Overview On China's New Data Protection Law, The PIPL

Privacy Compliance
December 14, 2021
On November 1st, 2021, China's new data privacy law, The Personal Information Privacy Law (PIPL) went into effect. Here are all the details you need to know about the newest data privacy law out there.

Overview On China's New Data Protection Law (PIPL)

Like any other country worldwide, China also has a system of rules that helps regulate the actions and safety of its citizens.

On August 20, 2021, China's 13th Standing Committee of the National People's Congress passed the Personal Information Protection Law (PIPL). This is following the trend of many countries passing legislation to set the standards for the handling and protection of their citizen’s personal data. 

But What is This Law?

It's China's first law that caters to all the personal information of the citizens. It is in many ways modeled after other countries’ broad data protection regulations. Among these inspirations is the EU General Data Protection Regulation (GDPR).

Following the initial passing of the PIPL on August 20, 2021, it has just recently become effective as of November 1, 2021. The law will change how companies with data or business-related functions within the country will operate. For these companies to face the added layer of complexity, they'll have to understand and closely follow China's new security and data laws and regulations.

Who Does the Law Apply To?

The law will govern individuals and entities within China who process personal information. It will also apply to other entities outside China that tend to process the personal data of Chinese citizens. This will include companies offering services or goods to those in China.

An outside entity that tries to evaluate or analyze the behavior of specific people in China will also have to face this law. This will help ensure that Chinese residents can have confidence in those who handle their confidential data.

How Does the Law Define Personal Information? 

Personal Information is any information that relates to naturally identified or identifiable persons. Such information can be electronically recorded or obtained by any other means. Even so, the collected data does not include that obtained without a prescription.

The processing of this information will entail: 

  • The collection of data
  • Public disclosure
  • Deletion of Individual Information
  • Use
  • Storage
  • Provision
  • Refining 
  • Transmission

What are the Rights Under the PIPL?

Generally, the Personal Informational Privacy Law has some relationship with the GDPR (General Data Protection Regulation). Among these is the individuals' data rights.

Despite this, the law has no language that addresses such rights. It doesn't state where certain exemptions or restrictions may apply.

Besides, it doesn't provide a specific timeline for response. Instead, it relies on processing entities that will later respond to the necessary details.

Below Are Some of The Rights That Will Apply in This Law:

  • Right to access
  • Right to withdraw consent
  • Right to erasure
  • Right to information
  • Right to correction or rectification
  • Right to complain with the regulator
  • Right not to be subjected to automotive decision making
  • Right to object and restrict the processing of personal data
  • Right to data portability (has to meet all the conditions as per the Cyberspace Administration of China)

Suppose a natural person within China has their request of exercising their rights rejected,

With this provision, everyone in China will have access to their personal information rights. Suppose their request is not accepted. They'll have to take legal action against those who prevent them. They'll do this by reporting the matter to the Chinese courts. Afterward, the affected individuals will receive compensation. This will depend on how their rights were affected.

What Are the Key Features of The Law?

Establishes Guiding Principles for The Protection of Personal Data

The law emphasizes that any entity that processes personal information should have a clear and reasonable purpose for doing so. Meaning that no organization will process personal information without having a valid purpose.

Even though organizations will still be able to collect individuals' data, this regulation that will prevent them from doing it recklessly or without just cause. 

After collecting the information, there will be guidelines to ensure that it's well protected from misuse.

To achieve this, there are some minimum requirements for the Personal Information Processing Entities (PIPEs). Among these are the expectations that the PIPEs will: :

  • Establish procedures and policies of protecting all individuals' information
  • Implement technological solutions for enhanced data security
  • Ensure there is a risk assessment before engaging in the processing activities
  • Take a risk-based approach for imposing the minimum requirements in the specified high-risk situations

The law insists that all PIPEs must appoint an officer responsible for personal data protection. This will apply to those that exceed the expected minimum requirements.

The officer will ensure maximum supervision of the processing of personal data.

Suppose there are PIPEs whose internet platforms have a lot of users. They must include an external independent organization.

The entity will ensure that all organizations with all the measures of personal data protection.

PIPEs will also have to ensure the regular publishing of social responsibility reports. Such reports will focus on the efforts they input to protect the collected data.

