What is PIPL? Understanding China’s Personal Information Protection Law


China’s Personal Information Protection Law (PIPL), or the 中华人民共和国个人信息保护法, is one of the most comprehensive data protection laws in the world. In force since November 1, 2021, PIPL governs the collection, storage, and cross-border transfer of personal information (PI) and sensitive personal information (SPI) in China. If your business handles the data of users in China, full compliance with PIPL is a prerequisite for being a fully compliant company.

What is the Personal Information Protection Law (PIPL)?

PIPL is China’s equivalent of the EU’s GDPR, aiming to protect individuals’ personal data and regulate how it is processed. The law introduces strict rules on how companies collect, store, use, and share data of individuals located in mainland China. It is worth noting that the law has extraterritorial reach, meaning that it applies to entities outside mainland China if they process personal information of individuals within China for purposes such as offering products or services to them or analysing and assessing their behaviour. Therefore, any entity that handles personal data of individuals in mainland China under these conditions must comply with the PIPL.

Key Definitions Under PIPL:

  • Personal Information (PI) – Data that can identify a person either directly (e.g., name, phone number, IP address) or indirectly (e.g., call history, browsing habits).
  • Sensitive Personal Information (SPI) – Data that could harm an individual if leaked, such as biometric data, medical records, financial information, and children’s data (under age 14).
  • Important Data – Data related to national security, public interest, or economic operations (e.g., geographic information, macroeconomic statistics, infrastructure data).
  • Critical Infrastructure Information (CII) – Data from sectors such as telecoms, finance, energy, and government, where leaks could seriously impact national security or public interests.

Can I Transfer Data Outside of Mainland China?

Under PIPL, any data collected in China (including PI, SPI, important data, or CII) must be stored in mainland China before being transferred abroad, even if the transfer is only for viewing by overseas personnel. There are three primary mechanisms for data export compliance:

1. Exemption (Low-Volume or Specific Use Cases)

According to Article 5 of the Provisions on Promoting and Regulating Cross-border Data Flows, you may be exempt from full compliance requirements if:

  • You handle fewer than 100,000 individuals’ PI per year.
  • You handle data related to cross-border shopping, HR, or emergency services.
  • You’re not collecting SPI or Important Data.

In these cases, you are not required to conduct security assessments or sign Standard Contracts with overseas recipients.

2. Standard Contract + Protection Impact Assessment (Mid-Volume Transfers)

According to Article 8 of the Provisions on Promoting and Regulating Cross-border Data Flows, if you transfer:

  • 100,000 to 1 million individuals’ PI, or
  • Less than 10,000 individuals’ SPI,

You must:

  • Sign a Standard Contract with the overseas recipient, and
  • Conduct a Personal Information Protection Impact Assessment (PIA).

This ensures the overseas recipient can provide adequate protection as required by Chinese law.

3. Security Assessment (High-Volume or Critical Data)

This is mandatory if you:

  • Are a critical infrastructure operator, or
  • Transfer over 1 million individuals’ PI, or
  • Transfer over 10,000 individuals’ SPI, or
  • Transfer Important Data.

In these cases, according to Article 7 of the Provisions on Promoting and Regulating Cross-border Data Flows, you must file for a Security Assessment with the Cyberspace Administration of China (CAC) and obtain approval before exporting any data.

Where Must the Data Be Stored?

All PI, SPI, and important data must first be stored on servers located in China before any processing or export can occur. This applies even if the data is only being viewed by individuals outside of China.

What are the Consequences of Non-compliance?

Non-compliance with the PIPL can lead to serious consequences. Financially, fines of up to CNY 50 million or 5% of annual revenue can be issued for data breaches. In more severe cases, individuals responsible for data breaches can be sentenced to up to 7 years in prison. The CAC, Ministry of Public Security, and State Administration for Market Regulation are authorised to enforce the PIPL. Consequently, it’s possible for multiple departments to impose fines simultaneously for different aspects of non-compliance.

Didi is the most widely used ride-sharing app in China. Didi was found to have violated the PIPL in 2022 after it had illegally processed 64.7 billion pieces of personal information. Due to the severity of the breach, Didi was fined CNY 8 billion; this figure includes fines issued for violations of the Data Security Law and the Cybersecurity Law. This is the most prominent example of PIPL non-compliance since the promulgation of the law in 2021; however, many smaller-scale violations continue to occur. It is therefore crucial to properly understand PIPL and ensure you are completely compliant.

How AppInChina Can Help You Stay Compliant with PIPL

As a leading expert in China’s digital landscape, AppInChina supports international companies in navigating PIPL compliance and cross-border data challenges by:

  • Assisting with Standard Contracts and PIA submissions.
  • Conducting a free consultation to ensure compliance with PIPL.
  • Guiding businesses through Security Assessments with the CAC.
  • Advising on hosting your data in China and providing technical guidance to ensure that your architecture is fully compliant in China.

Ready to ensure your business is PIPL-compliant? Contact us today to access the Chinese market with full regulatory confidence.