China Data Privacy Laws: PIPL Compliance Guide (2026)

China has built one of the most comprehensive data privacy frameworks in the world. While many countries modeled their privacy laws on the European Union's General Data Protection Regulation (GDPR), China took a parallel but distinct path that reflects its national security priorities, state-driven governance model, and rapidly growing digital economy.
For any business operating in China, collecting data from Chinese residents, or transferring personal information across Chinese borders, understanding these laws is not optional. The penalties are severe, enforcement is accelerating, and the regulatory landscape continues to evolve.
This guide covers the three core data privacy laws, their requirements, enforcement history, and what compliance looks like in practice as of 2026.
The Three Pillars of China's Data Privacy Framework
China's data protection regime rests on three foundational laws, often called the "three pillars." Each addresses a different dimension of data governance, but they overlap in important ways.

Cybersecurity Law (CSL) -- Effective June 1, 2017
The Cybersecurity Law was China's first major piece of legislation addressing network security and data protection at the national level. It establishes baseline requirements for network operators, defines critical information infrastructure, and introduces the concept of data localization for certain categories of operators.
Key provisions include mandatory security assessments for network products and services, incident reporting obligations, real-name registration requirements, and restrictions on transferring personal information and "important data" outside of China.
Data Security Law (DSL) -- Effective September 1, 2021
The Data Security Law focuses on the classification, protection, and governance of data broadly, not just personal information. It introduced a tiered data classification system distinguishing between "core data," "important data," and general data, with escalating protection requirements for each tier.
The DSL applies to all data handling activities within China and can reach data handling activities outside China that may harm national security, the public interest, or the lawful rights of Chinese citizens and organizations.
Personal Information Protection Law (PIPL) -- Effective November 1, 2021
The PIPL is China's dedicated personal data protection statute. It defines the rights of data subjects, the obligations of personal information handlers (the PIPL equivalent of "data controllers"), and the rules governing cross-border data transfers.
The PIPL applies to any organization or individual that processes the personal information of natural persons within China. It also has extraterritorial reach: foreign entities that process personal information of people in China for the purpose of providing products or services to them, or analyzing and assessing their behavior, must comply with the PIPL and designate a representative within China.
Who Enforces China's Data Privacy Laws
The Cyberspace Administration of China (CAC) is the lead regulator for data protection and privacy. It oversees overall planning and coordination of personal information protection efforts.
Several other agencies share enforcement responsibilities within their respective sectors:
- Ministry of Industry and Information Technology (MIIT) handles telecommunications and internet services
- Ministry of Public Security (MPS) handles cybersecurity investigations and criminal enforcement
- State Administration for Market Regulation (SAMR) oversees consumer protection and certification standards
- Sector-specific regulators in finance, healthcare, transportation, and other industries enforce compliance within their domains
Local CAC offices and cybersecurity bureaus carry out investigations at the regional and municipal levels. This decentralized enforcement structure means that companies can face scrutiny from multiple regulators simultaneously.
Legal Basis for Processing Personal Information
Unlike the GDPR, the PIPL does not recognize "legitimate interest" as a standalone legal basis for processing personal information. This is one of the most significant practical differences for multinational companies.
Article 13 of the PIPL provides the following lawful bases for processing:
- Consent of the individual (the default and most common basis)
- Necessity to perform a contract to which the individual is a party
- Necessity to fulfill statutory duties or obligations
- Necessity to respond to public health emergencies or protect natural persons' life, health, or property in emergency situations
- Reasonable processing of already-public personal information for news reporting and public interest supervision
- Conducting human resources management in accordance with lawfully established labor rules and collective contracts
Consent must be informed, voluntary, and explicit. Individuals may withdraw consent at any time, and handlers cannot refuse to provide products or services solely because a user declines consent for non-essential processing.
Sensitive Personal Information: Heightened Requirements
The PIPL defines sensitive personal information as data that, if leaked or illegally used, could easily lead to infringement of a natural person's dignity or to harm to their person or property. The law explicitly identifies the following categories:
- Biometric data (including facial recognition features and fingerprints)
- Religious beliefs
- Specific identities (ethnicity, political affiliation)
- Medical and health information
- Financial account information
- Location tracking data
- Personal information of minors under 14 years of age
Processing sensitive personal information requires a specific purpose, sufficient necessity, and strict protective measures. Handlers must obtain separate consent from the individual, distinct from general processing consent. For minors under 14, consent must come from a parent or guardian.
Before processing sensitive personal information, the handler must conduct a Personal Information Protection Impact Assessment (PIPIA) and retain the assessment results and processing records for at least three years.
Facial Recognition Rules
China has issued specific regulations governing facial recognition technology. Facial recognition may only be used in public spaces for public security purposes unless each individual provides separate, informed consent. The judicial interpretation further prohibits bundling consent for facial recognition with consent for other services.
