Data & Privacy · China
China operates a comprehensive, GDPR-influenced personal-data regime anchored by the Personal Information Protection Law (PIPL), which sets out legal bases for processing, individual rights, consent rules, and cross-border transfer mechanisms. It sits alongside two other 'pillar' laws: the Data Security Law (governing data classification and 'important data') and the Cybersecurity Law (CSL, governing network security and critical information infrastructure). The Cyberspace Administration of China (CAC) is the lead regulator, with enforcement intensifying in 2025-2026 through amended CSL penalties and new cross-border certification measures.
The PIPL, effective 1 November 2021, is China's dedicated, omnibus personal-data law establishing legal bases for processing, consent (including 'separate consent' for sensitive data and transfers), and individual rights such as access, correction, deletion, and portability.
The Cyberspace Administration of China (CAC) leads overall planning, coordination, and enforcement of personal-information protection, issuing implementing rules, conducting investigations, levying fines, and ordering suspension of non-compliant services; relevant ministries and county-level-and-above departments share sectoral supervision.
The PIPL (personal data) operates alongside the Data Security Law (data classification and 'important data' protection) and the Cybersecurity Law (network security and critical information infrastructure operators), forming China's integrated data-governance architecture.
Transfers of personal data abroad require one of three routes — a CAC security assessment, certification by an accredited body, or CAC standard contractual clauses — plus separate notice and consent; new Measures on Certification for Cross-Border Transfer of Personal Information took effect 1 January 2026.
Handlers must adopt internal management systems and technical security measures, conduct personal-information protection impact assessments for high-risk processing, and notify the supervisory authority and affected individuals of data breaches with remedial action.
Amendments to the Cybersecurity Law, effective 1 January 2026, raise the general administrative fine cap from RMB 1 million to RMB 10 million, broaden extraterritorial reach, and remove the prior-warning requirement, allowing immediate fines; the CAC's January 2026 PIPL Q&A signals a shift toward documentation and accountability enforcement.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.