GDPR vs PIPL: EU and China Data Privacy Laws Compared (2026)
The GDPR and China's PIPL share a similar structure but diverge on several operationally critical points: PIPL Article 13 omits legitimate interests as a lawful basis, requires separate consent for third-party sharing and cross-border transfers, mandates data localization for high-volume handlers, and imposes personal liability on responsible individuals.
The EU's General Data Protection Regulation (GDPR) and China's Personal Information Protection Law (PIPL), effective November 1, 2021, represent two fundamentally different philosophies of data protection. Both laws grant individuals rights over their personal information, but the PIPL reflects China's distinct emphasis on state authority and data sovereignty. For organizations operating across both jurisdictions, the differences in legal bases, consent requirements, cross-border transfer rules, and supervisory structure create material compliance complexity.
This article covers the two frameworks side by side, including 2025-2026 regulatory developments under both regimes.
Information last verified on 2026-05-19. This article has not yet been reviewed by a licensed lawyer.
Jurisdiction scope: This article addresses the EU General Data Protection Regulation (GDPR, applicable in all 30 EEA member states) and China's Personal Information Protection Law (PIPL, effective November 1, 2021), along with China's Cybersecurity Law (as amended, effective January 1, 2026) and Data Security Law (effective September 1, 2021). It does not address US state privacy laws (for those, see US data privacy laws) or other national privacy regimes. For the full PIPL context within China's broader legal framework, see our China data privacy laws guide.
GDPR vs PIPL: At a Glance
The table below captures the highest-leverage comparison points. Detailed analysis follows in each section.
| Feature | GDPR | PIPL |
|---|---|---|
| Jurisdiction | 30 EEA member states | China (People's Republic) |
| Effective date | May 25, 2018 | November 1, 2021 |
| Extraterritorial reach | Yes (Art. 3) | Yes (Art. 3) |
| Lawful bases | 6, including legitimate interests | 7, but NO legitimate interests |
| Separate consent required for third-party sharing | No | Yes (Art. 23) |
| Data localization | Not required | Required for CIIOs and high-volume handlers |
| Cross-border transfer mechanisms | Adequacy, SCCs, BCRs, certification, derogations | Security assessment, standard contract (filed with CAC), certification |
| Max fine (organization) | EUR 20M or 4% global revenue | RMB 50M or 5% of prior year's revenue |
| Personal liability (individuals) | Not typically imposed | Yes: up to RMB 1M; career prohibition |
| Supervisory body | National DPAs + EDPB | CAC (lead) + MIIT, MPS, SAMR, financial regulators |
| Response time for rights requests | 1 month (extendable) | "Timely" (no fixed deadline) |
| Rights for deceased persons' family | No | Yes (Art. 49) |
| Mandatory compliance audits | Not required | Yes: every 2 years for 10M+ individual processors (effective May 1, 2025) |
Background and Legislative Context
The GDPR emerged from the European tradition of privacy as a fundamental right, codified in Article 8 of the EU Charter of Fundamental Rights. It replaced the 1995 Data Protection Directive and harmonized data protection across 30 EEA countries starting May 25, 2018.
China's PIPL is one pillar of a three-law stack that governs cybersecurity, data security, and personal information in China. The other two are the Cybersecurity Law (CSL) and the Data Security Law (DSL, effective September 1, 2021). Together, these three laws form a comprehensive framework for information flows in and out of China. The PIPL was adopted by the Standing Committee of the National People's Congress on August 20, 2021, and became effective November 1, 2021.
The PIPL shares structural similarities with the GDPR -- Chinese regulators studied the European model during drafting. However, the PIPL was also shaped by China's distinct policy objectives around data sovereignty, national security, and the regulation of large technology platforms. The result is a law that looks familiar in structure but diverges sharply on some of the most operationally important details.
Scope and Territorial Application
Both laws apply extraterritorially, but through different mechanisms.
The GDPR applies under Article 3 to organizations established in the EEA and to organizations outside the EEA that offer goods or services to individuals in the EEA or monitor their behavior. Non-EU organizations within scope must appoint an EU representative under Article 27.
The PIPL applies under Article 3 to all processing of personal information within China, and also applies outside China when the purpose is to provide products or services to individuals in China, to analyze or evaluate the behavior of individuals in China, or in other circumstances specified by law. Organizations outside China within scope must establish a dedicated entity or appoint a representative in China for personal information protection matters (PIPL Article 53).
