
This article is written by Gayathri, pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Smriti Katiyar (Associate, LawSikho).


The privacy of individuals and of companies is important today because personal data passes through borderless networks, and personal information is used and shared with third parties without notice to, or consent from, consumers. As of January 2021, 128 out of 194 countries, with 130 jurisdictions, have adopted legislation to secure the protection of data and privacy, although some countries have adopted sectoral or omnibus coverage with inconsistent regulation (UNCTAD, 2021) and (i-Sight, 2021). Figure 1 depicts a world map of the countries that have adopted data protection and privacy legislation.

On August 20, 2021, the National People’s Congress (NPC) adopted the first comprehensive Chinese data protection law, called the Personal Information Protection Law (PIPL), both in China and Hong Kong. The law will be effective from November 1, 2021, and works together with existing laws – the Cybersecurity Law (“CSL”) and the Data Security Law (“DSL”). Many companies in China are already coordinating with the relevant enforcement agencies to comply, as the law enhances government scrutiny of the tech sector (Hunter Dorwart; Gabriela Zanfir Fortuna; Clarisse Girot, 2021).


According to China’s official news agency, scrutiny is increasing on tech giants such as Alibaba, Tencent and the taxi-hailing company Didi, as well as on foreign companies in China, through the prohibition of the illegal collection, usage, processing, transmission, disclosure and trading of people’s personal data. The consent of the individual should be obtained before processing their sensitive personal information, e.g., biometrics, medical and health data, financial accounts and whereabouts. For pushing, publication, data transfer or business marketing that uses individuals’ information through automated decision-making, the processing of personal information should provide the option of not targeting personal characteristics, or offer ways to reject the same.

Figure 1: Countries adopting the Data Protection and Privacy Legislation as of January 2021

With the adoption of the new protection law in China, why do some companies feel that it has a global impact? This can be understood from the provisions of the PIPL regarding: the scope of personal information, sensitive personal information and the processor; processing; special processing; territory and cross-border transfer; the rights, obligations and enforcement; and the pros and cons of the law.

Scope of personal information: sensitive personal information and processor

For the first time, the PIPL introduces the concept of a “personal information processor”, which refers to the organizations and individuals who decide independently on the processing methods and the purpose of the personal information. “Personal information processing” is defined as including, but not limited to, the collection, storing, using, processing, transmitting, provisioning, disclosing, and deleting of personal information. In addition to ‘personal information’ as defined in the CSL, the PIPL defines “sensitive personal information” as information the leakage or illegal use of which could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety. This is the first national law in the PRC that defines sensitive personal information and sets out relevant obligations on processors handling such information.

As per the PIPL, (a) “Personal Information” is all information that identifies a person or relates to an identifiable person, whether recorded electronically or otherwise (such as videos, voice or image data), excluding anonymised information. “Anonymisation” is different from “de-identification”, as de-identified information is still Personal Information. (b) “Processing” is the collecting, storing, using, processing, transmitting, provisioning, disclosing or leaking, and/or deleting of Personal Information. (c) The “Personal Information Processor” (PIP) means the organisation or person that processes Personal Information or that can determine the purpose and the method of processing.

Processing legal aspects in PIPL

Prior to the adoption of the PIPL, the CSL’s “notification and consent” was the only legal basis for processing personal information. The PIPL widens the grounds based on data minimisation principles where,

In addition to the above, the Processor has to understand – where to, 

PIPL also sets the additional requirements for the processor to notify and take the consent of the individual involved regarding where and when the,

PIPL also sets the Obligations and Responsibilities on all the processors that include:

Special processing: legal aspects in PIPL

PIPL defines the responsibilities and the obligations for the special processing activities, which are classified as:

The law does not specify whether joint and several liabilities would arise in the event of violation by either party.

Territory and cross border transfer provisions

The PIPL applies within the territory of the PRC. In addition to this, it is applicable outside the territory of the PRC provided the:

In addition, one of the following conditions is to be satisfied:

The overall requirements for cross-border transfer of information are depicted in Table 1 below.

Table 1 – Requirements for Cross-Border Transfer of information

The rights, obligations and enforcements as per Personal Information Protection Law (PIPL)

The rights of individuals

Various individual rights recognised by PIPL in relation to their personal information are listed below. The individuals have the right to:

The obligations of processors

The major obligations of processors are:

The enforcement 

The obligations and penalties enforced when the Personal Information processing is in violation or noncompliance with the PIPL are:

If the breach is particularly egregious, in addition to the penalties listed above, the PIP and DPO or other directly liable individuals may be subject to additional penalties, including:

Understanding the pros and the cons of PIPL

(EasylLama, 2021)

The pros

The cons


China focuses on personal information protection with the new law, the PIPL, which will be in force from November 2021. This law strengthens the individual’s autonomy and rights by keeping the regulators’ eagle eyes on PIPs.

As of date, social media and internet service providers hold and use a lot of personal data. Their use of it will be affected by the implementation of the PIPL.

The PIPL shows a convergence of international data privacy regulations and the adoption of some favoured international principles. Hence, processors need to be cautious in their data mining and distribution processes because of the restrictions in the new law.

On the one hand, the act protects the individual’s rights from predatory online behaviours; on the other, the potential for high exploitation and abuse due to loose and unstreamed clauses in the law can be seen, along with the requirement of heavy investments for data-mining companies.

Abbreviations used in this Article
ADM: Automated Decision Making
CAC: Cyberspace Administration of China
CSL: Cybersecurity Law
DSL: Data Security Law
NPC: National People’s Congress
PIP: Personal Information Processor
PIPL: Personal Information Protection Law
PRC: People’s Republic of China
RMB: Ren Min Bi – Chinese Currency

