to many US state privacy laws), PIPL also outlines new obligations for businesses and a range of data rights for individuals in China.

Business obligations under China's PIPL

Businesses beholden to China's privacy law must comply with several specific requirements. As always, we recommend reading the full text of the law and consulting your legal counsel when building your own PIPL compliance program.

Obtain consent and conduct an impact assessment

If transferring personal information (PI) out of China, companies must obtain separate consent from the individuals whose data is being transferred (where consent is the legal basis for the transfer). They must also conduct a personal information protection impact assessment before the transfer and keep a record of it.

Data localization

Any company handling personal information above a threshold set by the Cyberspace Administration of China (the exact quantities were still to be defined when the law took effect) must store that data within China. For operators of critical information infrastructure in transportation, telecommunications, and other critical industries, this requirement already existed under the Cybersecurity Law. Under PIPL, it was expanded to include all handlers that meet the state-set threshold.

Representation within China

Companies located outside China that fall under PIPL’s extra-territorial reach must establish a dedicated entity or appoint a representative within the country and report its details to the regulator, a requirement that may disproportionately affect startups and small to midsize businesses.  

Notice before collection

Companies handling personal information must notify individuals before data processing begins. This notice must be truthful, accurate, and easy-to-understand. It must also include information such as the data handler’s name, categories of PI being processed, purpose of processing, information on how an individual can exercise their data rights, retention periods, and a contact method. 

Data security measures

Similar to GDPR, companies under PIPL must implement adequate security measures to protect the personal data they’ve collected. They must also conduct regular audits to ensure their privacy and security measures are effective and up-to-date.

Data transfer permission

Companies asked to provide personal information stored in China to foreign judicial or law enforcement authorities must first receive approval from the competent Chinese authorities. 
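The three transfer-related obligations above (separate consent plus an impact assessment before a cross-border transfer, in-country storage once the localization threshold applies, and prior approval before anything goes to a foreign authority) are easiest to get right when they are enforced in code at the point where data leaves a system rather than in a policy document. The following is an added illustration of such a gate, not code from the original article or from Transcend; the region names, record shapes, the numeric localization threshold, and the idea that a passed regulator security assessment unlocks export for a localized handler are all assumptions chosen for the example.

```python
"""Transfer gate for personal information (PI) of individuals in mainland China.

Added example, not from the original article. Everything below is a model:
region names, the record layout and LOCALIZATION_THRESHOLD are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the real threshold is set by the regulator; the article notes it was
# not yet fixed when the law took effect, so it is a plain configuration value here.
LOCALIZATION_THRESHOLD = 100_000

# Assumption: storage regions treated as "inside China" for this example.
DOMESTIC_REGIONS = {"cn-north-1", "cn-northwest-1"}


@dataclass(frozen=True)
class HandlerProfile:
    """Facts about the organization doing the processing."""
    records_held: int          # number of PRC data subjects whose PI is held
    is_ciio: bool = False      # operator of critical information infrastructure

    @property
    def localization_applies(self) -> bool:
        # CIIOs were already localized; PIPL extends this to handlers above the threshold.
        return self.is_ciio or self.records_held >= LOCALIZATION_THRESHOLD


@dataclass(frozen=True)
class TransferRequest:
    """One proposed movement of a data subject's PI to a destination region."""
    subject_in_prc: bool               # data subject is an individual in mainland China
    destination_region: str
    separate_consent: bool = False     # standalone consent for this specific transfer
    impact_assessment_done: bool = False
    recipient_is_foreign_authority: bool = False
    authority_approval: bool = False   # approval from the competent Chinese authority
    regulator_assessment_passed: bool = False  # assumption: unlocks export for localized handlers


def is_domestic(region: str) -> bool:
    return region in DOMESTIC_REGIONS


def storage_region(handler: HandlerProfile, subject_in_prc: bool, preferred: str) -> str:
    """Pick where a new record is written: force a domestic region when localization applies."""
    if subject_in_prc and handler.localization_applies and not is_domestic(preferred):
        return "cn-north-1"
    return preferred


def evaluate(req: TransferRequest, handler: HandlerProfile) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every unmet obligation is reported, not just the first."""
    # Out of scope for this gate, or the data never leaves China.
    if not req.subject_in_prc or is_domestic(req.destination_region):
        return True, []

    reasons: list[str] = []
    if req.recipient_is_foreign_authority and not req.authority_approval:
        reasons.append("provision to a foreign authority needs prior approval from Chinese authorities")
    if not req.separate_consent:
        reasons.append("separate consent for the cross-border transfer is missing")
    if not req.impact_assessment_done:
        reasons.append("impact assessment has not been completed for this transfer")
    if handler.localization_applies and not req.regulator_assessment_passed:
        reasons.append("handler is subject to localization; PI must stay in China")
    return (not reasons), reasons


def run_samples() -> list[tuple[bool, list[str]]]:
    """Constructed sample inputs so the gate can be exercised offline."""
    small = HandlerProfile(records_held=5_000)
    large = HandlerProfile(records_held=2_000_000)
    samples = [
        (TransferRequest(True, "cn-north-1"), small),
        (TransferRequest(True, "eu-west-1", separate_consent=True, impact_assessment_done=True), small),
        (TransferRequest(True, "eu-west-1", impact_assessment_done=True), small),
        (TransferRequest(True, "us-east-1", separate_consent=True, impact_assessment_done=True), large),
        (TransferRequest(True, "us-east-1", separate_consent=True, impact_assessment_done=True,
                         recipient_is_foreign_authority=True), small),
    ]
    return [evaluate(req, handler) for req, handler in samples]


if __name__ == "__main__":
    for allowed, reasons in run_samples():
        print("ALLOW" if allowed else "DENY", reasons)
```

The gate reports every unmet obligation rather than stopping at the first, which is what an audit log and a remediation ticket both need. Wiring `storage_region` into the write path and `evaluate` into the export path means the localization and transfer rules are checked by the same code that moves the data, so a config change to the threshold takes effect everywhere at once.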

Data breach notifications

In the event of a data breach, companies are required to take remedial measures immediately and to notify the regulator and all affected individuals. Notice to individuals may be omitted only where the remedial measures effectively prevent harm, and the regulator can still order it.

Consumer rights provided by PIPL

Like all modern data privacy laws, PIPL established new consumer data rights for citizens under its purview.

Right to be informed

Companies must notify individuals that they are collecting and processing their personal information and obtain consent before processing begins.

Right to access

Individuals have the right to access the personal information a company holds, and may request corrections or deletions.

Right to portability

Individuals can request that their personal information be transferred to another handler they designate, subject to conditions set by the regulator.

Right to object

Individuals have the right to object to the processing of their personal information in certain circumstances.

Right to erasure

Individuals may request that a company erase their personal information.

Right to restrict processing

Individuals may restrict the processing of their personal information in certain circumstances.

Right to data protection

Companies must take appropriate action to protect the personal data they collect from unauthorized access, disclosure, alteration, or destruction.

Right to complain

Individuals can lodge a complaint with the relevant authorities if they believe their rights under PIPL have been violated.

Enforcement

Enforced by the Cyberspace Administration of China together with other government departments that hold personal information protection duties, PIPL has fairly serious consequences for those found to be non-compliant.

For smaller scale violations, the organization can be ordered to correct the violation, have its unlawful gains confiscated, and (if it refuses to correct) be fined up to 1 million Yuan, while any personnel held directly responsible face fines between 10,000 and 100,000 Yuan. The app or service that handles personal information unlawfully may also be ordered suspended or terminated. 

For more serious violations, or “grave circumstances,” violators can be fined up to 5% of the previous year’s annual revenue or 50 million Yuan ($7.8 million USD), whichever is higher. The business may be ordered to suspend operations for rectification, have its licenses or permits revoked, and the offending app or service may be shut down; directly responsible personnel face fines between 100,000 and 1 million Yuan and may be barred from serving as directors, supervisors, or senior managers for a period. 

Exemptions

Like all privacy laws, PIPL outlines a handful of exceptions to its consent requirement. Article 13 sets out seven lawful bases under which a business may process personal data, including if: 

  • They’ve obtained an individual’s consent

  • The data processing is necessary to fulfill the terms of a contract

  • The data processing is necessary to fulfill statutory requirements

  • The data processing addresses or mitigates a public health emergency or supports the protection of an individual's health or safety

  • The data processing is for news reporting, public-opinion supervision, or similar activities in the public interest, and is within a reasonable scope

  • The individual disclosed the information themselves or it was otherwise lawfully disclosed, and the processing stays within a reasonable scope 

  • There are “other circumstances provided by laws and administrative regulations”

As with all exceptions to privacy laws, it’s best practice to err on the side of compliance, rather than relying on an exemption—both in terms of honoring consumers' privacy rights and avoiding legal issues due to misunderstandings of a complex legal text.


About Transcend

China’s Personal Information Protection Law (PIPL) extends individual rights and consent requirements while establishing stringent requirements on territorial data processing. With Transcend, the platform that helps companies put privacy on autopilot, you can easily encode privacy directly into your data systems for seamless compliance.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.
