What is PIPL?
The Personal Information Protection Law (PIPL) is China’s comprehensive data protection law, effective from November 1st, 2021. It establishes a full privacy governance structure regulating how organizations collect, use, store, share, and transfer the personal information of individuals located in China.
PIPL is enforced by the Cyberspace Administration of China (CAC) and works alongside the Cybersecurity Law (CSL) and the Data Security Law (DSL). Collectively, these laws form China’s overarching data governance regime.
Since 2021, the CAC has issued additional official measures and guidance, including the Cross-Border Transfer Standard Contract Measures, the Security Assessment Measures, and the PIPL Compliance Audit Draft Measures (2024). These clarify operational requirements for cross-border transfers, contractual filings, due diligence, auditing, and high-risk processing.
Although PIPL is conceptually similar to GDPR, it contains strict consent rules, explicit duties for handling sensitive personal information, strong security requirements, mandatory impact assessments for high-risk processing, and detailed cross-border transfer conditions. Penalties can reach 50 million yuan or 5 percent of annual revenue, making it one of the most stringent privacy regimes globally.
What are the requirements for PIPL?
PIPL applies to any entity inside or outside the People’s Republic of China that processes the personal information of individuals in China.
Key requirements include:
- Identifying a lawful basis for each processing activity
- Providing clear and complete privacy notices
- Implementing mechanisms for individual requests such as access, correction, deletion, and restriction
- Applying strict measures when handling sensitive personal information
- Conducting PIPIA (Personal Information Protection Impact Assessments) for high-risk processing such as cross-border transfers, SPI handling, or automated decision-making
- Maintaining strong technical and organizational security controls
- Notifying authorities and individuals in the event of a data breach
- Meeting the conditions for cross-border transfers, including SCC execution and CAC filing, certification, or security assessments
- Appointing a PRC-based representative if the organization is located outside China
These requirements have been further clarified by the CAC’s more recent official measures and enforcement guidance.
Why should you be PIPL compliant?
Non-compliance can result in significant regulatory and financial consequences, including:
- Fines up to 50 million yuan or 5 percent of annual turnover
- Confiscation of profits
- Suspension of business operations in China
- Personal liability and administrative penalties for responsible individuals
- Blacklisting or restrictions on cross-border data flows
For overseas companies, enforcement depends on cooperation with foreign jurisdictions. However, Chinese companies are prohibited from transferring personal information to partners who fail to meet PIPL standards.
This means Chinese customers, vendors, and partners may be unable to work with you unless you demonstrate PIPL compliance.
How to achieve compliance?
PIPL compliance typically includes:
- Determining whether you must appoint a PRC-based representative for overseas handlers
- Identifying your lawful basis for each processing activity
- Providing clear, accessible privacy notices
- Implementing procedures for handling individual requests
- Obtaining consent and separate SPI consent where required
- Establishing internal PI management rules and security controls
- Maintaining data handling logs and retention limits
- Conducting PIPIAs for high-risk scenarios
- Meeting cross-border transfer requirements, including SCC execution and CAC filing or security assessments
- Preparing incident response and breach notification procedures
Compliance is ongoing and requires monitoring CAC guidance, updated filing obligations, and sector-specific requirements.
The Centraleyes platform includes an up-to-date PIPL questionnaire framework aligned with the latest CAC measures. It helps organizations assess compliance quickly, identify gaps, manage remediation, and generate real-time reports for leadership.
Read more:
Full English translation (Stanford):
Technical considerations for companies:
Yahoo pulls out of China: