China Privacy Law (PIPL): Data Protection, Cross-Border Transfer, Compliance

China's Personal Information Protection Law (PIPL), enacted in November 2021 and fully enforced since 2023, is China's comprehensive data protection framework comparable to the EU's GDPR. PIPL regulates how organizations collect, process, store, and transfer personal information, with special protections for sensitive data including biometrics, financial records, and geolocation. Cross-border data transfer rules require security assessments for companies handling data of over 1 million individuals or transferring significant volumes abroad. Non-compliance penalties reach up to 50 million RMB or 5% of annual revenue.

TL;DR

PIPL fully enforced since 2023 with penalties up to 50M RMB. Cross-border transfer security assessments required for 1M+ user data. 80% of top apps completed compliance. Special protections for sensitive data. CAC approved 200+ cross-border certificates.

Key Insights

Comprehensive Framework

Penalties up to 50M RMB

PIPL establishes a comprehensive data protection framework with penalties reaching up to 50 million RMB or 5% of annual revenue for violations. The Cyberspace Administration of China (CAC) enforces PIPL through investigations, compliance audits, and public naming of violators. Over 100 companies received compliance orders in 2025, including major tech platforms.

Cross-Border Data Transfer

CAC approved 200+ certificates

PIPL requires security assessments for companies transferring personal data of over 1 million individuals abroad or whose data exports exceed certain thresholds. The CAC approved over 200 cross-border data transfer certificates by 2025. Standard contractual clauses (SCCs) and personal information protection impact assessments are required for most transfers.

Sensitive Data Protections

Enhanced rules for biometrics, finance

PIPL provides enhanced protections for sensitive personal information including biometrics, religious beliefs, medical records, financial data, and geolocation. Processing sensitive data requires explicit consent and demonstrated necessity. Facial recognition collection for commercial purposes faces additional restrictions under separate CAC regulations.

App Compliance

80% of top apps compliant

Approximately 80% of China's top 500 apps achieved PIPL compliance through privacy policy updates, consent mechanism improvements, and data minimization practices. The CAC conducts regular app privacy assessments and removed 500+ non-compliant apps from stores. User complaints about data privacy decreased 40% since enforcement began.

Side-by-Side Comparison

Aspect | China PIPL | EU GDPR | US (State Laws) | India DPDP
Effective Date | Nov 2021, full 2023 | May 2018 | Varies by state | Aug 2023
Max Penalty | 50M RMB or 5% revenue | 20M EUR or 4% revenue | Varies ($7,500-$20M) | 250 Cr INR
Data Subject Rights | Access, correction, deletion | Access, rectification, erasure | Varies by state | Access, correction, erasure
Cross-Border Transfer | Security assessment required | Adequacy or SCCs | Generally unrestricted | Blacklist approach
Consent Model | Explicit for sensitive | Explicit for sensitive | Opt-out common | Explicit required
DPO Requirement | Over certain thresholds | Over certain thresholds | Varies | Significant data fiduciaries
Breach Notification | Immediate to CAC | 72 hours to DPA | Varies (30-60 days) | 72 hours to board
Enforcement Agency | CAC | National DPAs | State AGs, FTC | DPBI

Frequently Asked Questions

How does China's PIPL compare to the EU's GDPR?

China's PIPL and the EU's GDPR share many similarities as comprehensive data protection frameworks, but differ significantly in enforcement approach and specific requirements.

Similarities: both laws establish individual rights to access, correct, and delete personal data; both require explicit consent for processing sensitive personal information; both mandate data protection impact assessments for high-risk processing; both impose significant penalties for non-compliance (5% of revenue under PIPL versus 4% under GDPR); and both restrict cross-border data transfers to jurisdictions with adequate protections.

Key differences:

Enforcement philosophy: GDPR is enforced by independent data protection authorities in each EU member state, while PIPL is enforced by the Cyberspace Administration of China (CAC), a government agency with broader regulatory authority over internet content and national security.

Cross-border transfer mechanism: GDPR uses an adequacy decision framework that allows transfers to approved countries, while PIPL requires security assessments conducted by Chinese authorities for specific data categories and volumes, making it more restrictive in practice.

Consent burden: PIPL places a heavier burden on data processors to demonstrate that consent is freely given, particularly for minors' data, which requires separate parental consent.

Government access: PIPL contains broader exceptions for government access to personal data for national security and public safety purposes, while GDPR provides more limited law enforcement exceptions.

Enforcement outcomes: GDPR has resulted in over 4 billion EUR in cumulative fines since 2018, while PIPL enforcement has focused more on compliance orders and app removals than on monetary penalties, though this is shifting as CAC enforcement capacity grows.
For multinational companies operating in China, PIPL compliance often requires separate data localization and governance structures that go beyond GDPR compliance, particularly for cross-border data transfers and government access requests.