What is PIPL?
The Personal Information Protection Law (PIPL) is China’s comprehensive data protection statute, effective 1 November 2021. PIPL is modelled in significant part on GDPR but adds China-specific elements — particularly stringent cross-border data transfer requirements, data localisation duties for critical information infrastructure operators (CIIO) and large processors, and broad extraterritorial reach. PIPL operates alongside the Cybersecurity Law (CSL 2017) and Data Security Law (DSL 2021) as the third pillar of China’s data governance regime.
Key PIPL obligations
- Lawful basis: consent, contractual necessity, legal obligation, public interest, employment management; consent is dominant in practice.
- Sensitive personal information: stricter consent + necessity test for biometric, religious, medical, financial, location, minor-related data.
- Cross-border transfer mechanisms: (a) CAC security assessment (mandatory for CIIO and large processors); (b) standard contractual clauses (China SCCs effective 2023); (c) certification.
- Data localisation: CIIO and processors above the volume thresholds must store personal information within China; any transfer outside China must go through whichever cross-border transfer mechanism is triggered (security assessment, China SCCs or certification).
- Extraterritorial scope: applies to processing outside China that targets China residents (offering goods/services to PRC, analysing PRC behaviour).
Penalties
- Up to RMB 50M or 5% of prior-year turnover (whichever is higher) — comparable to GDPR but with Chinese enforcement vigour.
- Personal liability for directly responsible personnel: fines of RMB 100k to 1M.
- Suspension of operations, licence revocation, social credit registration.
PIPL exposure for Turkish companies
PIPL reaches Turkish businesses that serve users in China or process Chinese personal information for clients: extraterritorial scope mirrors GDPR logic, but the compliance centre of gravity differs — separate consent for sensitive data and cross-border transfers, a local representative requirement, and transfer mechanisms that run through CAC security assessments, certification or standard contracts depending on volume thresholds. Data-localisation pressure is real for operators of critical infrastructure and large-volume processors. For a KVKK/GDPR-mature company the delta analysis focuses on consent granularity, the China-specific transfer paperwork and incident-reporting timelines; the practical advice for most Turkish SaaS sellers is to decide deliberately whether to serve China-resident users at all, because incidental exposure is the worst-priced kind.