GDPR and China PIPL: How They Overlap and Where They Don't
China's Personal Information Protection Law (PIPL), effective November 2021, is China's comprehensive privacy law. It shares some structural similarities with GDPR but adds significant China-specific elements, including data localization, security assessment requirements, and state-related considerations. For tech companies operating in both the EU and China, the two frameworks require coordinated but separate compliance work.
This page covers what each framework requires, where they overlap, and how to approach combined compliance.
What each framework is
GDPR is the EU's privacy law, applicable from 2018 and enforced by member state supervisory authorities. Maximum fines are 20 million euros or 4 percent of global annual turnover.
PIPL is China's Personal Information Protection Law, effective November 1, 2021, enforced primarily by the Cyberspace Administration of China (CAC) and other Chinese authorities. Maximum fines are 50 million RMB or 5 percent of revenue.
PIPL operates within the broader Chinese cybersecurity and data law framework including the Cybersecurity Law (CSL), Data Security Law (DSL), and various implementing measures.
Where they overlap
Structural similarities include:
Lawful basis for processing. Both require a legal basis for processing. PIPL's bases differ in detail but cover similar categories.
Data subject rights. Both grant rights including access, correction, deletion, portability, and information.
Special category data protections. Both have stricter rules for sensitive personal information.
Cross-border transfer restrictions. Both restrict international transfers, though through different mechanisms.
Consent requirements. Both require consent for certain processing, with similar quality standards (informed, freely given, etc.).
Data Protection Impact Assessments. PIPL requires personal information protection impact assessments for certain processing, similar in concept to GDPR DPIAs.
Designated person for data protection. PIPL requires a designated person responsible for personal information protection, similar in concept to the GDPR DPO but with different specific requirements.
Where they do not overlap
PIPL-specific elements:
Data localization for certain operators. Critical Information Infrastructure Operators (CIIO) and certain personal information handlers must store personal information collected in China within China.
CAC security assessment. Cross-border transfers above specific thresholds require security assessment by the CAC.
Standard contract for cross-border transfers. CAC has published a standard contract for cross-border transfers below the security assessment threshold.
PIPL certification mechanism. Certain organizations can rely on PIPL certification for cross-border transfers.
State security considerations. PIPL operates within a framework that includes state security considerations not present in GDPR.
National security data export rules. Certain categories of data may not be exported regardless of transfer mechanism.
GDPR-specific elements not in PIPL:
Specific Article 22 automated decision-making structure with carve-outs.
EU Representative requirement.
Detailed sectoral coordination (NIS2, DORA, AI Act).
ePrivacy regime.
Specific 72-hour breach notification.
International data transfers
Cross-border transfers from China are restricted under PIPL Article 38. Permitted mechanisms include:
CAC security assessment. Required for transfers by CIIO, transfers of important data, and transfers above specific volume thresholds.
PIPL certification. Available through CAC-recognized certification bodies.
Standard contract. CAC's standard contract for cross-border transfers below the security assessment threshold.
Other transfer mechanisms permitted by laws or administrative regulations.
The thresholds and procedures have been refined through implementing measures. Transfers from China are operationally more complex than EU-to-third-country transfers under GDPR.
For EU companies operating in China, EU-China data flows in both directions require attention to both regulatory regimes.
Designated person / DPO
PIPL Article 52 requires personal information handlers processing personal information at a scale exceeding thresholds specified by the CAC to designate a person responsible for personal information protection. The role is similar in concept to a DPO but with specific Chinese requirements.
For multinationals, the same individual rarely serves as both GDPR DPO and PIPL designated person due to language, time zone, and local-presence requirements. Most companies appoint separate functions, with coordination at the global privacy team level.
Sensitive personal information
PIPL has stricter rules for processing sensitive personal information, including specific notice requirements and separate consent. PIPL's sensitive information categories overlap with GDPR special categories but include some China-specific categories, such as financial accounts.
How to integrate the two
Separate compliance programs with global coordination. Most multinational tech companies maintain separate PIPL and GDPR compliance programs with global coordination, given the substantive differences and operational requirements.
Privacy notice with separate jurisdiction sections. A combined privacy notice or separate notices addressing each jurisdiction's specific disclosure requirements.
Coordinated breach response. PIPL incident reporting requirements differ from GDPR. Companies need procedures addressing both.
Localized DPO/designated person arrangements. Local function in China with global coordination.
Transfer mechanism management. SCCs for EU transfers, separate CAC mechanisms for China transfers.
Local language support. Mandarin Chinese for PIPL operations.
How Engage Compliance helps
For clients with both EU and China operations, we provide GDPR fractional DPO services and coordinate with Chinese privacy specialists for PIPL-specific work. We do not provide direct PIPL designated person services.
Coordination includes:
Global privacy notice strategy across GDPR and PIPL.
Cross-border transfer strategy addressing both EU and China transfer mechanisms.
Coordinated breach response across jurisdictions.
DPA template alignment.
For PIPL-specific work including designated person function, CAC engagement, and Mandarin Chinese operations, we coordinate with Chinese specialist firms with whom we have working relationships.
Get started
If you operate across EU and China and need coordinated privacy compliance, book a consultation.