PIPL
Personal Information Protection Law
The PIPL is China's first comprehensive personal information protection statute, effective 1 November 2021. It establishes a consent-based framework for processing personal information, grants individuals rights over their data, and adds distinctive data localization and cross-border transfer controls.
Who it applies to
It applies to the processing of personal information of individuals within China, and extraterritorially where the purpose is to provide products or services to people in China or to analyze their behavior. Foreign handlers must designate a local representative or establishment in China.
Identity requirements
- Obtain a valid legal basis, typically informed, voluntary, and specific consent, with separate consent for sensitive data and cross-border transfers
- Apply heightened safeguards to sensitive personal information, including biometric identifiers and financial accounts
- Meet one of the lawful cross-border transfer mechanisms: a CAC security assessment, CAC-accredited certification, or the CAC standard contract
- Store personal information within China where required (for example, critical information infrastructure operators and handlers exceeding CAC volume thresholds)
- Conduct a personal information protection impact assessment for high-risk activities such as sensitive data, automated decision-making, and overseas transfers
- Honor individual rights to access, correct, delete, and port personal information, and provide mechanisms to withdraw consent
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Consent must be informed, specific, and separately collected for sensitive data and cross-border transfers, shaping how customer identity systems capture permissions. |
| Data residency & cross-border transfer | Transferring identity data abroad requires a CAC security assessment, certification, or standard contract, and certain handlers must localize storage in China. |
| Identity verification (KYC/proofing) | Biometric and other identity-proofing attributes are treated as sensitive personal information requiring separate consent and stronger protection. |
| Audit, logging & accountability | Handlers must conduct and retain impact assessments and keep processing records to demonstrate accountability to regulators. |
| Breach notification | On a personal information leak, tampering, or loss, handlers must take remedial measures and notify the authorities and affected individuals. |
Penalties
Serious violations can draw fines up to 50 million yuan or 5 percent of the prior year's annual turnover, business suspension, and personal liability for responsible individuals.
PIPL: frequently asked questions
- Does the PIPL apply to companies outside China?
  - Yes. The PIPL applies extraterritorially when an organization abroad processes the personal information of people in China to offer them products or services or to analyze their behavior, and such organizations must appoint a local representative in China.
- How can a company legally transfer personal data out of China under the PIPL?
  - It must use one of the approved mechanisms: passing a CAC-led security assessment, obtaining CAC-accredited certification, or signing the CAC standard contract, and it must obtain the individual's separate consent.
- Is biometric data treated differently under the PIPL?
  - Yes. Biometric identifiers are classed as sensitive personal information, so processing them requires a specific purpose, separate consent, and enhanced protective measures.