China’s Personal Information Protection Law (PIPL) has quickly become one of the most important privacy laws in the world. It sets strict rules on how personal data is collected, stored, and shared, affecting both local and international businesses. 

For individuals, it provides stronger rights and more control over their personal information. With regulators already enforcing the law since it took effect on November 1, 2021, understanding how PIPL works in practice is no longer optional but essential. 

Keep reading to see how “China’s PIPL in Action” is shaping business and privacy in China today.

📚 Also read: China’s Personal Information Protection Law Explained

What is China’s PIPL?

China’s PIPL is a nationwide law that regulates how personal information is collected, used, and stored. It was introduced to give people more control over their data and to hold companies accountable for misuse.

Why it is considered one of the toughest data privacy laws

Many experts compare PIPL to the European Union’s GDPR, but in some areas, PIPL goes even further. 

For example, it places stricter limits on cross-border data transfers and requires companies to store certain data inside China.

📚 Also read: China’s Privacy Law Overview

China’s PIPL in Action: Real-World Applications

When we talk about “China’s PIPL in Action,” we are looking at how the law is being enforced in real situations. The Personal Information Protection Law officially took effect on November 1, 2021, and regulators have been active since day one.

Examples of enforcement and compliance

• ✅ In July 2022, ride-hailing giant Didi Global was fined 8.026 billion RMB (about 1.2 billion USD) for violating data protection rules under PIPL and related cybersecurity laws.
• ✅ Smaller companies have also been penalized for collecting personal data without consent or failing to delete data when requested.
• ✅ Both domestic and foreign companies are under equal scrutiny, showing that PIPL applies broadly to anyone handling Chinese personal information.

Choi & Partners has seen an increase in businesses seeking legal advice to avoid penalties and to set up proper compliance systems.

Key Rules Under PIPL Everyone Should Know

Understanding the main rules of PIPL helps businesses avoid mistakes and individuals protect their rights. The law is broad, but some rules stand out as especially important.

What counts as personal information

Personal information includes names, phone numbers, ID numbers, addresses, and even online browsing history. If the data can identify a person, it falls under PIPL.

Consent and user rights

Companies must get clear permission before collecting personal information. People also have the right to know how their data is used and can request deletion in certain cases.

Data localization requirements (Article 40)

Under Article 40 of PIPL, certain businesses must store personal information within China. This applies to critical information infrastructure operators and companies that handle large volumes of personal data. 

If these businesses need to transfer data overseas, they must undergo a security assessment by the Cyberspace Administration of China.

📚 Also read: China Data Localization Laws for Foreign Companies

Industries Most Affected by China’s PIPL in Action

Not all industries feel the impact of PIPL equally. Some sectors face more scrutiny because of the type and amount of data they handle.

Technology and e-commerce

Tech companies and online marketplaces collect massive amounts of personal data every day. Under PIPL, they must now be more transparent about how they use this information.

Healthcare and financial services

Hospitals, clinics, banks, and insurers handle highly sensitive data. PIPL requires them to adopt extra safeguards and obtain clear, informed consent from users.

Foreign companies in China

International businesses that process Chinese user data must follow the same rules as local firms. This often means adjusting global data practices to meet China’s stricter standards.

Penalties and Consequences of Breaking PIPL

The penalties under PIPL are serious, and ignoring the law can be very costly. Authorities have the power to fine companies, suspend operations, and even blacklist businesses that fail to comply.

How high can the fines go

Fines can reach up to 50 million RMB or 5 percent of a company’s annual revenue. For smaller companies, this can be devastating. For larger companies, it is still a strong incentive to follow the rules.

Real-world consequences

Beyond fines, companies risk losing trust with customers and partners. In some cases, executives may also face personal responsibility for violations.

How PIPL Works for Businesses and Individuals

PIPL affects both companies and everyday users. Businesses must build new systems for compliance, while individuals gain more rights over their personal data.

Compliance for businesses

Companies must create clear privacy policies, appoint data protection officers, and set up systems for handling user requests. Foreign businesses often need local experts to help them navigate these requirements.

