Policy Briefing — China Personal Information Protection Law Passed

Executive briefing: The Standing Committee of the National People’s Congress adopted China’s Personal Information Protection Law (PIPL) on August 20, 2021, creating the country’s first comprehensive privacy statute. Organisations processing personal information of individuals in China must comply by November 1, 2021, including localisation, consent, and cross-border transfer assessments.

Immediate compliance priorities

Jurisdiction scoping. Determine whether overseas operations target individuals in China or process their behaviour data, triggering extraterritorial PIPL obligations.
Data localisation. Identify critical information infrastructure operators and processors reaching thresholds set by the Cyberspace Administration of China (CAC) that must store data domestically and undergo security assessments.
Cross-border transfers. Prepare lawful transfer mechanisms such as CAC security reviews, certification, or standard contracts, coupled with impact assessments.

Control alignment

Consent and transparency. Update notices and consent flows for sensitive personal information, minors, and automated decision-making disclosures.
Data subject rights. Establish processes to honour access, correction, deletion, and portability requests within mandated timelines.
Governance. Appoint responsible personnel or representatives in China, implement regular compliance audits, and maintain processing records.

Enablement moves

Monitor CAC implementing regulations on security assessments, standard contracts, and certification schemes.
Localise incident response runbooks to meet PIPL reporting deadlines and state council directives.
Deliver bilingual training for China-focused teams covering lawful bases, individual rights, and enforcement penalties.

Sources

Zeph Tech enables PIPL compliance with cross-border assessment templates, localisation gap analyses, and governance playbooks for multinational teams.