The Personal Information Protection Law (PIPL) is a comprehensive data privacy law that went into effect in China in 2021. 

Effective date: November 1, 2021

Official text: China PIPL (in Chinese)

What is China’s PIPL?

PIPL is China’s comprehensive data protection legislation that governs the processing of personal information within the People’s Republic of China. Enacted in August 2021, the PIPL came into full effect on November 1, 2021, after a grace period for organizations to become compliant.

The PIPL provides guidelines on the lawful processing of personal data, including obtaining consent, collecting only necessary data, and implementing appropriate security measures based on data sensitivity. It establishes heightened protections for minors and sensitive personal information.

The Cyberspace Administration of China is the main regulatory authority under PIPL. The State Council also authorizes various departments, such as the Ministry of Public Security, the State Administration for Market Regulation, and the Ministry of Science and Technology, to enforce the law.

Who does the PIPL apply to?

This Law applies to personal information processors or organizations in mainland China that process the personal information of natural persons within the territory.

It also applies to organizations outside mainland China that process the personal information of individuals within mainland China when:

  • Providing products or services to individuals in mainland China
  • Analyzing or evaluating activities of individuals in mainland China
  • Other situations stated in laws and regulations

What is personal information in China PIPL?

PIPL defines personal information as information related to identified or identifiable individuals recorded electronically or by other means, except anonymized information.

Processing of personal information includes collecting, storing, using, handling, transferring, providing, publishing, and deleting personal information.

Like GDPR, PIPL also has a separate category known as ‘Sensitive personal information’. It refers to personal information that, once leaked or illegally used, can easily lead to the infringement of the personal dignity of natural persons or to harm to personal or property safety, including biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, as well as the personal information of minors under the age of 14.

Sensitive personal information requires special data protection measures.

What are the principles for processing personal information in PIPL?

Principles for processing personal information:

  • Process lawfully, legitimately, and in good faith. Do not use misleading, fraudulent, coercive, or other improper means. Only process when necessary.
  • Have a clear, reasonable purpose directly related to processing. Minimize collection to only what is necessary for the purpose.
  • Disclose processing rules openly and transparently. Clearly state the purpose, manner, and scope.
  • Ensure accuracy and completeness of personal information to avoid harm.
  • Do not illegally collect, use, process, or transmit personal information; do not illegally trade, provide, or disclose it; and do not process it in ways that endanger national security or the public interest.
  • Adopt necessary security measures when processing personal information.

What are the legal bases for processing personal information in PIPL?

Personal information may only be processed under these circumstances:

  1. With consent from the individual
  2. Necessary to execute or fulfill a contract with the individual
  3. Necessary to implement human resource policies, rules, regulations, and collective bargaining agreements
  4. Necessary to carry out statutory duties and obligations
  5. Necessary to respond to public health emergencies or protect the life, health, or safety of an individual
  6. Reasonable processing for news reporting or public oversight that serves the public interest
  7. Reasonable processing of information that was voluntarily disclosed by the individual or obtained through other lawful means
  8. Other situations specified in laws, regulations, and rules

Under the other provisions of this Law, processing personal information requires the individual's consent. Consent is not required, however, in circumstances 2 through 7 above.

What are the consent requirements in PIPL?

Under PIPL, consent holds paramount importance in the processing of personal information. Here’s a breakdown of key points regarding consent under the PIPL:

  • Voluntary and explicit: Consent must be given voluntarily and explicitly by an individual who has been fully informed about the processing of their personal information.
  • Separate or written: If laws or administrative regulations stipulate the necessity of separate or written consent for processing personal information, these provisions take precedence.
  • Re-consent: Should there be any changes in the purpose, method, or type of personal information processing, the individual’s consent must be obtained again.
  • Withdraw consent: Individuals have the right to withdraw their consent for the processing of their personal information. The organization must offer convenient means for individuals to do so. Withdrawing consent doesn’t invalidate previous processing activities based on the individual’s prior consent.
  • No discrimination: An organization cannot refuse to provide products or services if an individual declines to have their personal information processed or withdraws their consent unless such processing is deemed necessary for providing said products or services.

When handling the information of minors under 14, organizations must obtain consent from their parent or guardian and establish special processing rules.


What are the rules for handling personal information in PIPL?

Notification requirements

Before processing personal information, the organization must inform the individual in a clear, understandable, and conspicuous manner:

  • organization’s name and contact information
  • Purpose, method, type of information, and retention period
  • How the individual can exercise their rights
  • Other matters required by laws and regulations

The organization must notify the individual if any of the above details change.