Impact on individuals

People in China now have more power to say no to data collection. They can also ask companies to correct or delete their information if it is misused.

Choi & Partners of China Legal often helps businesses draft privacy notices and train staff to ensure they meet these obligations.

Step-by-Step Compliance Checklist for PIPL

Meeting PIPL requirements can feel overwhelming, but breaking it down into steps makes it easier. Here is a simple checklist for businesses to follow.

• ✅ Map your data: Identify what personal data you collect and where it is stored.
• ✅ Review consent practices: Make sure users give clear, informed permission.
• ✅ Update privacy policies: Write policies in plain language that explain data use.
• ✅ Strengthen security: Put safeguards in place to protect sensitive data.
• ✅ Prepare for user requests: Create systems for handling access, correction, or deletion requests.
• ✅ Check cross-border transfers: Ensure compliance with rules before sending data overseas.
• ✅ Train your team: Educate staff about privacy responsibilities under PIPL.

‍Choi & Partners Team often recommends businesses run regular audits to confirm they remain compliant as regulations evolve.

China’s PIPL vs Other Global Data Privacy Laws

Data privacy is a global issue, and comparing PIPL with other laws helps highlight its unique features.

PIPL vs GDPR

Both laws give individuals rights over their personal data, but PIPL places stronger emphasis on data localization. GDPR allows more flexibility with cross-border transfers, while PIPL requires stricter approvals.

Why the US does not have a GDPR-style law

The United States has sector-based privacy rules, but no single nationwide law like PIPL or GDPR. This makes compliance in the US more fragmented and less strict compared to China.

📚 Also read: Advertisement Law Compliance in China

Challenges and Criticisms of PIPL in Action

Although PIPL strengthens data protection, it also creates challenges. Businesses, especially foreign ones, often find it difficult to balance compliance with operational needs.

Concerns for international companies

Foreign businesses worry about the cost of compliance and the risk of penalties. Some also raise concerns about how data localization may affect global operations.

Debate over government access

Critics question how much access the government has to personal data under PIPL. While the law is designed to protect individuals, the balance between privacy and state oversight continues to spark debate.

Future of Data Privacy in China

PIPL is still evolving, and experts expect more regulations and stricter enforcement in the years ahead. Companies that prepare early will be in a better position to adapt.

What to expect next

• ✅ More detailed guidelines for cross-border data transfers.
• ✅ Stronger enforcement actions against non-compliant businesses.
• ✅ Possible updates to align with new technologies.

Choi & Partners recommends that companies treat compliance not just as a legal requirement but as a way to build trust with customers in China.

Conclusion

China’s PIPL is reshaping how personal data is managed and protected. For businesses, it means stricter compliance, and for individuals, it offers stronger rights. 

Staying informed is key to avoiding risks and building trust in the Chinese market.

If you need advice, assistance, or support regarding any legal issue in China, contact Choi & Partners for professional guidance.

Frequently Asked Questions on China’s PIPL in Action

What country has no data protection law?

There are still a few countries without comprehensive data protection laws. In these places, personal information may not be safeguarded to the same level as in China or Europe. This makes international cooperation on privacy more complicated.

What is the biggest data breach in the world?

The largest data breaches have exposed billions of records, including personal details like emails and passwords. The Yahoo data breach in 2013 and 2014 affected about 3 billion accounts, showing why strong laws like PIPL are necessary.

What is illegal in China for foreigners?

Foreigners in China must follow local laws, which can be stricter than in other countries. Activities such as working without the right visa, engaging in political protests, or using restricted services can lead to penalties.

What is the punishment for using a VPN in China?

Using unauthorized VPNs in China can result in fines or other penalties. The government regulates internet access closely, and only approved VPN services are allowed.

What is the US-China Cyber Agreement?

The US-China Cyber Agreement was an understanding announced in 2015 to reduce cyber theft of intellectual property. While it showed cooperation, enforcement and trust remain ongoing issues.