
PIPL: Navigating the Evolving Data Protection Landscape in China


PIPL: Navigating the Evolving Data Protection Landscape in China

In recent years, China has witnessed substantial changes in its regulatory framework for handling personal information, with more updates on the horizon. While the compliance burden has eased, companies must still adhere to the fundamental requirements of the Personal Information Protection Law. Systematic enforcement by the authorities has also begun, making compliance more critical than ever.


The Personal Information Protection Law (PIPL), akin to the EU's General Data Protection Regulation (GDPR), applies to companies processing the personal information of individuals in China, even if the processing is done abroad. Since its implementation in 2021, the relevant implementing rules and regulations in relation to PIPL have undergone frequent updates to enhance safeguards for the collection and processing of personal information.

One of the most significant aspects of PIPL for foreign companies is the regulation of cross-border transfers of personal information. Initially, only three mechanisms were available for legal cross-border transfers under PIPL:

Given the complexity of the certification process and security assessment, most processors (similar to GDPR's "controllers") opted for the standard contract route. This means entering into a standard contract with the overseas recipient, filing the contract with the CAC, and performing a personal information impact assessment. Although less burdensome than the alternatives, this route still imposes a significant administrative burden on companies handling cross-border data transfers.

Easing Compliance Burden and Exemptions

The 2024 Rules Regulating and Facilitating Cross-Border Data Flows (2024 Rules) have reduced the compliance burden for processors exporting personal information. In particular, these rules provide exemptions from the requirement to file a standard contract with the CAC for certain common data handling tasks and specific data types, thereby simplifying the process for foreign companies with operations in China.

The exemptions under the 2024 Rules include transfers necessary for HR management, fulfilment of international contracts, and emergency situations. Additionally, transfers of personal information (excluding sensitive personal information) involving fewer than 100,000 individuals per year are exempt. Transfers of data generated during international trade, cross-border transportation, academic cooperation, and other related activities are also exempt, provided they do not involve important data or personal information (see Fact Box below for more information on what might constitute 'important data').

Despite these exemptions, certain scenarios still require compliance with specific mechanisms. For instance, if the cross-border data contains sensitive personal information, a standard contract must be filed if the transfer involves fewer than 10,000 individuals per year, and if it involves more, a security assessment must be passed. Security assessments also remain mandatory for critical information infrastructure operators (CIIOs) transferring data cross-border and for companies exporting any important data.

Sensitive personal information is information that may easily lead to infringement of human dignity or harm to the personal safety or property of the individual if leaked. Examples of sensitive personal information include data related to:

Network Data Security Management Regulation (2025)

The new Network Data Security Management Regulation (2025 Regulations), effective from 1 January 2025, refines existing data protection requirements under Chinese law. The 2025 Regulations build on the existing data protection framework, including PIPL. While the 2025 Regulations primarily apply to network data handlers, the definition of network data is so broad as to encompass most data processing activities.

Key changes in the 2025 Regulations that impact PIPL obligations are new requirements on incident reporting, data portability and data processing agreements. There is an obligation to immediately address security risks, notify users, and report to regulators within 24 hours if national security or public interest is affected. Also, data subjects can request the transfer of their personal information under specific conditions, and data handlers must enter into data processing agreements with third parties, retaining records for at least three years.

Additionally, foreign companies should note the obligation to establish a local entity or designate a representative within mainland China when processing personal information of mainland China residents, and to report contact information to the CAC.

The 2025 Regulations further clarify, to a certain extent, what constitutes "important data," emphasising information that could impact national security, economic stability, or critical industries. This covers a wide range of data, and while processors are assisted by catalogues of important data published by industry regulators, these catalogues are not exhaustive lists. Ultimately, it is the data handlers that must identify and report important data based on guidance from the applicable catalogues and considering the impact on national security, economic operations, social stability, public health and safety.

Green Channels for Data Transfers in Free Trade Zones

China is actively implementing measures to facilitate cross-border data transfers through the establishment of various pilot projects in its Free Trade Zones (FTZ). These initiatives aim to streamline cross-border data transfers in a way that ensures sufficient safeguards remain in place.

Each FTZ has its own rules based around categorisation and green channels, essentially providing a new mechanism for compliant cross-border data transfers. For example, Shanghai Lingang FTZ has introduced a classification system dividing data into core data, important data and general data: core data cannot be exported, important data requires a security assessment, and general data can be exported freely. Shanghai Lingang FTZ has also launched a "Carbon Data Cross-Border Green Channel" for the exchange of carbon-related data to help companies meet compliance requirements. Beijing FTZ and Tianjin FTZ, on the other hand, have introduced negative lists of data whose export is subject to additional compliance procedures, typically a security assessment. For Beijing FTZ, data not included on the negative list can be exported freely by companies in the FTZ.

