Jan 22 / Punit Bhatia

Understanding Chinese Data Protection Law

Drag to resize

What is the Personal Information Protection Law (PIPL) in China? Is this the only law to protect personal information? What other security measures and legislations apply to the processing of personal information? How about transferring personal information from one organization to another or to a foreign country? These questions are discussed in detail, in a conversation between Heidi Waem and Punit Bhatia in the FIT4PRIVACY Podcast.  

Overview of data privacy and cyber security laws in China

In China, there are three extensive laws that govern data protection, privacy, and cyber security. These provide a clarification on the approach to be taken by the organizations dealing with the personal information of the data subjects. These three laws are:

The Cybersecurity Law (s)

The Cybersecurity Law amalgamated various regulations, supplemented diverse guidelines, and was brought into force on 1st June 2017 with an intention to protect national security, improve information and network security, and fight online crimes. This law expanded the focus of cybersecurity laws in China. 

The Data Security Law (s)

The Data Security Law came into effect on 1st September 2021 and focused on classifying data based on its collection & storage and its effect on national security. Further, it regulates the transfer of data, keeping into consideration the type of data. This law provides an expansion to the Cybersecurity Law, 2017, and highlights the need for data localization and regulation the cross-border data transfers.  

Personal Information Protection Law (PIPL)

The most recent is the Personal Information Protection Law or PIPL which came into effect on 1st November 2021 and is intended to protect the personal information of data subjects, regulate the processing of personal data and promote its reasonable use. A number of provisions of this legislation are reminiscent of the European Union’s General Data Protection Regulation (GDPR), however, the applicability of the law is what the experts in the field are looking forward to. As Heidi Waem, Counsel at DLA Piper states, although it looks as if the newer data protection regulations are a replica of the GDPR, each of such regulations has its own unique application considering the culture and geopolitical situation of that country.

Overview of Personal Information Protection Law 

The PIPL or Personal Information Protection Law consists of 8 chapters, being: 
  • General Provisions; 
  • Personal Information Processing Rules; 
  • Rules for Cross-Border Provision of Personal Information; 
  • Individuals' Rights in Personal Information Processing Activities; 
  • Obligations of Personal Information Processors; 
  • Departments Performing Personal Information Protection Functions; 
  • Legal Liabilities; and 
  • Miscellaneous Provisions.  
These chapters comprise articles, which emphasize what is personal information, the basis of processing the data, what measures to undertake while processing such data or while dealing with cross-border transfers, the rights of data subjects, obligations of the organizations, liability of the organization in circumstances of a breach of data, etc.  
The PIPL does not limit its applicability to within its territorial boundaries but extends its scope to include entities that process personal information outside of China, provided that such purpose of the processing is to provide a product/service to data subjects in China or to analyze the behavior of data subjects in China or for any such circumstances as provided by the law. The PIPL requires entities operating from outside the territory of China, to establish a dedicated office or to appoint a designated representative in China for the purpose of protection of personal information. It is stipulated that the data processing activities of foreign companies or individuals may be restricted and/or prohibited where they pose threat to national security. 
With such requirements under the PIPL, the Cybersecurity Law also encompasses certain data localization measures and requires that the companies operating in critical sectors have to store personal information on the servers in China and in case of transferring such personal information aboard, need to have the process approved by the Cyberspace Administration of China. Such organizations are required to obtain a certificate regarding the protection of personal information from a professional institution and are required to sign a standard contract prepared by the Cyberspace Administration of China. 

Rights of Data Subjects as per PIPL 

The PIPL or Personal Information Protection Law provides data subjects with various rights with respect to their personal information, including: 
  • Right to know and to decide relating to their personal information; 
  • Right to restrict or prohibit the processing of their personal information; 
  • Right to consult and copy their personal information from the processors; 
  • Right to correct and delete their personal information; and 
  • Right to request the processors to explain the processing rules. 
It is pertinent to note that the law has empowered the data subjects with better protection measures and control over their personal information and in furtherance thereof, it is important to note that the PIPL provides that a close relative of a natural person has the right to use the above-mentioned rights for their own legitimate and reasonable interests after the natural person has died unless the deceased data subject had made different arrangements while they were alive. 

