Everything you need to know about China’s Personal Information Protection Law

What is the Personal Information Protection Law (PIPL)?

China’s Personal Information Protection Law (PIPL) is a federal data privacy law aimed at safeguarding the privacy and personal information of Chinese citizens. It was enacted on August 20, 2021, and became effective on November 1, 2021. This law works in tandem with the Data Security Law (DSL) that was passed in June 2021.

Both Chinese entities and foreign companies with operations in China must take measures to comply with this law.

There are several similarities between China’s PIPL law and other international data privacy laws such as the General Data Protection Regulation (GDPR). Businesses that comply with these laws have laid a significant groundwork towards meeting the legal requirements of the PIPL.

Who does the Personal Information Protection Law impact?

Like most data privacy laws enacted around the world, the PIPL focuses on protecting the privacy of Chinese residents and protecting their personal data. By extension, the law includes comprehensive responsibilities for entities that collect and process personal data.

Natural persons or individuals

The PIPL provides legal protection to “natural persons,” commonly referred to as “individuals” within the law. This concept aligns with the term “data subjects” found in various global data protection regulations, including the GDPR. Essentially, it refers to natural persons residing in China, whose data organizations may collect and use. Doing this often requires these individuals’ consent for such activities.

Personal information handlers

Under the PIPL, activities such as the collection, processing, sharing, and storage of personal information are collectively referred to as “handling.” Accordingly, those who perform these tasks are labeled as “personal information handlers”.

According to Article 73 of the PIPL, personal information handlers are defined as “organizations and individuals that, in personal information handling activities, autonomously decide handling purposes.” This implies that, while companies are typically the main handlers of data, the PIPL’s scope extends beyond just corporate entities to other entities that handle personal data. However, Article 72 of the PIPL clarifies that the PIPL excludes natural persons managing personal information for personal or family-related purposes.

The term “personal information handler” closely mirrors the concept of a “data controller” found in other global privacy regulations, such as the GDPR. It refers to entities that begin the data collection process, secure necessary consents, manage data processing activities, and engage third parties for data processing tasks. These entities typically have ultimate responsibility for data processing activities and responsibility for data protection and security measures.

Who has to comply with the Personal Information Protection Law?

Chapter I, Article 3 specifies that the PIPL governs the processing of personal data belonging to individuals in China. However, it also has extraterritorial scope and its reach extends beyond these borders to include organizations located elsewhere, and/or the processing of Chinese citizens’ data overseas if it’s for:

• offering products or services to people within China
• analyzing or evaluating the activities of natural persons within China 

or

• other situations outlined in laws or administrative rules

Unlike some data privacy laws like the California Consumer Privacy Act (CCPA), which sets specific thresholds for compliance, the PIPL has no such provisions. Handlers must adhere to the law regardless of their annual revenue or the volume of personal data processed annually.

What does the Personal Information Protection Law say about consent?

Similar to the GDPR, the PIPL outlines several legal bases for handling individuals’ personal information. Consent from the data subjects is one of these bases, but the law also provides six other bases under which personal information may be handled without the individual’s consent.

Under Section 1, Article 13, individuals’ personal information may be handled if the personal information handler meets at least one of the criteria listed below:

1. securing consent from the individuals whose personal data is handled
2. it’s necessary to conclude or fulfill a contract where the individual has an interest, or for conducting human resources management as per legally established labor rules and collective contracts
3. to fulfill statutory duties and responsibilities or comply with legal obligations
4. to address urgent public health emergencies or to safeguard the life, health, or property security of individuals under emergency situations
5. to carry out news reporting, public opinion monitoring, or similar activities in the public interest, within a reasonable scope
6. when managing personal information that has been made public by the individuals themselves or is already lawfully public, within a reasonable limit as defined by this law
7. under other conditions specified by laws and administrative regulations

In contrast to the GDPR, the PIPL lacks a “legitimate interest” clause, which permits entities to process personal information without first obtaining the data subjects’ consent, provided the information is legally obtained and there is a justifiable reason for its use.

For consent to be deemed valid under the PIPL, as outlined in Section 1, Article 14, it must be voluntarily and explicitly given with the data subjects’ full knowledge. In some situations, laws or administrative regulations may provide that the handler requires separate consent or written consent to handle personal information.

Article 15 further stipulates that a natural person must have the right to revoke or withdraw their consent at any time. It is a common requirement in data privacy laws that changing or revoking consent must be as easy to do as to give it, and even when not codified in law, failing to do so is frowned upon by data protection authorities.

