IDC Names Securiti a Worldwide Leader in Data Privacy


10 major changes in China’s finalized PIPL

By Securiti Research Team
Published October 11, 2021 / Updated July 24, 2023

On August 20, 2021, China's Personal Information Protection Law (the “PIPL”) was officially adopted after its third revision. The PIPL came into effect on November 1st, 2021. The first and second drafts of PIPL were released on 21 October 2020 and 29 April 2021 respectively. This article will talk about the 10 major changes between the second draft and the finalized version of the PIPL.

Key Changes Under the Finalized PIPL

1. Legal basis of processing

Under the finalised version of the PIPL, there are seven legal basis of the data processing:

  1. Consent;
  2. Contractual necessity or necessity arising from the human resources management implemented in accordance with the labour rules and regulations of the employer formulated according to the law or collective contracts signed according to law;
  3. Compliance with legal responsibilities or obligations;
  4. Responding to a public health emergency, or in an emergency to protect the safety of natural persons’ health and property;
  5. Processing personal information that is already made public within the reasonable scope and in accordance with the requirements of the PIPL;
  6. For purposes of carrying out news reporting and public opinion monitoring for public interests; and
  7. Other circumstances permitted by laws and regulations.

The only substantial change made from the second draft is the addition of the clause of contractual necessity in the finalized PIPL. This is a specific reference to labour governance rules that are signed in accordance with laws. This new addition will have a huge impact in the employment context.

2. Consent

Consent requirements under the finalized PIPL remain consistent with previous PIPL drafts. Furthermore, similar to the previous drafts, the term “separate consent” is not yet defined under the final form of the PIPL.

Compared with the second draft, article 28 of the finalized PIPL purports data of minors aged under 14 as “sensitive personal information”, and requires need to obtain separate consent from the minor's guardian before processing their data.

3. Cross-border data transfers

The finalized PIPL enhances its cross-border data transfer system, as compared to the second draft, introduces 3 changes:

  • PIPL states that cross-border treaties concluded by China may prevail over other treaties.
  • All personal information processors are required to adopt measures to ensure that processing activities of the destination country have an equivalent level of protection provided in the PIPL.
  • The PIPL requires organizations to obtain approval from government authorities before transferring data to foriegn organs for international judicial assistance or administrative law enforcement.

4. Data subject rights

The finalized version of the PIPL brings the following changes to data subject rights:

  • Deceased data subject rights: Next of the kin of the deceased data subject can request a copy, amendment and erasure of their relatives data.
  • Data portability: A data subject has the right to request a data processor to have his data transferred to another data processor provided that such transfer follows the requirements set by the Cybersecurity Administration of China (“CAC”).
  • Redress: If a data processor refuses to comply with a DSR, the data subject may seek redress in court of law.

5. Personal Information Processing

Organizations tend to collect personal information for different purposes, such as to understand customers’ behavior patterns and interests. However, sometimes, it is specifically collected for the purpose of sending them notification emails, text messages, etc.

In the final revision, under the General Provision section in Article (6), the regulatory authority has specified the restriction on personal information (PI) processing. The PIPL specifies that other than definite and reasonable purpose, the PI processing “be directly related to the purpose of processing.” In addition to that, the collection of personal information should be very limited.

6. Unlawful Personal Information Collection

In the first draft and second draft, the regulatory authorities restricted organizations from processing data which violated the laws and administrative regulations. In the finalized version, the regulatory authority further expanded the unlawful collection and processing of data.

As per the finalized version, organizations are prohibited from collecting and processing data illegally, disclosing it to any third-party, or using it in a way that would result in any damage to national or public interest.

7. Personal Information Processing of Minors

As per Article (15) of the second draft, PI processors were required to obtain the consent of the parent or a guardian before processing. The final version of PIPL merges Article (15) with Article (31), specifying that special processing rules should be created by the PI processor for data subjects under the age of 14.

8. Automated Decision Making

The second draft of the PIPL required automated decision-making systems to be transparent, fair, and reasonable. It also gave individuals the ability to inquire further about the decision made by the automated system or reject it altogether.

The final draft of PIPL merges Article (25) with Article (24), additionally requiring PI processors to “not engage in unreasonable differential treatment of individuals in trading conditions,” and prohibiting price discrimination through automated decision-making.

9. Personal Information Protection Impact Assessment

Article (55) of the second draft stated the requirement of assessing risks of certain personal information processing activities in advance and keeping a record of the processing. However, in the finalized PIPL, Article (55) named this risk assessment as “personal information protection impact assessment” and added a separate new Article (56) detailing the scenarios where this impact assessment will be required.

10. Penalties

Upon violations and non-compliance, PIPL penalizes fines of up to 1 million RMB on the processor and up to 100,000 RMB on the person supervising the processor. Serious fines may be imposed on the processor of up to 50 million RMB or 5% of turnover of the previous year.

The revised version of PIPL imposes serious penalties on the liable persons, including the processor and those in charge of the processor, prohibiting them from serving as managers or directors in any organization.


The finalized PIPL is set to go into effect in less than 2 months and organizations are not yet ready to comply with all the requirements set in place. Organizations need to incorporate automation if they hope to improve their processes in time for the enforcement of the PIPL.

Request a demo now to see how robotic automation and artificial intelligence can help you on your road to compliance with China’s PIPL.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Take a
Product Tour

See how easy it is to manage privacy compliance with robotic automation.

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend