The Personal Information Protection law  : China’s very own GDPR ?  

Partager sur facebook
Partager sur twitter
Partager sur linkedin
Partager sur email

Last Friday, China’s National People’s Congress passed a new law, the Personal Information Protection law (PIPL), that aims to protect user data privacy. The latter will be implemented as early as 1 November. As highlighted in a recent article published by Reuters, this law comes as another pillar to the data regulation ecosystem that is currently being elaborated and reinforced  in China[1].

Back in June, we discussed the upcoming implementation of the Data Security Law (September 1st). However, it is interesting to note that, while the DSL is more focused on assigning an economic value and relevance to data in order to define a degree of vigilance to be respected by companies, the PIPL is very much centered around the user who’s right is to be informed and protected.

A strong focus on user privacy

The law’s first article[2] sets the tone by clearly stating its objectives, namely :  “To protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information.”[3]. Note that the personal information processing activities include the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.

Here are, broadly, the key new elements introduced by this law[4] :

  • The handling of personal information must have a clear and relevant purpose that shall be limited to the “minimum scope necessary to achieve the goals of handling” data[5]. It must respect principles that are explicitly stated such as lawfulness, fairness, necessity, good faith, openness and transparency.
  • Individuals in charge of data and personal information protection (the equivalent of Data Protection Officers in Europe) must be designated and given the responsibility to ensure companies’ compliance with the law.
  • Companies must comply with conditions specifying how they can collect personal data and obtain an individual’s consent.
  • Finally, companies must follow guidelines for ensuring data protection when data is transferred outside the country[6].


A packed legislative agenda

Recently, the Chinese legislative agenda has been, to say the least, packed with cybersecurity laws and regulations.Whether it be the Data Security Law (effective on 1 September), the Personal Information Protection Law (effective on 1 November), the Regulations on Protection of Security of Critical Information Infrastructures (effective on 1 September), the Measures for Security Administration of Vehicle Data (effective on 1 October) or the Supreme Court’s judicial interpretations on the use of facial recognition technology (effective on 1 August), businesses are now facing a huge compliance work highlights Barbara Li on a Linkedin post[7]. “It is crucial for companies to understand what significant implications these new laws and regulations would have for their business operations in China and the region and more importantly, to take proper compliance and risk mitigation actions as soon as possible.”[8] she says.

A promising data protection ecosystem

These recent changes are good news for online users and data protection in China. In addition to the implementation of new regulations, associations and qualified institutions stress and denounce practices that they deem to be in contradiction with user’s right to privacy and personal information protection. For example, on the same day of the announcement of the data privacy law’s passage, the National People’s Congress published an op-ed by which it called for entities that use algorithms for “personalized decision making” to first obtain user consent.“Personalization is the result of a user’s choice, and true personalized recommendations must ensure the user’s freedom to choose, without compulsion”the op-ed read[9].

Thus, many changes are going to take place from September. The next few months will be a chance for us to observe the effects and effectiveness of these newly introduced laws.


[1] Horwitz, Josh. “China Passes New Personal Data Privacy Law, to Take Effect Nov. 1.” Reuters, Thomson Reuters, 20 Aug. 2021,

[2] Xinhuanet. “Personal Information Protection Law of the People’s Republic of China.” л񹲺͹ϣ–ᡤ–, 20 Aug. 2021,

[3] Same as 2.

[4] Coëffé , Thomas. “La Chine ADOPTE La Loi PIPL, L’ÉQUIVALENT Du RGPD Pour Protéger LES Données Personnelles.” BDM, BDM, 20 Aug. 2021,

[5] Same as 1

[6] Same as 1

[7] Li, Barbara. “China’s Much Anticipated Personal Information Protection Law (PIPL) .” LinkedIn, 20 Aug. 2021,

[8] Same as 7

[9] Horwitz, Josh. “China Passes New Personal Data Privacy Law, to Take Effect Nov. 1.” Reuters, Thomson Reuters, 20 Aug. 2021,


Sources :

Évaluez votre niveau
de conformité

En quelques clics,
lancez sans engagement
et en toute conformité un
audit flash !

Pour recevoir votre audit flash gratuit et sans engagement, merci de bien vouloir remplir ce formulaire :