Similar pilot projects are expected to be introduced in other FTZs, and if successful, may be considered for national adoption.

Free Trade Zones in China are designated areas with special incentives for businesses, such as tailored economic policies, streamlined business registration and simplified trade regulations. FTZs are often used to trial new policies before nationwide implementation. Relevant FTZs at the time of writing include:

Compliance Obligations for Processors

While recent changes have made some aspects of compliance easier, processors must still comply with the other obligations under PIPL, such as obtaining explicit consent from individuals before exporting personal information. The consent process must be transparent, and individuals should be informed about the purpose, scope, and destination of the personal information transfer. Processors also need to implement appropriate security measures to protect personal information during transfer, including encryption, access controls, and other safeguards to prevent unauthorised access or disclosure.

Certain types of personal information must be stored within China, and foreign companies should assess the types of information they are collecting to ensure compliance with localisation requirements. Foreign companies exporting personal information should establish clear contractual agreements with overseas recipients, outlining the responsibilities and obligations of each party in ensuring the protection and lawful use of the transferred personal information. Individuals should be informed about the cross-border transfer of their personal information, and processors are required to maintain records of transfers to demonstrate PIPL compliance.

Individuals have the right to access, correct, and delete their personal information even when it is transferred cross-border, and it is the responsibility of the processor to establish mechanisms for individuals to exercise these rights. Foreign companies should also note that allowing access to personal information stored in China is in itself considered a cross-border transfer, and allowing such access to foreign law enforcement or judicial bodies requires CAC approval.

The upcoming Administrative Measures on Personal Information Protection Compliance Audits (2025 Measures), recently issued by the CAC and entering into force on 1 May 2025, further clarify the requirements under PIPL in respect of compliance audits for processors handling large volumes of data. Under the 2025 Measures, processors handling the personal information of more than 10 million individuals must conduct compliance audits at least every two years. The CAC can also order audits if there are significant risks, or in the case of data breaches affecting over 1 million individuals or sensitive information pertaining to over 100,000 individuals. Additionally, processors handling the personal information of more than 1 million individuals must designate a person in charge of compliance audits.

Enforcement and Penalties

Failure to comply with PIPL can lead to severe penalties, including fines up to RMB 50 million or 5% of the personal information processor's turnover in the last year. Other sanctions include revoking business licences and permits, rectification, confiscation of gains, and personal liability for key personnel.

Shanghai CAC disclosed the first administrative cases based on PIPL on 29 January 2024, following a special action called "Shining Sword", which lasted from June to December 2023. During this mission, the CAC investigated 6,043 companies, interviewed 520 companies, and filed 50 violation cases. The special action was renewed in June 2024, and so far, six cases have been disclosed against coffee shops in Shanghai, including COSTA coffee and Luckin Coffee. Additionally, 21 apps that collect and use personal information were found to be in violation of PIPL.

The industries that the investigations focused on in 2023 included restaurant ordering apps, parking QR codes, children's training institutions, financial institutions, car sales companies, and real estate agencies. In 2024, the focus has shifted to the collection of facial recognition information by swimming pools and sports facilities, coffee shops, and online applications.

The typical breach uncovered by the Shining Sword mission is forced consent to privacy policies, where apps did not provide an option to decline the privacy policy. Other significant breaches include automatic consent to privacy policies, lack of encryption, forced sharing of geolocation information, and lack of management and approval procedures for accessing large amounts of personal information. No case involving cross-border data transfer has been identified, and most companies avoid penalties by self-rectifying in a timely manner. However, even in these instances, the company name and the specific offences are made public.

It is expected that the CAC will continue investigations on an industry-by-industry basis according to its priorities. However, specific investigations can also be triggered by a whistleblower or a data breach incident. One such example was disclosed by Shanghai CAC on 14 October 2024 in a case based on PIPL and the Data Security Law (DSL). The investigation was triggered by a whistleblower, leading to a medical technology company in Shanghai being investigated and punished. Breaches identified included system vulnerabilities leading to data leakage and large amounts of personal information being stolen by an offshore IP address. The penalties imposed were warnings and fines pursuant to Article 45 of the DSL.

Conclusion

As the regulatory landscape in China continues to evolve, companies would be remiss not to stay alert to the changing requirements of PIPL. While the recent changes have provided some relief in terms of the compliance burden, the fundamental obligations remain. Companies must ensure they are compliant with PIPL to avoid significant penalties and to maintain trust with both customers and authorities.
