Standard Overview
PIPL is a current, in-force standard issued by the Cyberspace Administration of China (CAC). It is commonly applied in industries such as technology, finance and banking, retail, healthcare, and services, and applies to markets including China.
This page collects the official PIPL documents, their current status, and the commonly involved certification or assessment bodies, so that the requirements and the path to implementation can be understood quickly.
Extraterritorial Application
Applies to processing of personal information of individuals within China, even when the data processor is located outside China — covering foreign companies offering products or services to Chinese residents.
Severe Penalties
Grave violations can incur fines up to RMB 50 million or 5% of the previous year's annual revenue, plus personal liability for responsible individuals up to RMB 1 million and bans from senior positions.
Strict Cross-Border Rules
Cross-border data transfers require security assessments, standard contracts, or certification — with mandatory CAC security assessment for critical information infrastructure operators and large-scale processors.
Core Principles
- Lawfulness, legitimacy, necessity, and good faith
- Purpose limitation and data minimization
- Transparency and openness
- Data quality and accuracy
- Accountability and security
- Separate consent for sensitive personal information
- Restrictions on automated decision-making
- Special protections for minors under 14
Who Needs to Comply?
Any organization that processes the personal information of individuals within China, including Chinese companies, foreign companies with operations in China, and foreign companies that offer products or services to, or analyze the behavior of, individuals in China.
Key Requirements
Legal Basis for Processing
Establish a lawful basis before processing personal information — individual consent, contract necessity, legal obligation, public health emergency, public interest, or information already made public by the individual.
Separate Consent for Sensitive Data
Obtain specific, informed, and separate consent before processing sensitive personal information, including biometrics, religious beliefs, medical and health data, financial accounts, location tracking, and the data of minors under 14.
Cross-Border Data Transfer Compliance
Before transferring personal information outside China, complete a CAC security assessment (required for CII operators or large-scale data), enter into standard contracts, or obtain personal information protection certification.
Personal Information Protection Impact Assessment
Conduct impact assessments before processing sensitive data, using personal information for automated decision-making, transferring data cross-border, or any processing that may significantly affect individuals' rights.
Incident Notification
Immediately take remedial measures upon discovering a personal information security incident. Notify the relevant regulatory authority and affected individuals, including the types of information involved, causes, and remediation measures.
Penalties & Enforcement
For serious violations: fines up to RMB 50 million (approximately USD 7 million) or 5% of the prior year's annual revenue, suspension or termination of business, and revocation of business licenses. Responsible individuals face fines of RMB 100,000 to RMB 1 million and may be banned from holding senior management or DPO positions.