Individual Rights Under the PIPL
The PIPL grants data subjects a comprehensive set of individual rights over their personal information:
- Right to be informed about the handler's identity, processing purposes, retention periods, and how to exercise rights
- Right of access to their personal information, including the right to obtain a copy
- Right to rectification of inaccurate or incomplete personal information
- Right to deletion when processing purposes have been achieved, consent has been withdrawn, services have ceased, or processing violates laws or agreements
- Right to data portability to transfer personal information to another handler under conditions prescribed by the CAC
- Right to refuse or restrict processing
- Right to an explanation of automated decision-making that significantly affects individual rights
- Right to object to automated decisions and request human review
- Rights of a deceased person's close relatives to access, copy, correct, or delete the deceased individual's personal information in pursuit of their own legitimate interests
Handlers must establish convenient mechanisms for individuals to exercise these rights and must respond to requests in a timely manner.
Cross-Border Data Transfer Rules
One of the PIPL's most consequential provisions governs the transfer of personal information outside of China. This affects any multinational company that processes data from Chinese users at overseas offices or data centers.
Three Pathways for Lawful Transfer
As of 2026, China has finalized a "3+1+4" cross-border data framework consisting of three core laws, one administrative regulation (the Network Data Security Management Regulations), and four implementing rules. Personal information handlers must use one of three mechanisms:
1. CAC Security Assessment (mandatory for high-risk transfers)
Required for Critical Information Infrastructure Operators (CIIOs), handlers transferring "important data," and handlers that have processed personal information of more than 1 million individuals. The handler submits a self-assessment to the CAC, which then conducts its own security review.
2. Standard Contractual Clauses (SCCs)
Best suited for lower-volume, lower-risk transfers. The handler enters into a contract with the overseas recipient using the CAC-prescribed template. The contract imposes obligations on the foreign recipient equivalent to PIPL requirements.
3. Personal Information Protection Certification
The certification pathway was finalized with the Measures for the Certification of the Outbound Transfer of Personal Information, issued October 17, 2025 and effective January 1, 2026. Certification is conducted by CAC-accredited institutions and is better suited for enterprises with frequent, high-risk, or high-volume transfers.
Regardless of which mechanism is used, handlers must always obtain separate consent from the data subjects whose information will be transferred and must conduct a PIPIA before the transfer.
First Enforcement Case on Cross-Border Transfers
In May 2025, Shanghai authorities imposed the first publicly disclosed administrative penalty specifically targeting unlawful cross-border transfers. A multinational company was penalized for transferring Chinese users' personal information to its French headquarters without completing any of the three required mechanisms.
Critical Information Infrastructure Operators (CIIOs)
An entity is classified as a CIIO if its incapacitation or destruction, or the leakage of its data, could seriously endanger national security, the national economy, or the public interest. Sectors likely to contain CIIOs include public communication and information services, energy, transportation, water resources, finance, public services, e-government, and national defense.
CIIOs face the strictest requirements under the framework:
- Data localization: All personal information and "important data" collected and generated during operations in China must be stored within mainland China
- Mandatory CAC security assessment before any cross-border data transfer (the SCC and certification pathways are not available)
- Appointment of a personal information protection officer (DPO equivalent)
- Regular security assessments and inspections by the CAC
- Incident reporting obligations with compressed timelines
Data Protection Officer Requirements
Under Article 52 of the PIPL, entities processing personal information exceeding certain volume thresholds must appoint a personal information protection officer (the Chinese equivalent of a Data Protection Officer).
The CAC has set the threshold at processing personal information of more than 1 million individuals. In July 2025, the CAC launched an online portal for DPO registration, requiring companies to submit detailed information including company details, the DPO's identity, nationality, and contact information, and the scope of data processing activities the DPO oversees.
The DPO is responsible for overseeing compliance with the PIPL, including conducting or commissioning personal information protection compliance audits.
Compliance Audit Requirements
The Measures for Personal Information Protection Compliance Audits, issued February 14, 2025 and effective May 1, 2025, made compliance audits a mandatory obligation under the PIPL.
Key requirements include:
- Entities processing personal information of more than 10 million individuals must conduct audits at least once every two years
- Processors of minors' personal information should conduct audits annually
- Audits may be self-conducted or commissioned to an external professional institution
- The CAC may order a mandatory audit by a professional institution if it identifies high risks or after a data security incident
- Audit results must be reported to the relevant authorities
The previous threshold of 1 million individuals was raised to 10 million in the final regulations, providing some relief for mid-sized data processors.
