Compliance China

The PIPL protects the rights and interests in personal information, regulates processing activities and promotes the reasonable use of personal information (Art. 1).

It applies to processing carried out within China and, extraterritorially (Art. 3), where the purpose is to provide products or services to individuals in China or to analyze/evaluate their behavior.

Processing must observe the principles of lawfulness, legitimacy, necessity and good faith, with a clear and reasonable purpose, limited to the minimum scope and conducted transparently (Arts. 5–7).

A controller may process personal information only on a valid basis (Art. 13): consent; necessity for a contract or HR management; compliance with legal duties; response to public-health emergencies; news reporting in the public interest; processing of lawfully disclosed information; or other circumstances provided by law.

Consent must be given voluntarily and explicitly, with full knowledge, and may be withdrawn at any time (Arts. 14–16).

Sensitive personal information (biometrics, religion, specific identity, health, financial accounts, location, and data of minors under 14) requires separate consent, strict necessity and enhanced protection (Arts. 28–32).

To transfer personal information abroad (Art. 38), a controller must meet at least one condition: pass a security assessment organized by the State cyberspace authority; obtain certification from a specialized body; sign a contract based on the standard clauses; or meet other legal conditions.

The individual must be informed and provide separate consent (Art. 39). Critical-information-infrastructure operators and high-volume processors must store data domestically and undergo a security assessment to transfer it abroad (Art. 40).

Individuals have the right to know and decide about the processing of their data, and to restrict or refuse it (Art. 44); to access and obtain a copy, and to portability (Art. 45); to correction and completion (Art. 46); and to deletion under the listed circumstances (Art. 47). Controllers must establish accessible mechanisms to handle these requests (Art. 50).

Controllers must adopt internal management systems, classified handling, encryption/de-identification, access controls, training and incident-response plans (Art. 51). High-volume processors must appoint a person in charge of personal information protection (Art. 52), and foreign controllers in scope must designate a representative or establishment in China (Art. 53).

A prior personal information protection impact assessment is required for sensitive data, automated decision-making, sharing/disclosure and cross-border transfers (Art. 55). Security incidents must be remediated and notified (Art. 57).

The State cyberspace authority coordinates protection and supervision (Art. 60). Serious violations may result (Art. 66) in orders to rectify, confiscation of unlawful gains, and fines of up to RMB 50 million or 5% of the prior year's revenue, plus suspension of business and personal fines for responsible individuals.