The practical enforcement leverage differs. The EU relies on sanctions, processing bans, and -- for EU-to-third-country transfers -- the adequacy mechanism. China can restrict market access directly for non-compliant foreign organizations, giving the PIPL enforcement reach that the GDPR lacks.
The Guangzhou Internet Court issued the first published judgment on PIPL extraterritoriality in Fall 2024. A Chinese hotel guest sued an unnamed French hotel group after the group transferred the guest's personal information to third parties without obtaining the separate consent required by PIPL Article 23. The court found the hotel group liable. The case confirms that Chinese courts will apply PIPL standards to foreign organizations' processing of Chinese residents' data.
Definitions and Protected Data
| Term | GDPR | PIPL |
|---|---|---|
| Protected individual | Data subject | Individual (personal information subject) |
| Protected data | Personal data | Personal information |
| Sensitive data | Special categories (Art. 9) | Sensitive personal information (Art. 28) |
| Data collector | Controller | Personal information handler |
| Processing agent | Processor | Entrusted party |
| Privacy officer | Data Protection Officer (DPO) | Person responsible for personal information protection |
The PIPL defines personal information as any information related to an identified or identifiable natural person recorded by electronic or other means, excluding anonymized information. The GDPR's personal data definition is substantively equivalent.
The PIPL's sensitive personal information category (Art. 28) includes biometric data, religious beliefs, specific identity information, medical and health information, financial accounts, location tracking, and the personal information of minors under 14 years old. The GDPR's special categories (Art. 9) cover racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, and sexual orientation data. The PIPL adds minors' data and financial account data to the sensitive category; the GDPR adds political opinions, trade union membership, and sexual orientation.
Legal Bases for Processing
The GDPR provides six lawful bases under Article 6: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests.
The PIPL's Article 13 provides seven circumstances under which personal information handlers may process personal information. The critical omission is legitimate interests.
| Legal Basis | GDPR | PIPL |
|---|---|---|
| Consent | Yes (Art. 6(1)(a)) | Yes (Art. 13(1)) |
| Contract performance | Yes (Art. 6(1)(b)) | Yes (Art. 13(2)) |
| Legal obligation | Yes (Art. 6(1)(c)) | Yes (Art. 13(3): statutory duties) |
| Vital interests | Yes (Art. 6(1)(d)) | Partially, via emergency provisions |
| Public interest | Yes (Art. 6(1)(e)) | Yes (Art. 13(5): news reporting, public oversight) |
| Legitimate interests | Yes (Art. 6(1)(f)) | Not available |
| Public health emergency | Covered by vital interests | Yes (Art. 13(4)) |
| Publicly available data | Must still have a lawful basis | Yes (Art. 13(6): within reasonable scope) |
| Other statutory provisions | N/A | Yes (Art. 13(7)) |
The absence of a legitimate interests basis in the PIPL is one of the most significant practical differences for multinational organizations. Under the GDPR, legitimate interests is the legal basis most commonly used for direct marketing, fraud prevention, network and information security, intra-group data sharing, and analytics. Under the PIPL, organizations must typically obtain consent for these activities or restructure them to fall under another enumerated basis.
Consent Requirements: Separate and Granular
The PIPL's consent requirements are more granular than the GDPR's. Both laws require consent to be freely given, specific, informed, and capable of being withdrawn as easily as it was given.
The PIPL goes further by requiring separate consent (a higher standard than ordinary consent, given specifically for the activity in question) in five specific situations:
- Providing personal information to third parties (Art. 23)
- Publicly disclosing personal information (Art. 25)
- Processing sensitive personal information (Art. 29)
- Transferring personal information outside China (Art. 39)
- Using images or personal identification collected by public surveillance equipment for non-public-safety purposes (Art. 26)
The GDPR requires explicit consent only for special categories of personal data under Article 9 and as a derogation for international transfers under Article 49. The PIPL's separate consent requirements for third-party sharing and public disclosure go beyond what the GDPR demands.
| Consent Feature | GDPR | PIPL |
|---|---|---|
| Standard consent | Freely given, specific, informed, unambiguous (Art. 7) | Voluntary, explicit, fully informed (Art. 14) |
| Sensitive/special categories | Explicit consent required (Art. 9) | Separate consent required (Art. 29) |
| Cross-border transfer | Not required if other mechanisms used (Art. 46) | Separate consent required regardless of mechanism (Art. 39) |
| Third-party sharing | Standard consent sufficient | Separate consent required (Art. 23) |
| Public disclosure | Standard consent sufficient | Separate consent required (Art. 25) |
| Children's data | Parental consent under 16 (member states may lower to 13) | Parental or guardian consent under 14 (Art. 31) |
| Withdrawal | Must be as easy as giving consent (Art. 7(3)) | Same principle (Art. 15) |
| Bundled consent | Must be specific; bundling for unrelated purposes is invalid | Bundled consent prohibited (Art. 17) |
Individual Rights: PIPL Articles 44-50 vs GDPR Chapter 3
Both laws grant individuals substantial rights over their personal information, with the PIPL largely tracking GDPR Chapter 3 in structure but differing on timelines and scope.