Penalties and Enforcement
Penalty Structure
The PIPL imposes a graduated penalty framework:
For standard violations:
- Orders to rectify and warnings
- Confiscation of illegal gains
- Suspension or termination of non-compliant applications or services
- Fines up to RMB 1 million for the organization
- Fines of RMB 10,000 to RMB 100,000 for directly responsible individuals
For serious violations:
- Fines up to RMB 50 million or 5% of annual revenue from the previous fiscal year
- Personal fines up to RMB 1 million for responsible individuals
- Prohibition from serving as director, supervisor, or senior manager of a company for a defined period
- Criminal liability in the most severe cases
Landmark Enforcement Actions
Didi Chuxing (July 2022): The CAC fined ride-hailing giant Didi Global RMB 8.026 billion (approximately USD 1.2 billion) for violations spanning seven years. The investigation found that Didi illegally processed more than 64.7 billion pieces of personal information, including excessive and forced collection of user data. Didi's chairman and president were each fined RMB 1 million personally. The penalty was calculated based on the 5% annual turnover provision and remains the largest data protection fine ever issued globally, surpassing Amazon's EUR 746 million GDPR fine.
Cross-Border Transfer Case (May 2025): Shanghai public security authorities penalized a European luxury brand's Shanghai subsidiary for illegally transferring personal information to its French headquarters without using any of the required cross-border transfer mechanisms. This was the first publicly disclosed enforcement action specifically targeting cross-border data transfer violations.
Ongoing Enforcement Trends: Throughout 2025, Chinese authorities conducted coordinated enforcement campaigns targeting six high-incidence areas: mobile apps and mini-programs, software development kits (SDKs), smart terminals, facial recognition in public spaces, offline consumer scenarios, and data-related crimes.
Network Data Security Management Regulations (Effective January 1, 2025)
The Network Data Security Management Regulations are administrative rules issued by the State Council to implement the three pillar laws. They provide detailed operational requirements that fill gaps in the primary legislation.
Notable provisions include:
- Raising the threshold for treating personal data as "important data" from 1 million to 10 million individuals
- Requiring that network platform operators with large user bases establish independent oversight bodies for personal information protection
- Mandating that data processors publish and maintain an accessible privacy policy covering specific required elements
- Strengthening requirements for data processors that provide services to minors
How China's PIPL Compares to GDPR
While the PIPL draws significant inspiration from the GDPR, several critical differences set it apart:
| Feature | PIPL | GDPR |
|---|---|---|
| Legal basis | No "legitimate interest" basis | Includes legitimate interest |
| Government access | Broad government access provisions for national security | Subject to necessity and proportionality |
| Data localization | Mandatory for CIIOs and large-scale processors | No general data localization requirement |
| Cross-border transfers | Three specific mechanisms required, plus separate consent | Adequacy decisions, SCCs, BCRs, and other mechanisms |
| Consent withdrawal | Handlers cannot refuse service because consent for non-essential processing is declined or withdrawn | Similar but less explicit |
| DPO threshold | 1 million+ individuals processed | Based on nature and scale of processing |
| Maximum fine | 5% of annual revenue or RMB 50M | 4% of global annual turnover or EUR 20M |
| Personal liability | Up to RMB 1M for individuals, career bans | Less emphasis on personal liability |
| Compliance audits | Mandatory at prescribed intervals | Not specifically mandated |
The most significant practical difference is the absence of "legitimate interest" as a processing basis, which forces organizations that rely on it under the GDPR to identify alternative lawful bases for their China operations.
2026 Outlook and Recent Developments
Based on regulatory trends, enforcement in 2026 is expected to focus on:
- Enforcement effectiveness over new legislation: The regulatory framework is largely complete, and authorities are shifting focus from drafting rules to ensuring compliance
- Cross-border data transfer scrutiny: With all three transfer mechanisms now fully operational, regulators are expected to increase enforcement against unauthorized transfers
- Compliance audit implementation: The first mandatory audit cycle is now underway, and regulators will be reviewing audit results
- AI and automated decision-making: Additional guidance on AI-driven personal information processing is anticipated
- Sector-specific enforcement: Continued campaigns targeting mobile apps, facial recognition, and consumer data scenarios
The certification standard for cross-border transfers (GB/T 46068-2025) took effect on March 1, 2026, completing the regulatory toolkit for international data flows.
Sources and References
- Personal Information Protection Law full text, Stanford DigiChina translation (stanford.edu)
- Hong Kong PCPD overview of the Mainland PIPL (pcpd.org.hk)
- CAC fines Didi RMB 8 billion for PIPL, CSL, and DSL violations (dataguidance.com)
- Data Protection Laws in China, DLA Piper (dlapiperdataprotection.com)
- China Data Protection and Cybersecurity Annual Review 2025, Bird and Bird (twobirds.com)
- Measures for Personal Information Protection Compliance Audits, Mayer Brown (mayerbrown.com)
- Data Protection and Privacy 2025: China, Chambers and Partners (chambers.com)
- Network Data Security Management Regulations, IAPP (iapp.org)
- China Cross-Border Data Transfer Certification Measures, China Briefing (china-briefing.com)
- China DPO Reporting Requirement, Covington (insideprivacy.com)
- PIPL vs GDPR Key Differences, China Briefing (china-briefing.com)
- Unpacking the DiDi Decision, Stanford DigiChina (stanford.edu)