Compliance Briefing — China Personal Information Protection Law Takes Effect
China's Personal Information Protection Law (PIPL) entered into force on November 1, 2021, imposing GDPR-style consent, data minimization, and cross-border transfer requirements for organizations handling Chinese residents' data.
Executive briefing: The Personal Information Protection Law of the People's Republic of China (PIPL) took effect on November 1, 2021. The comprehensive privacy regime introduces explicit consent rules, obligations on personal information handlers and the parties they entrust with processing, and penalties for serious violations of up to RMB 50 million or 5% of the prior year's annual revenue.
Key provisions
- Data processing legitimacy. Organizations must rely on a lawful basis for every processing activity: informed consent is the default, with alternatives such as contract performance, human resources management, or statutory duties. Separate, explicit consent is required for sensitive personal information and for cross-border transfers, and processing must be limited to the minimum scope necessary for the stated purpose.
- Cross-border transfer controls. Exporters must complete a CAC security assessment, obtain certification from an accredited institution, or file a CAC standard contract before moving personal information overseas, and must conduct a personal information protection impact assessment and obtain the individual's separate consent for the transfer.
- Individual rights. Data subjects gain rights of access, correction, deletion, and portability. Handlers must provide a convenient mechanism for exercising these rights and must explain any refusal, which the individual may challenge in court.
Implementation guidance
- Data inventory. Map personal information flows touching China data subjects, including telemetry, customer support, and analytics pipelines.
- Transfer governance. Evaluate whether security assessments or CAC standard contracts are required for existing cross-border integrations.
- Policy updates. Refresh privacy notices, consent dialogs, and incident response procedures to align with PIPL timelines and penalties.
Enablement moves
- Designate a dedicated entity or representative in China where personal information of Chinese residents is handled from outside China, and appoint a person in charge of personal information protection where the processing volume thresholds set by the CAC are met.
- Implement request intake tooling that can localize responses and evidence compliance for audits.
- Coordinate with security teams on data localization strategies, encryption key residency, and vendor contract amendments.