DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.

Personal Information Protection Law of the People's Republic of China.

中华人民共和国个人信息保护法

Promulgated by: Standing Committee of the National People’s Congress.
Document No.: Presidential Decree No. 91.
Adopted at the 30th Session of the Standing Committee of the 13th National People’s Congress on August 20, 2021.
Effective November 1, 2021.


Chapter 1 General Provisions

Article 1. This Law is enacted in accordance with the Constitution to protect the rights and interests of personal information, regulate the handling of personal information and promote the reasonable use of personal information.

Article 2. The personal information of a natural person shall be protected by law, and no organization or individual may infringe upon the personal information rights and interests of natural persons.

Article 3. This Law shall apply to the handling of the personal information of natural persons within the territory of the People’s Republic of China. This Law shall also apply to the handling, outside the territory of the People’s Republic of China, of the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:

(I) where the purpose is to provide domestic natural persons with products or services;

(II) where the activities of domestic natural persons are analyzed and evaluated; and

(III) other circumstances as prescribed by laws and administrative regulations.

Article 4. Personal information refers to all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information handled anonymously. The handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure and deletion, etc. of personal information.

Article 5. The handling of personal information shall follow the principles of lawfulness, legitimacy, necessity and good faith, and it is not allowed to handle personal information by misleading, fraud, coercion or otherwise.

Article 6. The handling of personal information shall be for a definite and reasonable purpose, be directly related to the purpose of handling and shall be conducted in a way that minimizes the impact on personal rights and interests. The collection of personal information shall be limited to the minimum scope for achieving the purpose of handling and it is not allowed to excessively collect personal information.

Article 7. The handling of personal information shall follow the principles of openness and transparency, make public the rules for handling personal information and expressly indicate the purpose, method and scope of such handling.

Article 8. The quality of personal information shall be ensured in the handling of personal information to avoid the adverse impact on personal rights and interests caused by inaccurate or incomplete personal information.

Article 9. A personal information handler shall be responsible for its handling of personal information and take necessary measures to ensure the security of the personal information handled.

Article 10. No organization or individual may illegally collect, use, process or transmit the personal information of others, illegally buy or sell, provide or make public the personal information of others, or engage in the handling of personal information that endangers the national security or public interests.

Article 11. The State establishes a sound personal information protection system, prevents and punishes the infringement upon personal information rights and interests, strengthens the publicity and education on personal information protection, and promotes the formation of a good environment in which the government, enterprises, relevant social organizations and the public jointly participate in personal information protection.

Article 12. The State actively participates in the development of international rules for personal information protection, promotes the international exchange and cooperation in personal information protection, and promotes the mutual recognition of the rules and standards for personal information protection with other countries, regions and international organizations.

Chapter 2 Rules for Handling Personal Information

Section 1 General Provisions

Article 13. Only under any of the following circumstances may a personal information handler handle personal information:

(I) where the consent of the individual concerned is obtained;

(II) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract concluded in accordance with the law;

(III) where it is necessary for the performance of statutory duties or statutory obligations;

(IV) where it is necessary for the response to a public health emergency or for the protection of the life, health and property safety of a natural person in an emergency;

(V) where such acts as news reporting and supervision by public opinions are carried out for the public interest, and the handling of personal information is within a reasonable scope;

(VI) where it is necessary to handle the personal information disclosed by the individual concerned or other personal information that has been legally disclosed within a reasonable scope in accordance with the provisions of this Law; and

(VII) other circumstances prescribed by laws and administrative regulations.

The handling of personal information shall be subject to the consent of the individual concerned in accordance with other relevant provisions of this Law; however, the consent of the individual concerned is not required under the circumstances set forth in Items (II) to (VII) of the preceding paragraph.

Article 14. Where the handling of personal information is based on the consent of the individual concerned, such consent shall be given by the individual concerned in a voluntary and explicit manner in the condition of full knowledge. Where laws and administrative regulations provide that the handling of personal information shall be subject to the separate consent or written consent of the individual concerned, such provisions shall prevail. Where the purpose or method of handling personal information or the type of personal information to be handled changes, the consent of the individual concerned shall be obtained again.

Article 15. Where the handling of personal information is based on the consent of the individual concerned, the individual is entitled to withdraw his/her consent. The personal information handler shall provide a convenient method for the individual to withdraw his/her consent. Withdrawal of consent by the individual concerned does not affect the validity of any personal information handling activity conducted based on the consent of the individual before such withdrawal.

Article 16. A personal information handler shall not refuse to provide products or services for an individual on the grounds that the individual does not agree to handle his/her personal information or withdraws his/her consent, unless the handling of personal information is necessary for providing products or services.

