Go Back
Blog

China's New Data Privacy Law: PIPL (Personal Information Protection Law)

China is preparing to implement the Personal Information Protection Law (PIPL), a landmark piece of legislation designed to curb personal data leakage and formalize privacy rights. While inspired by international standards like the GDPR, the PIPL introduces unique requirements that will significantly impact how global organizations handle Chinese citizens' data.

China is preparing to implement the Personal Information Protection Law (PIPL), a landmark piece of legislation designed to curb personal data leakage and formalize privacy rights. While inspired by international standards like the GDPR, the PIPL introduces unique requirements that will significantly impact how global organizations handle Chinese citizens' data.

The Basics of PIPL

The first draft was submitted to the National People's Congress on October 13, 2020. While an official effective date is pending, industry experts anticipate it could be enacted as early as the start of 2022.

The law establishes a comprehensive framework covering:

  • Civil, Administrative, and Criminal Rules: Providing a multi-layered enforcement approach.
  • Extraterritorial Reach: Like the GDPR, the PIPL applies to data processing activities outside of China if the data belongs to individuals within China.

Scope of Application

Under Article 3 of the draft, the PIPL applies to any organization or individual (regardless of location) processing personal information for:

  • Providing products or services to individuals in China.
  • Analyzing or assessing the behavior of individuals in China.
  • Other specific situations defined by Chinese laws and regulations.

Anticipated Impact on Organizations

Organizations should prepare for a more rigorous regulatory environment, including:

  • Strict Data Localization: Mandatory requirements to store certain datasets within China’s borders.
  • Data Transfer Restrictions: More stringent hurdles for moving personal information out of the country.
  • Mandatory Security Controls: Heightened requirements for technical safeguards.
  • Increased Penalties: Significant fines and penalties for organizations found in violation of the law.

[Image showing a global map with data flow lines highlighting China's borders and the concept of data residency]

Are You Ready?

The PIPL marks a shift toward a more "international" style of data protection in China. Organizations must evaluate their current data processing maps and partner networks to ensure they can support these looming changes.

Redefining how your business manages data risk.
Get Started
Mitigating enterprise data risk.
ResourcesBlogPodcastCase StudiesWhitepapers
ProductseDiscoveryDigital ForensicsData GovernancePlatform & Intelligence
IndustriesFinancial Services & InsuranceHealthcare & Life SciencesEnergy & UtilitiesGovernment & Public Sector
CompanyNews & PressCareersTrust CenterContact Us
© 2026 Exterro. All rights reserved
Trust CenterModern Slavery StatementPrivacy PolicyWebsite Terms of Use
Do Not Sell or Share My Personal Information