PIPL China: How to Prepare for China’s New Data Protection Law


China’s new data protection law regulates how companies must handle personal data. Failure to comply can lead to penalties. Companies must act now and implement the new rules.

The Personal Information Protection Law (PIPL) came into effect on 1 November 2021. Together with the PIPL, three laws now form the framework for data protection in China:

  • Cyber Security Law (2017)
  • Data Security Law (September 2021)
  • Personal Information Protection Law (1 November 2021)

What are the Possible Penalties?

The PIPL regulates the protection of personal data, for example how consent is to be obtained and how transparent data processing must be. Those who break the law can be fined up to RMB 50 million (approx. USD 8 million). In serious cases, there is even a risk of a business ban and criminal prosecution, explains the Ecovis expert. Individuals responsible for data protection can be fined up to RMB 1 million (approx. USD 160,000).

The Chinese data protection law has its drawbacks. We can support you in the correct implementation.

Richard Hoffmann, Lawyer, Ecovis Heidelberg, Germany

Foreign Companies are also Affected

It gets tricky for foreign companies if they transfer personal data from China to other countries. Companies must ensure that the handling of data abroad complies with both the PIPL regulations and the foreign data protection law. They must also designate those responsible for data protection. It is particularly important to note that personal data must be stored in China if it exceeds a certain (and as yet undefined) amount.

The law affects the data of all Chinese people. Therefore, it also affects companies outside of China that process this data. It is still unclear which data the law defines as “important”. Companies must submit such data to a further security check before it can be transmitted.

What Companies Should Do Now

  1. Designate a person responsible for the handling of personal data. It is imperative that companies abroad find good representation in China.
  2. Revise measures for the protection of personal data, adapt them to the PIPL and keep them up to date.
  3. Depending on the size of the company, the use of the data and the available resources, consider which is more suitable: transferring the data or storing it locally.

For further information please contact:

Richard Hoffmann, Lawyer, Ecovis Heidelberg, Germany
Email: richard.hoffmann@ecovis.com