Article 17. Prior to the handling of an individual’s personal information, the personal information handler shall truthfully, accurately and completely inform the individual of the following matters in a conspicuous manner and in clear and understandable language:

(I) the title or name and contact information of the personal information handler;

(II) the purpose and method of handling personal information, and the type and retention period of the handled personal information;

(III) the method and procedure for the individual to exercise the rights provided for in this Law; and

(IV) other matters that shall be informed in accordance with the provisions of laws and administrative regulations.

Where any of the matters specified in the preceding paragraph is changed, the individual shall be notified of such change. Where a personal information handler informs individuals of the matters specified in the first Paragraph by formulating rules on handling personal information, such rules shall be open to the public for easy access and storage.

Article 18. A personal information handler is allowed not to inform the individual concerned of the matters prescribed in Paragraph 1 of the preceding article where laws or administrative regulations provide that such matters shall be kept confidential or need not be notified. Where it is unable to inform the individual concerned in a timely manner in an emergency for the purpose of protecting the life, health and property safety of natural persons, the personal information handler shall inform the individual in a timely manner after the emergency has been eliminated.

Article 19. Unless otherwise stipulated by laws and administrative regulations, the retention period of personal information shall be the minimum period necessary for achieving the purpose of handling.

Article 20. Where two or more personal information handlers jointly determine the purpose and method of handling personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual’s request to any of the personal information handlers to exercise the rights stipulated in this Law. Where personal information handlers jointly handle personal information and thereby infringe upon personal information rights and interests and cause damage, they shall bear joint and several liability in accordance with the law.

Article 21. Where a personal information handler entrusts others with the handling of personal information, it shall agree with the agent on the purpose, time limit and method of entrusted handling, the type of personal information and protection measures, as well as the rights and obligations of both parties, and supervise the personal information handling activities of the agent. The agent shall handle personal information as agreed and shall not handle personal information beyond the agreed purpose and method of handling; where the entrustment contract does not take effect, is invalid, or is revoked or terminated, the agent shall return the personal information to the personal information handler or delete it, and shall not retain it. Without the consent of the personal information handler, the agent shall not re-entrust others with the handling of personal information.

Article 22. Where a personal information handler needs to transfer personal information due to merger, division, dissolution or declaration of bankruptcy, etc., it shall inform the individual concerned of the name and contact information of the recipient. The recipient shall continue to fulfill its obligations as a personal information handler. Where the recipient changes the original purpose and method of handling, it shall obtain the consent of the individual concerned anew in accordance with this Law.

Article 23. Where a personal information handler provides other personal information handlers with the personal information of an individual it handles, it shall inform the individual of the name and contact information of the recipient, purpose and method of handling and type of personal information, and shall obtain the individual’s separate consent. The recipient shall handle personal information within the scope of the above purpose and method of handling and type of personal information. It shall obtain the consent of the individual anew in accordance with this Law in case of changes in the original purpose and method of handling.

Article 24. Where a personal information handler makes use of personal information to make automated decisions, it shall ensure the transparency of the decision-making and the fairness and impartiality of the results, and shall not impose unreasonable discriminatory treatment on individuals in respect of transaction prices and transaction conditions. Information pushing and commercial marketing to an individual through automated decision-making shall be accompanied by options that do not target the individual’s personal characteristics, or convenient ways of rejection shall be provided to the individual. Where a decision that has a significant impact on an individual’s rights and interests is made through automated decision-making, the individual shall have the right to require the personal information handler to provide an explanation and to reject a decision made by the personal information handler solely through automated decision-making.

Article 25. A personal information handler shall not make public the personal information of an individual it handles, except with the individual’s separate consent.

Article 26. Image-capturing and personal-identification equipment installed in public places shall be necessary for maintaining public security and comply with the relevant provisions of the State, and conspicuous prompting signs shall be set up. An individual’s personal image and personal identification information so collected may only be used for the purpose of maintaining public security and shall not be used for any other purpose, except with the individual’s separate consent.

Article 27. A personal information handler may, within a reasonable scope, handle the personal information that is disclosed by the individual concerned himself/herself or other personal information that has been legally publicized, unless the individual expressly refuses such handling. A personal information handler shall obtain the consent of an individual in accordance with the provisions of this Law if the handling of the individual’s disclosed personal information has a major impact on the rights and interests of the individual.

Section 2 Rules for Handling Sensitive Personal Information

Article 28. Sensitive personal information refers to personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial accounts and whereabouts and tracks, as well as the personal information of minors under the age of 14. Only where there is a specific purpose and sufficient necessity, and strict protection measures have been taken, may a personal information handler handle sensitive personal information.

