PIPL

PIPL grants individuals rights over their personal information including consent requirements, access, deletion, and portability. Cross-border transfers require consent plus a government assessment or standard contracts. However, PIPL coexists with laws requiring cooperation with state intelligence and security activities.

China’s Personal Information Protection Law of 2021 is often compared to GDPR but operates in a fundamentally different legal context. PIPL provides individual rights: informed consent for processing, access to personal information, correction of errors, deletion rights, and data portability. Processing requires a lawful basis (consent, contract, legal obligation, public interest, etc.). Cross-border transfers need individual consent plus one of: government security assessment, standard contractual clauses, or certification. However, PIPL explicitly exempts state security and emergency response activities. The coexistence of PIPL’s individual protections with the National Intelligence Law’s access requirements creates an unusual framework: organizations must protect personal data while simultaneously being prepared to disclose it to state security when requested. For international data transfers involving China, this dual nature complicates compliance.