GDPR vs PIPL: EU vs China Data Protection Comparison (2026)
The EU's General Data Protection Regulation (GDPR) and China's Personal Information Protection Law (PIPL), which took effect on November 1, 2021, represent two fundamentally different approaches to data protection. While both laws protect individual privacy rights, the PIPL reflects China's emphasis on state authority and data sovereignty in ways that create significant compliance challenges for organizations operating across both jurisdictions.
This guide examines every major point of divergence between the two frameworks.
Background and Legislative Context
The GDPR emerged from the European tradition of privacy as a fundamental right, codified in the EU Charter of Fundamental Rights. It replaced the 1995 Data Protection Directive and harmonized data protection across 30 EEA countries starting May 25, 2018.
China's PIPL is the third pillar of a regulatory triad that includes the Cybersecurity Law (2017) and the Data Security Law (2021). Together, these three laws form a comprehensive framework governing data, cybersecurity, and information flows in and out of China. The PIPL was adopted by the Standing Committee of the National People's Congress on August 20, 2021, and became effective on November 1, 2021.
The PIPL shares structural similarities with the GDPR, and Chinese regulators studied the European model during the drafting process. However, the PIPL was also shaped by China's distinct policy objectives around data sovereignty, national security, and the regulation of large technology platforms.
Scope and Territorial Application
Both laws apply extraterritorially, but through different mechanisms.
The GDPR applies to organizations established in the EEA, or organizations outside the EEA that offer goods or services to individuals in the EEA or monitor their behavior. Non-EU organizations must appoint an EU representative under Article 27.
The PIPL applies to all processing of personal information within China. It also applies to processing outside China when the purpose is to provide products or services to individuals in China, to analyze or evaluate the behavior of individuals in China, or under other circumstances specified by law. Organizations outside China that fall within scope must establish a dedicated entity or appoint a representative in China to handle personal information protection matters (PIPL Article 53).
The practical impact of the PIPL's extraterritorial reach is amplified by China's ability to restrict market access for non-compliant organizations, giving the law enforcement leverage that the GDPR lacks.
Definitions and Protected Data
| Term | GDPR | PIPL |
|---|---|---|
| Protected individual | Data subject | Individual (personal information subject) |
| Protected data | Personal data | Personal information (gèrén xìnxī) |
| Sensitive data | Special categories (Art. 9) | Sensitive personal information (Art. 28) |
| Data collector | Controller | Personal information handler |
| Processing agent | Processor | Entrusted party |
| Privacy officer | DPO | Person responsible for personal information protection |
The PIPL defines "personal information" as any kind of information related to an identified or identifiable natural person recorded by electronic or other means, excluding anonymized information. This aligns with the GDPR's definition of personal data.
The PIPL's sensitive personal information category includes biometric data, religious beliefs, specific identity, medical health, financial accounts, and location tracking, as well as the personal information of minors under 14 years old. The GDPR's special categories cover racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and sexual orientation data.
Legal Bases for Processing
The GDPR provides six lawful bases under Article 6: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
The PIPL's Article 13 provides seven circumstances under which personal information handlers may process personal information:
| Legal Basis | GDPR | PIPL |
|---|---|---|
| Consent | Yes (Art. 6(1)(a)) | Yes (Art. 13(1)) |
| Contract performance | Yes (Art. 6(1)(b)) | Yes (Art. 13(2)) |
| Legal obligation | Yes (Art. 6(1)(c)) | Yes (Art. 13(3): statutory duties) |
| Public health emergency | Covered by vital interests | Yes (Art. 13(4)) |
| Public interest activities | Yes (Art. 6(1)(e)) | Yes (Art. 13(5): news reporting, public oversight) |
| Legitimate interests | Yes (Art. 6(1)(f)) | Not available as a legal basis |
| Processing publicly available data | Must still have a lawful basis | Yes (Art. 13(6): within reasonable scope) |
| Other statutory provisions | N/A | Yes (Art. 13(7)) |
| Vital interests | Yes (Art. 6(1)(d)) | Partially covered by emergency provisions |
The absence of a legitimate interests basis in the PIPL is one of the most significant practical differences. Under the GDPR, the legitimate interests basis serves as a flexible ground that organizations frequently rely on for direct marketing, fraud prevention, network security, and intra-group data sharing. Under the PIPL, these processing activities typically require consent or must fall under one of the other enumerated bases.
