apac
China
China's PIPL sits within a broader digital regulation stack, and any public summary needs careful handling of transfer, localization, security review, and sector-specific obligations.
Editorial caveat
Structured values summarize official materials for research and planning. They are reviewed by humans before publication and should not be treated as legal advice.
medium confidence, Requires dedicated treatment of localization, transfer assessments, security review, and interaction with broader Chinese digital regulation.
Breach
- Breach deadline (hours)
- 0
- Breach notification required
- Yes
Marketing
- Cookie consent rule
- Online tracking is influenced by consent rules, app governance, and broader cybersecurity compliance expectations.
Transfers
- Cross-border transfer restricted
- Yes
- Data localization required
- Yes
Governance
- DPO required
- Yes
- Impact assessment required
- Yes
- Records of processing required
- Yes
Identity
- Effective date
- 2021-11-01
- Effective status
- in-force
- Last amended
- 2021-11-01
- Law status
- active
Scope
- Extraterritorial application
- Yes
- Private sector coverage
- Applies broadly to private-sector personal information handlers.
- Public sector coverage
- Public authorities are also subject to data and cybersecurity obligations, with additional state-sector requirements.
- Territorial scope
- Applies domestically and extraterritorially where processing outside China targets individuals in China or serves specified legal purposes.
Legal Basis
- Legal bases
- consent, contract necessity, HR management, statutory duty, public interest
- Requires legal basis
- Yes
Enforcement
- Maximum fine
- PIPL permits very substantial fines, business suspension risk, and personal liability for responsible individuals.
- Private right of action
- Yes
- Regulator or enforcement authority summary
- CAC and broader state authorities
Definitions
- Personal data definition
- Personal information means all kinds of information related to identified or identifiable natural persons recorded electronically or otherwise.
- Sensitive data recognized
- Yes
Rights
- Right of access
- Yes
- Right to appeal
- Yes
- Right to deletion
- Yes
- Right to erasure or delete summary
- Deletion rights in complex regulatory setting
- Right to object
- Yes
- Right to portability
- Yes
- Right to rectification or correction summary
- Correction and supplementation rights
Official sources
- CAC guidanceSecondary official material • en • html
- PIPL textPrimary official law • en • html