China Compliance
PIPL
Definition
PIPL (Personal Information Protection Law, 个人信息保护法) is the People's Republic of China's comprehensive personal data protection law, enacted in 2021 and effective November 1, 2021. It establishes legal bases for processing personal information, data subject rights, and cross-border transfer requirements applicable to organizations processing personal information of individuals located in mainland China.
What it means
PIPL is widely characterized as China's GDPR equivalent, though with material differences. Both establish legal bases for processing, define data subject rights, and impose extraterritorial obligations on organizations outside the jurisdiction that handle resident data. Differences include PIPL's stricter consent regime (separate consent for specific use cases like cross-border transfer or processing sensitive personal information), its data localization requirements for certain categories, and its CAC (Cyberspace Administration of China) approval process for some cross-border data transfers.
For connected-device manufacturers and SaaS operators, PIPL compliance involves: data classification (personal information vs sensitive personal information), legal basis identification for each processing purpose, data subject rights fulfillment infrastructure, separate consent flows where required, and cross-border transfer assessment when data leaves mainland China.
The PIPL pillar covers the framework in depth, including the practical decision tree for IoT and SaaS organizations.
Authoritative sources
- PIPL official text (NPC)
- CAC guidance