
China Data Security Law and PIPL: Overlapping Obligations for Data Processing Organizations

How China's Data Security Law (DSL) and PIPL interact for organizations processing data in China, including data classification and important data obligations.

Regulation: PIPL / China DSL
Max Penalty: Up to RMB 50M or 5% of the previous year's turnover (PIPL); up to RMB 10M (DSL)
Enforcing Authority: Cyberspace Administration of China (CAC), together with sector regulators and public security organs
Official Source: www.cac.gov.cn

Executive Summary

  • The PIPL and DSL impose overlapping obligations on organizations processing data in China: the PIPL governs personal information, the DSL governs data of all kinds and adds a classification regime with heightened duties for "important data".
  • Compliance requires a comprehensive understanding of the lawful grounds for processing, data subject rights, and the cross-border transfer mechanisms.
  • Penalties under the PIPL can reach RMB 50 million or 5% of the previous year's turnover, with personal fines and bans for responsible individuals; DSL fines reach RMB 10 million.
  • Organizations must prioritize data inventory and classification, impact assessments, documentation, and employee training to ensure compliance.
  • Engaging with stakeholders and conducting regular audits are essential for maintaining a defensible compliance program.

The China Data Security Law (DSL) and the Personal Information Protection Law (PIPL) establish a comprehensive framework for data protection in China. These laws impose overlapping obligations on data processing organizations, requiring them to navigate complex compliance landscapes. This guide provides an in-depth analysis of the key requirements, penalties, and best practices for organizations operating under these regulations.


What Is PIPL / China DSL?

The Personal Information Protection Law (PIPL) and the Data Security Law (DSL) are the two principal statutes governing data protection in China, sitting alongside the 2017 Cybersecurity Law (CSL). The PIPL, effective from November 1, 2021, governs the processing of personal information, establishing rights for individuals and obligations for the organizations (termed "personal information handlers") that process such data. The DSL, effective from September 1, 2021, covers data of every kind, not only personal information, and approaches data security from a national security and public interest perspective: it requires data to be classified and graded according to its importance to the economy, society and national security, and attaches heightened obligations to "important data" and to the most sensitive tier, "national core data".

The PIPL emphasizes individual rights, such as the right to access, correct and delete personal information, while the DSL focuses on the security of data across its lifecycle and on who may access it, including a prohibition on providing data stored in China to foreign judicial or law enforcement authorities without approval from the competent Chinese authority. Because most organizations handle personal information that may also fall into a DSL category, the two frameworks apply concurrently, and understanding their interconnections is crucial for compliance.

Who Must Comply

Compliance with the PIPL and DSL is mandatory for a wide range of entities.

Personal information handlers. Any organization that processes the personal information of natural persons located in China is subject to the PIPL, whether or not it is established in China. The law reaches organizations outside China when the purpose of the processing is to provide products or services to individuals in China or to analyze or evaluate their behavior; such organizations must also designate a representative or entity in China and report its contact details to the regulator. The trigger is the data subject's presence in China, not Chinese citizenship.

Data handlers. The DSL applies to data processing activities carried out within China by any entity, including state-owned enterprises, private companies and foreign-invested entities, and also reaches activities outside China that harm China's national security, public interest, or the lawful rights of Chinese citizens and organizations. Organizations that collect, store, process or transmit data in China must therefore assess their obligations under both laws, regardless of where they are headquartered.

Exemptions. The PIPL does not apply to natural persons processing personal information for personal or family affairs, and anonymized information, meaning information that cannot be used to identify a specific individual and cannot be reversed, falls outside its definition of personal information. The DSL contains no equivalent personal-use carve-out, and an anonymized dataset may still be data it regulates. Organizations must carefully evaluate their activities before relying on an exemption, as misclassification can lead to severe penalties.

Core Compliance Requirements

Organizations must navigate a complex array of compliance requirements under both the PIPL and DSL.

