China's New Data Privacy Law is Sweeping and Serious: Avoid the High Cost of Noncompliance

Last Friday, China passed the world’s harshest data privacy law, threatening violators with fines of up to 50 million Yuan (about $7.7 million at the time of publication) or 5% of annual revenue. The Personal Information Protection Law (“PIPL”) builds on China’s security-focused data protection regime, but it is the country’s first law that purports to provide individuals with rights and protections related to their personal information.

PIPL, which goes into force November 1, 2021, applies to entities, including entities that do business entirely outside of China, that collect, store, use, transmit, provide, or otherwise handle personal information belonging to natural persons within China’s borders. Entities governed by PIPL are called “personal information handlers,” and personal information handlers based outside of China must “establish a dedicated entity or appoint a representative” within China to be responsible for PIPL compliance.

GDPR-compliant companies have a leg up on PIPL compliance. But GDPR compliance will not pass muster under PIPL, which is why IAPP VP and Chief Knowledge Officer Omer Tene recommends that “[i]f you’re doing business in China, get legal advice. They’re not playing around.”

Some PIPL provisions, such as those related to overarching data protection principles and individuals’ access and erasure rights, look similar to GDPR, but PIPL is different in a number of important ways. For example, companies that rely on GDPR’s “legitimate interest” provision as a lawful basis for processing employee data will note that PIPL does not have a similar provision.

The circumstances under which individuals must be notified under the two regulations also differ: PIPL requires explicit notice to be provided before data collection occurs, except where laws or regulations provide that confidentiality may be preserved or that notification is not necessary. PIPL also addresses a few unique, hot-button areas of privacy law, such as facial recognition. Additionally, unlike GDPR, PIPL does not regulate or limit access by the PRC central government to personal information.

Perhaps the most important differences between PIPL and GDPR, however, come from PIPL’s data transfer restrictions. These provisions build on China’s Cybersecurity Law and the new Data Security Law (“DSL”), both of which establish a protectionist, security-focused framework through mechanisms like data-localization requirements, which require certain types of data to be stored on servers within China. 

When DSL becomes effective September 1, Chinese organizations and individuals will be prohibited from transferring data stored in China “to the justice or law enforcement institutions of foreign countries without the approval of” Chinese authorities. The PIPL will expand this prohibition to Chinese residents’ personal information, requiring all personal information handlers to receive permission from Chinese authorities before transferring that information to foreign courts or law enforcement.

PIPL also requires all cross-border data transfers of personal information to meet a “necessity test,” and individuals must receive notice and give specific consent prior to the transfer. And, even if the transfer passes the necessity test and is consented to, the transfer must meet one of the following conditions:

  • Receive approval from government authorities following a security assessment;

  • Obtain certification from government authorities;

  • Conclude a contract with the foreign entity receiving the data that comports with a standard contract drafted by government authorities; or

  • Comply with “other conditions” in law or regulations (a catch-all provision).

In addition to entity fines, PIPL provides for individual fines of between 100,000 and 1 million Yuan, and violators can be publicly called out on China’s social credit system or be prohibited from doing business in China. And, like GDPR, PIPL provides individuals with a private right of action to be compensated for any losses suffered due to a handler’s improper processing of personal information.

The consequences of non-compliance with PIPL are harsh, and PIPL’s passage is just one of many recent indications that Chinese authorities are eager to ramp up cyber enforcement. Companies that do business in China should seek legal advice as soon as possible to ensure compliance. Bracewell’s Data Security & Privacy team is well-versed in compliance program reviews and ready to help clients navigate China’s sweeping new data privacy and security regime.

© 2023 Bracewell LLP. National Law Review, Volume XI, Number 236

About this Author

Philip J. Bezanson
Managing Partner, Seattle

Philip J. Bezanson's practice focuses on white collar criminal defense, internal investigations, securities enforcement and regulatory matters.

Mr. Bezanson is a member of the Bracewell & Giuliani LLP team that has represented corporate and individual clients in recent high-profile and complex cases, including the Deepwater Horizon explosion, the George Washington Bridge lane closure and General Motors ignition switch investigations, "Pay to Play" cases in New York, New Mexico and Illinois, the stock options backdating cases, and a variety...

Seth DuCharme

Seth DuCharme draws on his 14 years of experience as a senior-level law enforcement officer to advise companies and individuals on cases involving cybersecurity and breach response, Foreign Corrupt Practices Act (FCPA) diligence and litigation, export controls, sanctions compliance and anti-money laundering.

Seth served in the United States Attorney’s Office for the Eastern District of New York from 2008 through 2021. He held various positions at the Eastern District, including Chief of the Criminal Division, Chief of the National Security & Cybercrime Section, and Acting United...

Lucy Tyson

Lucy Tyson’s practice focuses on advising clients in a variety of matters related to the structuring and negotiating of services agreements for business process and information technology outsourcing and managed services. Lucy works with clients to develop and implement data privacy solutions that are compliant with global regulations. She has experience working across organizations, including compliance, HR, security, IT, and legal, to ensure that data privacy solutions are tailored to the client’s needs. Lucy also has experience in advising clients with the protection, maintenance,...

Claire Cahoon

Claire Cahoon focuses her practice on complex commercial litigation and appeals. Prior to joining Bracewell, Claire served as a legal extern in the United States Attorney’s Office for the Northern District of Texas.

Education

Southern Methodist University Dedman School of Law, J.D.

2020 - magna cum laude

University of Southern California, B.A.

2016 - magna cum laude

Languages: Spanish (proficient)