
PIPL — China's Personal Information Protection Law for Connected-Product Operators

Practical PIPL compliance guide — legal bases, separate consent, sensitive personal information, cross-border transfer mechanisms

By Tatiana K.

PIPL (Personal Information Protection Law / 个人信息保护法), effective 1 November 2021, is the People’s Republic of China’s comprehensive personal-data protection framework. Together with the Cybersecurity Law (CSL) and Data Security Law (DSL), PIPL forms the three-pillar structure of China’s data-governance regime.

For connected-product operators, SaaS companies, and AI-product organizations processing personal information of individuals located in mainland China, PIPL compliance is operationally mandatory regardless of operating-entity location.

PIPL applicability — when does it apply

PIPL applies to:

  1. Processing of personal information inside mainland China, by any operator
  2. Processing of personal information of individuals located in mainland China, by operators outside the territory, where the processing has any of:
    • The purpose of providing products or services to individuals in mainland China
    • The purpose of analyzing or evaluating the behavior of individuals in mainland China
    • Other circumstances prescribed by law or administrative regulation

The extraterritorial scope mirrors GDPR’s reach in structural terms — overseas operators serving Chinese users are inside PIPL’s scope even with no operational footprint inside the territory.

Legal bases for processing

PIPL (Article 13) specifies the legal bases that authorize processing of personal information. The most common in practice:

  • Consent, the foundational basis for most consumer-facing operations
  • Necessity for concluding or performing a contract with the individual, or for human-resources management under lawfully adopted labor rules and collective contracts
  • Performance of legal obligations or statutory duties
  • Response to public-health emergencies, or protection of life, health and property in emergency situations
  • News reporting and public-opinion supervision in the public interest, within reasonable scope
  • Processing, within reasonable scope, of personal information the individual has disclosed themselves or that has otherwise been lawfully disclosed
  • Other circumstances prescribed by law or administrative regulation

Notably absent from PIPL is the GDPR-style "legitimate interest" basis: PIPL contains no broad legitimate-interest ground. Operations that would rely on legitimate interest under GDPR (analytics, product improvement, marketing to existing users) typically require consent under PIPL unless they fit one of the narrow bases above.

Separate consent

PIPL imposes separate consent requirements that go beyond general processing consent. Separate consent is required for:

  • Processing sensitive personal information (biometrics, religious beliefs, specific identity, medical health, financial accounts, whereabouts and location tracking, and any personal information of minors under 14)
  • Cross-border transfer of personal information
  • Providing personal information to another personal-information handler (the controller-equivalent in PIPL terminology)
  • Public disclosure of personal information
  • Using personal images or identification information captured by image-collection or identity-recognition equipment in public places for any purpose other than public security

Automated decision-making is regulated differently: where a decision made solely by automated means significantly affects an individual's rights and interests, the individual has the right to an explanation and the right to refuse such a decision. This is a right of refusal layered on the general processing consent, not a separate-consent trigger, so the consent flow for profiling should be designed around refusal and opt-out rather than around an extra consent checkbox.

Separate consent is distinct from the general consent for processing. The individual must first be informed of the specifics (for a transfer or disclosure: the recipient's name and contact details, the processing purpose and method, the categories of personal information involved and the retention period, and how to exercise rights against the recipient), and the consent itself must be a separate affirmative act by the data subject, not a clause bundled into acceptance of a general privacy policy.

Cross-border transfer mechanisms

PIPL (Article 38) imposes a three-mechanism structure for cross-border transfer of personal information out of mainland China:

  1. CAC Security Assessment, mandatory for CII operators, for export of Important Data, and for personal-information transfers above volume thresholds (with lower thresholds for sensitive personal information). Operated by the Cyberspace Administration of China (CAC).
  2. CAC-formulated Standard Contractual Clauses (SCC), a contractual mechanism similar in structure to GDPR SCCs, with PRC-specific clauses and a filing requirement with the provincial CAC
  3. Personal Information Protection Certification, issued by accredited certification bodies under State Administration for Market Regulation (SAMR) oversight

The CAC Security Assessment thresholds have been revised over the regulatory history. As of the CAC's March 2024 Provisions on Promoting and Regulating Cross-Border Data Flows, a security assessment is required for CII operators, for Important Data, and for other handlers that have transferred the personal information of more than 1 million individuals, or sensitive personal information of more than 10,000 individuals, since 1 January of the current year; transfers covering 100,000 to 1 million individuals, or sensitive personal information of fewer than 10,000 individuals, can use SCCs or certification; and transfers of non-sensitive personal information covering fewer than 100,000 individuals need no mechanism at all. Current figures should be confirmed at engagement time against current CAC guidance, since they have changed more than once.