Lawful grounds for processing. Every processing activity must rest on one of the legal bases enumerated in the PIPL: the individual's consent; necessity for concluding or performing a contract, or for human resources management under lawfully adopted labor rules; performance of a statutory duty or obligation; response to a public health emergency or protection of life, health or property in an emergency; news reporting and media supervision in the public interest; reasonable processing of information the individual has disclosed or that is otherwise lawfully public; and other circumstances provided by law. Unlike the GDPR, the PIPL has no "legitimate interests" basis, so processing that a European program justifies on that ground needs a different basis in China, usually consent. Consent must be voluntary, explicit and informed, and separate consent is required for processing sensitive personal information, providing personal information to another handler, disclosing it publicly, and transferring it outside China. Organizations that cannot point to a valid basis for each activity face significant penalties.

Transparency and notice. Data subjects must receive clear, accessible information about what data is collected, how it is used, and their rights regarding their personal information. This includes providing privacy notices that are easy to understand and readily available, ensuring that individuals are informed about their data processing activities.

Data minimization and purpose limitation. Organizations are required to limit data collection to what is necessary for the specified purpose. This principle mandates that organizations only collect personal information that is relevant and adequate for their intended processing activities, thereby reducing the risk of over-collection and misuse of data.

Data security measures. Both laws mandate appropriate technical and organizational measures. The PIPL specifically lists internal management systems and operating procedures, classified management of personal information, encryption and de-identification, access controls and staff training, and security incident response plans. The DSL requires a data security management system covering the whole data lifecycle, with risk monitoring and prompt remediation of vulnerabilities. When personal information is leaked, tampered with or lost, or that is likely to happen, the PIPL requires the handler to take immediate remedial measures and to notify the competent authority and the affected individuals, the latter unless the remedial measures effectively prevent harm.

Cross-border data transfers. Transferring personal information outside China is governed primarily by the PIPL, which requires the individual to be informed of the recipient and to give separate consent, a personal information protection impact assessment to be completed, and one of three transfer mechanisms to be used: a security assessment by the CAC, certification by a CAC-accredited body, or the CAC standard contract. Critical information infrastructure operators and handlers whose processing volume exceeds CAC thresholds must store personal information collected in China domestically and pass a CAC security assessment before exporting it. The DSL layers on further restrictions: exports of important data by critical information infrastructure operators follow the CSL regime, exports by everyone else follow CAC-issued rules, and no organization may provide data stored in China to a foreign judicial or law enforcement body without approval from the competent Chinese authority. These requirements are critical for global organizations that consolidate data from Chinese operations in systems hosted abroad.

Data subject rights. Under the PIPL, individuals have the right to know about and decide on the processing of their personal information, to restrict or refuse it, to access and copy their data, to have it transferred to another handler where the CAC's conditions are met, to correct or supplement it, to have it deleted, to withdraw consent, and to request an explanation of the processing rules. Organizations must establish processes that let individuals exercise these rights conveniently and respond in a timely manner; a refusal must be explained, and the individual may challenge it in court.

Accountability and governance. Governance obligations scale with risk. Under the PIPL, handlers whose processing volume reaches CAC-set thresholds must appoint a person in charge of personal information protection and publish that person's contact details, and handlers outside China must designate a representative in China. Under the DSL, handlers of important data must designate a data security officer and a management body. Regardless of thresholds, every handler must conduct regular compliance audits of its processing. The individuals in these roles should be well-versed in data protection law and practice and have the authority to ensure the organization meets its obligations.

Penalties and Enforcement

The enforcement of the PIPL and DSL is stringent. Maximum penalties. For serious violations of the PIPL, an organization can be fined up to RMB 50 million or 5% of its previous year's turnover, may be ordered to suspend business or have its licenses revoked, and the individuals directly responsible can be fined up to RMB 1 million and barred from serving as directors, supervisors, senior managers or personal information protection officers. DSL fines are lower but still material: up to RMB 10 million for serious breaches of data security obligations or unlawful export of important data, including violations involving national core data, with criminal liability where a violation constitutes a crime. This financial and personal exposure underscores the importance of robust compliance programs.

