How China’s Personal Information Protection Law (PIPL) could affect your business

chinese data protection

Data privacy is making its way to the top of the world’s agenda. Countries previously static in their approach are now implementing thorough data protection laws with apt consequences for compliance failures.

Personal Information Protection Law (PIPL)

The People’s Republic of China (PRC) has undergone major changes over the past five years, starting in 2017 with the release of the Cyber Security Law (CSL), followed by the release of the Data Security Law (DSL) in 2021, and finally, Personal Information Protection Law (PIPL) that was finalized on 20th August 2021 and came into force on 1st November that same year.

The enforcement of regimented data protection laws has major implications for global organizations with headquarters all over the world, not just those residing in China. The PIPL applies both to data processing activities within mainland China, as well as activities involving mainland China residents’ data in outside territories:

  • for the purposes of providing products or services to China residents;
  • for analytics or evaluation of the behavior of China residents; or
  • for any other reasons as required by law or regulations.

This has introduced greater control over personal data, giving data subjects the rights to edit, remove, restrict use, and withdraw previously given consent, as well as enforcing more stringent requirements for data sharing across the board. Close relatives of a deceased are also given the rights to access, copy, correct or delete personal information on their behalf.

Data controllers must process Chinese personal information within mainland China. Exceptions for transferring or accessing personal information in outside territories are made if the organization has adopted the necessary measures to ensure the recipient’s data processing activities comply with standards comparable to those set out in the PIPL.

Where mandatory security controls are applied for storing and processing Personally Identifiable Information (PII), training must be provided for all those who handle PII. PIPL also enforces compulsory data localization when the amount of PII exceeds the threshold set by the Cybersecurity Administration of China.

In cases where companies fail to comply with PIPL, Chinese administrative fines are issued, equaling either 5% of the business’s annual revenue from the previous year or up to RMB50 million ($7.7 million) – as well as the confiscation of unlawful income.

Additional sanctions include:

  • Termination of operations
  • Suspension of applications and services
  • Wider business interruptions and delays
  • Criminal charges

These additional measures will undoubtedly spark concerns, and it’s understandable for business teams to feel alarmed by the severity of looming sanctions if all laws are not met. However, PIPL presents an opportunity for organizations to achieve greater control over their data management and security. And identifying a partner to help lighten the workloads and guarantee PIPL compliance throughout the journey will only make the process easier.

How can Lemongrass help?

To help customers navigate the intricacies of PIPL, Lemongrass partners with IT service provider and consultancy firm, Exxeta, and a specialized law firm with specific expertise in PIPL. Exxeta carries out the business assessment of cross-border data flows in relation to business processes and the IT landscape. The law firm is on hand to support customers with any legal queries.

Lemongrass is responsible for executing the technical design of the target landscape; building the landing zone within the hyperscaler’s China region (Azure, AWS); executing the technical migration into China’s region; and taking over operation of those systems once migrated.

In China, many of the typical services from AWS or Azure are not available as the regions within the country are usually built and managed by local Chinese partners. Lemongrass has extensive knowledge of the local situation and services available in the hyperscaler Chinese regions and how to best operate SAP systems securely within China.

cbt assessment - Chinese personal information protection law

Automotive use-case

Lemongrass has worked closely with a global automotive organization operating out of China to assist with keeping ongoing data migration initiatives aligned with the latest PIPL requirements.

After an extensive analysis of the customer’s business processes and IT landscape, as well as the available service in China for the hyperscaler of choice, Lemongrass built a China-specific Landing Zone in the Beijing Region.

Additionally, Lemongrass continues to manage the business services in the ‘operate’ phase and has helped migrate a total of six SAP core systems and 25 non-SAP systems from on-premises into the customer’s Landing Zone in China.

As businesses continue to navigate the relatively new rules and requirements laid down by the Chinese Personal Information Protection Law, Lemongrass is on hand to support companies operating out of China to avoid penalties when moving customer data within SAP to the Public Cloud in a Chinese region.

For more information about how Lemongrass can work with your business to best respond to the PIPL, contact us via

Related Content