The rights under PIPL Articles 44-50 are:
- Right to know and decide (Art. 44): individuals may restrict or refuse processing of their personal information. This maps to the GDPR's right to object (Art. 21) and right to restrict processing (Art. 18).
- Right of access (Art. 45): individuals may access a copy of their personal information held by an organization. The GDPR equivalent is Article 15.
- Right to correction (Art. 46): individuals may request correction of inaccurate personal information. The GDPR equivalent is Article 16.
- Right to erasure (Art. 47): organizations must delete personal information where the processing purpose has been achieved, the retention period has expired, consent has been withdrawn, processing was unlawful, or other grounds apply. The GDPR equivalent is Article 17.
- Right to data portability (Art. 45): individuals may request transfer of personal information to another handler, but only where the conditions specified by the CAC are met. The GDPR's Article 20 portability right applies more broadly to consent-based and contract-based processing.
- Right regarding automated decisions (Art. 24): where automated decision-making has a significant effect on an individual's rights and interests, the individual may request explanation and may refuse to accept decisions made solely through automated means. The GDPR's Article 22 covers automated individual decision-making with a similar scope.
- Rights for deceased persons' family (Art. 49): family members of a deceased individual may exercise access, correction, and deletion rights in their legitimate interests. The GDPR has no equivalent provision.
| Right | GDPR | PIPL |
|---|---|---|
| To be informed | Arts. 13-14 (at collection) | Art. 17 (notice required at collection) |
| Access | Art. 15 (1 month to respond) | Art. 45 ("timely" response) |
| Rectification | Art. 16 | Art. 46 |
| Erasure | Art. 17 | Art. 47 |
| Restrict processing | Art. 18 | Art. 44 (restrict or refuse) |
| Data portability | Art. 20 (broad) | Art. 45 (CAC conditions apply) |
| Object to processing | Art. 21 | Art. 44 |
| Automated decisions | Art. 22 | Art. 24 |
| Response timeline | 1 month, extendable to 3 (Art. 12) | "Timely" -- no statutory deadline |
| Deceased persons' family | Not provided | Art. 49 |
The absence of a fixed response deadline in the PIPL creates enforcement asymmetry. Organizations in China cannot plan their request-response infrastructure around a specific statutory clock, and individuals exercising rights have less certainty about when to expect a response.
Supervisory Structure: EDPB/DPAs vs CAC and Multi-Regulator Model
The two frameworks use fundamentally different supervisory architectures.
Under the GDPR, each EU member state designates one or more national supervisory authorities (DPAs). These DPAs are required to be fully independent and exercise their powers impartially (Art. 52). For organizations operating across multiple EU member states, the one-stop-shop mechanism (Art. 56) allows the DPA of the member state where the organization's main establishment is located to act as lead supervisory authority for cross-border processing. The European Data Protection Board (EDPB) coordinates consistency across national DPAs, issues binding decisions in cross-border disputes, and publishes guidelines, recommendations, and opinions that shape how DPAs enforce the GDPR across the EEA.
China's PIPL uses a multi-regulator model set out in Article 60. No single authority has jurisdiction equivalent to a national DPA. The Cyberspace Administration of China (CAC) takes the lead and coordinating role. Other regulators exercise authority within their designated sectors:
- MIIT (Ministry of Industry and Information Technology): apps, telecommunications, internet services, software
- Ministry of Public Security (MPS): security-related personal information processing, surveillance, facial recognition
- SAMR (State Administration for Market Regulation): consumer-facing products and services, e-commerce
- Financial sector regulators (People's Bank of China, CBIRC, CSRC): financial data processed by institutions under their supervision
- Health regulators: health and medical data
- Local counterparts of each ministry: enforcement at the provincial and municipal level
In 2025, the CAC led multi-departmental enforcement actions alongside MIIT and public security agencies, targeting six high-incidence areas: apps and mini-programs, software development kits (SDKs), smart terminals, facial recognition in public places, offline consumer scenarios, and data-related criminal activity.
