China's New Data Privacy Law: PIPL (Personal Information Protection Law)

China is preparing to implement the Personal Information Protection Law (PIPL), a landmark piece of legislation designed to curb personal data leakage and formalize privacy rights. While inspired by international standards like the GDPR, the PIPL introduces unique requirements that will significantly impact how global organizations handle Chinese citizens' data.

The Personal Information Protection Law (PIPL) is no longer just a draft—it has been the law of the land in China since November 1, 2021.

As of April 2026, the PIPL, alongside the Data Security Law (DSL) and the newly amended Cybersecurity Law (CSL) (effective January 1, 2026), forms the "three pillars" of China's data governance regime. For organizations operating globally, staying compliant requires an understanding of how these laws have matured and how new 2026 regulations specifically impact cross-border data transfers.

PIPL Overview: The "Chinese GDPR"

The PIPL is broadly comparable to the EU's GDPR but contains unique requirements regarding national security and data localization.

  • Extraterritorial Reach: Like the GDPR, the PIPL applies to entities outside of China if they process the data of natural persons within China to provide products/services or analyze their behavior.
  • Separate Consent: One of the most stringent aspects of the PIPL is the requirement for "separate consent" for specific activities, such as transferring data abroad, processing sensitive information, or disclosing data to other processors.
  • Sensitive Personal Information: This is defined strictly and includes biometrics, religious beliefs, specific identities, medical health, financial accounts, and the personal information of minors under 14.

New for 2026: Cross-Border Transfer Certification

A major update for companies in 2026 is the formal implementation of the Measures on Certification for Cross-Border Transfer of Personal Information, which took effect on January 1, 2026.

  • The Certification Pathway: Organizations can now use third-party certification as a legal "green light" to transfer data out of China. This is an alternative to the standard contract clauses (SCCs) or the mandatory security assessment by the Cyberspace Administration of China (CAC).
  • Validity: Once obtained, the certification is valid for three years.
  • Impact Assessment (PIA): Before applying for certification or using SCCs, a Personal Information Protection Impact Assessment is mandatory. It must evaluate the necessity of the transfer and the risks to national security or public interest.

Enforcement and Penalties in 2026

With the 2026 amendments to the Cybersecurity Law, the "warning first" grace period has largely been eliminated. Regulators now have the authority to issue immediate fines for violations.

Penalty Type            Limit / Detail
Corporate Fines         Up to RMB 50 million or 5% of annual turnover from the previous year.
Individual Fines        Directly responsible personnel can face personal fines up to RMB 1 million.
Operational Sanctions   Suspension of business activities, revocation of licenses, or blacklisting of overseas entities.

[Image showing a comparison of GDPR vs PIPL penalty structures]

Next Steps for Your Business

If you handle the personal information of China-based individuals, you must ensure your data inventory and consent mechanisms are fully aligned with the 2026 updated standards:

  1. Audit Data Localization: Determine if your data volume triggers "mandatory localization" (typically for Critical Information Infrastructure Operators or those processing large-scale data).
  2. Update Consent Flow: Ensure you are obtaining "separate consent" for cross-border transfers rather than relying on a general privacy policy.
  3. Evaluate 2026 Certification: If your organization regularly transfers data, evaluate whether the new PIP Certification is a more efficient long-term strategy than filing individual SCCs.

Has your organization already conducted a Personal Information Protection Impact Assessment (PIA) for its current data flows in and out of China?