Top 5 Operational Impacts of China’s PIPL
This series examines several facets of the Personal Information Protection Law of the People’s Republic of China.
China’s Personal Information Protection Law, or PIPL, enacted Nov. 1, 2021, has rewritten the rules of the global privacy landscape. Many commentators have described it as one of the strictest privacy regimes on the planet. Akin to the EU General Data Protection Regulation, it also applies extraterritorially to companies that handle any personal data from China, provide products or services to Chinese residents, or analyze the behavior of Chinese consumers.
This five-part IAPP series is written by a host of experts on Chinese law. It explores the most important features of China’s PIPL, from requirements around sensitive personal information, data subject rights and international data transfers, to the bases for handling data, DPO responsibilities, and enforcement mechanisms and penalties.
Series Overview
Scope, key definitions and lawful processing of data
This article explains the scope of the PIPL, including its broad applicability to personal information handling both inside China and extraterritorially, and highlights key definitional distinctions from the GDPR, such as “personal information,” “handling,” and “handlers.” It also outlines the conditions under which entities outside China must appoint a representative and describes exclusions for household uses and certain government statistical activities.
Obligations and rights
This article details the legal obligations imposed on personal information processors (PIPs), including notification, valid consent, and expanded permissible legal bases for processing beyond consent, while emphasizing that “notification + consent” will remain most common due to the absence of a “legitimate interest” basis under the PIPL. It also explains the rules for obtaining informed, explicit, voluntary consent and the requirement to re‑obtain consent when processing purposes or categories change.
Personal information protection officer
This article examines the PIPL’s requirement for certain organizations to appoint a personal information protection officer (PIPO), a role analogous to the GDPR’s DPO, responsible for supervising personal information handling activities. It further notes that entities outside China subject to the PIPL must establish a dedicated agency or representative within China to manage compliance obligations.
Penalties and enforcement mechanisms
This article outlines the PIPL’s multi‑layered enforcement system, including powers granted to numerous supervisory authorities such as the Cyberspace Administration of China, and describes available investigatory tools including inspections, document reviews, and equipment seizure. It summarizes the tiered penalty structure, ranging from fines up to RMB 1 million for general violations to RMB 50 million or 5% of annual revenue for grave violations, along with potential personal liability for management.
International data transfers
This article describes the PIPL’s framework for cross‑border data transfers, including requirements for separate consent, ensuring equivalent protection by overseas recipients, and conducting personal information protection impact assessments. It also explains interactions with China’s Cybersecurity Law and Data Security Law and emphasizes the PIPL’s role in China’s broader regulatory landscape governing outbound data flows.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.