Article 29. The handling of sensitive personal information of an individual shall be subject to the individual’s separate consent; where laws and administrative regulations provide that the handling of sensitive personal information shall be subject to the written consent, such provisions shall prevail.

Article 30. For the sensitive personal information of an individual, the personal information handler shall, in addition to the matters specified in Paragraph 1 of Article 17 hereof, inform the individual of the necessity of handling his/her sensitive personal information and the impact on his/her personal rights and interests, except for the circumstances that may be exempted from informing the individual of such information in accordance with this Law.

Article 31. To handle the personal information of a minor under the age of 14, a personal information handler shall obtain the consent of the minor’s parents or other guardians. To handle the personal information of minors under the age of 14, a personal information handler shall formulate specialized rules for handling personal information.

Article 32. Where laws and administrative regulations provide that the handling of sensitive personal information shall be subject to the relevant administrative license or other restrictions, such provisions shall prevail.

Section 3 Special Provisions on Handling Personal Information by State Organs

Article 33. This Law shall apply to the activities of a State organ to handle personal information; where there are special provisions in this Section, such provisions shall apply.

Article 34. A State organ shall handle personal information for the purpose of performing its statutory duties in accordance with the authority and procedures prescribed by laws and administrative regulations and shall not exceed the scope and limit necessary for the performance of its statutory duties.

Article 35. A State organ handling personal information for the purpose of performing its statutory duties shall perform its obligation of informing in accordance with this Law, except for the circumstances stipulated in Paragraph 1 of Article 18 hereof or where informing would hinder the State organ from performing its statutory duties.

Article 36. The personal information handled by a State organ shall be stored within the territory of the People’s Republic of China; where it is necessary to provide such information to an overseas party, a security evaluation shall be conducted. Relevant authorities may be required to provide support and assistance for the security evaluation.

Article 37. Where organizations with functions of administering public affairs as authorized by laws and regulations handle personal information for the purpose of performing their statutory duties, the provisions of this Law on handling personal information by State organs shall apply.

Chapter 3 Rules for Cross-border Provision of Personal Information

Article 38. Where a personal information handler genuinely needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall meet any of the following conditions:

(I) it shall pass the security evaluation organized by the Cyberspace Administration of China in accordance with the provisions of Article 40 hereof;

(II) it shall have been certified by a specialized agency for protection of personal information in accordance with the provisions of the Cyberspace Administration of China;

(III) it shall enter into a contract with the overseas recipient under the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties; and

(IV) it shall meet other conditions prescribed by laws, administrative regulations or the Cyberspace Administration of China.

Where the international treaties or agreements concluded or acceded to by the People’s Republic of China contain provisions on the conditions for provision of personal information outside the territory of the People’s Republic of China, such provisions may prevail.

The personal information handler shall take necessary measures to ensure that the activities of handling personal information by the overseas recipient meet the standards for protection of personal information as prescribed herein.

Article 39. To provide the personal information of an individual to an overseas recipient outside the territory of the People’s Republic of China, the personal information handler shall inform the individual of such matters as the name of the overseas recipient, contact information, purpose and method of handling, type of personal information and the method and procedure for the individual to exercise the rights stipulated herein against the overseas recipient, and shall obtain the individual’s separate consent.

Article 40. Critical information infrastructure operators and personal information handlers whose quantity of handling of personal information reaches that as prescribed by the Cyberspace Administration of China (“CAC”) shall store personal information collected and generated within the territory of the People’s Republic of China within the territory of the People’s Republic of China. Where it is necessary to provide such information and data to an overseas party, such provision shall pass the security evaluation organized by the CAC; where the laws, administrative regulations and the provisions of the CAC stipulate that security evaluation is not required, such stipulation shall prevail.

Article 41. The competent authorities of the People’s Republic of China shall, in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by the People’s Republic of China or under the principles of equality and mutual benefit, handle the requests made by foreign judicial or law enforcement authorities for providing the personal information stored within the territory of China. Without the approval of the competent authorities of the People’s Republic of China, no personal information handler may provide the personal information stored within the territory of the People’s Republic of China to foreign judicial or law enforcement authorities.

Article 42. Where an overseas organization or individual engages in the personal information handling activities infringing upon the personal information rights and interests of citizens of the People’s Republic of China or endangering the national security and public interests of the People’s Republic of China, the CAC may include such organization or individual in the list of subjects to whom provision of personal information is restricted or prohibited, announce the same, and take measures such as restricting or prohibiting provision of personal information to such organization or individual.

