China Privacy Law: PIPL Framework, Data Protection, and Compliance Guide
China has built one of the world's most comprehensive data protection frameworks through three interconnected laws: the Personal Information Protection Law (PIPL, effective November 2021), the Data Security Law (DSL, effective September 2021), and the Cybersecurity Law (CSL, effective June 2017). Together with implementing regulations from the Cyberspace Administration of China (CAC) and sector-specific rules, these laws create a strict regulatory environment that affects every business operating in China or handling Chinese citizens' data.
TL;DR
China's PIPL imposes fines up to 50M RMB or 5% of annual revenue for violations. 1,500+ enforcement actions resulted in 3B RMB in fines since 2021. Cross-border data transfers require security assessments. Data localization mandates affect cloud and financial sectors.
Key Insights
PIPL Penalties
PIPL allows fines up to 50 million RMB or 5% of the previous year's annual revenue for serious violations. Companies can also face suspension of business, revocation of licenses, and personal liability for responsible executives. These penalties rival GDPR's 4% global revenue cap.
Enforcement Actions
Chinese regulators have conducted over 1,500 enforcement actions since PIPL took effect, resulting in approximately 3 billion RMB in total fines. High-profile cases included Didi Global (8B RMB fine), Alibaba (2.8B RMB), and Meituan (3.4B RMB) for data security and antitrust violations.
Cross-Border Data Rules
PIPL requires personal information handlers to pass a CAC security assessment before transferring data overseas. Thresholds include transferring data of over 1 million individuals or cumulative transfer of over 100,000 individuals' sensitive data. Standard contractual clauses and certifications are alternative mechanisms.
Data Localization
China mandates that critical data and important data defined under DSL must be stored within China. Financial institutions, healthcare providers, and cloud service providers face strict localization requirements. International companies must establish China-specific data centers for Chinese user data.
Side-by-Side Comparison
| Law | Effective Date | Scope | Key Requirements | Maximum Penalty |
|---|---|---|---|---|
| CSL (Cybersecurity Law) | Jun 2017 | Network operators | Data classification, incident reporting | 1M RMB + business suspension |
| DSL (Data Security Law) | Sep 2021 | All data handlers | Data classification, cross-border rules | 10M RMB + business suspension |
| PIPL | Nov 2021 | Personal info handlers | Consent, purpose limitation, rights | 50M RMB or 5% revenue |
| CAC Assessment Measures | Jun 2022 | Cross-border transfers | Security assessment for overseas data | Same as PIPL |
| Algorithm Recommendation Rules | Mar 2022 | Algorithm providers | Transparency, fairness, user choice | 100K RMB per violation |
| Deep Synthesis Rules | Jan 2023 | AI-generated content | Labeling, consent, platform liability | 100K RMB per violation |
| Generative AI Measures | Aug 2023 | AI service providers | Content safety, training data rules | 100K RMB per violation |
Frequently Asked Questions
How does China's PIPL compare to the EU's GDPR?

China's PIPL and the EU's GDPR share many similarities but have important differences.

Both laws require a legal basis for processing personal data, grant individuals rights to access, correct, delete, and port their data, mandate data breach notification, and impose significant penalties for non-compliance.

Key differences:

- PIPL requires explicit consent for processing sensitive personal information, while GDPR allows broader legal bases beyond consent.
- PIPL's cross-border data transfer rules are stricter, requiring CAC security assessments for larger datasets, while GDPR relies on adequacy decisions and SCCs.
- PIPL mandates personal information protection impact assessments for a broader range of processing activities.
- PIPL gives Chinese citizens the right to withdraw consent and have their data deleted (the right to be forgotten), but implementation is less tested than under GDPR.
- Enforcement differs significantly: GDPR's extraterritorial reach is broader, while PIPL is more focused on entities within China.
- PIPL's penalties (5% of annual revenue) are comparable to GDPR's (4% of global turnover), but China has shown more willingness to impose maximum penalties on large tech companies, as demonstrated by the Didi Global case.

Overall, PIPL is generally considered stricter than GDPR in cross-border data transfer and government access requirements, while GDPR provides stronger individual rights and enforcement consistency.