What Is the Personal Information Protection Law of the People's Republic of China?
The Personal Information Protection Law of the People's Republic of China (PIPL, 个人信息保护法) is China's first comprehensive personal information protection statute. Passed by the Standing Committee of the National People's Congress on 20 August 2021 and in force 1 November 2021, PIPL completes a trilogy with the Cybersecurity Law (2017) and Data Security Law (2021) that forms China's data protection regulatory framework.
PIPL is modeled in part on GDPR (rights-based, consent-centric, extraterritorial) but reflects China-specific priorities: strict cross-border data transfer requirements, enhanced government oversight, and specific obligations for 'Critical Information Infrastructure Operators' (CIIOs) and processors handling large volumes of data. PIPL is enforced primarily by the Cyberspace Administration of China (CAC), with sectoral regulators (People's Bank of China, National Medical Products Administration, etc.) handling industry-specific violations.
PIPL's cross-border transfer framework (Articles 38-43) is particularly consequential: transfers of personal information outside China generally require one of (a) a CAC security assessment, (b) Standard Contractual Clauses certified by CAC, (c) a personal information protection certification from a CAC-approved body, or (d) a legal basis under specific circumstances. March 2024 amendments significantly streamlined this — raising thresholds for CAC security assessment requirements and exempting certain employment and contract-related transfers.
At a glance
- Full name: Personal Information Protection Law of the People's Republic of China
- Short code: PIPL
- Jurisdiction: China
- Enacted: 2021
- Last major update: In force November 1, 2021; Regulations on Cross-Border Data Flows amended March 2024
- Regulator: Cyberspace Administration of China (CAC) + sectoral regulators
- Private right of action: Yes
- Statutory citation: Personal Information Protection Law of the People's Republic of China
Scope — who PIPL covers
Protected data
Data subject rights
- Right to know the processing rules and make decisions about processing (Article 44)
- Right to restrict or refuse processing by others (Article 44)
- Right of access and copy of personal information (Article 45)
- Right to correction and supplementation (Article 46)
- Right to deletion (Article 47)
- Right to data portability (Article 45) — receive data and transfer to designated processors
- Right to an explanation of the processing rules
- Right to challenge automated decisions and request human review (Article 24)
- Right to file complaints and reports with regulators, and to bring lawsuits
Notable features
PIPL's distinctive features include: (1) strict cross-border data transfer requirements through CAC security assessment, SCCs, or certification — making data localization the practical default for many sectors; (2) specific obligations for 'Critical Information Infrastructure Operators' and large-scale processors (storing personal info of 1M+ individuals, sensitive info of 10K+ individuals, or transferring data of 100K+ individuals overseas); (3) burden-shifting in civil actions under Article 69 (data handler must prove no fault); (4) coordination with the Cybersecurity Law and Data Security Law for integrated compliance.
Enforcement & penalties
Regulator: Cyberspace Administration of China (CAC) + sectoral regulators
Penalties: Graduated sanctions under Articles 66-71: for ordinary violations, corrective order, warning, confiscation of illegal gains, fine up to RMB 1 million (approximately USD 140,000); for serious violations, fine up to RMB 50 million or 5% of annual revenue, plus suspension of operations, revocation of licenses. Individuals directly responsible face fines up to RMB 1 million and occupational bans. Personal information-related business deregistration has been used as a remedy.
Private right of action: Article 69 creates a tort-style private right of action: if processing infringes personal information rights, the data handler bears compensation liability unless it proves it was not at fault. The Supreme People's Court has issued several guiding cases on personal information torts. Class actions (Article 70) can also be brought by consumer associations or procuratorates (Public Interest Litigation) on behalf of affected individuals.
Relevance to data brokers
PIPL's Article 3 extraterritorial reach and Article 38 cross-border transfer requirements mean foreign data brokers handling data of individuals in China face substantial compliance burden. The CAC has been active on cross-border enforcement, notably against ride-hailing platforms (Didi paid RMB 8.026 billion — approximately USD 1.2 billion — in July 2022 for PIPL/Cybersecurity Law/Data Security Law violations). Foreign brokers aggregating data of Chinese residents without PIPL-compliant cross-border transfer mechanisms face enforcement risk.
FAQ
Does PIPL apply to foreign companies?
Yes. Article 3 provides extraterritorial scope: PIPL applies to processing outside China where the purpose is providing products or services to individuals in China, or where the processing involves analyzing or evaluating the behavior of individuals in China. Foreign data handlers meeting this test must designate a China-based representative and register with the CAC.
What are PIPL cross-border transfer requirements?
Generally one of: (1) CAC security assessment (required for CIIOs, for transfer volumes above the thresholds set by the March 2024 amendments, or for transfer of 'important data'); (2) China Standard Contractual Clauses certified by CAC; (3) personal information protection certification from a CAC-approved body; or (4) specific legal bases such as contract performance with the data subject or cross-border employment relationships (clarified by the 2024 amendments).
What is a 'Critical Information Infrastructure Operator' (CIIO)?
CIIOs are operators of critical information infrastructure as defined under the Cybersecurity Law (2017) — typically in finance, energy, transport, water, public communications, radio and television, and government networks. CIIOs face enhanced PIPL obligations including mandatory CAC security assessment for all cross-border personal information transfers.
How do I file a PIPL complaint?
PIPL complaints can be submitted to the local branches of the Cyberspace Administration of China, sectoral regulators (for industry-specific issues), or local market supervision authorities. Chinese residents can also pursue civil actions under Article 69 — with burden-shifting in their favor — in local people's courts.