Introduction to china personal information protection law (pipl)

November 8, 2023

What is the PIPL?

The Personal Information Protection Law of the People’s Republic of China is a particular law enacted for the purposes of protecting the rights and interests on personal information, regulating personal information processing activities, and promoting reasonable use of personal information (Art.1).

When did the PIPL take effect?

The PIPL entered into force as of the 1st of November 2021, nearly 3 months after being adopted at the 30th Meeting of the Standing Committee of the Thirteenth National People’s Congress on August 20, 2021.

Did the PIPL replace any other laws on personal information protection in China?

No, the PIPL is the first national-level law of the People’s Republic of China (the PRC) to address personal information processes in order to protect legal rights and interests of the data subjects.

What is the territorial scope of the PIPL?

According to Art.3, the PIPL generally applies to all personal information processes within the territory of the PRC. Besides, the PIPL also has extra-territorial effect, regulating the process of within the PRC natural persons’ data, however, conducted outside the territory of the PRC, under some circumstances, such as for the purpose of providing products or services for natural persons inside the PRC.

Who are the regulated entities of the PIPL?

According to Art.2, the personal information of natural persons shall be the main entity of protection by the law. Therefore, the PIPL applies to all organizations or individuals in both the public and private sectors having relevance to personal information processes within the preceding-mentioned territorial scope.

What are the main contents of the PIPL?

Generally, the PIPL has 8 chapters and 73 articles, regulating on:

(i)  Process of normal and sensitive personal information within and across border of the PRC;
(ii)  State organs data use;

(iii) Individuals’ rights in personal information processing activities;

(iv) Obligations of personal information processors;

(v)  Legal liabilities;

(vi) Miscellaneous supplementary provisions.

What is the definition of personal information (PI)?

According to Art.4, “personal information” is considered as any sort of information recorded by electronic means or others, which is related to an identified or identifiable natural person within the PRC but does not include anonymized information.

What does the PI processing include?

According to Art.4, personal information processing consists of personal information collection, storage, use, processing, transmission, provision, disclosure, deletion and so on.

 What are the basic principles of legally PI processing?

According to Art.5 and Art.6, personal information processing shall be mainly based on the following principles:

(i)   According to law, with justified reasons, in good faith, and the processing may not involve misguidance, fraud, coercion, and the like.

(ii)   Resulting from explicit and reasonable purposes and directly related to those purposes, and shall exert the minimum impacts on the rights and interests of individuals.

(iii) Limiting the scope of data collection to the minimum required by the purpose of processing, and personal information may not be collected excessively.

What are the legal bases for PI processing?

According to Art.13, there are seven legal bases for processing personal information:

(i)  Obtaining the data subject’s consent;

(ii)  Where necessary for the conclusion or performance of a contract in which the individual is a party, or for personnel management;

(iii) Where necessary for the performance of statutory duties or obligations;

(iv) Where necessary for public health emergencies’ response, or for protecting the life, health, and property safety of natural persons in emergencies;

(v)  Information utilization for news reporting, media supervision, and other activities for the purpose of the public interest;

(vi)  Information which has been already disclosed personal information by the individual himself or other legal disclosure;

(vii) In other circumstances permitted by laws or administrative regulations.

Furthermore, individual consent shall be required if any other relevant regulations so provide, except for the preceding specified cases.

What are the individual’s rights under the PIPL?

The PIPL entitles the data subjects (individuals) some rights in order to support their PI self-protection:

(i)    Be informed and allowed to decide on the processing of their personal information (Art.44).

(ii)   Be entitled to access and make a copy of their personal information (Art.45).

(iii)  Be entitled to transfer their personal information from one processor to another (Art.45).

(iv) Be entitled to request to correct and/or supplement their personal information if incorrect or incomplete (Art.46).

(v)  Be entitled to request the processor to delete their personal information in regulated cases (Art.47).

(vi) Be entitled to request an interpretation for the processor’s personal information processing regulations (Art.48).

(vii) The deceased’s close relatives shall be entitled to exercise the rights to handle their personal information (Art.49).

Who enforces the PIPL?

According to Art.60, the national cyberspace department and the relevant departments of the State Council, the Ministry of Science and Technology, the Ministry of Public Security, for instance, are entitled to enforce the PIPL.

The former shall take the responsibility for the overall planning and coordination of personal information protection and related supervision and administration.

Meanwhile, the latter shall be responsible for personal information protection and related supervision and administration within the scope of their respective duties.


Privacy Compliance

Layered Notice – A Robust Demonstration Of Transparency

One of the fundamental principles for Personal Data Controllers is the unwavering commitment to transparency vis-à-vis data subjects. In their pursuit to address this requirement, Controllers have opted to issue lengthy Privacy Notices, aiming for comprehensive disclosure to relevant data subjects. However, the question arises: Does this approach represent the most optimal method to guarantee […]

Learn more

Privacy Compliance

Introduction to gdpr

KEY TAKEAWAYS: – GDPR is the EU’s current personal data protection regulation and the global standard in the field of data protection; – Predecessors of GDPR include the OECD’s 1980 Privacy Guidelines and the 1995 Directive 95/46/EC ; – GDPR stipulates many concepts and regulations regarding data protection such as the definitions, rights and responsibilities […]

Learn more

Privacy Compliance

Right to be forgotten in the information age

In the modern world, information of all forms, including personal data, is a valuable resource that is beginning to show its true worth. In order to protect ordinary people from personal data infringement, many countries in the world have enacted legislation stipulating the rights of the data subject. Among many such rights, there is one […]

Learn more