Consent Requirements: Separate Consent
The PIPL's consent requirements are more granular than the GDPR's in several respects.
The PIPL requires "separate consent" (a higher standard than ordinary consent) in specific situations:
- Providing personal information to third parties (Art. 23)
- Publicly disclosing personal information (Art. 25)
- Processing sensitive personal information (Art. 29)
- Transferring personal information outside China (Art. 39)
- Using images or personal identification collected by public surveillance equipment for non-public-safety purposes (Art. 26)
The GDPR requires explicit consent only for special categories of data under Article 9 and for international transfers under Article 49. The PIPL's separate consent requirement for third-party sharing and public disclosure goes beyond what the GDPR demands.
| Consent Feature | GDPR | PIPL |
|---|---|---|
| Standard consent | Freely given, specific, informed, unambiguous (Art. 7) | Voluntary, explicit, fully informed (Art. 14) |
| Sensitive data | Explicit consent required | Separate consent required |
| Cross-border transfer | Not required if other mechanisms used | Separate consent required |
| Third-party sharing | Standard consent sufficient | Separate consent required |
| Public disclosure | Standard consent sufficient | Separate consent required |
| Children's data | Parental consent under 16 (member states may lower to 13) | Parental consent under 14 |
| Withdrawal | Must be as easy as giving consent | Same principle (Art. 15) |
Government Access to Data
This is the area of greatest philosophical divergence between the two frameworks.
The GDPR limits government access to personal data through the principles of necessity and proportionality. EU law requires government surveillance to be subject to judicial or independent oversight, and the Court of Justice of the EU (CJEU) has struck down data retention laws and international transfer mechanisms (including the Privacy Shield) on the grounds that foreign government access was insufficiently limited.
The PIPL's Article 35 states that government agencies processing personal information for statutory duties must comply with the law's requirements. However, China's Cybersecurity Law, Data Security Law, National Intelligence Law (2017), and Counter-Espionage Law grant government authorities broad access to data held by organizations in China. The National Intelligence Law's Article 7 requires all organizations and citizens to "support, assist, and cooperate with national intelligence work."
These provisions create a structural tension with the GDPR. The European Data Protection Board (EDPB) has identified government access regimes in third countries as a factor in transfer impact assessments, and the absence of an EU adequacy decision for China reflects, in part, concerns about these access provisions.
Cross-Border Data Transfers
Cross-border transfer rules represent one of the starkest differences between the two frameworks.
The GDPR allows transfers through adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, codes of conduct, certification mechanisms, or derogations under Article 49. Organizations have multiple pathways and significant flexibility.
The PIPL establishes a tiered system under Article 38 with fewer options and heavier government involvement:
| Transfer Mechanism | GDPR | PIPL |
|---|---|---|
| Adequacy decision | Yes (Art. 45) | Not available as a mechanism |
| Standard contractual clauses | Yes (Art. 46) | Yes, must be filed with the CAC (Art. 38(3)) |
| Security assessment by government | Not required | Required for CIIOs and handlers processing above thresholds (Art. 40) |
| Certification | Yes (Art. 42) | Yes, by specialized institution (Art. 38(2)) |
| Binding corporate rules | Yes (Art. 47) | Not explicitly provided |
| Consent | Derogation only (Art. 49) | Required (separate consent, Art. 39) |
Critical Information Infrastructure Operators (CIIOs) must store personal information collected in China domestically. If cross-border transfer is necessary for business purposes, they must pass a security assessment conducted by the Cyberspace Administration of China (CAC). Non-CIIO organizations that process personal information exceeding certain volume thresholds (currently 1 million individuals or certain cumulative transfer volumes) also face the security assessment requirement.
The CAC published the Measures for the Standard Contract for Cross-border Transfer of Personal Information in 2023, providing a standard contract mechanism for smaller-scale transfers. However, even this path requires filing with the CAC, creating a government review layer that has no GDPR equivalent.
Data Localization
The PIPL, in conjunction with the Cybersecurity Law and Data Security Law, imposes data localization requirements that have no parallel in the GDPR.