The organization does not need to inform the individual of matters that should be kept confidential by law or where notification is unnecessary.

In an emergency where informing the individual would harm life, health, or safety, the organization can delay notification until after the emergency passes.

Retention

Personal information should only be kept for the minimum time needed to fulfill the processing purpose unless laws and regulations specify a different retention period.

Joint processing

When multiple organizations jointly determine the purpose and method of processing, they should agree on their rights and obligations. However, this does not affect an individual’s rights against any organization.

If joint processing infringes on personal information rights and causes damages, the organizations shall bear joint and several liability according to law.

Entrusting processing to others requires agreements on handling the information and supervision. Entrusted parties are limited in how they can process the data and must return or delete it when done. They cannot re-entrust it to others without consent.

Transferring personal information

Organizations transferring information must notify individuals and ensure continued protection. Recipients need new consent if changing original processing details.

Sharing with third parties

If an organization provides personal information to a third-party organization, it must inform the individual of the third party’s name, contact details, processing purpose, method, and type of information. It must obtain separate consent.

The receiving party can only process the information as agreed. If they change the original purpose or method, they must notify the individual and obtain new consent per this law.

Automated decision-making

When using personal information for automated decision-making:

  • Ensure transparency, fairness, and non-discrimination in results
  • For marketing/ads via automated decisions, provide options not based on personal characteristics or ways to opt-out
  • For significant impacts on rights/interests, individuals can ask for an explanation and object to the automated decision

Disclosure

Organizations cannot disclose the personal information they process unless they have the individual's consent or are required to do so by law.

Public security

Image-capturing and identification equipment may be installed in public spaces only where necessary to maintain public security, and in compliance with state regulations. Clear, noticeable signs must accompany these installations. Any personal images or identifiable information gathered may be used solely for the purpose of public security. Use for other purposes requires the individual’s explicit consent.

Process limitation

Organizations can process disclosed or lawfully obtained personal information within a reasonable scope, except where the individual has explicitly refused. If the processing significantly affects an individual’s rights and interests, organizations must obtain the individual’s consent as per legal provisions.

To process sensitive personal information, a specific purpose, necessity, and strict protective measures are essential.

  • Processing such data requires individual consent, adhering to specific legal requirements
  • Individuals must be informed of the impact and necessity of processing sensitive data, except where legally exempt
  • For minors’ data, consent from a parent or guardian is mandatory, and specific rules must be established
  • Legal requirements for administrative permissions or restrictions on sensitive information processing take precedence

What are the international data transfer requirements in PIPL?

When an organization in China needs to share personal information outside the country for business or other purposes, it must meet these conditions:

  • Pass a security assessment by the State Cyberspace Administration
  • Obtain certification for personal information protection from an authorized body
  • Establish a contract with overseas recipients using a standard template from the State Cyberspace Administration, outlining rights and duties
  • Comply with other conditions specified by laws, regulations, or the State Cyberspace Administration

If international treaties have conditions for sharing personal information abroad, organizations must follow those provisions. They should ensure overseas recipients adhere to the data protection standards stated in Chinese law.

Organizations need the individual's consent to transfer their data across borders. They must inform individuals of the foreign recipient’s details, how the recipient will use the data, and how individuals can exercise their rights over their information.

What are the data rights under China PIPL?

PIPL grants the following rights:

  • Right to know: Individuals have the right to know how their personal information is processed. 
  • Right to limit processing: Individuals can restrict or refuse the processing of their personal information by others, except as allowed by laws and administrative rules.
  • Right to access: Individuals can view or copy their data from an organization, except in specified cases. Organizations must promptly provide the requested information. (Read about GDPR/CPRA DSAR)
  • Right to port/transfer: If an individual wants to transfer their data to a chosen organization, the current organization must enable this if it meets cyberspace administration conditions.
  • Right to correct: Individuals can ask organizations to correct or complete their personal information if it’s inaccurate or incomplete. Organizations must promptly verify the request and make the necessary corrections or additions.
  • Right to delete: An organization must proactively delete personal information, or delete it upon the individual's request, in these cases:
    • When the data’s purpose is achieved or no longer necessary
    • When services end or the agreed storage period is over
    • If an individual withdraws consent
    • When the processing breaches laws or agreements
    • Other circumstances per legal regulations

If a legally required retention period has not yet expired, or deletion is technically difficult, the organization must stop all processing other than storage and the necessary security measures.

  • Right to be explained: Individuals have the right to ask organizations for an explanation of their personal information processing rules.
  • Right to opt out of automated decision-making: Individuals have the right to opt out of automated decision-making used for marketing/ads.

