
Short answer: PIPL (Personal Information Protection Law) is China’s equivalent to the GDPR and came into force in November 2021. It sets out rules for how personal data must be collected, processed, and transferred — both within and outside of China. To comply with PIPL, businesses must obtain consent, implement appropriate security measures, and ensure that cross-border data transfers meet specific legal requirements. The law also applies to companies outside China that process personal data about individuals located in China.

Differences between China’s PIPL and Europe’s GDPR

China’s data protection law, the Personal Information Protection Law (PIPL), came into effect on 1 November 2021—around three years after Europe’s GDPR. PIPL is already regarded as one of the most comprehensive data privacy laws globally and applies to all businesses handling personal data of Chinese citizens, regardless of their geographic location. If your company has operations or customers in China, it’s essential to understand these rules. Non-compliance can result in hefty fines, blacklisting, and severe restrictions imposed by Chinese authorities. This article provides an overview of what PIPL entails and how your business can ensure compliance with local data protection laws.

Who must comply with PIPL?

PIPL is not limited to China’s borders—it also impacts businesses located outside China. If your company offers products or services to individuals residing in China or monitors and analyses behaviour of Chinese citizens, compliance with PIPL is mandatory. This applies irrespective of where your business is situated. Therefore, any company with Chinese customers or website visitors should pay close attention to PIPL to avoid legal repercussions.

What happens if you violate PIPL?

If your business violates PIPL, the consequences can be severe. Penalties can amount to up to 5% of your company’s annual revenue from the previous year, or up to 50 million Chinese Yuan (approximately €6.7 million). These penalties particularly apply to serious violations, although exactly what constitutes a “serious” breach has not yet been clearly defined by the law.

Beyond financial penalties, the Cyberspace Administration of China (CAC)—the primary body responsible for enforcing data protection under PIPL—can suspend or completely shut down your business operations. They can also revoke your administrative and business licences or place your company on a public “blacklist,” restricting or entirely preventing your future collection and processing of personal data.

Which data does China’s PIPL protect?

PIPL protects all information that can identify an individual, whether processed digitally or otherwise. It covers not only regular personal data but also so-called sensitive data. Sensitive data is broadly defined as information that could cause serious harm if misused or shared without authorisation. Examples include biometric data, religious beliefs, health records, financial information, individual location data, and personal details of children under 14 years of age.

PIPL’s core principles for handling personal data

PIPL emphasises several key principles for data processing:

  • Lawfulness

  • Appropriateness

  • Necessity and good faith

  • Clear and legitimate purpose (including data minimisation)

  • Transparency and openness

  • Data quality and accountability (including accuracy and security)

According to PIPL, data must only be collected and processed for a clear and reasonable purpose—and only to the extent necessary. The law also requires businesses to implement strong technical and organisational security measures, establish clear policies and procedures for data protection, and conduct risk assessments before engaging in certain data processing activities.


PIPL and consent

When processing sensitive data, PIPL imposes especially strict requirements. You must always obtain explicit and separate consent from the individual. Consent is in fact the primary legal basis under PIPL. Unlike the GDPR, businesses cannot rely on “legitimate interests” to justify processing. This means you must ensure that consent is always clear, voluntary, and informed—particularly when dealing with or transferring sensitive personal data.

PIPL and data subject rights

Organisations are required to set up mechanisms to receive and respond to individuals’ requests to exercise their rights. While PIPL does not impose specific time limits or extension deadlines, if a request is denied, the organisation must provide a clear explanation. Individuals also have the right to take legal action in a People’s Court if they believe their request has been unfairly rejected.

PIPL and the right to know, decide and be informed

Individuals have ‘the right to know and the right to decide’ when it comes to their personal information, and they may request that personal information handlers explain their handling rules. PIPL includes an additional requirement for personal information handlers to notify individuals of the name (or personal name) and contact method of the receiving party when sharing their data with third parties.

PIPL and Right to access

Individuals have the right to access and copy their personal information held by data controllers. The following are the exceptions to this right:

  • Where state organs process personal information for the purpose of fulfilling statutory duties and responsibilities.
  • Where laws or administrative regulations provide that confidentiality of personal information shall be preserved.

A unique characteristic of the PIPL is that all data rights extend beyond an individual’s death and can be exercised by close relatives of the deceased unless otherwise arranged by the decedent during their lifetime.


PIPL and Right to deletion/blocking/restriction

Individuals have the right to deletion. PIPL requires a data controller to proactively delete personal information when one of the following circumstances occurs; if the personal information handler has not done so, individuals have the right to request deletion when:

  • The processing purpose has been achieved, is impossible to achieve, or the personal information is no longer necessary to achieve the processing purpose
  • Data controllers cease the provision of products or services, or the retention period has expired
  • The individual rescinds consent
  • The data controller processed the personal information in violation of laws, administrative regulations, or agreements
  • Other circumstances provided by laws or administrative regulations

Where the retention period provided by laws or administrative regulations has not expired, or personal information deletion is technically hard to realise, data controllers shall cease personal information processing except for storage and taking necessary security protective measures. The PIPL also provides individuals the right to limit, or refuse the processing of their personal information by others, unless laws or administrative regulations stipulate otherwise.