CIIOs and personal information handlers processing above CAC-defined thresholds must store personal information within China (PIPL Article 40). Cross-border transfer is permitted only after passing a security assessment, and only for the amount of data necessary for the business purpose.
The GDPR does not require data localization within the EU. Data can flow freely within the EEA, and transfers outside the EEA are permitted through the mechanisms described above. There is no requirement to store a copy of data within EU territory.
Enforcement and Penalties
The PIPL's penalty structure exceeds the GDPR's in several respects.
| Enforcement Aspect | GDPR | PIPL |
|---|---|---|
| Primary enforcing authority | National DPAs (30+) | CAC and local departments (Art. 60) |
| Administrative fine (standard) | Up to EUR 10M or 2% global revenue | Up to RMB 1 million for the organization; RMB 10,000-100,000 for responsible individuals |
| Administrative fine (severe) | Up to EUR 20M or 4% global revenue | Up to RMB 50 million or 5% of prior year's revenue; responsible individuals fined up to RMB 1 million |
| Personal liability | Not typically imposed | Responsible individuals can be fined personally |
| Disqualification | Not typically imposed | Responsible individuals can be prohibited from serving as directors, supervisors, or senior management |
| Service suspension | Processing bans possible | Authorities can order cessation of services or revoke business licenses |
| Social credit | N/A | Violations recorded in credit files (Art. 67) |
The PIPL's 5% revenue threshold exceeds the GDPR's 4%. Perhaps more significantly, the PIPL imposes personal liability on responsible individuals, including fines of up to RMB 1 million (approximately USD 140,000) and potential career-ending prohibitions on serving as corporate officers. The GDPR does not generally impose personal liability on individual employees or officers.
The social credit system integration under Article 67 adds a unique enforcement dimension. Personal information protection violations are recorded in the organization's and responsible individual's credit files, potentially affecting their ability to conduct business in China.
Data Protection Officers
The GDPR requires DPOs for public authorities, organizations engaged in large-scale systematic monitoring, and organizations processing sensitive data at scale. DPOs must be independent and report to senior management (Articles 37-39).
The PIPL's Article 52 requires personal information handlers that process personal information above thresholds set by the CAC to designate a person responsible for personal information protection. This person must be named, and their contact information must be publicly disclosed and reported to the relevant department. The PIPL does not specify independence or reporting requirements with the same detail as the GDPR.
Practical Compliance for Dual-Jurisdiction Operations
Organizations subject to both the GDPR and PIPL face a challenging compliance landscape because the laws conflict in key areas:
- Data localization vs free flow: The PIPL's localization requirements for CIIOs and high-volume processors conflict with the GDPR's principle of free data flows within the EEA.
- Government access: The PIPL's government access provisions create risk under GDPR transfer impact assessments, making it difficult to justify EU-to-China data transfers.
- No legitimate interests basis: Processing activities that rely on legitimate interests under the GDPR (marketing, analytics, fraud detection) need an alternative legal basis under the PIPL, often consent.
- Separate consent requirements: The PIPL's separate consent rules for third-party sharing and cross-border transfers add consent collection requirements that the GDPR does not impose.
Many multinational organizations address these tensions by segmenting their data processing, maintaining separate data systems for Chinese and European operations, and minimizing cross-border transfers between the two jurisdictions.
For more detail on the GDPR framework, see our complete GDPR guide. For China's PIPL, see our [China data privacy laws guide](/world-laws/world-data-privacy-laws/china-data-privacy-laws).
This information reflects the law as of March 2026. Both frameworks continue to evolve through implementing regulations and enforcement actions. Consult an attorney for advice specific to your situation.
Sources and References
- PIPL Full Text (Personal Information Protection Law of the PRC) (npc.gov.cn)
- GDPR Article 6 - Lawfulness of Processing (gdpr-info.eu)
- GDPR Article 49 - Derogations for Specific Situations (gdpr-info.eu)
- Cyberspace Administration of China (cac.gov.cn)
- GDPR Articles 37-39 - Data Protection Officer (gdpr-info.eu)
- European Commission - Adequacy Decisions (commission.europa.eu)
- China Cybersecurity Law (2017) (npc.gov.cn)
- GDPR Article 83 - General Conditions for Imposing Fines (gdpr-info.eu)