China Personal Information Protection Law (PIPL)

Governs the collection, processing, and cross-border transfer of personal information in China.

  • Rules extracted: 15
  • Obligations decomposed: 203
  • Avg obligations per rule: 13.5x
  • Jurisdiction: 🇨🇳 China

About this regulation

China's comprehensive personal information protection law. Adopted August 20, 2021, effective November 1, 2021. The PIPL establishes lawful bases for personal information handling, rules for sensitive personal information, cross-border data transfer mechanisms, data processor obligations, automated decision-making requirements, individual rights, large internet platform duties, and penalties up to 5% of annual revenue or RMB 50 million. 74 articles in 8 chapters.

What AuditDSS covers

  • Source: 1 regulation
  • Extracted: 15 rules
  • Decomposed: 203 obligations
  • Decomposition ratio: 13.5x

Each rule is decomposed into an average of 13.5 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 203 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in PIPL is scored across independent risk dimensions:

  • W (Obligation Weight): How critical within the regulatory framework
  • L (Violation Likelihood): How often breached in practice
  • E (Enforcement Evidence): Regulator enforcement history and penalties
  • C (Cascade Dependency): How many obligations depend on this one

Regulatory details

  • Full title: China Personal Information Protection Law (PIPL)
  • Regulatory body: Cyberspace Administration of China
  • Jurisdiction: 🇨🇳 China
  • Document type: law
  • Effective date: November 1, 2021
  • Issuing authority: Standing Committee of the National People's Congress

Who this applies to

  • personal information handlers
  • critical information infrastructure operators
  • large internet platforms
  • state organs
  • cross-border data transferors

Key requirements

  • lawful bases for processing
  • consent and notification
  • sensitive personal information rules
  • cross-border transfer mechanisms
  • data protection impact assessments
  • individual rights
  • automated decision-making transparency
  • breach notification
  • compliance audits

Frequently asked questions about PIPL

What is PIPL?

China's comprehensive personal information protection law. Adopted August 20, 2021, effective November 1, 2021. The PIPL establishes lawful bases for personal information handling, rules for sensitive personal information, cross-border data transfer mechanisms, data processor obligations, automated decision-making requirements, individual rights, large internet platform duties, and penalties up to 5% of annual revenue or RMB 50 million. 74 articles in 8 chapters.

Who does PIPL apply to?

PIPL applies to personal information handlers, critical information infrastructure operators, large internet platforms, state organs, and cross-border data transferors.

How many obligations does PIPL contain?

AuditDSS has decomposed PIPL into 203 atomic obligations from 15 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of PIPL?

The key requirements include: lawful bases for processing, consent and notification, sensitive personal information rules, cross-border transfer mechanisms, data protection impact assessments, individual rights, automated decision-making transparency, breach notification, and compliance audits.

How can I assess my PIPL compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 203 PIPL obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces PIPL?

PIPL is enforced in China by the Cyberspace Administration of China.

When did PIPL come into effect?

PIPL became effective on November 1, 2021.

What industry does PIPL apply to?

PIPL is primarily relevant to the Privacy & Data Protection industry. AuditDSS covers 71 regulations in this industry sector.

Build a PIPL compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for PIPL — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering PIPL requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine PIPL with other regulations into a single unified compliance pack for your business.

Already have a policy? Assess it against PIPL

1. Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2. AI maps against 203 obligations

Your document is scored against every obligation in PIPL. Each claim is mapped to the obligation tree and evaluated for coverage.

3. Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Assess your PIPL compliance

Upload your document and get a risk-scored gap analysis against 203 PIPL obligations in under 5 minutes.