Enforcement authority. The Cyberspace Administration of China (CAC) is responsible for overall planning and coordination of personal information protection and for coordinating network data security, and it is the regulator that conducts security assessments for cross-border transfers. Enforcement is shared, however: the relevant departments of the State Council, sector regulators such as MIIT and the financial regulators, and the public security and state security organs each supervise data security within their remit. These bodies can conduct investigations, impose fines, and order rectification, suspension of business or shutdown of services.

Reputational damage. Beyond financial penalties, non-compliance can lead to reputational harm, loss of customer trust, and potential business disruptions. Organizations must recognize that maintaining compliance is not only a legal obligation but also a critical aspect of sustaining their business operations.

Building a Defensible Compliance Program

To effectively navigate the complexities of the PIPL and DSL, organizations should establish a comprehensive compliance program. The following steps can guide this process:

  1. Conduct a data inventory to identify what personal information is collected, processed, and stored, and classify the data by sensitivity, flagging sensitive personal information under the PIPL and any data that regional or sector catalogs designate as important data under the DSL.

  2. Assess existing data processing activities against the requirements of the PIPL and DSL.

  3. Develop and implement data protection policies that reflect the organization’s commitment to compliance.

  4. Train employees on data protection principles and the organization’s specific obligations under the PIPL and DSL.

  5. Establish processes for handling data subject requests and ensuring individuals can exercise their rights.

  6. Implement technical and organizational measures to safeguard personal information.

  7. Monitor compliance continuously and conduct regular audits to identify and address potential gaps.

  8. Engage with legal and compliance experts to stay informed about regulatory changes and best practices.

Practical Implementation Priorities

Organizations must prioritize specific actions to ensure compliance with the PIPL and DSL.

Risk assessment and management. Conducting a thorough risk assessment is essential to identify potential vulnerabilities in data processing activities. Organizations should implement risk management strategies to mitigate identified risks and ensure ongoing compliance.

Impact assessments. The PIPL requires a personal information protection impact assessment (its analogue of a DPIA) before processing sensitive personal information, using personal information for automated decision-making, entrusting processing to or sharing data with another handler, publicly disclosing it, transferring it outside China, or carrying out any other processing with a major impact on individuals. The assessment must cover the lawfulness, necessity and proportionality of the purpose and method, the risks to individuals, and the adequacy of the protective measures. Separately, the DSL requires handlers of important data to carry out periodic risk assessments and submit reports to the competent authority. Findings and the measures adopted in response should be documented.

Documentation and record-keeping. Maintaining comprehensive records of data processing activities is vital for demonstrating compliance. Organizations should document their processing activities, including the legal basis for each, data retention periods, recipients, and the security measures in place. Impact assessment reports and records of the measures taken in response must be retained for at least three years, and records supporting cross-border transfers should be kept ready for regulatory inspection.

Engagement with stakeholders. Organizations should engage with stakeholders, including customers, employees, and regulators, to foster a culture of privacy and compliance. Open communication can help build trust and ensure that all parties understand their rights and obligations under the PIPL and DSL.

Regular training and awareness programs. Continuous training for employees on data protection principles and compliance obligations is essential. Organizations should implement regular training sessions to keep staff informed about changes in regulations and best practices.

Run a Free Privacy Scan

Before building a compliance program, an automated scan of your public-facing properties identifies the gaps that carry the most immediate regulatory risk — undisclosed trackers, consent mechanism failures, data sharing without adequate notice, and policy misalignments. BD Emerson’s privacy scanner produces a detailed findings report against PIPL / China DSL requirements within minutes.

Run your free scan or speak with a privacy expert to discuss your compliance obligations under PIPL / China DSL and build a prioritized remediation plan.

Regulatory Crosswalk

Organizations subject to this regulation often operate under these overlapping frameworks: PIPL, China CSL, GDPR. BD Emerson maps controls across frameworks to reduce duplicated compliance effort.


Evaluate your compliance posture now

BD Emerson's automated scanner audits your public-facing properties against your applicable regulations in minutes, not weeks.