PIPL - Personal Information Protection Law (China)

China's primary data protection law, effective November 1, 2021, governing the collection, storage, use, processing, transfer, and disclosure of personal information of individuals within China, with extraterritorial reach and penalties up to 5% of annual revenue.

What Is PIPL (Personal Information Protection Law)?

Key Takeaways

  • PIPL is China's first national data protection law dedicated to personal information. It took effect on November 1, 2021, and applies to any organization or individual processing the personal information of natural persons within China, regardless of where the processor is located.
  • For HR teams, PIPL governs virtually every employee data activity: collecting resumes, processing payroll, running background checks, conducting performance reviews, transferring data to overseas headquarters, and using HR analytics platforms.
  • PIPL requires a lawful basis for processing personal information; Article 13 lists seven, against GDPR's six. Where consent is the basis it must be informed, voluntary and explicit (Article 14), and sensitive personal information needs separate consent (Article 29), which makes PIPL's consent regime stricter than GDPR's in practice.
  • Cross-border data transfers face strict requirements. Employers sending Chinese employee data outside the country must complete either a CAC (Cyberspace Administration of China) security assessment, obtain a personal information protection certification, or execute Standard Contractual Clauses (SCCs) with the overseas recipient.
  • Individual rights under PIPL include the right to know, decide, restrict, refuse, access, copy, correct, delete, and request explanation of automated decision-making. Employees can exercise these rights against their employer as a data processor.

PIPL sits alongside China's Cybersecurity Law (2017) and Data Security Law (2021) as part of a three-pillar regulatory framework for data governance. Together, these laws give China one of the world's most prescriptive data protection regimes.

For multinational employers, PIPL creates immediate compliance obligations. If you have employees in China, you're processing their personal information under Chinese law. Every HR function touches PIPL: recruitment, onboarding, payroll, benefits administration, performance management, internal investigations, and offboarding.

The law doesn't just apply to Chinese companies. It has extraterritorial reach. If you process the personal information of individuals in China from outside the country (for example, a US headquarters accessing Chinese employee records through a global HRIS), PIPL applies to that processing. You'll need to appoint a representative in China or establish a dedicated entity for data protection compliance.

The penalties are real. The Cyberspace Administration of China and local data protection authorities have been actively enforcing PIPL since 2022, with fines, app removals, and public enforcement actions increasing year over year.

5%: Maximum fine as a percentage of the previous year's annual revenue for serious violations (PIPL Article 66)
Nov 2021: Effective date of PIPL (November 1, 2021), adopted by the NPC Standing Committee on August 20, 2021
1.4B: People protected under PIPL, the largest population covered by any single data privacy law
CNY 50M: Fixed-amount alternative to the revenue-based cap for serious violations (Article 66; approximately USD 7M)

What Does PIPL Cover?

Understanding PIPL's scope is the first step toward compliance. The law defines personal information broadly and creates a special "sensitive" category with heightened requirements.

Personal information defined

Article 4 defines personal information as "any kind of information related to an identified or identifiable natural person recorded by electronic or other means, excluding anonymized information." For HR purposes, this includes: names, contact details, employee IDs, photos, dates of birth, home addresses, phone numbers, email addresses, salary and benefits data, bank account details, performance evaluations, attendance records, training records, and any other data linked to an identifiable employee. Anonymized data (where re-identification isn't possible) is outside PIPL's scope, but pseudonymized data is still personal information.

Sensitive personal information

Article 28 defines sensitive personal information as data that, if leaked or illegally used, could easily cause damage to personal dignity or harm to personal or property safety. The categories it lists are: biometric data (fingerprints, facial recognition), religious beliefs, specific identity, medical and health information, financial accounts, whereabouts and location tracking data, and any personal information of minors under 14. For HR, this means: biometric time-clock data, medical leave records, drug test results, disability disclosures, and salary/bank details all qualify as sensitive personal information. Processing it requires a specific purpose and sufficient necessity with strict protective measures (Article 28), separate consent (Article 29), and a documented impact assessment (Article 55).

Extraterritorial application

Article 3 applies PIPL to processing outside China of the personal information of individuals located in China where the purpose is providing products or services to those individuals, analyzing or evaluating their behavior, or any other circumstance prescribed by law. A US-based company with a China subsidiary that processes Chinese employee data at its US headquarters must comply with PIPL for that data processing. Under Article 53, such overseas processors must establish a dedicated entity or appoint a representative in China to handle personal information protection matters and report that entity's or representative's name and contact details to the relevant authority.

Lawful Bases for Processing Employee Data

Article 13 provides seven lawful bases for processing personal information. For HR teams, the interplay between consent and the employment necessity basis is the most critical compliance question.

Legal basis | PIPL article | HR application | Key limitation
Individual consent | Art. 13(1) | General HR data collection, pre-employment screening, optional programs | Must be informed, voluntary and explicit; can be withdrawn at any time (Art. 15)
Necessary to conclude or perform a contract with the individual, or for HR management under lawfully formulated labor rules and lawfully concluded collective contracts | Art. 13(2) | Payroll processing, benefits administration, employment contract fulfillment, performance management under published labor rules | Limited to data necessary for the contract or the labor rules actually in force
Necessary to perform statutory duties or obligations | Art. 13(3) | Statutory payroll deductions, social insurance contributions, tax reporting | Must be tied to a specific legal or regulatory obligation
Public health emergency, or protecting life, health or property in an emergency | Art. 13(4) | Health screening during pandemics | Limited to genuine emergencies
News reporting or public-opinion supervision in the public interest | Art. 13(5) | Rarely applicable to HR | Within a reasonable scope
Personal information the individual has disclosed or that is otherwise lawfully public | Art. 13(6) | Reviewing a candidate's public professional profile | Within a reasonable scope, as the law provides
Other circumstances prescribed by laws and regulations | Art. 13(7) | Government reporting, labor inspections | Catch-all provision

Cross-Border Data Transfers of Employee Data

For multinational employers, cross-border data transfer is the highest-risk area of PIPL compliance. Sending Chinese employee data to overseas headquarters, shared service centers, or global HRIS platforms triggers strict transfer requirements.

Three transfer mechanisms

Article 38 provides three mechanisms for lawful cross-border transfers. First, a CAC security assessment. Under the CAC's 2022 Measures for Security Assessment of Outbound Data Transfers this was mandatory if the processor handled personal information of more than 1 million individuals, had transferred abroad personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals since January 1 of the previous year, or was a Critical Information Infrastructure Operator. Second, obtaining a personal information protection certification from a recognized institution. Third, executing Standard Contractual Clauses (SCCs) with the overseas recipient and filing them with the provincial CAC office. Most multinational employers with operations in China will use the SCC route for employee data transfers unless they hit the volume thresholds requiring a CAC security assessment.

Check the current triggers before choosing a route. The CAC's Provisions on Promoting and Regulating Cross-Border Data Flows (effective March 22, 2024) reset them: the security assessment now applies to CIIOs, to exports of important data, and to processors that have exported non-sensitive personal information of more than 1 million individuals or sensitive personal information of more than 10,000 individuals since January 1 of the current year; SCCs or certification cover exports of non-sensitive personal information of 100,000 to 1 million individuals or sensitive personal information of fewer than 10,000 individuals; and exports below 100,000 individuals' non-sensitive data are exempt. The same Provisions exempt from all three mechanisms transfers of employee personal information that are genuinely necessary for cross-border HR management carried out under lawfully formulated labor rules and lawfully concluded collective contracts. The exemption removes the filing or assessment step only; notice, the impact assessment, and security obligations still apply.

Practical compliance steps

Before transferring any employee data outside China, employers must: conduct a Personal Information Impact Assessment (PIIA) covering the transfer (Article 55), give the employee the Article 39 notice (recipient's name and contact details, purpose and method of processing, categories of data, and how to exercise rights against the recipient) and obtain separate consent where consent is the lawful basis, execute the CAC-published Standard Contractual Clauses with the overseas recipient (no modifications allowed to the core terms), and file the SCCs together with the PIIA report with the provincial CAC within 10 working days of the contract taking effect. The overseas recipient must agree to be bound by Chinese data protection standards, accept supervision by Chinese authorities, and submit to the jurisdiction of Chinese courts or arbitration institutions for data protection disputes.

Common cross-border HR data scenarios

Global HRIS systems (Workday, SAP SuccessFactors, Oracle HCM) that store data on servers outside China require transfer compliance. So does sharing employee performance data with regional or global managers. Payroll processing through an overseas shared service center, sending employee data to a global benefits administrator, and providing employee information for group-wide internal investigations all trigger PIPL's cross-border transfer rules. Even read-only access from outside China to Chinese employee records in a global system constitutes a data export.

Employee Data Rights Under PIPL

PIPL gives individuals (including employees) a set of rights that employers must be prepared to fulfill. These aren't theoretical. Employees can and do exercise them.

Core individual rights

Employees have the right to know and decide about the processing of their personal information, the right to restrict or refuse processing (with certain exceptions for legal obligations), the right to access and obtain copies of their personal information, the right to correct inaccurate data and supplement incomplete data, the right to request deletion when the processing purpose has been achieved or consent has been withdrawn, the right to request an explanation of the rules applied in automated decision-making, and the right to file complaints with data protection authorities.

Right to deletion and its limits

Article 47 requires processors to proactively delete personal information when the processing purpose has been achieved, the retention period has expired, consent is withdrawn, or the processor violated the law. In the employment context, this creates tension with record retention requirements under other Chinese laws. Labour law, tax law, and social insurance regulations require employers to retain certain records for specified periods. Employers must balance PIPL's deletion requirements against these retention obligations and document the legal basis for retaining data beyond the original processing purpose.

Responding to employee data requests

PIPL doesn't specify an exact response deadline, but the expectation (based on CAC guidance) is "timely" processing. Best practice is to respond within 15 to 30 days. Establish a clear internal process: designate a point of contact (the Data Protection Officer or HR privacy lead), create request forms, define escalation procedures, and document every request and response. Denying a request requires a written explanation with legal justification. Ignoring requests or creating procedural barriers to discourage them will attract regulatory attention.

Employer Compliance Requirements

PIPL imposes specific organizational and technical obligations on employers processing personal information in China. These aren't optional recommendations.

  • Appoint a Data Protection Officer (DPO) or personal information protection officer if your processing volumes meet thresholds set by the CAC. Even if not required, appointing one is best practice for companies with more than 100 employees in China.
  • Conduct Personal Information Impact Assessments (PIIAs) before processing sensitive personal information, transferring data cross-border, using automated decision-making, or sharing data with third parties. Retain PIIA records for at least three years.
  • Develop and publish a privacy notice compliant with Article 17: clearly state the processor's name and contact details, processing purposes and methods, categories of personal information, retention periods, methods for individuals to exercise their rights, and any cross-border transfers, in clear and easily understood language. Article 17 does not prescribe a language, but in practice a Chinese-language version is expected for a China workforce.
  • Implement technical security measures proportional to the sensitivity of data processed: encryption, access controls, audit logging, data classification systems, and incident response procedures.
  • Establish a data breach notification process. Under Article 57, processors must immediately take remedial measures and notify the authorities and affected individuals if a breach occurs or may occur. The notice must include the categories of information affected, cause, potential harm, remedial measures taken, and the steps individuals can take to protect themselves. Notification to individuals may be omitted where the remedial measures effectively prevent harm, unless the authority orders otherwise.
  • Conduct regular compliance audits of HR data processing activities (Article 54). The CAC's 2025 compliance-audit measures add minimum audit frequencies for high-volume processors and allow the authority to order a third-party audit, so check the current rules for your processing volume.
  • Train HR staff on PIPL requirements. Employees who collect, process, and manage personal information need to understand consent requirements, data minimization principles, and breach reporting procedures.

Penalties and Enforcement

PIPL's penalty structure is designed to make non-compliance financially painful. The revenue-based maximum fine ensures that large companies can't treat penalties as a cost of doing business.

Violation level | Organizational penalty | Individual penalty (DPO/management) | Additional consequences
General violations | Up to CNY 1M (approx. USD 140K), confiscation of illegal gains | CNY 10K to 100K fine for responsible individuals | Order to correct, warning
Serious violations | Up to CNY 50M or 5% of previous year's annual revenue | CNY 100K to 1M fine; ban from serving as director, supervisor, senior manager or DPO for a period | Suspension of business, revocation of license
Failure to conduct PIIA | Subject to general violation penalties | Personal liability for DPO/officer | Order to conduct assessment
Illegal cross-border transfer | Subject to serious violation penalties | Personal liability | Possible suspension of cross-border data flows

PIPL and Data Protection Statistics [2026]

Enforcement data showing that PIPL compliance isn't just a legal formality. Chinese authorities are actively investigating, fining, and publicizing violations.

1.4B: People whose personal information is protected under PIPL (National Bureau of Statistics, 2024)
5%: Maximum fine as a percentage of the previous year's annual revenue for serious violations (PIPL Article 66)
3,000+: Apps removed from Chinese app stores for PIPL violations in 2022-2023 (CAC enforcement reports)
CNY 8B+: Total fines imposed under China's data protection framework in 2023 (CAC Annual Report, 2024)

Frequently Asked Questions

Does PIPL apply to foreign companies with employees in China?

Yes. PIPL applies to any entity processing the personal information of individuals located in China, regardless of where the entity is incorporated or headquartered. A US company with a China subsidiary processing employee data must comply. A US company without a subsidiary that processes data about individuals in China (for example, through remote employment or a PEO arrangement) must also comply and must appoint a representative or designated entity in China for data protection matters.

Can I use employee consent as the legal basis for all HR data processing?

You can, but you shouldn't. Consent under PIPL must be voluntary, and the employer-employee power imbalance makes voluntary consent questionable for many employment data processing activities. If an employee can't realistically refuse (because refusing would mean they don't get paid), consent isn't truly voluntary. Better practice is to use "necessary for contract performance" for core employment activities (payroll, benefits, tax), "legal obligation" for statutory requirements (social insurance, tax reporting), and consent for activities that aren't strictly necessary (employee surveys, optional wellness programs, non-mandatory training tracking).

What's the difference between PIPL and GDPR?

Both laws protect personal information, but they differ in key ways. PIPL's consent requirements are stricter: consent for sensitive data and for cross-border transfers must be "separate" (not bundled). PIPL's cross-border transfer requirements are more prescriptive, requiring government-approved mechanisms (SCCs, certification, or security assessment) rather than GDPR's broader range of transfer tools. PIPL imposes fines directly on responsible individuals (Article 66) and, through Article 71, ties serious violations to criminal liability under the Criminal Law, whereas GDPR's fines are organizational and criminal sanctions are left to member states. PIPL's data localization requirements (for CIIOs and high-volume processors) have no GDPR equivalent. And PIPL operates within China's broader national security framework, meaning government access to data is more expansive than under European law.

Do I need to store employee data locally in China?

It depends. Critical Information Infrastructure Operators (CIIOs) and processors handling personal information of more than 1 million individuals must store data locally in China and undergo a CAC security assessment before any cross-border transfer. For most employers that don't hit these thresholds, local storage isn't mandatory, but cross-border transfers must still comply with one of the three transfer mechanisms (SCCs, certification, or security assessment). Many multinational employers choose to localize their China HR data regardless, because the cross-border transfer compliance requirements are burdensome and ongoing.

What counts as a cross-border data transfer under PIPL?

Any scenario where personal information collected or generated in China is transmitted, stored, or accessed outside of China constitutes a cross-border transfer. This includes uploading data to a global HRIS hosted on servers outside China, sharing employee files with managers or HR teams located outside China (even via email), providing employee data to overseas payroll processors or benefits administrators, and allowing overseas IT support staff to access systems containing Chinese employee data. Read-only access from outside China still counts. The location of the server matters, the location of the person accessing the data matters, and the destination of any data transmission matters.
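The rule in the two passages above (any access to a PRC employee record from outside China is an export, read-only included) is easy to state and easy to violate silently through a global HRIS. The following is an added example, not code from the article: a small detector that runs over an HRIS audit log and flags every cross-border access, tags the Article 28 sensitive categories touched, and tallies the distinct individuals exported (all, and with sensitive data), which are the figures the CAC volume thresholds are measured against. The log format, its field names, the field-to-category mapping and the sample events are all constructed for the example.

```python
"""Flag cross-border access to PRC employee records in a global HRIS audit log.

Added example, not the article's own code. The JSON-lines format and the
fields (ts, actor, actor_country, action, subject_id, subject_country,
fields) are hypothetical; the sample events below are constructed.
Policy encoded: any access, "read" as much as "export", by an actor outside
CN to a record whose subject is in CN is a cross-border transfer.
"""
import json

# Hypothetical HRIS field -> PIPL Article 28 sensitive category mapping.
SENSITIVE_FIELDS = {
    "fingerprint_template": "biometric",
    "medical_leave": "health",
    "bank_account": "financial",
    "gps_trail": "location",
}

# Constructed sample audit log (JSON lines); not real data.
CONSTRUCTED_LOG = """\
{"ts": "2026-01-08T02:11:00Z", "actor": "hr.sh@example.cn", "actor_country": "CN", "action": "read", "subject_id": "E1001", "subject_country": "CN", "fields": ["name", "bank_account"]}
{"ts": "2026-01-08T14:30:00Z", "actor": "mgr.ny@example.com", "actor_country": "US", "action": "read", "subject_id": "E1001", "subject_country": "CN", "fields": ["name", "performance_rating"]}
{"ts": "2026-01-09T09:05:00Z", "actor": "payroll.sg@example.com", "actor_country": "SG", "action": "export", "subject_id": "E1002", "subject_country": "CN", "fields": ["name", "bank_account"]}
{"ts": "2026-01-09T09:06:00Z", "actor": "payroll.sg@example.com", "actor_country": "SG", "action": "export", "subject_id": "E1001", "subject_country": "CN", "fields": ["name", "bank_account"]}
{"ts": "2026-01-10T11:00:00Z", "actor": "it.de@example.com", "actor_country": "DE", "action": "read", "subject_id": "E2001", "subject_country": "DE", "fields": ["name", "bank_account"]}
{"ts": "2026-01-11T03:00:00Z", "actor": "hr.sh@example.cn", "actor_country": "CN", "action": "read", "subject_id": "E1003", "subject_country": "CN", "fields": ["fingerprint_template"]}
"""


def is_cross_border(event):
    """True when a record of a data subject in CN is touched from outside CN."""
    return event["subject_country"] == "CN" and event["actor_country"] != "CN"


def sensitive_categories(fields):
    """Sorted Article 28 categories present among the accessed fields."""
    return sorted({SENSITIVE_FIELDS[f] for f in fields if f in SENSITIVE_FIELDS})


def analyse(log_text):
    """Return per-event findings and distinct-individual export tallies."""
    findings = []
    exported = set()            # individuals whose data left CN
    exported_sensitive = set()  # subset where sensitive fields were involved
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not is_cross_border(ev):
            continue  # domestic access, or not a PRC data subject
        cats = sensitive_categories(ev["fields"])
        exported.add(ev["subject_id"])
        if cats:
            exported_sensitive.add(ev["subject_id"])
        findings.append({
            "ts": ev["ts"],
            "actor": ev["actor"],
            "actor_country": ev["actor_country"],
            "action": ev["action"],
            "subject_id": ev["subject_id"],
            "sensitive_categories": cats,
            # A read from abroad is an export even though nothing was downloaded.
            "reason": ("read-only access from outside CN counts as export"
                       if ev["action"] == "read" else "data transmitted outside CN"),
        })
    return {
        "findings": findings,
        "individuals_exported": len(exported),
        "sensitive_individuals_exported": len(exported_sensitive),
    }


if __name__ == "__main__":
    report = analyse(CONSTRUCTED_LOG)
    for f in report["findings"]:
        print(f["ts"], f["actor"], f["action"], f["subject_id"],
              f["sensitive_categories"] or "-", f["reason"])
    print("individuals exported:", report["individuals_exported"],
          "with sensitive data:", report["sensitive_individuals_exported"])
```

On the constructed log the detector flags three events: the New York manager's read of a performance record, and the Singapore payroll centre's two bank-account exports; the Shanghai HR user's domestic reads and the German subject's record are ignored. The tallies count individuals, not events, because that is how the CAC thresholds are expressed; feed the counts into whatever threshold is current rather than hard-coding one, since the triggers have changed since the 2022 measures.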

What is a Personal Information Impact Assessment (PIIA) and when is it required?

A PIIA is a documented risk assessment that must be completed before undertaking certain processing activities. Article 55 requires a PIIA before: processing sensitive personal information, using personal information for automated decision-making, sharing personal information with third parties, transferring personal information outside China, and any other activity that significantly impacts individuals' rights. For HR teams, this means conducting a PIIA before implementing biometric time tracking, deploying AI-powered recruitment screening, sharing employee data with overseas entities, and outsourcing payroll or benefits to third-party providers. The PIIA must document the legality, necessity, and proportionality of the processing, the risks to individuals, and the security measures in place. Retain the assessment and its supporting records for at least three years.
Written by Adithyan RK
Fact-checked by Surya N
Published on: 25 Mar 2026