Enter ChinaEnter China · Data & privacy (PIPL)

Data & privacy compliance in China (PIPL)

Meet PIPL and China's cross-border data rules when you handle data of people in China.

Market context

The Personal Information Protection Law (PIPL), together with the Data Security Law and Cybersecurity Law, governs how you collect, store, and transfer personal information in China. It can apply extraterritorially to companies handling the data of individuals in China.

Cross-border transfers generally require one of three mechanisms — a CAC security assessment, the China Standard Contract with filing, or certification — depending on data volume and sensitivity. Certain operators and data types may face localization requirements.

Our approach
  • Map data flows and where personal information is processed
  • Determine the required cross-border transfer mechanism
  • Prepare consent, notices, and a PIPL-aligned baseline
  • Advise on data-localization exposure
What you get
  • Data-flow & PIPL gap assessment
  • Cross-border transfer mechanism plan
  • Consent / notice baseline
FAQ
Does PIPL apply if I'm not in China?
It can — PIPL reaches companies outside China that process personal information of people in China, for example to offer them products or services.
How do I transfer data out of China?
Usually via a CAC security assessment, the Standard Contract with filing, or certification — which one depends on volume and sensitivity. We map your route.
Do I have to store data in China?
Some operators and data types face localization requirements; many do not. We assess your specific setup.

Ready to move your expansion forward?

Tell us your target markets, industry, and timeline — we'll give you a clear first step.