Organizations must create an easy system for individuals to apply for and execute their rights. If a request is denied, reasons must be provided. If an organization refuses an individual’s rights request, the individual can file a lawsuit in court as per the law.

What are the obligations of organizations in PIPL?

Organizations that handle the processing of personal information must follow certain rules mandated by the law.

Data protection measures

An organization handling personal information must:

  • Create rules and procedures for managing data internally
  • Organize the data based on its sensitivity
  • Use security techniques like encryption to protect the data
  • Decide who has permission to handle the information and regularly train employees about keeping it safe
  • Have plans in place for dealing with data security issues
  • Follow any additional measures required by the law to protect personal information

Designate responsible person

If an organization handles a large amount of personal information, it needs to appoint someone in charge of protecting that information. They must make this person’s contact information public and share it with the relevant department.

Chinese representative

If an organization is outside China but deals with Chinese people’s personal information, they must have a representative in China and share their contact information with the authorities responsible for information protection.

Regular audits

Organizations must regularly check whether they are following the laws and regulations regarding personal information.

Record keeping

An organization must assess and keep records when:

  • Handling sensitive personal information
  • Using information for automated decisions
  • Sharing or providing personal information to others
  • Sending personal information to parties outside the country
  • Engaging in other activities that significantly impact individuals’ rights and interests

The records must be retained for at least three years.

Personal information risk assessment 

A risk assessment of how personal information is handled covers:

  • Checking if the reason for using personal information is fair, necessary, and lawful
  • Assessing how the use of this information affects people’s rights and the security risks involved
  • Reviewing the adequacy and effectiveness of security measures in place for the level of risk involved

Also, a report of this assessment and records of how the information is managed must be kept for at least three years.

Data breach reporting

If personal information has been, or may be, leaked, altered, or lost, the organization or person handling that information must act quickly to remedy the problem. They must notify the authorities responsible for personal information protection and the individuals affected. The notice should include:

  • The cause of the incident and the harm it could cause
  • The remedial steps taken by the organization handling the information, and what individuals can do to lessen the harm
  • Contact details of the organization handling the information

If the organization's measures effectively prevent harm from the leak, alteration, or loss, it may choose not to notify the affected individuals. But if the department overseeing personal information protection believes harm could still occur, it can require the organization to inform the affected individuals.

Large-scale service providers

Platforms with many users and diverse businesses must:

  • Develop and refine protection systems for personal information in line with government rules. Establish an independent group to safeguard this information.
  • Create fair and clear rules for how personal information is handled on the platform, outlining the responsibilities of businesses using the platform to protect this information.
  • Cease providing services to businesses on the platform that seriously violate rules about handling personal information.
  • Regularly publish reports on how they protect personal information, open to public scrutiny.

Entrusted parties

Any party entrusted with processing personal information must also follow these rules and help the main organizations meet their obligations.

What are the fines and penalties for PIPL violations?

When personal information is mishandled, fines up to RMB 1 million can be imposed on the data processor, along with potential suspension of services. In severe cases, fines can reach up to RMB 50 million or 5% of the previous year’s turnover, with business suspension and permit revocation. Individuals in charge may face fines from RMB 10,000 to RMB 1 million and potential bans from specific roles within the organization.

If an organization mishandles personal data and hurts people’s rights, then prosecutors, consumer groups, or agencies appointed by the cyberspace department can sue them in court.

Checklist to comply with China PIPL

  • Obtain explicit, informed consent from users for data collection and processing
  • Separately obtain explicit consent for collecting sensitive personal information
  • Clearly inform users of data processing details including purpose, type of data, retention periods
  • Only collect personal information necessary for specified, lawful purposes
  • Establish heightened protections when processing minors’ or sensitive personal information
  • Enable user rights requests – access, correct, delete, port personal information and promptly respond to them
  • Report data breaches to authorities and affected users
  • Conduct security assessments and obtain separate consent before transferring data abroad
  • Ensure third-party processors have security measures in place

What is the difference between China PIPL and EU GDPR?

Infographic: EU GDPR vs. China PIPL

FAQ on China PIPL

What is PIPL China?

PIPL is the Personal Information Protection Law, China’s comprehensive data protection legislation that governs the processing of personal data within mainland China. It establishes guidelines for lawful data handling practices.

Does PIPL apply to China?

Yes, the PIPL applies to all organizations and individuals processing personal data within mainland China. It also applies to organizations outside China that handle data on Chinese citizens.

What does PIPL stand for?

PIPL stands for Personal Information Protection Law. It is the common name used for China’s comprehensive data protection legislation.