Legal Bases for processing personal information under PIPL 

Heidi Waem discusses that the legal bases for processing personal information are quite similar to those carved out in the GDPR, and these are: 
  • Consent: The organizations can process personal information of the data subject only when they have consented to such processing for the particular, specific purpose/s; 
  • Performance of Contract: When a data subject has entered into a contract or has taken steps thereof, then the organization may process the personal information of the data subject under this basis. 
  • Legal Obligation: If the organization has a legal duty and if in compliance thereof, the organization is permitted to process the personal information of the data subject. 
  • Public Interest: If the organization is required to process personal information in the public interest or under the official authority, such processing is permitted. 
  • Legitimate Interest: Organizations can process the personal information in a proportionate and fair manner, as a data subject would treat their personal information , for the continuance of its business; and such other conditions as imposed by the authorities. 

PIPL Principles

The PIPL includes the following principles for processing personal information : 
  • Lawfulness: Personal information must be processed in a lawful, transparent, and in a fair manner. 
  • Data Minimization: Personal information that may be required for a particular purpose must only be processed and the processing of unnecessary data must be avoided.  
  • Storage Limitation: Personal information that is no longer required must be deleted and data required for purposes of statistical or research purposes or for public interest must be stored for longer periods than the retention period.  
  • Transparency: Personal information must be processed in a transparent manner without any ambiguity or vagueness.  
  • Accuracy: Personal information must be accurately collected and kept up to date. Further, the rectification of inaccurate data must be done in a timely manner and unnecessary data must be deleted.  
  • Data Security – The organizations must undertake adequate security measures to ensure that the personal information of the data subjects are protected and safe from breaches. They must also ensure that the processors, sub-processors if any; must have similar or adequate security measures.  

What is data transfer? And what amounts to the transfer of data? 

Data transfer is any information that is transferred from one location to another through a communication method. There is often a misconception pertaining to the information collection and information transfer. However, when an individual (data subject) shares personal information with the organization (the data controller) in their local jurisdiction, i.e., within their territory, it does not mean that data is transferred. When data is transferred by the data controller to an organization outside their territory, it amounts to data transfer and appropriate safeguards must be undertaken. Similarly, if an organization that collects information from the data subjects, shares the personal information with another entity within its territorial scope, it amounts to data transfer, and accordingly, appropriate safeguards must be undertaken. 

Transfer of data 

If a data controller wishes to share, disclose or otherwise transfer a data subject’s personal information to a third party, the data controller must: 
  • Inform the data subject of the purposes of the sharing or transfer of the personal information and the details of the transferee organization, and obtain prior express consent from the data subject; 
  • Perform a Personal Information Impact Assessment (PIIA), and take effective measures to protect the data subjects’ personal information according to the assessment results; 
  • Ensure that the personal information is only transferred for processing purposes; 
  • Not share or transfer any personal biometric information or other types of sensitive personal information, which are prohibited under relevant laws or regulations of China; and 
  • Ensure contractual measures are entered into, to require the transferee organization to comply or assist the data controller in complying with obligations under the PIPL.

Cross-Border Transfer of Personal Information

Cross-border transfers of personal data can only be performed for legitimate reasons, such as business necessity, and the transferor organization is required to take the appropriate steps to ensure that the transferee organization's processing activities meet the protection criteria outlined in the PIPL. Additionally, both a sufficient legal foundation and agreement from the data subjects would be required for such cross-border transfer to be permitted. 
The legal basis for cross-border transfers of personal information under the PIPL includes passing a security review organized by the cyberspace administration if the transferor organization is an operator of Critical Information Infrastructure (CII) or if the volume of the affected personal data reaches the threshold specified by the authority, being the Cyberspace Administration of China (CAC). It further encompasses obtaining personal information protection certification from a professional agency in accordance with the rules of the CAC and entering into an agreement with the transferee organization based on a standard contract form formulated by the CAC; or such other conditions provided by laws, administrative regulations or the CAC. 
Data subjects must be notified of the details such as name, contact details of the transferee organization, kind of personal information shared, purpose and method of processing, methods, and procedures for exercising their rights with respect to the transferee organization, etc. and give separate consent to the cross-border transfer of their personal information. 