Article 43. Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People’s Republic of China in terms of protection of personal information, the People’s Republic of China may take reciprocal measures against such country or region as the case may be.

Chapter 4 Rights of Individuals in Activities of Handling Personal Information

Article 44. An individual has the right to know and make decisions on the handling of his/her personal information, and the right to restrict or refuse the handling of his/her personal information by others, unless otherwise provided for by laws and administrative regulations.

Article 45. An individual is entitled to consult or copy his/her personal information from a personal information handler, except for the circumstances stipulated in Paragraph 1 of Article 18 and Article 35 hereof. Where an individual requests to consult or copy his/her personal information, the personal information handler shall provide such information in a timely manner. Where an individual requests to transfer his/her personal information to a personal information handler designated by him/her, which meets the conditions stipulated by the CAC, the personal information handler shall provide a way for the transfer.

Article 46. Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information handler to make corrections or supplements. Where an individual requests corrections or supplements to his/her personal information, the personal information handler shall verify the information and make corrections or supplements to it in a timely manner.

Article 47. Under any of the following circumstances, a personal information handler shall take the initiative to delete personal information; if the personal information handler fails to delete such information, the individual concerned is entitled to request the deletion of such information:

(I) where the purpose of handling has been achieved, it is impossible to achieve such purpose, or it is no longer necessary to achieve such purpose;

(II) where the personal information handler ceases to provide products or services, or the storage period has expired;

(III) where the individual withdraws his/her consent;

(IV) where the personal information handler handles personal information in violation of laws, administrative regulations or the agreement; or

(V) other circumstances stipulated by laws and administrative regulations.

Where the storage period stipulated by laws and administrative regulations has not expired, or the deletion of personal information is technically difficult to realize, the personal information handler shall cease all handling other than storage and the taking of necessary security protection measures.

Article 48. Individuals are entitled to request a personal information handler to explain its handling rules for personal information.

Article 49. Where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as consulting, copying, correcting and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless otherwise arranged by the deceased prior to his/her death.

Article 50. A personal information handler shall establish a convenient mechanism for accepting and handling applications from individuals to exercise their rights. If an individual’s request for exercising his/her rights is rejected, the reasons shall be stated. Where the personal information handler refuses an individual’s request for exercising his/her rights, the individual may file a lawsuit with a people’s court in accordance with the law.

Chapter 5 Obligations of Personal Information Handlers

Article 51. A personal information handler shall, according to the purpose and method of handling personal information, the types of personal information, the impact on personal rights and interests and the possible security risks, take the following measures to ensure that personal information handling activities comply with the provisions of laws and administrative regulations and to prevent unauthorized access to, and divulgence, falsification or loss of, personal information:

(I) formulating internal management systems and operating procedures;

(II) implementing category-based management of personal information;

(III) taking corresponding technical security measures such as encryption and de-identification;

(IV) reasonably determining the authority to handle personal information and conducting security education and training for relevant employees on a regular basis;

(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and

(VI) other measures stipulated by laws and administrative regulations.

Article 52. Where the quantity of personal information handled reaches that specified by the CAC, the personal information handler shall designate a person in charge of personal information protection to be responsible for supervising the activities of handling of personal information and the adopted protection measures. The personal information handler shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the authorities performing duties of personal information protection.

Article 53. Any personal information handler outside the territory of the People’s Republic of China as prescribed in Paragraph 2 of Article 3 hereof shall establish a special agency or designate a representative within the territory of the People’s Republic of China to be responsible for handling matters relating to personal information protection, and submit the name and contact information of the relevant agency or the representative to the authorities performing duties of personal information protection.

Article 54. A personal information handler shall regularly conduct compliance audits on its handling of personal information in accordance with laws and administrative regulations.

Article 55. Under any of the following circumstances, a personal information handler shall conduct an impact assessment on personal information protection beforehand and keep a record of the handling:

(I) handling sensitive personal information;

(II) making use of personal information for automated decision-making;

(III) entrusting others to handle personal information, providing other personal information handlers with personal information and publicizing personal information;

(IV) providing personal information to overseas parties; or

(V) other personal information handling activities that have significant impact on personal rights and interests.

Article 56. An impact assessment on personal information protection shall include the following contents:

(I) whether the purpose and method of handling personal information are lawful, legitimate, and necessary;

(II) impact on personal rights and interests and security risks; and

(III) whether the protection measures taken are lawful, effective and commensurate with the degree of risk.

The report on the personal information protection impact assessment and the records of handling shall be kept for at least three years.