For most overseas operators below the CAC Security Assessment thresholds, the SCC route is the practical choice: it avoids the assessment timeline but still requires a personal-information protection impact assessment and a filing of the signed contract and the impact assessment with the provincial CAC.

Data Subject Rights under PIPL

PIPL (Articles 44 to 50) establishes data-subject rights that mirror but do not exactly replicate GDPR's rights catalogue:

  • Right to know and to decide about processing, including the right to restrict or refuse processing by others
  • Right of access and to obtain a copy
  • Right of correction and completion
  • Right of deletion, which the handler must honor on its own initiative once the purpose is achieved or the retention period expires
  • Right to data portability, conditional on criteria set by the CAC
  • Right to withdraw consent, with withdrawal not affecting processing that already took place
  • Right to an explanation of the handler's processing rules
  • Rights exercised by close relatives of a deceased individual, for their own lawful interests

Operators must establish accessible mechanisms for exercising these rights. PIPL itself sets no fixed statutory response deadline (unlike GDPR's one month); it requires a convenient mechanism, a stated reason for any refusal, and gives the individual the right to sue over a refusal. Sector-specific guidance and the national standard GB/T 35273 (Personal Information Security Specification) give more concrete response expectations.

PIPL interaction with MLPS and DSL

PIPL operates alongside MLPS (cybersecurity classified protection) and DSL (data security and classification). The three frameworks address overlapping but distinct objectives:

| Framework | Focus | Triggered by |
|---|---|---|
| MLPS 2.0 | System cybersecurity classified protection | System-based classification |
| PIPL | Personal information protection | Processing personal information of individuals in the PRC |
| DSL | Data security across all data categories | Processing any data inside the PRC, with heightened obligations for Important Data |

For connected-product and SaaS operators, the practical implication is parallel-tracked compliance — the technical controls overlap substantially, but the documentation, governance, and reporting obligations are distinct per framework.

Designated Representative requirement

PIPL Article 53 requires non-PRC operators processing personal information within PIPL's extraterritorial scope to establish a dedicated institution or designate a representative inside the PRC and to report the representative's name and contact information to the relevant authority. This is typically a contractual relationship with a PRC entity that takes on the representative role, not necessarily a directly-employed natural person.

Frequently asked questions

Is PIPL effectively China’s GDPR?

PIPL is structurally similar to GDPR — extraterritorial scope, legal-bases framework, data-subject rights, cross-border-transfer regulation — but is not a direct port. Material differences include the separate-consent regime, the absence of legitimate-interest legal basis, the localization requirements for certain categories, and the CAC-driven cross-border-transfer mechanism. GDPR experience accelerates PIPL implementation work but does not substitute for it.

Do we need PIPL compliance if our subsidiary in China processes the data, not our overseas headquarters?

If your Chinese subsidiary processes personal information of individuals inside the PRC, PIPL applies to the subsidiary's processing directly. The overseas headquarters' role depends on its actual involvement in the processing: whether it makes processing decisions, receives data via cross-border transfer (which itself triggers the transfer mechanisms and separate consent), or acts as a joint personal-information handler with the subsidiary. See Does PIPL apply if my product never touches mainland-China users but my Chinese subsidiary processes their data? — FAQ.

How does PIPL separate consent differ from GDPR consent?

PIPL's separate consent is an additional consent requirement layered on top of general consent. GDPR's consent definition is structural (how consent must be obtained: freely given, specific, informed, unambiguous); PIPL's separate consent is operational (a distinct consent act required for specific processing scenarios). They are not direct equivalents, and the two regimes can require different consent flows even when handling the same processing.

Do we need separate consent to use a cloud provider?

PIPL distinguishes providing personal information to another personal-information handler (Article 23, which requires separate consent) from entrusting processing to a vendor (Article 21, which requires a written agreement on purpose, method, categories, protection measures and the parties' obligations, plus supervision of the vendor, but not separate consent). A typical cloud-services arrangement falls under the entrusted-processing model, so it may be permissible without separate consent if the provider acts only on the handler's instructions under a documented processing agreement and the original processing consent covered the entrusted-processing scope. If the provider is outside mainland China, the cross-border transfer rules and separate consent for transfer still apply. The detailed answer depends on the cloud-services contractual structure and the original consent scope; consult China-licensed legal counsel.


Placeholder — pending founder + China-licensed legal review. Specific regulatory citations (article numbers, current threshold values) must be verified against current CAC and NPC publications before publication.