Personal Information Protection Law (PIPL) China 

Overview

The Personal Information Protection Law of the People's Republic of China (PIPL) is a comprehensive regulation aimed at safeguarding the personal information rights and interests of individuals. Adopted on August 20, 2021, and effective from November 1, 2021, it provides a legal framework for the collection, processing, storage, and sharing of personal information. The law sets requirements for both domestic and international entities that process the data of individuals within China, with a focus on transparency, user rights, and the protection of sensitive information.

Regulation Summary

  • Enacted: August 20, 2021
  • Effective: November 1, 2021

  • Organizations and individuals within China processing personal information.
  • Entities outside China providing products or services to Chinese residents.
  • Entities monitoring behaviors of individuals within China.

  • Personal or household data processing.
  • Processing required for national security or public interest.

  • Obtain informed, explicit consent for data processing.
  • Conduct personal information protection impact assessments (PIAs) for high-risk activities.
  • Ensure data minimization and transparency in processing.
  • Implement robust security measures to prevent unauthorized access, leaks, or breaches.
  • Notify authorities and affected individuals of data breaches.
  • Localize storage of critical data and conduct security assessments for cross-border transfers.
  • Designate a data protection officer (DPO) for organizations handling significant amounts of personal information.

  • Provide clear, accessible privacy policies.
  • Obtain explicit consent for cookies and similar tracking technologies.
  • Ensure individuals can exercise their rights easily, such as access, correction, or deletion.

  • Sensitive Data Protections: Special safeguards for biometrics, health data, financial data, and data of minors under 14.
  • Automated Decision-Making: Transparency in algorithms and options for individuals to contest decisions.
  • Data Localization: Critical data must remain within China unless specific requirements for cross-border transfer are met.

  • Be informed about data processing activities.
  • Access, correct, and delete their personal data.
  • Restrict or object to data processing.
  • Port their data to another processor.
  • Withdraw consent at any time.

  • Supervisory Authority: The Cyberspace Administration of China (CAC).
  • Penalties: Fines up to RMB 50 million (USD 7 million) or 5% of annual turnover for severe violations. Lesser violations may result in fines up to RMB 1 million (USD 140,000).