China’s Personal Information Protection Law

Organizations greatly use the personal data of the users for their businesses, those organizations are legally obliged to protect those data according to the concerned data protection laws. The increased concern over data privacy has led many countries to pass laws on protecting the data of individuals. Following General Data Protection Regulation (GDPR) many countries have passed their data protection laws. One such law concerning data protection was passed by China.  


China’s Personal Information Protection Law (PIPL) is China’s first comprehensive data protection law that came into effect on 1 November 2021. This protects the personal data of the data subjects of the individuals in China and also the organizations must comply with China PIPL law if the data of the individuals in China are used. PIPL China provides certain rights to the data subjects’ control over their personal data. 

The PIPL China generally governs the processing of personal information of the individuals of China and also together with the other laws on Cybersecurity and data protection which are the Cybersecurity law and the Data Security Law.  

There are specific industry sectors that are governed, in which there are specific requirements under laws and regulations. The specific industry sectors include telecommunications, finance, network services, transportation, e-commerce, and healthcare. 

China's Personal Information Protection Law


China’s Personal Information Protection Law greatly resembles the European Union’s, General Data Protection Regulation (GDPR) which is a comprehensive framework for data privacy and protection.  

Definition – The terms “personal information” and “Processing of Personal Information” are defined similarly in GDPR and PIPL. However, there is the usage of different terms when considering GDPR and PIPL, like “entrusted party” in PIPL which refers to the “data processor” in the case of GDPR. 

Scope of Applicability – The GDPR and PIPL extend their territorial scope, that is the extraterritorial applicability where the processing activity of personal information is carried out in china as well as conducted outside China. 

Cross-border transfer of personal information – Both GDPR and China’s law align with the cross-border transfer of personal information. It also includes some of the additional requirements. 

Personal Information Rights – The GDPR provides certain rights to the data subjects in dealing with their personal data, similar to this PIPL also provides information rights. The following are the rights provided:  

  • Right to be informed – In PIPL, before the processing of personal information, the person who is handling the personal information must provide a notice to the individuals, informing them on how the processing of their personal information will take place. A special notice will be provided in the case of processing the personal information of children under 14 years of age.   
  • Right to access – In the case of handling personal information, the individuals are entitled to request the person who is handling the data to access their information in a lawful manner. 
  • Right to rectification – The individual is entitled to request the person who handles the data for rectification in the case of any error in the personal data that has been provided. 
  • Right to erasure – The individuals are provided with the right to the erasure of their personal information, they can request the person who handles their data to delete their personal information when no longer necessary by the organization or the circumstances that are mentioned in the law. 
  • Right to object – Individuals have the right to object to the processing of their personal information. 
  • Right to data portability – The individuals can request the personal information handler to transfer their personal information to the designated person who is handling the personal information, in the case of Personal Information Protection Law, in case of data portability there needs to satisfy the conditions stipulated by the cyberspace administration of China. 
  • Right not to be subjected to automated decision-making – The individuals are provided with the right to object the automated decision-making when the personal information handler adopts the method of automated decision-making. 
  • Right in the case of deceased individuals – The personal information of the deceased individual’s kin may exercise the rights to delete, copy, correct, etc., except when other arrangements are done by the deceased individual before his death.  

The legal basis of processing personal information – However GDPR works on the concept of “legitimate interest” with respect to the processing of personal information but this is not applicable in the case of China’s PIPL. 

Consent – The definition of consent in GDPR and PIPL is similar, where the essential ingredients are greatly satisfied. 

Principles – The GDPR principles are adopted by China’s Personal Information Protection Law, which include lawfulness in processing the information, data minimization, storage limitation on the collected personal information, openness, and transparency in processing the data, accuracy, and ensuring security.   

Data Protection Impact Assessment (DPIA) – In GDPR, conducting a data protection impact assessment is mentioned in the provisions as well the same is mentioned in PIPL China.  

Appointment of Data Protection Officer (DPO) – The GDPR mandates the appointment of a Data Protection Officer to protect the collected data of the individuals and to comply with the existing privacy laws, in China’s personal information protection law also there is a provision for the appointment of Data Protection Officer.  

Effect of non-compliance – When the Organization that collects personal information must generally comply with the privacy laws. If the organization fails to comply in the case of both GDPR and PIPL there are penalties the organization must pay. 


Compliance with this law includes the implementation of the principles in processing the personal data of individuals. 

Mapping data flow by covering the personal information that is processed, based on what, why, and where the personal information is transferred must be mapped. The mapping must include, the categories of the information used, the business activities that are related to the personal information, the lawful basis for handling the personal information, the entire list of the contractors who are involved in the data handling, the physical location of the data storage, the transfer of personal information in the case of overseas transfers to the foreign companies. This final record can be used as a basis for implementing the measures under this law. 

Obtaining consent, that is freely given and specifications on for what purposes the personal information is used must be explicitly mentioned.  

The organizations must ensure that the users can make decisions that are related to their personal information and the tools for the option to opt out. Reviewing the privacy policies, and notices greatly helps in compliance. 

Providing options to refuse the cookies and other automated profiling mechanisms. 

These are some of the measures that can be implemented, to comply with China’s PIPL laws, The failure to implement these laws by organizations may subject to a fine of not more than RMB 1 million (approx. €136,260) and a responsible person may be subject to fines between RMB 10,000 (approx. €1,360) to 100,000 (approx. €13,630). 

Checkout Other Whitepapers

Unlocking the Potential of Generative AI: Balancing Innovation with Privacy Generative AI is revolutionizing industries, but with great power comes great responsibility …

This paper is an in-depth analysis of the newly introduced Digital Personal Data Protection Act 2023. The Act is a simple and …

In an age defined by technological leaps, the convergence of Generative AI and Data Privacy emerges as a pivotal crossroads.As Generative AI …

The European Commission introduced a proposal in April 2021 to regulate artificial intelligence (AI) in a 108-page document, aiming to establish a …