Article 57. Where personal information has been or may be divulged, tampered with or lost, the personal information handler shall immediately take remedial measures and notify the authorities performing duties of personal information protection and the individuals concerned. The notice shall include the following matters:

(I) the types of personal information that have been or may be involved in the divulgence, tampering or loss, the reasons therefor and the possible harm;

(II) the remedial measures taken by the personal information handler and the measures that can be taken by the individuals to mitigate harm; and

(III) the contact information of the personal information handler.

Where the personal information handler has taken measures that effectively avoid the harm caused by the divulgence, tampering or loss of information, the personal information handler may opt not to notify the individuals concerned; if the authorities performing duties of personal information protection believe that harm may be caused, they may require the personal information handler to notify the individuals concerned.

Article 58. Any personal information handler that provides important Internet platform services with a large number of users and complex business types shall perform the following obligations:

(I) establishing a sound compliance system for personal information protection in accordance with the provisions of the State and setting up an independent body, mainly composed of external members, to supervise personal information protection;

(II) following the principles of openness, fairness and impartiality, formulating platform rules specifying the standards for the handling of personal information by product or service providers on the platform and their obligations to protect personal information;

(III) ceasing to provide services to product or service providers on the platform that handle personal information in serious violation of laws and administrative regulations; and

(IV) regularly releasing social responsibility reports on personal information protection for social supervision.

Article 59. The agent that accepts the entrustment of a personal information handler to handle personal information shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information handled and assist the personal information handler to perform the obligations stipulated in this Law.

Chapter 6 Authorities Performing Duties of Personal Information Protection

Article 60. The CAC is responsible for coordinating the protection of personal information and relevant supervision and administration work. Relevant departments of the State Council are responsible for protecting, supervising and administering the protection of personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations. The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising and administering the protection of personal information shall be determined in accordance with relevant provisions of the State. The departments mentioned in the preceding two paragraphs are collectively referred to as the authorities performing duties of personal information protection.

Article 61. Authorities performing duties of personal information protection shall perform the following duties of personal information protection:

(I) carrying out publicity and education on personal information protection, and guiding and supervising personal information handlers to protect personal information;

(II) accepting and handling complaints and reports related to personal information protection;

(III) organizing the evaluation of applications and other organizations on the protection of personal information, and disclosing the evaluation results;

(IV) investigating and handling illegal personal information handling activities; and

(V) other duties stipulated by laws and administrative regulations.

Article 62. The CAC shall make overall planning and coordinate relevant authorities to promote the following work of personal information protection in accordance with this Law:

(I) formulating specific rules and standards for personal information protection;

(II) formulating specialized rules and standards for personal information protection for small personal information handlers, handling sensitive personal information and new technologies and applications such as face recognition and artificial intelligence;

(III) supporting the research, development and popularization of secure and convenient electronic identity authentication technologies, and promoting the development of public services for network identity authentication;

(IV) promoting the development of a socialized service system for personal information protection, and supporting relevant organizations in carrying out evaluation and authentication services on personal information protection; and

(V) improving the mechanism for complaints and whistleblowing reports on personal information protection.

Article 63. Authorities performing duties of personal information protection may take the following measures when performing such duties:

(I) inquiring the parties concerned and investigating the circumstances relating to personal information handling activities;

(II) consulting and copying contracts, records, account books and other relevant materials relating to personal information handling activities of the parties concerned;

(III) carrying out on-site inspection and investigation of personal information handling activities suspected of violating laws; and

(IV) checking the equipment and articles relating to personal information handling activities; the equipment and articles that are proved to be used for illegal personal information handling activities may be seized or detained upon written reports to and approval by the person chiefly in charge of the authority concerned.

The parties concerned shall provide assistance and cooperation in the performance of duties of personal information protection by the authorities concerned in accordance with the law and shall not refuse or obstruct such performance.

Article 64. Where authorities performing duties of personal information protection find in their performance of such duties that there are high risks in personal information handling activities or personal information security incidents have occurred, they may, according to prescribed authority and procedures, have an interview with the legal representative or person chiefly in charge of the personal information handler concerned, or require such handler to entrust a specialized agency to conduct a compliance audit on its personal information handling activities. The personal information handler shall take measures to make rectification and eliminate hidden dangers as required.

Where authorities performing duties of personal information protection find in their performance of such duties that illegal handling of personal information is suspected of constituting crimes, they shall timely refer the case to the public security authorities for handling in accordance with the law.

Article 65. Any organization or individual shall have the right to complain or report illegal personal information handling activities to the authorities performing duties of personal information protection. The said authorities receiving such complaints or reports shall timely handle them in accordance with the law and notify the complainants or reporters of the handling results. Authorities performing duties of personal information protection shall make public the contact information for accepting complaints or reports.

