What is PIPL?
The Personal Information Protection Law (PIPL) is China’s comprehensive data protection statute, effective 1 November 2021. PIPL is modelled in significant part on GDPR but adds China-specific elements — particularly stringent cross-border data transfer requirements, data localisation duties for critical information infrastructure operators (CIIO) and large processors, and broad extraterritorial reach. PIPL operates alongside the Cybersecurity Law (CSL 2017) and Data Security Law (DSL 2021) as the third pillar of China’s data governance regime.
Key PIPL obligations
- Lawful basis: consent, contractual necessity, legal obligation, public interest, employment management; consent is dominant in practice.
- Sensitive personal information: stricter consent + necessity test for biometric, religious, medical, financial, location, minor-related data.
- Cross-border transfer mechanisms: (a) CAC security assessment (mandatory for CIIO and large processors); (b) standard contractual clauses (China SCCs effective 2023); (c) certification.
- Data localisation: CIIO operators and processors above the thresholds must store personal information within China; transferring it abroad requires one of the cross-border transfer mechanisms above to be in place.
- Extraterritorial scope: applies to processing outside China that targets China residents (offering goods/services to PRC, analysing PRC behaviour).
Penalties
- Up to RMB 50M or 5% of prior-year turnover (whichever higher) — comparable to GDPR but with Chinese enforcement vigour.
- Personal liability for directly responsible personnel: RMB 100k-1M.
- Suspension of operations, licence revocation, social credit registration.
For Turkish companies
Turkish companies targeting the Chinese market (e-commerce, gaming, fintech, content) are subject to PIPL's extraterritorial obligations. Turkish companies not established in China must appoint a "local representative" (statutory resident) to comply with PIPL; this structural burden is the counterpart of GDPR Article 27. Turkey-China data transfers require China SCCs or a CAC security assessment, and KVKK's overseas transfer regime (Article 9) adds a further layer on the Turkish data controller's side. When entering the Chinese market, it is critical to budget for the cost of cross-compliance with both PIPL and KVKK.
Do: conduct PIPL gap assessment for any China-targeting service; appoint local PIPL representative if no PRC entity; document cross-border transfer mechanism choice.
Don’t: assume GDPR compliance equals PIPL compliance — PIPL adds CAC assessment, localisation, and broader sensitive-info categories that GDPR does not.