Transfer of information to a foreign judicial or law enforcement 

Furthermore, companies are expressly forbidden from transmitting personal information held within China to foreign judicial or law enforcement agencies without the approval of Chinese authorities, regardless of whether there is a legal basis or consent is obtained. However, it remains unclear whether this extends to, requests from overseas industry regulators. In this respect, the PIPL clarifies that Chinese authorities may provide personal information stored within China to overseas legal or enforcement authorities upon request, if and to the extent that there are international treaties or regulations in place to maintain fairness and for mutual benefit. 
Moreover, according to the PIPL, a list of new publicly available entities may be published, listing the foreign organizations to which the organizations of China may not transfer personal information, where such transfer may harm national security or public interest.


China’s laws on personal information and data security have aligned strongly compared to other international standards. China’s laws intended to govern the use of personal information by organizations established in China, while also providing data subjects with control over their personal information. Though PIPL incorporates certain GDPR requirements, there are some significant variations between the two legislations and there is often a debate between the scope of the GDPR and PIPL and even with respect to certain interpretations, but it is pertinent to note that there are various factors that play a role such the geographical location of the country, its political situation, international treaties, its culture, its relation with foreign governments, etc.  
It is noteworthy that in many areas, the PIPL is pending supplementation and that crucial areas that regulation may clarify, include notification requirements, the threshold for the amount of personal information that would qualify as personal information, and more stringent requirements and retention periods, etc. The regulation has yet to go into effect and therefore, though the law looks rigorous in respect of data transfers, its true implementation will only be clarified once it is properly executed.  

About Punit Bhatia

Punit Bhatia is one of the leading privacy experts who helps CXOs and DPOs to identify and manage privacy risks by creating a privacy strategy and implementing it through setting and managing your privacy program and providing scenario based training to your key staff.  In a world that is digital, AI-driven, and has data in the cloud, Punit helps you to create a culture of privacy by establishing a privacy network and training your company's management and staff. 
For more information, please click here.

About Heidi Waem

Heidi Waem is a Counsel at DLA Piper and is data protection and privacy lawyer with almost 15 years of experience advising clients in the FMCG, technology, media, life sciences, financial and public sector on all aspects of European Union regulatory data protection compliance, including cybersecurity and assisting them in data protection and privacy litigation before the Belgian Data Protection Authority and the regular courts. Heidi regularly publishes articles on data protection and privacy and frequently speaks on such topics during webinars and events from organizations like Beltug, DPO Circle, and the VUB Brussels Privacy Hub.

Listen to the top ranked EU GDPR based privacy podcast...

Stay connected with the views of leading data privacy professionals and business leaders in today's world on a broad range of topics like setting global privacy programs for private sector companies, role of Data Protection Officer (DPO), EU Representative role, Data Protection Impact Assessments (DPIA), Records of Processing Activity (ROPA), security of personal information, data security, personal security, privacy and security overlaps, prevention of personal data breaches, reporting a data breach, securing data transfers, privacy shield invalidation, new Standard Contractual Clauses (SCCs), guidelines from European Commission and other bodies like European Data Protection Board (EDPB), implementing regulations and laws (like EU General Data Protection Regulation or GDPR, California's Consumer Privacy Act or CCPA, Canada's Personal Information Protection and Electronic Documents Act or PIPEDA, China's Personal Information Protection Law or PIPL, India's Personal Data Protection Bill or PDPB), different types of solutions, even new laws and legal framework(s) to comply with a privacy law and much more.
Created with