If there are changes in the purpose(s) for collecting personal information, the handling method, or the categories of handled personal information, handlers must obtain new consent from individuals to align with these changes.

Important definitions under the Personal Information Protection Law

The PIPL defines certain key terms related to data privacy and protection, clarifying what types of personal information and handling activities are covered by the law.

Personal information

Article 4 defines personal information as any type of information that relates to individuals who are either identified or can be identified by it, whether stored electronically or through other means. It excludes anonymized data.

The law refrains from giving specific examples of what constitutes personal information, such as names, email addresses, or health records, offering a broad scope that adapts to evolving technologies without needing regular updates.

Sensitive personal information

The PIPL specifically addresses the handling of sensitive personal information or information related to minors. Article 28 states that certain types of information require heightened protection due to their potential to significantly harm an individual’s dignity or safety if misused. Examples that the law specifics include:

• biometric characteristics
• religious beliefs
• medical health records
• financial accounts
• specially-designated status
• location tracking
• any data pertaining to minors under 14 years of age

For such sensitive data, the law mandates obtaining separate explicit consent from the individuals concerned or, in the case of minors, from their parents or guardians. This consent is necessary alongside a clear and specific purpose for handling the data, accompanied by stringent protective measures and detailed disclosures to those whose sensitive information is being processed, as stipulated in Articles 28 and 30.

Personal information handling

Article 4 states that personal information handling includes “collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.” of personal information. This definition encompasses a wide range of actions that can be performed on personal data, from the moment it is collected until its eventual return or destruction.

Rights of individuals under the Personal Information Protection Law

Articles 44 to 50 of the law grant numerous rights to individuals, including:

• Right to know what personal information a handler has on them
• Right to object to processing of personal information
• Right to access and copy personal information
• Right to data portability
• Right to correct inaccurate information
• Right to supplement incomplete information
• Right to deletion
• Right to have personal information handlers explain personal information handling rules
• Private right of action (individuals can sue organizations if affected by violations of the law)

Individuals can take legal action if their rights are infringed upon, such as appealing when a legitimate request is denied, or if the handler violates their rights. Companies also can’t refuse to do business with individuals who do not consent to the handling of their personal information (prohibition against discrimination).

Additionally, Chinese authorities may intervene if a handler causes damages to a large group of people — although what constitutes this isn’t defined — and may initiate civil prosecution against the handler on the public’s behalf.

Obligations of companies under the Personal Information Protection Law

Personal information handlers have specific responsibilities for PIPL compliance to ensure the privacy and security of personal information. 

Transparency requirements for personal information handling

According to Article 17, handlers are required to provide individuals with accurate, truthful, complete, and clear information in an understandable manner before processing their personal information. This information must include:

• name and contact details of the personal information handler
• categories of personal information being handled
• methods by which the personal information will be handled
• purposes for handling
• how long the information will be kept for
• ways individuals can exercise their rights under this law
• any additional details mandated by laws or administrative regulations

Data retention period

Article 19 provides that personal information should be retained for “the shortest period necessary” to fulfill the processing objectives (stated purposes), although specific legal or administrative regulatory requirements might influence the actual retention time.

Disclosure of personal information

Article 25 strictly forbids personal information handlers from disclosing any personal information they handle without obtaining separate consent from the individual(s) concerned.

Under Article 41, handlers must receive prior approval from Chinese authorities for the transfer of any personal information stored in China to foreign judicial or law enforcement authorities at their request. The PIPL, however, leaves the details of this approval process unspecified.

Implementing security and oversight measures

Personal information handlers are required to put in place security measures to prevent data leaks or unauthorized access. They must also carry out personal information protection impact assessments (sometimes referred to as a data protection impact assessment, or DPIA) for specific processing tasks, such as when handling sensitive personal information. They must also conduct regular audits of their personal information handling and necessary PIPL compliance requirements as the legal landscape and technologies change.

In certain scenarios, the appointment of a data protection officer — known under the PIPL as a personal information protection officer — is mandatory. In a provision similar to the GDPR and some other data privacy laws, entities operating outside of China must nominate a representative within China to be responsible for personal information handling.

Specific requirements for certain platforms

Article 58 specifically targets entities that offer “important Internet platform services”, characterized by their extensive user base and complex business operations. These requirements are similar to those of the EU’s Digital Markets Act (DMA), though they preceded them by a couple of years. Obligations they must adhere to include:

• Establishing and maintaining personal information protection compliance systems and structures according to State regulations, and establishing an independent body composed mainly of outside members to supervise personal information protection circumstances.
• Abiding by the principles of openness, fairness, and justice; formulating platform rules; and clarifying the standards for intra-platform product or service providers’ handling of personal information and their personal information protection duties.
• Stopping the provision of services to product or service providers on the platform that seriously violate laws or administrative regulations in handling personal information.
• Regularly releasing reports on personal information protection, social responsibility, and accepting society’s supervision.