Chapter 7 Legal Liability

Article 66. In the event that personal information is handled in violation of the provisions of this Law, or that personal information is handled without performing the obligation of protecting personal information as stipulated in this Law, the authorities performing duties of personal information protection shall order the party concerned to make corrections, give a warning to it and confiscate its illegal gains. Any application that illegally handles personal information shall be ordered to suspend or terminate the provision of services; if it refuses to make corrections, a fine of not more than 1 million yuan shall be imposed on it concurrently; and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge and other directly liable persons.

For any illegal act specified in the preceding paragraph with serious circumstances, the authorities performing duties of personal information protection at or above the provincial level shall order the party concerned to make corrections, confiscate its illegal gains, and impose a fine of not more than 50 million yuan or not more than 5% of its turnover of the previous year on it, and may also order it to suspend relevant business or suspend business for rectification, and inform the relevant competent authorities to revoke the relevant business permit or business license; a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit the said persons from acting as directors, supervisors, senior executives and persons-in-charge of personal information protection of relevant enterprises within a certain period of time.

Article 67. Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of relevant laws and administrative regulations and shall be disclosed to the public.

Article 68. Where a State organ fails to perform its obligation of protecting personal information as stipulated in this Law, its superior organ or the authorities performing duties of personal information protection shall order it to make corrections, and impose sanctions on the person directly in charge and other directly liable persons in accordance with the law.

Where any staff member of the authorities performing duties of personal information protection neglects his/her duty, abuses his/her power, plays favoritism and commits irregularities, which does not constitute a crime, sanctions shall be imposed on him/her in accordance with the law.

Article 69. Where the handling of personal information infringes upon personal information rights and interests and causes damage, the personal information handler concerned shall bear liability for damages and other tort liabilities if it cannot prove that it is not at fault.

The liability for damages specified in the preceding paragraph shall be determined based on the losses thus suffered by the individual concerned or the benefits thus obtained by the personal information handler; if the losses thus suffered by the individual concerned or the benefits thus obtained by the personal information handler are difficult to determine, the amount of damages shall be determined in accordance with the actual circumstances.

Article 70. Where any personal information handler handles personal information in violation of this Law, which infringes upon the rights and interests of a large number of individuals, the People’s Procuratorate, the consumer organizations specified by law and the organizations determined by the CAC may bring a lawsuit to a people’s court in accordance with the law.

Article 71. Where any violation of the provisions hereof constitutes a violation of public security administration, a public security administrative punishment shall be imposed in accordance with the law; and if a crime is constituted, criminal liability shall be investigated in accordance with the law.

Chapter 8 Supplementary Provisions

Article 72. This Law shall not apply to the handling of personal information by a natural person for his or her personal or family affairs.

Where there are legal provisions on the handling of personal information in the statistical and archive administration organized and implemented by the people’s governments at all levels and the relevant departments thereof, such provisions shall apply.

Article 73. For the purposes of this Law, the following terms shall have the following meanings:

(I) “Personal information handler” refers to an organization or individual that independently determines the handling purpose and method in the handling of personal information.

(II) “Automatic decision-making” refers to the activities of automatically analyzing and evaluating an individual’s behavior habits, hobbies or economic, health or credit status through computer programs and making decisions.

(III) “De-identification” refers to the process in which personal information is handled so that it is impossible to identify certain natural persons without the aid of additional information.

(IV) “Anonymization” refers to the process in which personal information is handled so that it is impossible to identify certain natural persons and that it cannot be recovered.

Article 74. This Law shall come into force as of November 1, 2021.

§ COMMENTARY

Briefs on this law.

23 briefs reference this law.

  • § 01 · ANONYMIZATION

    Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime

    Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading.

    anonymization · personal-information · data-economy
  • § 02 · DATA-PROPERTY-RIGHTS

    The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework

    Xu Ke's highly-cited (255×) 政法论坛 article on the structure of data rights — the theoretical scaffolding that the Data 20 Articles' three-rights framework rests on. He maps the field's two warring paradigms (formalist 'empowerment' vs substantivist 'conduct regulation'), argues both fail alone, and integrates them via a 'reflexive law' approach. The payoff is a taxonomy of three possible rights structures — rights-ball, rights-bundle, rights-block — and the case that the 'data rights block' (数据权利块) best fits data's 'one principle, many manifestations' character. For overseas counsel, this is the conceptual map that explains why Chinese data rights are structured the way they are — and why Western property and IP analogies keep failing.