PIPL and Right to correct and amend

Individuals have the right to request that personal information handlers correct or complete their personal information. Where an individual makes such a request, data controllers are required to verify the personal information and correct or complete it in a timely manner.

PIPL and Right to data portability

Individuals have the right to request a data controller to transfer their personal information to another data controller. However, specific conditions for moving data will be determined by state cybersecurity and information departments.

PIPL and Right to withdraw consent

In PIPL, individuals have the right to withdraw consent. However, PIPL states that withdrawal of an individual’s consent does not affect the effectiveness of the personal information processing activities that have been carried out based on the individual’s consent before the withdrawal.

PIPL and the Right to object

PIPL does not explicitly grant individuals the right to object to automated decision-making. However, if a data controller uses automated methods to personalise information or conduct commercial marketing, they are required to provide individuals with a way to opt out or avoid profiling based on their personal characteristics.


PIPL’s requirement for a Data protection Impact Assessment (DPIA)

Organisations should conduct risk assessments and record them before conducting “specific personal information processing activities” that have a significant impact on individuals, such as processing sensitive PI, automatic decision-making, entrusting processors, providing PI to third parties and so on. Even when the high-risk standard is not met, it is still prudent to conduct a DPIA to minimise liability and ensure best practices for data security and privacy are being followed in your organisation.

PIPL’s requirement for documentation

PIPL does not provide an explicit requirement for keeping a record of data processing activities. However, PIPL does require organisations to audit their personal information processing activities and their adherence to laws and administrative regulations. It also requires you to retain personal information protection impact assessment reports and handling status records for at least three years.

PIPL’s requirement for local representative

Offshore organisations that process data belonging to Chinese citizens must establish a dedicated office or appoint a representative in China to be responsible for personal information protection in China.

PIPL’s requirements for cross-border data transfers

Under PIPL, transferring personal information outside the territory of China must meet three necessary conditions: (1) obtaining the personal information subject’s separate and informed consent; (2) conducting a personal information protection impact assessment and keeping a record of it; and (3) adopting one of the measures set forth in PIPL to ensure that adequate safeguards are provided for the transfer.

For PIPL compliance, you must also ensure data protection standards are met after transfer. The PIPL stipulates that without the approval of the Chinese regulatory authority, personal information stored in China shall not be provided to judicial or law enforcement agencies outside China. This provision is in line with the newly enacted Data Security Law of China.

PIPL’s requirement for a DPO

You may need to appoint a Personal Information Protection Officer in specific situations, depending on the volume of personal information you process. China’s state cybersecurity and informatisation department will provide clarity on the volume threshold. Data controllers are also required to disclose the methods of contacting Personal Information Protection Officers and report the names of the officers and contact methods to the departments in charge of personal information protection duties and responsibilities.

PIPL’s requirement for IT security

According to PIPL, the data controller must have an internal management structure and operating rules, a framework of processing limits, and technical security measures such as encryption and de-identification. Data controllers should also have a mechanism for the categorised management of personal information. Data controllers should conduct audits of their processing activities and of their compliance with other laws, conduct security education and training for their employees, and implement additional safeguards for sensitive personal information and its processing.

FAQ about PIPL

1. What is PIPL?
PIPL stands for the Personal Information Protection Law and is China’s national data protection legislation. It is similar in structure and purpose to the GDPR.

2. Does PIPL only apply to Chinese companies?
No. Foreign companies that process personal data about individuals in China – for example through apps, websites, or commercial activities – must also comply with the law.

3. What does PIPL require?
Businesses must obtain informed consent, clearly inform individuals of the purpose and retention period of data processing, and implement both technical and organisational security measures.

4. What about data transfers out of China?
PIPL imposes strict conditions on cross-border data transfers, including mandatory security assessments, official approvals, and contracts with the receiving party.

5. How does PIPL differ from the GDPR?
While similar to the GDPR, PIPL enforces stricter consent requirements and tighter regulations on data transfers, and introduces specific rules for “personal information handlers outside of China.”

In case of a data breach under PIPL

If your organisation experiences a personal data breach under PIPL, immediate action is required. You must notify the Cyberspace Administration of China and inform affected individuals. However, if you can swiftly contain the incident and ensure that no harm will come to those affected, the individual notifications may be waived. Still, transparency and rapid response are essential — both to stay compliant and to maintain trust.

Smarter PIPL compliance

At Safe Online, we create tools that help you comply with international data regulations such as PIPL.

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Learn more

Sebastian Allerelli
Founder & COO at Safe Online

Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.
