China's data protection regime is one of the most demanding in the world. Three interlocking statutes - the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and the Cybersecurity Law (CSL) - create binding obligations for any business that collects, processes, or transfers personal data inside or outside China. Non-compliance carries fines reaching RMB 50 million or 5% of annual turnover, suspension of operations, and personal liability for executives. This article maps the legal framework, identifies the most consequential obligations, and offers a practical compliance roadmap for international businesses operating in or with China.
China does not have a single omnibus privacy code. Instead, three statutes operate in parallel, each with its own regulator, scope, and enforcement logic.
The Personal Information Protection Law (个人信息保护法, PIPL), effective November 2021, is the primary statute governing personal information. It applies to any organisation that processes the personal information of individuals located in China, regardless of where the processor is incorporated. The territorial reach is explicitly extraterritorial: a foreign company that provides products or services to Chinese residents, or that analyses the behaviour of Chinese residents, falls within PIPL's scope.
The Data Security Law (数据安全法, DSL), effective September 2021, governs data broadly - not just personal information - and introduces a national data classification system. Data is stratified into general, important, and core categories. Processing of 'important data' triggers enhanced security obligations, and cross-border transfer of 'core data' is effectively prohibited without state approval.
The Cybersecurity Law (网络安全法, CSL), effective June 2017, applies to 'network operators' - a category broad enough to cover virtually any business with an internet-connected system in China. CSL mandates data localisation for critical information infrastructure operators (CIIOs) and requires security assessments before certain cross-border data transfers.
Together, these three statutes create overlapping obligations. A business processing personal information on a cloud platform in China must simultaneously satisfy PIPL's consent and purpose-limitation rules, DSL's data classification requirements, and CSL's network security standards. The Cyberspace Administration of China (CAC) is the primary regulator for all three, though the Ministry of Public Security and sector-specific regulators such as the People's Bank of China retain concurrent jurisdiction in their domains.
PIPL Article 13 sets out seven lawful bases for processing personal information. Consent is the default, but it is not the only option. The other bases include: necessity for contract performance, necessity for legal obligations, necessity to respond to public health emergencies, necessity for news reporting in the public interest, processing of already-disclosed information within reasonable scope, and other circumstances prescribed by law.
Consent under PIPL is more demanding than under many other regimes. It must be freely given, specific, informed, and unambiguous. Bundled consent - where agreement to data processing is buried in general terms of service - does not satisfy the standard. Separate consent is required for sensitive personal information, which PIPL defines to include biometric data, religious beliefs, medical records, financial information, and personal information of minors under 14. Processing sensitive personal information requires both a specific lawful basis and a documented necessity assessment.
A common mistake made by international businesses entering China is to assume that a GDPR-compliant consent mechanism automatically satisfies PIPL. The two regimes share conceptual DNA but diverge on critical details. PIPL requires that the privacy notice be provided in Chinese and that consent withdrawal be as easy as consent provision. PIPL also imposes a separate obligation to notify individuals when the purpose, method, or scope of processing changes - a requirement that many foreign companies overlook when updating their global privacy policies.
The lawful basis of 'contract necessity' is narrower under PIPL than under GDPR Article 6(1)(b). Chinese regulators have interpreted this basis restrictively: it covers only processing that is objectively necessary to perform the specific contract with the individual, not processing that is merely convenient or commercially useful to the controller.
To receive a checklist on PIPL lawful bases and consent documentation for China, send a request to info@vlo.com.
Cross-border transfer of personal information out of China is the area where international businesses most frequently encounter enforcement risk. PIPL Article 38 establishes three permissible transfer mechanisms, and a business must satisfy at least one before any personal data leaves China.
The first mechanism is a security assessment conducted by the CAC. This is mandatory for critical information infrastructure operators, for any organisation that processes personal information of more than one million individuals, and for any organisation that has cumulatively transferred personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals abroad since January 1 of the prior year. The CAC security assessment involves submitting a detailed application, a self-assessment report, and the data transfer agreement to the CAC, which then has 45 working days to complete its review - extendable by a further 15 working days for complex cases.
The second mechanism is certification by a professional institution accredited by the CAC. This route is available to multinational groups transferring data internally and to certain other organisations. The certification body evaluates the adequacy of the recipient's data protection standards against criteria published by the CAC and the National Information Security Standardisation Technical Committee (TC260).
The third mechanism is a standard contract published by the CAC. Organisations that do not meet the thresholds triggering mandatory security assessment may use the CAC Standard Contract (个人信息出境标准合同), which must be executed in its prescribed form without material modification. The standard contract must be filed with the local CAC office within 10 working days of coming into effect.
A non-obvious risk is that the thresholds for mandatory security assessment are cumulative and reset annually. A mid-sized e-commerce business that transfers modest volumes of customer data each month may cross the 100,000-individual threshold mid-year without realising it, triggering a retroactive compliance obligation. Businesses should implement a data transfer volume monitoring mechanism as a baseline control.
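One way to build the volume-monitoring control just described, as an added example written for this article (not the firm's tooling and not any CAC-published method): it evaluates pseudonymous outbound transfer records against the thresholds stated above, counting distinct individuals since 1 January of the prior year, and warns when a count comes within 10% of a line so the assessment route can be planned before it is crossed. The TransferRecord type, the subject_id field, and the sample data are assumptions constructed here.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds as stated in the article (PIPL Art. 38 / CAC security-assessment rules).
CUMULATIVE_PI_THRESHOLD = 100_000        # individuals whose PI was transferred in the window
CUMULATIVE_SENSITIVE_THRESHOLD = 10_000  # individuals whose sensitive PI was transferred
PROCESSED_PI_THRESHOLD = 1_000_000       # individuals whose PI the organisation processes at all


@dataclass(frozen=True)
class TransferRecord:
    """One outbound transfer event; subject_id is a pseudonymous key (hypothetical field)."""
    transferred_on: date
    subject_id: str
    sensitive: bool


def window_start(as_of: date) -> date:
    """The counting window opens on 1 January of the year before the evaluation date."""
    return date(as_of.year - 1, 1, 1)


def count_distinct_subjects(records, as_of: date):
    """(all individuals, individuals with sensitive PI) transferred in the window; people, not rows."""
    start = window_start(as_of)
    everyone, sensitive = set(), set()
    for r in records:
        if start <= r.transferred_on <= as_of:
            everyone.add(r.subject_id)
            if r.sensitive:
                sensitive.add(r.subject_id)
    return len(everyone), len(sensitive)


def evaluate_transfer_mechanism(records, as_of_iso: str, processed_individuals: int,
                                is_ciio: bool = False, warn_ratio: float = 0.9):
    """Decide which Article 38 route applies and flag counts approaching a threshold."""
    as_of = date.fromisoformat(as_of_iso)
    total, sens = count_distinct_subjects(records, as_of)
    triggers = []
    if is_ciio:
        triggers.append("critical information infrastructure operator")
    if processed_individuals > PROCESSED_PI_THRESHOLD:
        triggers.append(f"processes PI of {processed_individuals:,} individuals (> 1,000,000)")
    if total > CUMULATIVE_PI_THRESHOLD:
        triggers.append(f"transferred PI of {total:,} individuals (> 100,000)")
    if sens > CUMULATIVE_SENSITIVE_THRESHOLD:
        triggers.append(f"transferred sensitive PI of {sens:,} individuals (> 10,000)")
    warnings = []  # under the line but close enough that the assessment route should be planned
    for name, count, limit in (("PI", total, CUMULATIVE_PI_THRESHOLD),
                               ("sensitive PI", sens, CUMULATIVE_SENSITIVE_THRESHOLD)):
        if limit * warn_ratio <= count <= limit:
            warnings.append(f"{name}: {count:,} of {limit:,} in window")
    mechanism = "CAC security assessment" if triggers else "standard contract or certification"
    return {"window_start": window_start(as_of).isoformat(), "individuals": total,
            "sensitive_individuals": sens, "mechanism": mechanism,
            "triggers": triggers, "warnings": warnings}


def sample_records(n_sensitive: int, n_general: int, on_iso: str, offset: int = 0):
    """Constructed sample data: subjects s<offset>.., g<offset>.. all transferred on one date."""
    on = date.fromisoformat(on_iso)
    recs = [TransferRecord(on, f"s{offset + i}", True) for i in range(n_sensitive)]
    recs += [TransferRecord(on, f"g{offset + i}", False) for i in range(n_general)]
    return recs
```

Repeat transfers of the same person do not inflate the count, and records before the window start drop out automatically when the evaluation date moves into a new year.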
In practice, the CAC security assessment is not a one-time exercise. Approved assessments are valid for two years and must be renewed. Material changes to the transfer - including changes in the recipient, the data categories, or the processing purpose - require a fresh assessment. Many businesses complete the initial assessment but fail to build a renewal calendar into their compliance programme.
The DSL adds a further layer for data classified as 'important data.' Organisations must identify whether any data they hold meets the important data definition under their sector's classification catalogue before initiating any cross-border transfer. Sector regulators - for example, the National Health Commission for health data, or the People's Bank of China for financial data - publish their own catalogues, and the definitions do not always align with PIPL's categories.
Data localisation under CSL applies primarily to critical information infrastructure operators. The CSL defines CIIOs as operators of infrastructure in sectors including energy, transport, finance, public services, and e-government whose disruption or damage would seriously harm national security, the national economy, or public welfare. The CAC and sector regulators jointly identify specific CIIOs, and the designation is not always publicly announced. A business that suspects it may qualify should seek a formal determination rather than assume it does not.
For non-CIIO organisations, localisation is not a blanket requirement, but the practical effect of the security assessment and standard contract mechanisms is that cross-border transfers are subject to meaningful friction. Many multinational companies respond by establishing a China-specific data environment - a separate cloud instance hosted in China, with data flows to the global environment governed by an approved transfer mechanism.
PIPL Article 51 requires personal information processors to implement technical and organisational measures proportionate to the risks of their processing activities. The measures must include data classification, encryption of sensitive personal information, access controls, regular security audits, and employee training. The CAC's technical standard GB/T 35273-2020 (Information Security Technology - Personal Information Security Specification) provides detailed implementation guidance, though it is formally a recommended rather than mandatory standard. In enforcement practice, however, regulators treat compliance with GB/T 35273-2020 as evidence of due diligence.
Breach notification under PIPL Article 57 requires processors to notify the competent authority 'immediately' upon discovering a personal information security incident that may harm individuals' rights. Where the incident is serious, the processor must also notify affected individuals directly. The CAC has not published a fixed notification deadline in hours, but enforcement guidance and sector-specific rules suggest that notification within 72 hours of discovery is the expected standard for serious incidents - mirroring GDPR practice but without explicit statutory codification.
A common mistake is to treat breach notification as a purely technical exercise. Under PIPL, the notification must include: the categories and approximate volume of personal information affected, the likely consequences of the breach, the remedial measures taken or planned, and contact information for the processor's designated point of contact. Submitting an incomplete notification can itself constitute a violation and may aggravate the regulator's assessment of the processor's overall compliance posture.
To receive a checklist on data breach response procedures and notification timelines for China, send a request to info@vlo.com.
PIPL Article 52 requires personal information processors that process personal information above a threshold set by the CAC to designate a person in charge of personal information protection - commonly referred to as a Data Protection Officer (DPO) in international practice, though PIPL uses the term '负责人' (person in charge). The CAC has set the threshold at processing personal information of more than one million individuals. The person in charge must supervise the processor's compliance with PIPL, conduct personal information protection impact assessments, and be accountable to the processor's highest management body.
Foreign organisations that process personal information of Chinese residents but have no establishment in China must designate a domestic representative or establish a dedicated entity in China to handle personal information protection matters. This obligation under PIPL Article 53 is analogous to the GDPR Article 27 representative requirement but carries additional substance: the domestic representative or entity must be registered with the CAC and must be reachable by Chinese regulators and individuals. Failure to designate a domestic representative is one of the most frequently cited violations in CAC enforcement actions against foreign platforms.
Personal information protection impact assessments (PIPIAs) are mandatory under PIPL Article 55 before: processing sensitive personal information, using personal information for automated decision-making, entrusting personal information processing to a third party, providing personal information to another processor, or disclosing personal information publicly. The PIPIA must document the processing purpose and method, the risks to individuals' rights, and the protective measures adopted. The assessment record must be retained for at least three years.
In practice, the PIPIA obligation applies to each new processing activity that meets the criteria - not just to the initial deployment of a system. A business that adds a new AI-driven recommendation engine to an existing platform must conduct a fresh PIPIA before go-live. Many businesses conduct a one-time assessment at product launch and then fail to reassess when the product evolves, creating a latent compliance gap.
Automated decision-making under PIPL Article 24 carries specific obligations. Processors that use personal information for automated decisions affecting individuals - including personalised pricing, content recommendation, and credit scoring - must ensure the decisions are transparent, fair, and non-discriminatory. Individuals have the right to request an explanation of the decision logic and to opt out of decisions made solely by automated means. This provision has direct implications for businesses operating recommendation algorithms, dynamic pricing engines, or AI-based credit assessment tools in China.
The CAC is the primary enforcement authority for PIPL and DSL violations. The Ministry of Public Security has concurrent jurisdiction over CSL violations. Sector regulators - including the People's Bank of China, the National Medical Products Administration, and the Ministry of Industry and Information Technology - enforce data protection obligations within their respective domains.
PIPL Article 66 establishes a tiered penalty structure. For general violations, the CAC may issue a warning, order rectification, and impose a fine of up to RMB 1 million on the organisation and up to RMB 100,000 on the responsible individual. For serious violations, the CAC may impose a fine of up to RMB 50 million or 5% of the prior year's annual turnover - whichever is higher - suspend or terminate the business's operations, and revoke business licences. Responsible individuals may be personally fined up to RMB 1 million and banned from serving as directors, supervisors, or senior managers of any company for a period determined by the regulator.
Consider three practical scenarios that illustrate the enforcement landscape.
A foreign software-as-a-service provider with no physical presence in China offers its platform to Chinese enterprise customers. The provider transfers customer data - including employee personal information - to servers in Europe for processing. Without a CAC security assessment or standard contract in place, every data transfer is unlawful under PIPL Article 38. The provider has also failed to designate a domestic representative. When a Chinese customer reports the arrangement to the CAC, the provider faces fines, a potential ban on providing services in China, and reputational damage with its Chinese customer base. The cost of retroactive compliance - including legal fees, CAC filing costs, and system reconfiguration - typically runs into the mid-to-high tens of thousands of USD, before any regulatory penalty.
A domestic Chinese e-commerce platform processes personal information of approximately 800,000 registered users - below the one-million threshold for mandatory DPO designation. The platform introduces a loyalty programme that uses purchase history and location data to generate personalised offers. The new processing activity involves sensitive personal information (location data) and automated decision-making. The platform fails to conduct a PIPIA and does not update its privacy notice to reflect the new processing purpose. A user complaint triggers a CAC investigation. The platform is ordered to suspend the loyalty programme, conduct a PIPIA, and pay a fine. The suspension causes measurable revenue loss during the remediation period.
A multinational pharmaceutical company transfers clinical trial data - including health information of Chinese participants - to its global headquarters for regulatory submissions. Health data is classified as sensitive personal information under PIPL and as important data under the health sector's data classification catalogue. The transfer requires both a CAC security assessment and approval from the National Health Commission. The company initiates the CAC process but overlooks the sector-specific approval requirement. The transfer proceeds before both approvals are obtained. The company faces dual enforcement action from the CAC and the National Health Commission, with compounded penalties and a requirement to repatriate the transferred data pending approval.
What is the most significant practical risk for a foreign company processing Chinese personal data without a local presence?
The most significant risk is operating outside PIPL's compliance framework entirely - specifically, failing to designate a domestic representative and failing to implement a lawful cross-border transfer mechanism. The CAC has demonstrated willingness to take enforcement action against foreign platforms that provide services to Chinese residents without meeting these baseline requirements. The consequences include fines, service suspension, and reputational damage in the Chinese market. Foreign companies should conduct a PIPL applicability assessment before launching any product or service directed at Chinese residents, even if the company has no physical establishment in China.
How long does a CAC security assessment take, and what does it cost in practice?
The CAC has 45 working days to complete a security assessment, extendable by 15 working days for complex cases. In practice, the preparation phase - compiling the self-assessment report, drafting the data transfer agreement, and coordinating with the recipient - typically takes two to four months for a well-resourced compliance team. Legal fees for preparing the application package generally start from the low tens of thousands of USD and can reach the mid-to-high tens of thousands for complex multinational arrangements. Businesses should budget for both the initial assessment and the two-year renewal cycle.
When should a business use the CAC Standard Contract rather than pursuing security assessment certification?
The standard contract route is available only to organisations that fall below the thresholds triggering mandatory security assessment - specifically, those that have not processed personal information of more than one million individuals and have not cumulatively transferred personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals abroad in the relevant period. For businesses that qualify, the standard contract is faster and less resource-intensive than a full security assessment. However, the standard contract must be used in its prescribed form, filed with the local CAC within 10 working days of execution, and renewed whenever material changes occur. Businesses that are close to the thresholds should monitor their transfer volumes and be prepared to transition to the security assessment route if the thresholds are crossed.
China's data protection framework demands structured, ongoing compliance rather than a one-time exercise. PIPL, DSL, and CSL together create obligations that span consent management, cross-border transfer approvals, data localisation, breach notification, and organisational governance. The enforcement environment is active, and the penalties for serious violations are material. International businesses should treat China data compliance as a distinct workstream - not an extension of their GDPR programme - and build the necessary legal, technical, and organisational infrastructure before processing Chinese personal data at scale.
To receive a checklist on end-to-end PIPL and DSL compliance for businesses operating in or with China, send a request to info@vlo.com.
Our law firm Vetrov & Partners has experience supporting clients in China on data protection and privacy matters. We can assist with PIPL compliance assessments, CAC security assessment filings, standard contract preparation, domestic representative designation, and data breach response. To receive a consultation, contact: info@vlo.com.