A New Era: The Personal Information Protection Law of the People’s Republic of China
Introduction
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74. Although the Cybersecurity Law and Data Security Law have had an important role in cybersecurity and data protection in China, the PIPL aims to provide more comprehensive protection for personal information and establishes core principles on handling information.
The PIPL follows a structure similar to that of the EU General Data Protection Regulation (“GDPR”), which also regulates data protection and privacy. Through it, China has established a legal framework that will affect companies operating both inside and outside of China. Due to the extra-territorial effect of the law, Chinese companies operating in China, as well as foreign companies, will have to reconsider their data processing activities and their compliance practices. This Newsletter focuses on the material provisions established under the PIPL and on what to expect from the new era of data security.
Introduction to the PIPL
The PIPL consists of eight chapters, covering general provisions of personal information, rules of information handling, cross-border information handling, duties of handlers, duties and responsibilities of relevant authorities, and legal liability. The PIPL, similar to the GDPR, sets forth main principles of data protection and aims to provide protection for individuals, set forth rules of processing information and, lastly, establish the rational use of information. Therefore, companies who process data in compliance with the GDPR can presume that their data processing activities will be in line with the PIPL to a certain extent. Despite the PIPL not being as detailed as the GDPR, its extra-territorial effect, strict data localization approach and constraints on data exportation stand out.
In a manner similar to the GDPR, as well as to the Turkish Law on Protection of Personal Data numbered 6698 (“LPPD”), the PIPL requires data handlers to have a legal basis for processing data, such as the consent of the individuals. However, the PIPL does not include “legitimate interests” pursued by the data handlers as a legal basis to process data. Like the GDPR and the LPPD, the PIPL also envisages a notification duty for data breaches, as well as obligations for risk assessment and data security. Lastly, the PIPL assigns individuals rights similar to those under the GDPR and the LPPD.
Scope of Application
Pursuant to Article 3, the PIPL applies to the activities of handling personal information of natural persons within the borders of China. The PIPL also applies to handling activities that take place outside of China but concern the personal information of natural persons within China, where one of the circumstances below is present:
- In case the purpose is to provide products or services to natural persons inside China;
- In case the purpose is to analyze or assess activities of natural persons inside China;
- Other circumstances provided in laws or administrative regulations.[1]
As noted above, Article 3 of the PIPL extends its scope of application outside of China. Therefore, companies handling personal information of individuals in China will be subject to the PIPL regardless of whether they have a presence there. In this regard, Turkish companies may be required to operate in compliance with the PIPL where their handling activities concern individuals in China.
Personal Information, Sensitive Personal Information, and Handling under the PIPL
The PIPL defines personal information under Article 4 as “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.” Sensitive personal information, on the other hand, is defined under Article 28 as “personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security.” Additionally, processing of personal information is defined under Article 4 as “personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.”.[2]
Rules of Handling Personal Information
The PIPL also contains detailed provisions regarding consent and notification. The grounds for data handling are established under Article 13. Accordingly, handlers may only handle personal information if they meet one of the following conditions:
- “Obtaining individuals’ consent;
- Where necessary to conclude or fulfill a contract in which the individual is an interested party, or where necessary to conduct human resources management according to lawfully formulated labor rules and structures and lawfully concluded collective contracts;
- Where necessary to fulfill statutory duties and responsibilities or statutory obligations;
- Where necessary to respond to sudden public health incidents or protect natural persons’ lives and health, or the security of their property, under emergency conditions;
- Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest;
- When handling personal information disclosed by persons themselves or otherwise already lawfully disclosed, within a reasonable scope in accordance with the provisions of the PIPL;
- Other circumstances provided in laws and administrative regulations.”[3]
Pursuant to Article 14, where the handling of personal information is based on consent, such consent must be given voluntarily, with full knowledge and by explicit statement. Article 15, on the other hand, provides that individuals may rescind their consent, and handlers are required to offer individuals convenient ways to withdraw it. The PIPL also establishes a duty to inform individuals before handling their personal information under Article 17, as do the GDPR and the LPPD. Moreover, personal information handlers may not refuse to provide products or services where individuals do not consent. Personal information handlers may not disclose the personal information they handle; if they do, they have to obtain separate consent. If they handle sensitive personal information, the separate consent of the individual must be obtained under Article 29.
The PIPL also establishes important provisions for notification. Personal information handlers are obliged to notify individuals when they provide other handlers with the personal information under Article 23. Additionally, where personal information handlers provide personal information outside of the borders of China, they shall notify the individual in accordance with Article 39 and obtain individuals’ separate consent.
The PIPL also foresees rules for personal information handlers who engage with automated decision making, which is defined as using automatic analyses or assessment of personal behavior, habits, interests, hobbies, financial, health or other status through computer programs to make decisions. Accordingly, transparency, fairness and justice are key principles when engaging with automated decision making; unreasonably different treatment of individuals in trading conditions is prohibited.
Duties of Personal Information Handlers
Personal information handlers are obliged to adopt various measures established under Article 51. These include considering criteria such as the purpose for personal information handling, the methods of handling, personal information categories, and influence of these activities on the individuals’ rights and interests. They also have the obligation to notify relevant parties in case of any personal information leak, distortion, or loss under Article 57.
Pursuant to Article 52, personal information handlers that handle personal information exceeding a certain threshold shall appoint personal information protection officers. Foreign companies are also responsible for establishing an entity or appointing a representative in China to be held responsible for information they handle under Article 53.
Article 58 establishes certain obligations for important internet platforms having a considerable number of users and operating with complex business structures. Operating in accordance with the principles of openness, fairness, and justice is one of them.
Rules on Cross-Border Transfer
Personal information handlers seeking to provide information outside the borders of China have to fulfill the requirements established under Article 38. These include passing a security assessment, undergoing personal information protection certification, concluding a contract with the foreign receiving side and other conditions provided under laws or administrative regulations or by the State cybersecurity and informatization department.
Article 40 regulates critical information infrastructure operators and personal information handlers handling large amounts of personal information. Under this article, personal information handlers handling quantities to be determined by the State cybersecurity and informatization department will have to store the personal information collected and produced within the borders of China domestically. In other words, Article 40 is important for data localization: personal information handlers exceeding certain quantities of information are required to store that information only within China. Article 40 also requires that personal information handlers who need to provide such information abroad pass a security assessment.
Conclusion
Cross-border transfer of personal information is likely to be a hot topic for many companies. Many international companies will have to consider the requirements for cross-border transfers, and the obligations for obtaining consent and giving notification should also be closely monitored. The PIPL is of special importance due to its extra-territorial effect, and foreign companies have to pay attention and assess their risks. Companies are strongly advised to determine whether their activities fall within the scope of the PIPL. Identifying the categories of personal information handled and the thresholds met is also worthwhile, since additional duties may arise for personal information handlers subject to the PIPL. Where personal information reaches a certain quantity, cross-border transfer may not be possible, and handlers may be required to store personal information collected and produced within the borders of China domestically.
- [1] Creemers, Rogier / Webster, Graham, “Translation: Personal Information Protection Law of the People’s Republic of China – Effective Nov. 1, 2021”, DigiChina Project, Stanford University, https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/ (Date of Access: 23.02.2022). For an English translation of the PIPL, please refer to this source.
- [2] Creemers/Webster, ibid.
- [3] Creemers/Webster, ibid.