Skip to content
Longterm Wiki
Back

PIPL (Personal Information Protection Law)

web
pro.bloomberglaw.com·pro.bloomberglaw.com/insights/privacy/china-personal-info...

Relevant to AI governance discussions around data privacy regulations that AI systems must comply with when processing personal data of Chinese residents; provides context for international regulatory landscape AI developers must navigate.

Metadata

Importance: 28/100guidance documentreference

Summary

A comprehensive FAQ overview of China's Personal Information Protection Law (PIPL), which took effect November 1, 2021, covering its scope, definitions, compliance requirements, and how it compares to GDPR. The law establishes national-level personal data protection rules with extraterritorial reach, sensitive data categories, and individual rights.

Key Points

  • PIPL is China's first comprehensive national personal information protection law, effective Nov. 1, 2021, with extraterritorial reach similar to GDPR.
  • Defines sensitive personal information (SPI) broadly, including biometrics, health, financial, location data, and all data on minors under 14.
  • Processing SPI requires specific purpose, necessity, stricter protections, and separate (sometimes written) consent.
  • Applies to foreign entities processing data of PRC residents for product/service provision or behavioral analysis.
  • Grants data subjects rights of access, correction, deletion, and portability, with special provisions for deceased individuals' next of kin.

Cited by 1 page

PageTypeQuality
China AI Regulatory FrameworkPolicy57.0

Cached Content Preview

HTTP 200Fetched Mar 20, 202620 KB
- [Privacy](https://pro.bloomberglaw.com/insights/privacy/)

# China’s Personal Information Protection Law (PIPL)

April 12, 2022

_Contributed by [Ken (Jianmin) Dai](https://www.dentons.com/en/jianmin-dai) and [Jet (Zhisong) Deng, Dentons](https://www.dentons.com/en/zhisong-deng)_

As governments around the world continue to enact various [consumer data privacy laws](https://pro.bloomberglaw.com/consumer-data-privacy-laws/), privacy and data security practitioners need to understand key legal and regulatory differences among the laws and stay on top of international compliance requirements. Below is an overview of the most frequently asked questions about China’s Personal Information Protection Law (PIPL), including how to comply and how the law differs from other major privacy and data security laws.

## What is the PIPL?

China’s PIPL, adopted on Aug. 20, 2021, at the 30th Session of the Standing Committee of the 13th National People’s Congress, is the first national-level law comprehensively regulating issues in relation to personal information protection.

## When did the PIPL take effect?

The PIPL entered into force as of Nov. 1, 2021.

## What is personal information (PI)?

Personal information is defined as any kind of information, electronically or otherwise recorded, related to an identified or identifiable natural person within the People’s Republic of China (PRC). PI excludes anonymized information that cannot be used to identify a specific natural person and is not reversible after anonymization. PIPL Art. 4.

### What does the processing (or handling) of PI mean?

Processing (sometimes translated as “handling”) includes the collection, storage, use, alteration, transmission, provision, disclosure, deletion, etc. of PI. PIPL Art. 4.

## What is sensitive personal information (SPI)?

The PIPL defines SPI as PI that, if disclosed or illegally used, may cause harm to the security or dignity of natural persons. SPI includes information on biometric characteristics, religious beliefs, specific identity, medical health, financial accounts, individual location tracking, etc. Moreover, any PI of a minor under the age of 14 is regarded as SPI. PIPL Art. 28.

### Is SPI treated differently from PI?

Yes. Processing SPI requires a specific purpose, sufficient necessity, and stricter protective measures. Separate consent is also required, and written consent may be needed if provided by other laws and regulations. PIPL Art. 29.

In addition, PI handlers must inform individuals of the necessity of processing SPI and the impact of processing SPI on their rights and interests. PIPL Art. 30.

In the case of a minor, the parent or other guardian’s separate consent must be obtained before processing. PIPL Art. 31.

## What is the territorial scope of the PIPL?

The PIPL applies to PI processing activities within the PRC. Similar to the General Data Protection Regulation (GDPR), the PIPL has extraterritorial reach. Any processing of PI outside China w

... (truncated, 20 KB total)
Resource ID: 6d4a8e0fdd292de2 | Stable ID: NTM4NzcyYj