    data-property-rights · data-rights-theory · data-twenty
  • § 03 · DATA-ASSET

    When Does Data Become an Asset? Xu Ke on Identifying and Defining Data Assets

    Xu Ke (UIBE), writing for a practitioner audience, draws the line between data resource (国家视角, public/strategic) and data asset (市场主体视角, commercial), then between the broad sense (anything that creates value for the enterprise) and the narrow sense (meets the MOF accounting-standard test for on-balance-sheet recognition — owned/controlled, generates economic benefit, reliably measurable). He works the three-rights framework into operational boundaries by data type (personal / enterprise / government) and flags the practical questions overseas counsel face when a Chinese counterparty wants to put data on its balance sheet.

    data-asset · data-property-rights · data-on-balance-sheet
  • § 04 · ANONYMIZATION

    From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative

    The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.

    anonymization · personal-information · de-identification
  • § 05 · AI-GOVERNANCE

    Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy

    Zhu Xiaofeng (Central University of Finance and Economics Law School) takes on the GenAI causation black hole — when a personal-information harm clearly arises from a GenAI service but specific causation among model designer, model provider, model user, and data provider cannot be established, who pays? Zhu's structural answer: when conventional construction-element-analysis and Article 998 interest-balancing both fail (and they do), apply Civil Code Article 1254's 'unclear-causation' rule by analogy — the same rule used for falling-object-from-building cases. The doctrinal scaffolding: communication-safety theory, gain-and-risk allocation theory, causation proof + harm prevention. Critically: each potential injurer compensates the full damage; among themselves, allocation is proportional, with judges determining specific amounts case-by-case. Highly relevant for multinationals deploying GenAI in China — the proposed framework restructures the operating liability surface.

    ai-governance · genai · personal-information
  • § 06 · PERSONAL-INFORMATION

    Ai Lin — Why Platform Gig Workers Need PI-Protection Tilt and How to Build It

    Ai Lin (Jilin University Law School) takes on the under-attended question of personal-information protection for platform gig workers — the food-delivery couriers, ride-hail drivers, freight drivers, and 'internet marketers' who occupy China's new-employment-form category. The structural problem: PIPL's individual-consent baseline doesn't work in employment relations where the worker has no meaningful bargaining power against the platform's algorithmic management. Ai imports the alienated-labor framework from Marx and the 'scenario fairness' principle from contextual integrity to argue for a tilt-protection regime. Three operational responses: enhanced transparency + tiered PI safeguards; treating algorithmic rules as workplace regulations subject to collective bargaining; full-process regulatory accountability. Highly relevant for multinationals operating platform-gig models in China or contracting with Chinese platform workforces.

    personal-information · platform-economy · gig-economy
  • § 07 · DATA-ECONOMY

    Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework'

    Tang Linyao (Chinese Academy of Social Sciences) maps the regulatory gap for data-broker derivative harms — the harms that arise not from direct PI leakage but from the integration and aggregation activity that data brokers themselves perform. The analytical core: a vertical / horizontal data-relations framework that explains why existing PIPL-style protection (vertical-relationship-focused) systematically fails to address horizontal-relationship harms; and the 'abstract risk substantialization' doctrine borrowed from US precedent and EU GDPR to bring data-broker risk into ex-ante regulatory scope. Operationally, Tang proposes a 'Data Integration Analysis Framework' with concrete tiering (三高 / 双高 / 单高 / 三低) that translates academic doctrine into compliance-program-grade controls. Applied to a real Shenzhen Data Exchange listing as worked example.

    data-economy · data-broker · data-exchange
  • § 08 · DATA-PROPERTY-RIGHTS

    Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights

    Wang Nian (Tsinghua Law) takes on the unresolved fourth-right question in the Data 20 Articles framework: what is the data source's right (数据来源者权), and how does it relate to the three rights (hold/use/operate)? Drawing on the 'data symbiosis' (数据共生) framework from the ALI-ELI Data Economy Principles and the EU Data Act, Wang argues that pre-existing legal entitlements — privacy, PI rights, IP, trade secrets — cover only part of the source's interest, leaving a residual that needs an independent legal protection. He frames the data-source right as a 'fair use right' (公平使用权): a contractual-relationship right against the specific data processor, distinct from the property-style three rights, that captures the value contribution of the source's participation in data co-creation. The corporate-data-portability analog DCC flagged in our NDA brief gets its doctrinal foundation here.

    data-property-rights · data-twenty · data-source-rights
  • § 09 · ENFORCEMENT

    Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine

    In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.

    enforcement · samr · platform-liability
  • § 10 · AI-GOVERNANCE

    Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI

    Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.

