China: Comprehensive personal information protection regime established

In brief

On 20 August 2021, the Standing Committee of the National People’s Congress passed the Personal Information Protection Law of the PRC (PIPL), after deliberating two draft versions and seeking public comment over a ten-month span. The passage of the PIPL signifies that China is moving to a more robust and comprehensive personal information protection regime by establishing unified, cross-sector legislation, as the EU has done with the General Data Protection Regulation (GDPR).


The PIPL, in general, establishes a regime similar to the GDPR, although the requirements may not be entirely the same, with the PIPL imposing stricter requirements in some areas. For instance, the PIPL imposes heightened requirements in terms of details to be disclosed to individuals for processing of sensitive personal information and cross-border provision of personal information (pursuant to the PIPL, the name and contact details of each and every foreign recipient must be disclosed), and requires separate consent from individuals to the same. Also, the PIPL mandates controllers to conduct security impact assessments under a number of processing scenarios. Further, the PIPL imposes a data localization requirement on operators of critical information infrastructure and controllers that process an over-the-threshold volume of personal information (the threshold will likely be set at one million personal information subjects). In addition, the PIPL exerts more rigid control over cross-border data transfers.

Being GDPR-compliant does not guarantee being PIPL-compliant. Companies are advised to take action as soon as practically feasible to ensure that their China-related privacy practices comply with the requirements prescribed under the PIPL, as the PIPL will take effect on 1 November 2021. We recommend that companies:

  • Develop a data governance framework and an in-house data compliance program.
  • Conduct data mapping and a data inventory check, system profiling, and security risk identification and profiling.
  • Review and update existing privacy notices that apply to Chinese residents by measuring against the requirements (especially taking into account the heightened notification and separate consent requirements) under the PIPL.
  • Develop and update internal policies, protocols, standard operating procedures, and response mechanisms for the protection of personal information, including, among others, conducting security impact assessments and establishing a channel for responding to requests from personal information subjects.
  • Review and prepare for data localization to the extent applicable.
  • Review and prepare for cross-border data transfers, restrictions and formalities.
  • Maintain and document appropriate contractual, technical, organizational and physical privacy and security measures for China, including the performance of due diligence of vendors, the management of vendor agreements, the monitoring of vendor compliance, and the administration of regular data privacy and security training for personnel.

With the enactment of the PIPL, the Chinese legislature has promulgated all of the "Three Horse Carriages" for data protection and cybersecurity regimes of the new age, namely: (i) the Cybersecurity Law of the PRC, governing the construction, operation, maintenance, use and security of (cyber) networks in the PRC territory; (ii) the Data Security Law of the PRC, principally dealing with data security, governance and trading, with a focus on data other than personal information; and (iii) the PIPL, which regulates personal information and related matters. Going forward, cybersecurity, non-personally-identifiable data and personal information will be regulated separately under these three principal laws.


* * * * *


Baker & McKenzie FenXun (FTZ) Joint Operation Office is a joint operation between Baker & McKenzie LLP, an Illinois limited liability partnership, and FenXun Partners, a Chinese law firm. The Joint Operation has been approved by the Shanghai Justice Bureau. In accordance with the common terminology used in professional service organisations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

This client alert has been prepared for clients and professional associates of Baker & McKenzie FenXun (FTZ) Joint Operation Office. Whilst every effort has been made to ensure accuracy, this client alert is not an exhaustive treatment of the area of law discussed and no responsibility for any loss occasioned to any person acting or refraining from action as a result of material in this presentation is accepted by Baker & McKenzie FenXun (FTZ) Joint Operation Office.


Copyright © 2024 Baker & McKenzie. All rights reserved.