For organizations subject to both frameworks, the practical difference is significant. Under the GDPR, a company can identify its lead DPA based on its main EU establishment and engage primarily with that authority. Under the PIPL, responsibility is distributed across sector regulators, and multiple agencies may have concurrent jurisdiction over a single organization's activities.
Government Access to Personal Data
This is the area of greatest philosophical divergence between the two frameworks.
The GDPR limits government access to personal data through the principles of necessity and proportionality (Art. 23). EU law requires government surveillance to be subject to judicial or independent oversight. The Court of Justice of the EU (CJEU) has struck down international transfer mechanisms on the grounds that foreign government access was insufficiently limited, including the US-EU Privacy Shield in 2020 (Schrems II).
China's framework requires broad cooperation with government authorities. The National Intelligence Law (2017) Article 7 requires all organizations and citizens to "support, assist, and cooperate with national intelligence work." The Counter-Espionage Law, substantially amended in 2023, expanded the categories of information that may not be transmitted abroad. PIPL Article 35 provides that government agencies processing personal information for statutory duties must comply with the PIPL's requirements, but the National Intelligence Law, the Data Security Law (which governs "important data" in the national interest), and the amended CSL together create broad state-access obligations.
The EDPB has identified government access regimes in third countries as a factor that organizations must weigh in transfer impact assessments. The absence of an EU adequacy decision for China reflects, in part, concerns about these provisions. As of May 2026, no adequacy negotiation between the EU and China is underway.
Cross-Border Data Transfers
Cross-border transfer rules represent one of the starkest operational differences between the two frameworks.
The GDPR allows transfers through: adequacy decisions (Art. 45), Standard Contractual Clauses (SCCs, Art. 46), Binding Corporate Rules (BCRs, Art. 47), codes of conduct and certification (Art. 40-42), or derogations for specific situations (Art. 49). Organizations have multiple pathways with significant flexibility, and no transfer mechanism requires pre-filing with a government regulator.
The PIPL's Article 38 establishes three transfer mechanisms with mandatory government involvement in two of the three:
| Transfer Mechanism | GDPR | PIPL |
|---|---|---|
| Adequacy decision | Yes (Art. 45) | Not available |
| Standard contractual clauses | Yes (Art. 46); no government filing | Yes (Art. 38(3)); must be filed with CAC |
| Security assessment by CAC | Not required | Required for CIIOs and high-volume handlers |
| Certification by institution | Yes (Art. 42) | Yes (Art. 38(2)); CAC-designated institution; CAC/SAMR joint measures effective 2026 |
| Binding corporate rules | Yes (Art. 47) | Not explicitly available |
| Consent of data subject | Derogation only (Art. 49) | Required separately for ALL transfers (Art. 39) |
The security assessment by the CAC is mandatory for Critical Information Infrastructure Operators (CIIOs) and for non-CIIO organizations that, in the prior year, processed the personal information of 100,000 or more individuals, processed the sensitive personal information of 10,000 or more individuals, or have cumulatively transferred the personal information of 1 million or more individuals overseas. Organizations below these thresholds may use the standard contract route (with CAC filing) or the certification route.
The certification route was formalized when the CAC and SAMR jointly issued the Measures for Certification of Cross-border Transfers of Personal Information in 2025-2026. Certification institutions must register with the CAC within 10 working days of receiving SAMR approval. This completed the three-track transfer framework that the PIPL had contemplated since its enactment.
Regardless of which mechanism is used, PIPL Article 39 requires the organization to separately inform the individual data subject and obtain their separate consent before each cross-border transfer. This requirement has no equivalent in the GDPR.
Data Localization
The PIPL, in conjunction with the CSL and DSL, imposes data localization requirements that have no GDPR parallel.
CIIOs must store personal information collected and generated within China domestically (PIPL Art. 40; CSL Art. 37). Non-CIIO personal information handlers that cross the security assessment thresholds must also store data locally and may only transfer data abroad after passing the CAC security assessment. The amended CSL (effective January 1, 2026) expanded the scope of network operators subject to localization-adjacent obligations and aligned the penalty structure for violations with the PIPL's tiered fines.
The GDPR contains no data localization requirement. Data flows freely within the EEA, and cross-border transfers outside the EEA are permitted through the mechanisms described above. There is no requirement to maintain a copy of personal data within EU territory.
This divergence creates a structural compliance problem for organizations that operate integrated EU-China data systems. Maintaining separate data silos for Chinese and European operations is the most common solution -- but it entails ongoing infrastructure cost and limits the operational benefits of data centralization.
