China’s PIPL resembles the EU General Data Protection Regulation (GDPR) in many ways. For example, the PIPL tracks GDPR's extraterritorial application in cases where data processing activities outside China are (i) for the purpose of providing services or products to individuals in China, or (ii) analyzing or evaluating the activities of individuals in China. But the PIPL also endorses a unique Chinese perspective on such issues as separate consent requirements, data localization, and cross-border transfer of personal data. Our previous summary of PIPL is available here: The journey has just begun: China passes its Personal Information Protection Law.

Many institutions outside China have been working to evaluate PIPL's impact on their operations related to China. For organizations that have a subsidiary or representative office in China, the compliance efforts often include (but are not limited to) conducting a data mapping exercise and gap analysis, and developing privacy notices and consent forms directed at employees, visiting scholars, students, and website users. For organizations that have no presence in China, the PIPL’s extraterritorial effect may still mandate action, such as appropriate consent mechanisms embedded in websites and mobile applications (including WeChat mini programs) targeting China, and appropriate data protection and cybersecurity clauses in agreements with Chinese parties. All organizations are closely monitoring prospective regulatory developments in China which are expected to shed more light on the specific requirements for data localization and cross-border transfer of personal data.

Over the past six months, Chinese authorities have stepped up their enforcement actions. Thus far, the enforcement has centered on unlawful data collection and data leakage. Neither PIPL’s data exportation restrictions nor its extraterritorial reach has been publicly enforced at this time.

• Emerging civil cases with regards to illegal data collection. Beginning in 2021, several individual users sued prominent Internet platforms in China for mishandling their personal information. In one case, the Hangzhou Internet Court ruled that a vague statement in an organization’s privacy policy did not meet the requirement of separate consent for processing of sensitive personal information.¹ In January 2022, the Shenzhen Intermediate Court ruled that Tencent’s short video app, Weishi App, illegally obtained personal information from the WeChat App without effective consent of the plaintiff data subject in order to provide the “Add WeChat friends to Weishi App” function, although the plaintiff ultimately failed to prove damages.²
• Strengthened governance over data protection in mobile applications. Since 2020, the Cyberspace Administration of China (CAC), Ministry of Industry and Information Technology (MIIT), and Public Security Bureau (PSB) have exercised strong supervision over data protection within mobile apps, focusing on over-collection of personal information; the unlawful usage of targeted push function; and ineffective channels for data subjects to exercise rights. In 2021, Chinese authorities required numerous mobile apps to rectify their procedures – several English training apps and pre-education apps have been issued violations, including Offcn, a famous Chinese vocational education and training company.³

These enforcement actions demonstrate that authorities are focused on Chinese websites and apps, including consent and separate consent mechanisms, over-collection of personal information, and protection of data subject rights. In the education industry, especially online education, the Ministry of Education has recently emphasized data protection via several circulars issued in 2021.⁴ As online education programs surge with both Chinese and non-Chinese providers entering the market, the education industry is poised for data protection enforcement in China.

The PIPL features many vague provisions. Accordingly, organizations continue to await China’s issuance of rules and regulations that clarify PIPL’s scope and practical effect on operations that touch China. Meanwhile, preparation is key. The recent enforcement actions suggest that organizations should give priority to developing tailored consent mechanisms and mitigating risk through effective data protection and cybersecurity clauses in agreements with Chinese parties.