Your European subsidiary just achieved GDPR compliance after two years of effort. Now leadership wants to expand into the Chinese market. "We're already GDPR-compliant," they say, "how different can China's PIPL really be?"
The answer: fundamentally different in ways that matter for cross-border operations, data transfers, and government access. While China's Personal Information Protection Law (PIPL) and the EU's General Data Protection Regulation (GDPR) share structural similarities—both have extraterritorial reach, both require consent for certain processing, both impose steep penalties—the details diverge sharply. For companies operating in both jurisdictions, assuming GDPR compliance translates to PIPL compliance is a costly mistake.
In May 2025, Shanghai public security authorities imposed the first publicly disclosed administrative penalty for unlawful cross-border data transfers under PIPL, targeting a multinational company that transferred user data to its French headquarters without completing the required security assessment, standard contract, or certification. The message is clear: PIPL enforcement is active, and the rules are different from GDPR.
Here's what international companies need to know about the key differences between PIPL and GDPR—and how to navigate both frameworks without duplicating compliance efforts unnecessarily.
Territorial Scope: Both Laws Have Extraterritorial Reach
The GDPR and PIPL share one critical feature: both apply to organizations outside their home jurisdictions if they process data of individuals located within them.
GDPR (Article 3) applies to:
- Organizations established in the EU, processing personal data of EU residents
- Organizations outside the EU offering goods or services to EU residents
- Organizations outside the EU monitoring behavior of EU residents
PIPL (Article 3) applies to:
- Organizations established in China processing personal information
- Organizations outside China processing personal information of individuals located in China for the purpose of providing products or services, or analyzing and assessing the behavior of individuals in China
For a U.S.-based SaaS company with customers in both Europe and China, this means compliance with both laws is mandatory. The extraterritorial scope is nearly identical—but that's where the similarities end.
Consent Requirements: PIPL Is Stricter
Both GDPR and PIPL establish consent as a legal basis for processing personal data, but PIPL's consent requirements are more rigid and granular.
Under GDPR Article 6, consent is one of six legal bases (consent, contract, legal obligation, vital interests, public task, legitimate interests). Controllers can often rely on "legitimate interests" for business-critical processing, meaning consent is not always required.
Under PIPL Article 13, consent is required for:
- Sensitive personal information (biometrics, health data, financial data, minors' data, etc.) – separate, explicit consent required
- Cross-border data transfers – separate consent required unless an alternative mechanism applies
- Sharing personal information with third parties – consent required for each third party
- Publicly disclosing personal information – separate consent required
PIPL does not have a "legitimate interests" legal basis. Instead, organizations must rely on:
- Consent
- Performance of a contract
- Human resources management (employment data)
- Emergency situations
- News reporting and public supervision
- Processing already publicly disclosed information within a reasonable scope
The practical impact: PIPL requires consent more frequently than GDPR. For example:
| Scenario | GDPR Legal Basis | PIPL Legal Basis |
|---|---|---|
| Marketing emails to existing customers | Legitimate interests (with opt-out) | Consent required |
| Sharing customer data with a payment processor | Legitimate interests or contract | Consent required for third-party sharing |
| Analytics using pseudonymized data | Legitimate interests | Consent or public disclosure basis |
| Employee HR data transferred to global HQ | Legitimate interests or contract | Contract or HR management basis |
For companies managing both frameworks, this means:
- You cannot assume GDPR-compliant processing is automatically PIPL-compliant
- PIPL requires separate, explicit consent for sensitive data, cross-border transfers, and third-party sharing—even if GDPR allows these under legitimate interests
- Consent records must specify what data is being processed, for what purpose, and with which third parties
Cross-Border Data Transfers: PIPL Is Far More Restrictive
This is the area where PIPL and GDPR diverge most sharply. Both regulate international data transfers, but PIPL's mechanisms are significantly more restrictive.
GDPR Transfer Mechanisms (Chapter V)
The GDPR allows cross-border transfers under:
- Adequacy decisions – the European Commission has found the destination country to provide adequate protection (e.g., UK, Switzerland, Japan, South Korea)
- Standard Contractual Clauses (SCCs) – Controllers and processors execute EU-approved SCCs
- Binding Corporate Rules (BCRs) – For intra-group transfers within multinationals
- Consent – Data subject explicitly consents to the transfer
- Derogations – Specific situations (contract performance, legal claims, public interest)
PIPL Transfer Mechanisms (Articles 38-39)
PIPL establishes three legally prescribed pathways for cross-border transfers:
- CAC Security Assessment – Organized by the Cyberspace Administration of China (CAC), required for:
  - Organizations processing personal data of at least 1 million individuals in any given year
  - Organizations transferring sensitive personal data of at least 10,000 individuals
- Personal Information Protection Certification – Certification by a CAC-approved professional institution
- Standard Contract – Execute a CAC-approved standard contract and file it with CAC, required for:
  - Transfers of personal data of at least 100,000 individuals but fewer than 1 million
  - Transfers of any sensitive personal data (but fewer than 10,000 individuals)
Unlike GDPR, which allows controllers to self-assess adequacy using SCCs, PIPL requires government approval or certification for most significant transfers. The CAC security assessment is a multi-month process involving detailed documentation of:
- The necessity and legitimacy of the transfer
- The volume and sensitivity of data being transferred
- Overseas recipient's data protection measures
- Risks to national security and public interest
For companies accustomed to GDPR's SCC mechanism—where you can execute contracts and proceed without regulatory approval—PIPL's process is a significant operational burden.
March 2024 Relaxation of Cross-Border Rules
On March 22, 2024, the CAC published the Provisions on Promoting and Regulating the Cross-border Flow of Data, which relaxed some requirements. Key exemptions include:
- Non-sensitive personal data of fewer than 100,000 individuals per year is exempt from CAC security assessments and standard contract filing (provided the organization is not a Critical Information Infrastructure Operator)
- Employee personal data necessary for HR administration
- Personal data necessary for contract performance with individuals
- Emergency data transfers to protect life and property
These exemptions create a "safe harbor" for smaller transfers, but the thresholds are still strict: most international companies with Chinese operations will exceed 100,000 individuals and require CAC compliance.
Shanghai Enforcement Action (May 2025)
The first public penalty for unlawful cross-border transfers targeted a multinational company that transferred user data to its French headquarters without:
- Passing a CAC data export security assessment
- Executing a standard contract, or
- Obtaining personal information protection certification
This enforcement action confirms that CAC mechanisms are mandatory, not optional. Companies cannot rely on internal corporate policies or GDPR-style SCCs executed without CAC approval.
For detailed cross-border transfer requirements, see the China PIPL law page and compare with the EU GDPR law page.
Government and State Access: A Major Divergence
This is the most politically sensitive difference between PIPL and GDPR, and it has profound implications for companies managing data in both jurisdictions.
GDPR (Recital 73, Article 23) allows EU member states to restrict data protection rights for reasons of:
- National security
- Defense
- Public security
- Prevention, investigation, and prosecution of criminal offenses
However, such restrictions must be necessary and proportionate, and the European Court of Justice has repeatedly struck down government surveillance programs that fail proportionality tests (Schrems I, Schrems II).
PIPL (Articles 13, 41, 44) requires personal information handlers to:
- Provide data to government authorities when required by law
- Cooperate with national security and public security investigations
Critically, PIPL does not include proportionality safeguards or independent judicial review mechanisms comparable to GDPR. China's National Intelligence Law (2017) and Cybersecurity Law (2017) grant broad authority to state security agencies to access data for national security purposes.
For international companies, this creates tension:
- GDPR Schrems II requires that any country receiving EU personal data must have legal protections against disproportionate government access. China does not meet this standard under current EU law.
- PIPL Article 41 restricts Chinese organizations from providing personal information to foreign judicial or law enforcement agencies without prior approval from Chinese authorities.
The practical consequence: storing EU personal data in China, or Chinese personal data in the EU, creates legal conflicts between GDPR and PIPL requirements on government access.
Many multinational companies resolve this through data localization:
- Store EU personal data in EU-region cloud infrastructure (AWS Frankfurt, Azure Ireland)
- Store Chinese personal data in China-region cloud infrastructure (AWS Beijing, Alibaba Cloud)
- Minimize cross-border data flows to only what is operationally necessary
Terminology: Controllers, Processors, Handlers
Both laws assign responsibilities to organizations based on their role in data processing, but the terminology differs.
| GDPR Term | PIPL Term | Definition |
|---|---|---|
| Controller | Personal Information Handler | Entity that determines purposes and means of processing |
| Processor | Entrusted Handler | Entity that processes data on behalf of another |
| Data Subject | Individual | Person whose data is being processed |
Under GDPR, the controller-processor distinction is critical because processors have narrower obligations (primarily security and data processing agreements). PIPL's "handler" and "entrusted handler" distinction serves a similar function, but both have broader obligations.
For example:
- GDPR processors do not need to conduct Data Protection Impact Assessments (DPIAs)—only controllers do.
- PIPL entrusted handlers must still comply with consent requirements, security measures, and cross-border transfer rules.
This means that a cloud service provider acting as a "processor" under GDPR may have more extensive compliance obligations as an "entrusted handler" under PIPL.
Data Localization: PIPL's Additional Requirement
PIPL imposes data localization requirements that do not exist under GDPR.
Article 40 requires Critical Information Infrastructure Operators (CIIOs) to store personal information collected and generated in China within China. CIIOs include:
- Telecom, energy, transportation, finance, and public service sectors
- Organizations whose disruption would seriously harm national security, the economy, or public interest
If a CIIO needs to transfer data overseas, it must undergo a CAC security assessment (see cross-border transfers above).
GDPR has no equivalent data localization mandate. EU organizations are free to store personal data anywhere in the world, provided appropriate transfer mechanisms (SCCs, adequacy, BCRs) are in place.
For companies operating in China:
- Assess whether you qualify as a CIIO (most large tech platforms, financial institutions, and infrastructure providers do)
- If yes, store Chinese personal data within China and obtain CAC approval for any overseas transfers
- If no, you still need CAC compliance for cross-border transfers exceeding the thresholds
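The transfer thresholds from the cross-border section and the CIIO rule above combine into a decision procedure that a data-inventory tool can apply record by record. The classifier below is an added example written for this article, not a CAC tool; the tag names (`hr_administration`, `contract_performance`, `emergency`) and the `Transfer` record are constructed, and where the page does not say which rule wins on overlap it checks the volume and CIIO triggers before the categorical exemptions.

```python
from dataclasses import dataclass

# Thresholds as stated on this page (individuals per year). Constructed
# example: verify against the current CAC provisions before relying on it.
ASSESSMENT_TOTAL = 1_000_000      # any data, >= this -> CAC security assessment
ASSESSMENT_SENSITIVE = 10_000     # sensitive data, >= this -> CAC security assessment
CONTRACT_TOTAL = 100_000          # non-sensitive, >= this -> standard contract
# March 2024 categorical exemptions (hypothetical tag names for the three
# categories listed on the page)
CATEGORICAL_EXEMPTIONS = {"hr_administration", "contract_performance", "emergency"}

@dataclass
class Transfer:
    name: str
    individuals: int        # individuals whose data leaves China this year
    sensitive: bool         # any sensitive personal information included
    ciio: bool              # exporter is a Critical Information Infrastructure Operator
    purpose: str = "other"  # a CATEGORICAL_EXEMPTIONS tag, or "other"

def pipl_transfer_mechanism(t: Transfer) -> str:
    """Return the PIPL export pathway the page's thresholds point to.
    Volume and CIIO triggers are checked before the categorical exemptions
    (conservative ordering; the page does not say which wins on overlap)."""
    if t.ciio:                                       # Article 40: CIIO exports need assessment
        return "cac_security_assessment"
    if t.individuals >= ASSESSMENT_TOTAL:
        return "cac_security_assessment"
    if t.sensitive and t.individuals >= ASSESSMENT_SENSITIVE:
        return "cac_security_assessment"
    if t.purpose in CATEGORICAL_EXEMPTIONS:
        return "exempt"
    if t.sensitive or t.individuals >= CONTRACT_TOTAL:
        return "standard_contract_or_certification"
    return "exempt"                                  # non-sensitive, < 100k, not a CIIO

def pipl_legal_basis(gdpr_basis: str, purpose: str) -> str:
    """Map a processing activity's documented GDPR basis to a PIPL basis.
    PIPL has no "legitimate interests", so anything not covered by contract,
    HR management or emergency falls back to consent."""
    if gdpr_basis == "contract" or purpose == "contract_performance":
        return "contract"
    if purpose == "hr_administration":
        return "hr_management"
    if purpose == "emergency":
        return "emergency"
    return "consent"

if __name__ == "__main__":  # constructed sample inventory records
    for t in (Transfer("crm_sync_to_hq", 150_000, sensitive=False, ciio=False),
              Transfer("payroll_to_hq", 3_000, sensitive=True, ciio=False, purpose="hr_administration"),
              Transfer("kyc_files", 20_000, sensitive=True, ciio=False)):
        print(f"{t.name}: {pipl_transfer_mechanism(t)}")
```

`pipl_legal_basis` covers the consent-section point that GDPR activities resting on legitimate interests have no PIPL counterpart and need consent unless a contract, HR or emergency basis applies.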
Penalties: PIPL Has Higher Maximum Fines
Both GDPR and PIPL impose steep financial penalties, but PIPL's maximum is higher.
| Law | Maximum Fine |
|---|---|
| GDPR | 4% of annual global turnover or €20 million (whichever is higher) |
| PIPL | 5% of annual revenue or ¥50 million (~$7 million) (whichever is higher) |
PIPL's 5% cap applies to annual revenue, not specifically revenue in China, making it potentially more punitive for global companies. However, enforcement data is still limited—PIPL took effect in November 2021, and public enforcement actions remain relatively rare compared to GDPR (which has issued thousands of fines since 2018).
Non-monetary penalties under PIPL include:
- Suspension of business operations
- Revocation of licenses
- Public disclosure of violations
- Criminal liability for severe violations
The Shanghai 2025 enforcement action did not disclose the fine amount, but it signaled that operational suspensions and public disclosure are active enforcement tools.
Practical Compliance Strategies for Dual GDPR-PIPL Operations
For companies operating in both the EU and China, here's how to structure compliance efficiently:
1. Segregate Data by Jurisdiction
Store EU personal data in EU-region infrastructure and Chinese personal data in China-region infrastructure. This avoids cross-border transfer complexities and aligns with both laws' territorial principles.
Use geolocation-based routing to ensure:
- EU users → EU data centers → GDPR applies
- China users → China data centers → PIPL applies
2. Build Separate Consent Flows
PIPL's consent requirements are stricter. Build two consent workflows:
- GDPR flow: Consent for marketing, legitimate interests for analytics, opt-out mechanisms
- PIPL flow: Separate consent for sensitive data, cross-border transfers, third-party sharing
Do not assume a single consent form satisfies both laws.
3. Document Legal Bases Separately
In your Data Inventory, document:
- GDPR legal basis for each processing activity (consent, contract, legitimate interests, etc.)
- PIPL legal basis for each processing activity (consent, contract, HR management, etc.)
Many activities that rely on "legitimate interests" under GDPR will require consent under PIPL.
4. Execute Jurisdiction-Specific Transfer Mechanisms
For cross-border transfers:
- EU to non-EU: Execute EU SCCs
- China to non-China: Obtain CAC security assessment, certification, or file standard contract
- Do not assume EU SCCs satisfy PIPL requirements—they are separate regulatory processes
5. Minimize Cross-Border Data Sharing
Reduce the volume of data transferred internationally:
- Use pseudonymization and aggregation for analytics
- Limit employee access to data in the same jurisdiction
- Conduct DPIAs (GDPR) and security assessments (PIPL) before any cross-border transfer
6. Monitor Regulatory Changes
Both GDPR and PIPL are evolving. The CAC's March 2024 relaxation of cross-border rules shows PIPL is still being refined. Track:
- CAC guidance on certification and standard contracts
- EU adequacy decisions (China is unlikely to receive one)
- Enforcement actions in both jurisdictions
For region-specific updates, see the Asia-Pacific region hub and the PIPL DSAR calculator for deadline tracking.
Key Takeaways
GDPR compliance is not a shortcut to PIPL compliance. While the laws share structural similarities, the differences are fundamental:
- PIPL requires consent more frequently than GDPR. The absence of a "legitimate interests" legal basis means activities permissible under GDPR may require consent under PIPL.
- Cross-border data transfers are far more restrictive under PIPL. CAC security assessments, certifications, and standard contract filings are government-approval processes, not self-certification like GDPR SCCs.
- Government access rules diverge sharply. PIPL lacks the proportionality safeguards and judicial review mechanisms that GDPR requires, creating legal conflicts for data stored in both jurisdictions.
- Data localization is mandatory for CIIOs under PIPL. GDPR has no equivalent requirement.
- Penalties under PIPL can reach 5% of annual revenue—higher than GDPR's 4% cap.
- Enforcement is active. The May 2025 Shanghai penalty for unlawful cross-border transfers confirms PIPL is no longer a theoretical risk.
For international companies, the path forward is clear: treat GDPR and PIPL as separate compliance programs with overlapping components but distinct requirements. Data segregation by jurisdiction, separate consent flows, and jurisdiction-specific transfer mechanisms are essential to avoid running afoul of either framework.
PIPL is not GDPR-lite. It's a fundamentally different regulatory regime that requires dedicated compliance infrastructure. Build it now, before the next enforcement action targets your cross-border data transfers.
For detailed comparisons and jurisdiction-specific guidance, explore the China PIPL law page, the EU GDPR law page, and the Asia-Pacific region hub.