Enforcement and Penalties
Both frameworks carry significant penalties, but the PIPL's personal liability provisions make it uniquely severe for individual officers.
| Enforcement Aspect | GDPR | PIPL |
|---|---|---|
| Primary enforcing authority | National DPAs (30+) coordinated by EDPB | CAC (lead) + MIIT, MPS, SAMR, financial regulators |
| Standard administrative fine | Up to EUR 10M or 2% of global annual revenue (Art. 83(4)) | Up to RMB 1 million for the organization |
| Severe administrative fine | Up to EUR 20M or 4% of global annual revenue (Art. 83(5)) | Up to RMB 50 million or 5% of prior year's revenue |
| Personal liability for individuals | Not typically imposed | Fines of RMB 100,000-1,000,000 on responsible individuals |
| Career disqualification | Not typically imposed | Prohibition on serving as director, supervisor, or senior management |
| Service suspension | Processing bans possible | Authorities may order cessation of services or revoke licenses |
| Social credit recording | N/A | Violations recorded in credit files of organization and responsible individuals (Art. 67) |
| Breach notification | 72 hours to regulator (Art. 33) | "Immediately" to regulator (Art. 57) |
GDPR enforcement has accelerated: total fines issued since May 2018 exceeded EUR 5.65 billion as of early 2025. Notable 2024 enforcement actions include LinkedIn Ireland (EUR 310 million, Irish DPC, behavioral advertising), Uber (EUR 290 million, Dutch DPA, inadequate EU-US transfer safeguards), and Meta (EUR 251 million, Irish DPC, 2018 data breach). The Irish DPC has issued over EUR 3.5 billion in fines since 2018, principally against large US technology companies with EU main establishments in Ireland.
PIPL enforcement has expanded similarly. In 2024, the CAC interviewed 11,159 platforms, fined or warned 4,046, and shut down 10,946 websites. Notable cases include Dior's Shanghai subsidiary (September 2025, penalized for unauthorized cross-border data transfers, inadequate consent, and insufficient security measures) and the Guangzhou Internet Court's first PIPL extraterritoriality judgment (Fall 2024, finding a French hotel group liable for transferring guest data without separate consent).
The Wider Chinese Data-Law Stack: CSL, DSL, and PIPL
Organizations doing business in China face three interlocking statutes that interact with the PIPL.
Cybersecurity Law (CSL, amended effective January 1, 2026). Originally enacted in 2017, the CSL governs network operators and Critical Information Infrastructure Operators. The Standing Committee of the National People's Congress passed amendments on October 28, 2025, and the revised CSL took effect January 1, 2026. Key changes in the amended CSL include:
- Tiered penalty structure: fines up to RMB 10 million for businesses and RMB 1 million for individuals for particularly serious violations (versus lower prior caps)
- First-time AI governance provisions: Article 20 promotes AI R&D and training data development while mandating AI ethical standards, risk monitoring, and security measures against AI-enabled threats
- Expanded extraterritorial scope: the amended law covers any foreign organization or individual whose activities "endanger the cybersecurity of China" -- broader than the prior law's focus on activities harming critical information infrastructure
- Supply chain obligations: CIIOs face fines of 1-10 times the procurement value for using unauthorized network products; both purchasers and suppliers now bear direct legal obligations
- Mitigating circumstances: new Article 73 allows reduced penalties for violations promptly corrected, proactively disclosed, or of minor consequence with full cooperation
Data Security Law (DSL, effective September 1, 2021). The DSL governs data other than personal information -- specifically "important data" and "core data" in the national interest. It requires organizations to classify data by importance level, implement security measures proportionate to the classification, and obtain government approval before transferring important or core data abroad. The DSL applies to data processing activities in China and, under Article 2, to activities outside China that harm China's national security, public interests, or citizens' or organizations' lawful rights and interests.
PIPL. Governs personal information specifically, sitting on top of the DSL's data security requirements. A single piece of data (e.g., a database of Chinese consumers) can trigger obligations under all three laws simultaneously.
For organizations outside China, the amended CSL's expanded extraterritorial scope means that cybersecurity-related activities affecting Chinese networks -- not only personal information processing -- can now directly expose foreign organizations to Chinese regulatory jurisdiction.
Recent Developments (2025-2026)
PIPL Compliance Audit Management Measures (effective May 1, 2025). The CAC promulgated these measures on February 14, 2025. Organizations processing personal information of more than 10 million individuals must conduct self-initiated compliance audits at least every two years. Regulators may also order mandatory audits for any organization when processing activities involve significant risk, widespread impact on individual rights, or a major security incident affecting 1 million or more individuals. Audit elements include: lawful bases, notice and consent, cross-border transfer compliance, automated decision-making, sensitive data handling, retention and deletion, data subject request procedures, and incident response. Third-party auditors may not audit the same organization more than three times.