Major international digital platforms like Meta’s Facebook and Instagram and Alphabet’s YouTube are inaccessible within China, despite their significant global user bases.

Special conditions for PIPL compliance exceptions

In certain situations, such as emergencies aimed at safeguarding the life, health, or security of individuals and their property, personal information handlers may be relieved from the obligation to immediately inform individuals about their handling practices. However, once the situation is resolved, handlers must proceed with the mandatory notifications.

It’s important to recognize that anonymized data is treated differently under the law. Unlike identifiable personal information, anonymized data does not fall under the same regulatory scrutiny or obligations.

Data processing agreements for third-party processing

Article 21 requires that, when personal information handlers engage third parties, known as “entrusted persons,” with processing of personal information, they must enter into a contractual agreement with the third-party personal information processor. This agreement must detail:

• specific purpose of the entrusted handling
• duration of the agreement
• method of handling
• types of personal information involved
• measures for data protection
• rights and obligations of both parties

The personal information handler must supervise the personal information processing activities of the entrusted parties. These third parties are bound by law to follow the terms of the agreement, including the return or deletion of personal data once the contract ends, and are prohibited from passing the information to others without the original handler’s approval.

Cross-border transfer of personal information under the Personal Information Protection Law

Articles 38 to 43 of the PIPL address instances where the cross-border transfer of personal information may be permitted. Handlers must fulfill at least one of the criteria below:

• Pass a security assessment organized by the State cybersecurity and informatization department (as per Article 40).
• Undergo personal information protection certification conducted by a specialized body as per the provisions of the State cybersecurity and informatization department.
• Conclude a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides.
• Meet other conditions as stipulated by law, administrative regulations, or directives from the State cybersecurity and informatization department.

Where the People’s Republic of China has concluded or acceded to international agreements or treaties that contain relevant provisions for providing personal information outside of China’s borders, these provisions may be carried out.

When sending personal information outside China, handlers must inform individuals the following:

• name or contact information of the overseas recipient
• method of contact
• purpose and methods of personal information handling
• procedures individuals can follow to exercise their rights with the foreign recipient

Handling of a data breach under the Personal Information Protection Law

Article 57 specifies the measures that personal information handlers must take if a “leak, distortion, or loss occurs or might have occurred”. They must immediately alert both the responsible personal information protection personnel and the impacted individuals. The notification should cover:

• categories of personal information involved, cause of the breach, and the possible harm as a result of the breach
• remedial measures or actions they have taken, along with advice for individuals on how to minimize potential damage
• how to get in touch with the personal information handler

Penalties under the Personal Information Protection Law

In cases where personal information handlers violate the PIPL or fail to fulfill the obligations of personal information protection, the relevant departments must:

• order correction
• confiscate unlawful income
• order provisional suspension or termination programs unlawfully handling the information

If the handler refuses to correct the violation, they are to be fined up to RMB 1 million (approximately USD $140,000) on organizations, while the directly responsible person might face fines ranging from RMB 10,000 to 100,000 (approximately USD $1,400 to $14,000).

For serious acts of PIPL noncompliance, penalties can escalate to fines up to RMB 50 million (around USD $7 million) or as much as 5% of the annual revenue from the preceding year, though the law does not clarify whether this refers to revenues generated in China or worldwide. Handlers found in serious violation could see their operations suspended or their business licenses revoked, and their apps may be removed from app stores.

Individuals found directly accountable for serious violations face steeper fines of between RMB 100,000 and 1 million (approximately USD $14,000 to $140,000). They may also be barred from serving as directors, supervisors, senior managers, or personal information protection officers for a determined period.

Summary of the Personal Information Protection Law and its requirements

China has laid down a robust regulatory framework with the Data Security Law and the Personal Information Protection Law. Together, the laws regulate both local and foreign businesses on data management and protection practices while safeguarding the interests of Chinese citizens.

Though the PIPL and the GDPR are similar in many ways, it imposes stricter requirements in various areas and is expected to evolve in response to technological advancements, shifts in consumer expectations, and legal interpretations. Companies looking to tap into China’s vast market are strongly advised to seek legal advice from qualified legal counsel.