PIPL (China Personal Information Protection Law)
China's comprehensive personal information protection law, effective November 2021, establishing GDPR-comparable rights with unique extraterritorial reach and state data access provisions.
The Personal Information Protection Law of the People's Republic of China (PIPL, 个人信息保护法), effective November 1, 2021, is China's first comprehensive personal information protection statute. It applies to any organization that processes personal information of natural persons within China (Article 3(1)), and extraterritorially to overseas processors that process Chinese individuals' personal information for the purpose of providing products or services to Chinese individuals, or for analyzing or assessing the behavior of Chinese individuals (Article 3(2)). Organizations subject to PIPL extraterritorially must designate a representative in China and register with the competent cyberspace authority. PIPL defines "personal information" as any information related to an identified or identifiable natural person, and "sensitive personal information" (Article 28) as a special category requiring additional safeguards, including biometrics, medical health data, financial accounts, location tracking, and personal information of minors under 14.
PIPL's engineering requirements are broadly analogous to GDPR but with China-specific nuances. Chapter III (Rules for Personal Information Processing) requires: a lawful basis for processing (consent, contract necessity, legal obligation, vital interest, public interest, or legitimate interest with limitations); separate and explicit consent for sensitive personal information; a privacy notice satisfying Article 17 disclosure requirements before collection; purpose limitation; data minimization; and retention limitation. The automated decision-making rules (Article 24) require that automated decisions be transparent and fair, prohibit unreasonable differential treatment in pricing and service delivery, and require an opt-out mechanism for targeted advertising based on individual characteristics. Article 51 requires "necessary measures" including classification, encryption, de-identification, and access controls — operationally similar to GDPR Article 32's security obligations.
Cross-border data transfer under PIPL (Articles 38–43) is significantly more restrictive than under the GDPR. Before transferring personal information outside China, controllers must satisfy one of the following: passing a security assessment by the Cyberspace Administration of China (CAC), which is mandatory for Critical Information Infrastructure (CII) operators and for organizations transferring data above volume thresholds; obtaining a personal information protection certification from a qualified institution; executing the Standard Contracts published by the CAC (effective June 2023); or meeting other conditions specified by law. The CAC Measures on Security Assessment for Cross-Border Data Transfers (effective September 2022) specify that a CAC assessment is mandatory for: any CII operator; organizations processing personal information of >1 million individuals; cumulative export of personal information of >100,000 individuals since January 1 of the previous year; or cumulative export of sensitive personal information of >10,000 individuals. Standard Contracts require a Personal Information Protection Impact Assessment (PIPIA) and annual compliance reviews.
We architect PIPL compliance programs for organizations with China operations or Chinese user bases, including data classification for sensitive personal information categories, lawful basis documentation aligned to PIPL Chapter III, automated decision-making transparency controls, and cross-border transfer pathway analysis against CAC volume thresholds and security assessment requirements. We implement PIPIA processes for Standard Contract transfers and support CAC security assessment preparation.