Cross-Border Certification Measures (effective 2026). The CAC and SAMR jointly issued the Measures for Certification of Cross-border Transfers of Personal Information, completing the three-track transfer framework contemplated by PIPL Article 38. The certification route is available to non-CIIO organizations transferring between 100,000 and 1 million personal information records (or below 10,000 sensitive records) annually. Certification institutions must register with the CAC within 10 working days of SAMR approval.
Amended Cybersecurity Law (effective January 1, 2026). As described above, the amended CSL introduced tiered penalties, AI governance, expanded extraterritorial scope, and new supply chain obligations. For organizations already subject to the PIPL, the amended CSL adds a further compliance layer covering network and cybersecurity obligations.
GDPR enforcement trajectory (2024-2025). GDPR fines exceeded EUR 1.2 billion in 2024 alone, with enforcement expanding beyond large technology companies into financial services and energy sectors. The EDPB's expanded use of Art. 65 urgency procedures has accelerated cross-border case resolution.
Dual-Compliance Guidance
Organizations subject to both the GDPR and PIPL face conflicts in several key areas. The following checklist maps the divergences most likely to require structural compliance choices.
| Issue | GDPR Requirement | PIPL Requirement | Compliance Strategy |
|---|---|---|---|
| Legal basis for marketing | Legitimate interests or consent | Consent (no legitimate interests) | Obtain consent for China; legitimate interests acceptable for EU if balance test met |
| Third-party data sharing | Standard consent or another lawful basis | Separate consent | Implement granular consent UX capturing separate consent for sharing |
| Cross-border transfer from China | N/A (data arriving into EU only needs GDPR basis) | Security assessment, standard contract, or certification; separate consent | Use SCC + CAC filing for below-threshold; security assessment for CIIOs and high-volume; always obtain separate consent |
| Data localization (China) | Not required | Required for CIIOs and above-threshold handlers | Maintain separate Chinese data infrastructure; minimize cross-border transfers |
| Government access response | Must assess necessity and proportionality; EU reps should escalate | Must cooperate with intelligence and security agencies | Legal entities in China face direct obligation; EU entities receiving access requests from China should consult EU law |
| DPO/Privacy officer | DPO required for public bodies, large-scale monitoring, sensitive data | Person responsible for PI protection required above CAC threshold (currently 1M+ individuals processed) | Appoint DPO in EU; appoint person responsible in China; roles may overlap but responsibilities are distinct |
| Rights request timeline | Respond within 1 month | Respond "timely" | Aim for 30-day response for all requests to satisfy GDPR; document response time for PIPL |
| Breach notification | 72 hours to DPA; without undue delay to individuals for high-risk | "Immediately" to regulator; timely to individuals | Breach response plan should target same-day regulator notification to satisfy PIPL; 72 hours covers GDPR |
| Compliance audit | Not mandated by GDPR; recommended as accountability measure | Mandatory every 2 years for 10M+ individual processors | Build audit cycle into compliance calendar; align with GDPR accountability documentation |
Many multinational organizations address GDPR-PIPL conflicts by operating separate data processing environments for Chinese and European operations, minimizing the need for cross-border transfers between the two jurisdictions, and maintaining independent consent records for each regime.
For more detail on the GDPR framework, see our complete EU data privacy laws guide. For China's full privacy framework, see our China data privacy laws guide.
Disclaimer
This article presents general legal information about the EU General Data Protection Regulation and China's Personal Information Protection Law. It does not constitute legal advice. The information reflects the laws as of May 19, 2026. Both frameworks continue to evolve through implementing regulations, regulatory guidance, and enforcement actions. Organizations subject to the GDPR or PIPL should consult a lawyer licensed in the relevant jurisdiction for advice specific to their situation.