    ai-governance · open-source · training-data
  • § 11 · ENFORCEMENT

    MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse

    MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.

    enforcement · miit · app-compliance
  • § 12 · DATA-PROPERTY-RIGHTS

    Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical

    NDA's official 政策解读 on the threshold question that every three-rights allocation depends on: who is the 'data processor' and who is the 'information subject'? NDA uses a farm-equipment hypothetical — a farm rents tractor, irrigation, and fertilizer equipment from three different vendors; cultivation data is captured in the process — to work through who collects, who decides processing purposes, and how the property-rights regime balances the data-processor's commercial interest against the information-subject's rights to access copies of relevant data. The piece sketches the basic information-subject vs. data-processor dichotomy that anchors the entire downstream data-element regime, and surfaces the access-to-data right (data portability for commercial entities) that overseas counsel often miss.

    data-property-rights · data-twenty · data-processor
  • § 13 · DATA-PROPERTY-RIGHTS

    Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights

    NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime.

    data-property-rights · data-twenty · entrusted-processing
  • § 14 · IMPORTANT-DATA

    'Important Data' Is a Category, Not a Tier

    Hong Yanqing argues the mainstream reading of Article 21 of the Data Security Law confuses enterprise asset-inventory language with state-level legal-interest protection — with real consequences for cross-border transfers, enforcement, and how PIPL and DSL stack.

    important-data · dsl · commentary
  • § 15 · FOREIGN-INVESTMENT-SECURITY-REVIEW

    Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export

    Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China.

    foreign-investment-security-review · manus · ai-agent
  • § 16 · CRIMINAL-LIABILITY

    When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold

    Hong Yanqing on the criminal-side analog to PIPL — when does mishandling personal information cross from administrative violation into the crime of 'infringing on citizens' personal information'? His critique: the two key elements ('relevant State provisions' and 'serious circumstances') are too loose, and courts have stretched them in ways that should worry compliance teams.

    criminal-liability · pipl · judicial-interpretation
  • § 17 · FACIAL-RECOGNITION

    When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework

    Hong Yanqing on how to operationalize PIPL Article 26's 'necessary for public security' principle for public-place video surveillance and facial recognition. His framework: a four-step necessity test, tiered risk regime with a published prohibited list, three-fold technical controls, and a lifecycle closure mechanism — drawing on EU AI Act and US state-level practice.

    facial-recognition · public-surveillance · pipl-article-26
  • § 18 · CSL

    China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed

    On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise.

    csl · csl-2025-amendment · ai-governance
  • § 19 · CROSS-BORDER

    Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense

    When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.

    cross-border · data-sovereignty · mlat
  • § 20 · PERSONAL-INFORMATION

    PIPO vs. DPO — How China's Personal Information Protection Officer Differs from the GDPR Data Protection Officer

    The Cyberspace Administration of China announced in July 2025 that personal-information processors handling data on 1 million or more individuals must submit Personal Information Protection Officer (PIPO) information to CAC. Compliance Talker's global legal policy research team contrasts China's PIPO regime under PIPL Article 52 with the GDPR's Data Protection Officer (DPO) framework under Articles 37–39. The most consequential difference: PIPO carries individual administrative liability — up to RMB 1 million in personal fines and industry bans — where DPO does not.

    personal-information · pipl · gdpr-comparison
  • § 21 · CROSS-BORDER

    Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet

    Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.

    cross-border · trusted-data-space · confidential-computing
  • § 22 · FACIAL-RECOGNITION

    Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers

    The Administrative Measures for the Application Security of Facial Recognition Technology took effect June 1, 2025. The May 2025 announcement on FRT filing implementation followed. Compliance Talker's global legal policy team walks through the seven specific compliance obligations the Measures impose — the non-exclusive-use rule, end-side storage default, 100k-individual filing threshold, separate-consent reinforcement, PIA mandate, and more — with practical implementation guidance on each. For overseas firms with any China-facing FRT deployment, this is the operational walkthrough.

    facial-recognition · frt-measures · sensitive-personal-information
  • § 23 · PUBLIC-DATA

    Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures.

    A real-case analysis from Wang Qinglan. A state-affiliated auction company holds the public-data operating right for vehicle license-plate auction data. A bank persuades it to hand over the personal data of winning bidders. The bank builds a targeted credit product and pays the auction company RMB 12 million a year in revenue share. Two compliance failures: (1) no individual consent under PIPL; (2) no credit reference business license under the Credit Reference Industry Regulation and Credit Reference Business Measures. Public-data authorized operation does not displace the credit reference licensing regime.

    public-data · credit-reference · authorized-operation