PIPL compliance package


On Nov. 1, 2021, China’s Personal Information Protection Law (PIPL) entered into effect, aiming to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information” (Article 1).

With its entry into force, the broader cyber and data security governance in China is regulated by three pieces of legislation: the PIPL, the Cybersecurity Law, and the Data Security Law. Some related implementing regulations have been adopted and others have yet to be adopted, making it complex to comply with this framework without proper legal and cybersecurity guidance.

From a comparative perspective, the PIPL aligns in large part with the strictest international privacy benchmarks of the European Union’s General Data Protection Regulation (EU GDPR), but it differs from the EU framework to a relevant extent. For instance, the PIPL includes certain substantive obligations that differ from those of the EU GDPR, and there are also obligations found in the EU GDPR that are not included in the PIPL.


Impact of the PIPL on companies and entities:

  • Data subjects are given more rights over the use of their data. They can request to edit, remove, restrict the use of their data, or withdraw consent given previously.
  • There are more stringent requirements on data sharing and data transfer, for which your organization and any third-party joint data controllers may need to conduct data-related impact assessments.
  • Penalties and fines for data breaches and violations of the law can amount to up to 50 million RMB, revenue confiscation of up to 5% of annual revenue, business cessation, and individual responsibility of managers.
  • Mandatory cybersecurity controls must be applied when storing and processing personal information, and training has to be provided to the responsible personnel who handle such personal information.
  • Obligatory data localization when the amount of personal information exceeds the threshold set by the Cybersecurity Administration of China (CAC).

PrivacyRules has created an efficient and cost-effective package to assess your legal and technical obligations under the PIPL, and to rapidly adopt the appropriate steps in order to continue operating with peace of mind.

We are proud to underline that the package is developed and implemented with PrivacyRules’ top-level legal and cybersecurity experts from China, and with other PrivacyRules experts for national compliance, depending on the jurisdiction you are interested in.

Contact us for more information and to subscribe to the package.