Authorities Cited
- Personal Information Protection Law of the People's Republic of China (PIPL), adopted August 20, 2021, effective November 1, 2021. http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml
- Regulation (EU) 2016/679 (General Data Protection Regulation), Art. 3, 6, 7, 9, 12-22, 27, 33-34, 37-39, 45-49, 52, 56, 83. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
- Cybersecurity Law of the People's Republic of China (CSL), originally effective June 1, 2017; amended version effective January 1, 2026. http://www.npc.gov.cn/npc/c12435/201611/9b4396b62c9e4b16b3b42d109e41c02e.shtml
- Data Security Law of the People's Republic of China (DSL), effective September 1, 2021. http://www.npc.gov.cn/npc/c30834/202106/7c9af12f51334a73b56d7938f99a788a.shtml
- National Intelligence Law of the People's Republic of China, Art. 7 (2017). Available via China Law Translate: https://www.chinalawtranslate.com/en/national-intelligence-law-of-the-peoples-republic-of-china-2017/
- Cyberspace Administration of China (CAC). Administrative Measures for Personal Information Protection Compliance Audits, promulgated February 14, 2025, effective May 1, 2025. https://www.cac.gov.cn/
- European Data Protection Board (EDPB). Guidelines, recommendations, and opinions. https://edpb.europa.eu/edpb_en
- European Commission. Adequacy Decisions. https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
- DLA Piper Privacy Matters. China: Mandatory Data Protection Compliance Audits from 1 May 2025 (February 2025). https://privacymatters.dlapiper.com/2025/02/china-mandatory-data-protection-compliance-audits-from-1-may-2025/
- DLA Piper Privacy Matters. China: Draft Regulation on Certification for Cross-Border Data Transfers Published (January 2025). https://privacymatters.dlapiper.com/2025/01/7523/
- Linklaters Tech Insights. China's 2025 Cybersecurity Law Amendments: Enhanced Penalties, Expanded Extraterritorial Application, and AI Governance. https://techinsights.linklaters.com/post/102lrz5/chinas-2025-cybersecurity-law-amendments-enhanced-penalties-expanded-extraterr
- IAPP. Analyzing China's PIPL and How It Compares to the EU's GDPR. https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr
- IAPP. First Case on PIPL's Extraterritorial Scope Highlights Key Compliance Priorities. https://iapp.org/news/a/first-case-on-pipl-s-extraterritorial-scope-highlights-key-compliance-priorities
- IAPP. A Case Study in China Privacy Operations: The Dior Wake-Up Call. https://iapp.org/news/a/a-case-study-in-china-privacy-operations-the-dior-wake-up-call
- Baker McKenzie Resource Hub. Regulators, Enforcement Priorities and Penalties: China. https://resourcehub.bakermckenzie.com/en/resources/global-data-and-cyber-handbook/asia-pacific/china/topics/regulators-enforcement-priorities-and-penalties
- DLA Piper GDPR Fines and Data Breach Survey: January 2025. https://www.dlapiper.com/en-us/insights/publications/2025/01/dla-piper-gdpr-fines-and-data-breach-survey-january-2025
Last updated: 2026-05-19. Laws cited reflect their in-force versions as of 2026-05-19.
Frequently Asked Questions
Is the PIPL stricter than the GDPR?
In several areas, yes. The PIPL imposes higher maximum fines (5% of annual revenue vs. 4%), personal liability on responsible individuals (up to RMB 1 million plus prohibitions on serving as a director, supervisor, senior manager, or personal information protection officer), mandatory data localization for CIIOs and high-volume handlers, government security assessments for cross-border transfers, and separate consent requirements for third-party sharing and public disclosure. The GDPR is stricter in other respects: it provides more detailed DPO independence requirements, requires responses to rights requests within a fixed one-month deadline (Art. 12(3), extendable by two further months for complex or numerous requests) rather than PIPL's 'timely' standard, and subjects government access to personal data to independent judicial oversight, which the EU courts treat as a condition of adequacy.
Does the PIPL apply to companies outside China?
Yes. PIPL Article 3 applies extraterritorially to organizations outside China that process personal information to provide products or services to individuals in China, or to analyze and evaluate the behavior of individuals in China. Such organizations must establish a dedicated entity or appoint a representative in China under Article 53. The Guangzhou Internet Court's Fall 2024 judgment confirmed that Chinese courts will apply PIPL standards to foreign organizations processing Chinese residents' data -- the first published judgment on PIPL extraterritoriality.
What are the three cross-border transfer routes under China's PIPL?
PIPL Article 38 provides three routes: (1) a CAC security assessment, mandatory for Critical Information Infrastructure Operators, for transfers of important data, and for processors that since January 1 of the current year have transferred abroad the non-sensitive personal information of more than 1 million individuals or the sensitive personal information of more than 10,000 individuals (thresholds set by the CAC's March 2024 Provisions on Promoting and Regulating Cross-Border Data Flows); (2) a standard contract filed with the provincial CAC, available below those thresholds (non-sensitive personal information of 100,000 to 1 million individuals, or sensitive personal information of fewer than 10,000 individuals); and (3) certification by a CAC-designated institution, a route formalized by the joint CAC/SAMR certification measures effective in 2026. Separate consent from the data subject is required for all cross-border transfers regardless of which route is used (Art. 39).
