8.1 China's PIPL
Module 8: Privacy Laws in Asia-Pacific & Africa
Explains China's Personal Information Protection Law (PIPL, 2021): scope, lawful bases, consent, data localisation, data subject rights, processor obligations, CAC enforcement, and the political context of state surveillance.
China's PIPL: Protecting Individuals from Companies — But Not from the State
On 1 November 2021, China's Personal Information Protection Law (PIPL) came into force, making China one of the world's major jurisdictions with a comprehensive privacy statute. Understanding PIPL is essential for any organisation that handles personal information of individuals in China, regardless of where that organisation is located.
Scope and extraterritorial reach
PIPL applies to the processing of personal information of natural persons within the territory of China. Critically, it also has extraterritorial scope: organisations outside China that process personal information of individuals located in China in order to provide products or services to them, or to analyse or assess their behaviour, must comply (PIPL, Art. 3). This mirrors the approach taken by the GDPR and signals China's intention to regulate data about people in China wherever that data is processed. Note that the trigger is the individual's location in China, not Chinese citizenship.
Lawful bases for processing
PIPL enumerates the lawful bases for processing in Art. 13. Consent is the primary basis, but the others include: necessity for concluding or performing a contract (or for lawful human-resources management); necessity to perform statutory duties or obligations; necessity to respond to public health emergencies or to protect life, health, or property in an emergency; news reporting and public-interest supervision within a reasonable scope; processing of personal information the individual has already disclosed, or that has otherwise been lawfully disclosed, within a reasonable scope; and other circumstances provided for by law. There is no equivalent of GDPR's "legitimate interests" balancing test: where none of the statutory exceptions applies, consent is required, and PIPL's consent requirements are strict and granular.
Consent requirements
Consent under PIPL must be informed, voluntary, and explicit (Art. 14). If the purpose or method of processing, or the categories of personal information processed, change, fresh consent is required. Separate consent (a distinct, stand-alone act of consent rather than bundled acceptance) is required for specific operations, including providing personal information to another processor, publicly disclosing it, processing sensitive personal information, and transferring it outside China. Individuals must be given a convenient way to withdraw consent (Art. 15), and a processor may not refuse to provide a product or service because an individual declines or withdraws consent, unless the processing is genuinely necessary for that product or service (Art. 16). Sensitive personal information (Art. 28) includes biometrics, religious beliefs, specific identity status, medical health, financial accounts, location tracking, and any personal information of minors under 14; processing it requires separate consent, and written consent where other laws or regulations demand it (Art. 29).
Data localisation
PIPL imposes data localisation requirements on Critical Information Infrastructure Operators (CIIOs) and on processors whose processing volume reaches a threshold set by the Cyberspace Administration of China (CAC). These entities must store personal information collected or generated within China inside China, and may transfer it abroad only after passing a CAC security assessment, unless another law or regulation provides otherwise (Art. 40). Processors below that threshold must still satisfy one of the transfer mechanisms in Art. 38: a CAC security assessment, personal information protection certification by an approved institution, or a standard contract with the overseas recipient on CAC's template. In every case the individual must be notified of the transfer and give separate consent (Art. 39), and the processor must carry out an impact assessment beforehand (Art. 55).
Data subject rights
PIPL grants individuals rights to: know about and decide on the processing of their personal information, including restricting or refusing it (Art. 44); access and copy their personal information (Art. 45); have it transferred to a processor they designate, subject to conditions set by the CAC (portability, Art. 45); correct or complete inaccurate data (Art. 46); request deletion, for example once the purpose is achieved or consent is withdrawn (Art. 47); receive an explanation of the processing rules (Art. 48); and, for decisions made solely by automated means that significantly affect their rights, demand an explanation and refuse to be subject to the decision (Art. 24). These rights broadly mirror those in GDPR, though enforcement mechanisms differ substantially.
Processor obligations and enforcement
Personal information processors must implement security measures such as classification, encryption, and access control, and must train staff and maintain incident response plans (Art. 51); designate a person responsible for personal information protection once processing volume reaches the CAC threshold (Art. 52); and conduct a personal information protection impact assessment before high-risk processing such as handling sensitive personal information, automated decision-making, sharing or disclosing data, or cross-border transfer (Art. 55). Overseas processors within PIPL's extraterritorial scope must also establish a dedicated entity or appoint a representative in China (Art. 53). The Cyberspace Administration of China (CAC) is the primary regulator and coordinates enforcement with sector regulators. For serious violations it can impose fines of up to 50 million RMB or 5% of the previous year's turnover, order suspension of business, and fine the individuals directly responsible (Art. 66).
The political context
PIPL protects individuals against corporate misuse of data, but it coexists with an extensive state surveillance infrastructure. State organs are formally covered (Arts. 33-37), yet processing that is "necessary to perform statutory duties or obligations" is a lawful basis requiring no consent (Art. 13), and national security and state secrecy rules operate above the statute. In practice, PIPL is a consumer and corporate compliance framework, not a constraint on state surveillance.
Your takeaway
PIPL is a serious, technically sophisticated privacy law with real teeth for corporate violators. Any business operating in or targeting China must treat PIPL compliance as a genuine legal obligation — while recognising that its protections operate in a specific and constrained political context.