
Personal Information Protection Law (PIPL)

China’s PIPL applies to personal data processed within the People’s Republic of China.

Are you subject to the PIPL?

The PIPL also applies to businesses outside the borders of China and Macau whose processing activities involve cross-border transfers of personal information.

Key obligations under the PIPL

Maintain a data inventory

PIPL requires organizations to maintain records of processing activities, including the classification of data into general, important, and core categories.

Breach response responsibilities

The PIPL outlines remedial measures and notification procedures (an immediate requirement, versus 72 hours under the EU GDPR) in the case of leakage, falsification, or loss of personal information.

Consent and privacy notice requirements

Under the PIPL, individuals must provide informed consent for their personal information to be collected, used, or disclosed by organizations. This means that organizations must clearly explain their data collection practices and obtain explicit consent from individuals before processing their personal information.

Large-scale data processing and data localization requirements

The PIPL also imposes data localization requirements on entities considered to conduct a significant volume of personal information processing (critical information infrastructure operators, CIIOs), meaning that personal information collected in China must be stored on servers located within Chinese territory.

Cross-border data transfers (CBDT)*

If an entity is not classified as a CIIO and wants to transmit or share personal information outside China, it must fulfill at least one of the following conditions:

  • Complete a security review by the CAC
  • Complete the PIPL’s standard contractual clauses (SCCs)
  • Complete certification requirements through an independent provider selected by the CAC

*This area of the PIPL continues to evolve and is subject to change, including several PIPL “Draft Measures” under review by the Cybersecurity Administration of China (CAC).

Organizational management

Organizations classified as critical information infrastructure operators (CIIOs) must appoint a personal information protection officer (DPO) to oversee their obligations. For all others, it is highly recommended to have a privacy lead oversee the processing of personal information and implement plans for cross-border processing activities in accordance with the PIPL.

Conduct impact assessments and security audits

Processors must adhere to the regulations outlined in the PIPL and conduct a personal information protection impact assessment (PIPIA) prior to the transfer, including the transfer of sensitive personal information (SPI) for human resource purposes. This includes identifying the types of personal information being processed, assessing the risks to individuals’ rights and freedoms, and implementing measures to protect this data. Conducting impact assessments and regular security audits is recommended.

Flash Guidance

China’s Personal Information Protection Law (PIPL)

PIPL, a major privacy law in China, impacts global businesses and now protects 1.5 billion people — roughly 20% of the world’s population. Learn about the requirements of PIPL and how your organization can comply.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.