Why does the PIPL not include legitimate interests as a legal basis?
The PIPL's omission of legitimate interests reflects a policy choice to limit organizational discretion in determining when processing is lawful without consent. Under the GDPR, legitimate interests allows organizations to process data based on their own balancing assessment of their interests against individuals' rights. China's approach, reflected in PIPL Article 13, requires processing to fall within one of seven enumerated bases, giving regulators more predictable authority over what processing is permissible. Organizations that use legitimate interests under GDPR for marketing, analytics, or fraud prevention must obtain consent or find another Article 13 basis for the same activities in China.
Does China have an EU adequacy decision?
No. As of May 2026, the European Commission has not granted China an adequacy decision, and no adequacy negotiation is underway. Concerns center on China's government access regime -- particularly the National Intelligence Law's Article 7 requirement for organizations to cooperate with intelligence work and the Counter-Espionage Law's restrictions on data leaving China. These provisions make it difficult for the European Commission to find that China offers an 'essentially equivalent' level of protection to the GDPR. Transfers from the EU to China must use Standard Contractual Clauses or another Article 46 mechanism, supplemented by a transfer impact assessment.
What is the PIPL Compliance Audit Measures requirement?
The CAC's Administrative Measures for Personal Information Protection Compliance Audits, effective May 1, 2025, require organizations processing the personal information of more than 10 million individuals in China to conduct self-initiated compliance audits at least once every two years. Audits must cover lawful processing bases, consent procedures, cross-border transfer compliance, automated decision-making, sensitive data handling, retention and deletion, data subject request processing, and incident response. Regulators may also order an audit of any organization found to present significant risks or following a major incident. The same third-party audit institution and lead auditor may not perform more than three consecutive compliance audits for the same organization.
What changed with China's Cybersecurity Law in 2026?
The Standing Committee of the National People's Congress passed amendments to the Cybersecurity Law on October 28, 2025, effective January 1, 2026. Key changes include: tiered penalties (up to RMB 10 million for businesses and RMB 1 million for individuals for particularly serious violations); the first statutory AI governance provisions (supporting AI development while mandating ethical standards and risk monitoring); expanded extraterritorial scope (now covering any foreign organization whose activities endanger China's network security, not only critical infrastructure-related activities); enhanced supply chain security obligations; and new mitigating circumstances for prompt correction. The amended CSL integrates with the DSL and PIPL as part of China's three-law data governance framework.
What individual rights does the PIPL grant compared to the GDPR?
The PIPL's Articles 44-50 grant rights broadly parallel to GDPR Chapter 3: right to know and decide (similar to GDPR's right to object and restrict), right of access, right to correction, right to erasure, right to data portability (with CAC conditions), and the right to explanation of automated decisions. One unique PIPL provision is Article 49, which allows family members of a deceased individual to exercise access, correction, and deletion rights in their legitimate interests -- the GDPR has no equivalent. A key difference is response timelines: the GDPR requires responses within one month (Art. 12); the PIPL requires only 'timely' response without a fixed statutory deadline.
How does China's multi-regulator model differ from the EU's DPA system?
Under the GDPR, each EU member state has one or more independent DPAs, coordinated by the European Data Protection Board (EDPB) through the consistency mechanism, with the one-stop-shop (Art. 56) designating a lead supervisory authority for cross-border processing. A company with its main EU establishment in Ireland therefore deals primarily with the Irish DPC for cross-border cases. China's PIPL uses a multi-regulator model under Article 60: the CAC takes the lead role, but the MIIT, Ministry of Public Security, SAMR, and financial sector regulators each enforce PIPL within their sectors, and their local counterparts also have enforcement authority. Multiple agencies may have concurrent jurisdiction over a single organization's activities, with no one-stop-shop equivalent.
What is 'separate consent' under China's PIPL?
The PIPL requires 'separate consent' for five specific activities: providing personal information to third parties (Art. 23), publicly disclosing personal information (Art. 25), processing sensitive personal information (Art. 29), transferring personal information outside China (Art. 39), and using images collected by public surveillance equipment for non-safety purposes (Art. 26). Separate consent is a higher standard than standard consent -- it cannot be bundled with general terms and conditions or consent for other processing activities. An organization must obtain a distinct, specific consent for each of these activities, even if the individual has already provided general consent to the organization's processing.