Besides, there must be additional protection for sensitive individuals' data because some forms of personal data might negatively affect the person if released to the public. This category of information includes: 

  • Special status
  • Religious information 
  • Biometric data
  • Medical information
  • Location data 
  • Financial information 

Suppose PIPEs insist on using individuals' data. They'll only do it under strict protective measures.

Creates Legal Rights for Data Subjects

​​No one within or outside China will be allowed to process individuals' data without a clear statement from the authorities. Besides, entities will at some point get a limitation on how they get their information.

This will be important in the following situations:

  • Handling information for initiating new reporting
  • Supervising public opinions
  • Monitoring activities relating to the public interest

This entity is also responsible for facilitating a proper way by which individuals can withdraw their consent.

Besides, the peoples' information will be safe since the organizations will no longer keep it after getting what they want.

Data collectors will also abide by the law by being transparent when collecting data using computer algorithms.

Besides, they shouldn't use automated decision-making on individuals' data. It might interfere with the newly collected data since computers are programmed machines that only take command.

The Personal Information Privacy Law has up to 74 articles included in at least eight chapters. Among these are the:

  • Legal liabilities
  • General provisions
  • Rules for cross-border provision of personal data
  • Miscellaneous provisions
  • Individuals' rights in personal data processing activities
  • Personal data processing rules
  • Obligations of individuals' information rules
  • Departments performing individuals' information protection function

Extraterritorial Effects

Another advantage of PIPL is that it has “extraterritorial effects” which allow the Chinese government to use their legal authority beyond the normal boundaries of their own country and residents. They are able to have this authority in this context to protect their resident’s personal data as it is being processed in any location. 

While a majority of the data processing of Chinese residents likely occurs within their border, this process can also occur outside China, but it should be for the following reasons only:

  • Providing products or services to those within China
  • Analyzing the behavior of individuals within China
  • Other circumstances condoned within the law and regulation

With such extraterritorial effects, foreign companies that process individuals' data for residents of China will have to adhere to the new law just like the local organizations do. 

The companies operating outside of China should have a dedicated entity to carry out this business in China. Besides, they should have an agent based in China who will be responsible for all their business of collecting individuals' data within the country.

It is expected that these local agents will identify themselves with the relevant authorities, sharing their names and appropriate contact information with those authorities before beginning that work.  

Penalties For Violation

If you are found in violation of the Personal Information Privacy Law; you'll face an administrative fine of at least RMB 50 million. The following charges can also apply:

  • 5% of processor's turnover in the next year
  • Requisition of unauthorized gains
  • Revocation of business licenses or permits

Other individuals linked to the activity within the PRC will be considered guilty. As a result, they'll be fined up to RMB 1 million. It will also apply to those affected by the extraterritorial effects.

As a result, the respective individuals will not serve as:

  • Supervisors
  • Directors
  • Personal data protection officer
  • Senior managers

Suppose any processor is going against the rights and interests of personal data; the law will impose tortious liability on them. It does this to facilitate the damaged claims for the defendant's information to impose the burden of proof in a civil action.

The processor may face criminal charges or civil claims. This happens when the infringement affects many individuals. Such might be brought to the light by authorized entities from the CAC, prosecutor, or the consumer groups.


As stated earlier, the Personal Information Privacy Law is now officially in effect. This means many data processing companies within China should be evaluating their eligibility if they have not already.

Such companies have to quickly ensure that they develop or update their data privacy policy to meet the requirements of the PIPL.

The new law adopts the international principles of individuals' information privacy protection. It also reflects other international data privacy regulations, including the GDPR and California Consumer Privacy Act (CCRA).

This law will also create a new dawn in handling personal data within China. In accomplishing this, the law will enhance new measures to adopt with the developing technology such as AI, facial recognition, and data analysis.

With such remarks, the participating companies need to re-examine their qualifications of the new requirements.

Compliance Managment Full Hexagon logo

Expert compliance support, on-demand

Accountable Compliance Success Managers are dedicated to making sure your company is fully compliant as we guide you step-by-step through the process of achieving HIPAA compliance.
Expert guidance
Build trust
Dedicated Compliance Success Managers
HIPAA Training
Decrease risk
Close more deals