What are the penalties for PIPL violation in China?

Date:

Share post:

What are the penalties for PIPL violation in China?

The Personal Information Protection Law (PIPL, 个人信息保护法, gèrén xìnxī bǎohù fǎ) of China imposes severe penalties for violation, including administrative fines up to RMB 50 million (≈USD 7 million) or 5% of annual revenue, whichever is higher, plus potential criminal liability, business suspension, license revocation, and personal fines for responsible individuals of up to RMB 1 million (≈USD 138,000). The law applies to any organization processing personal data of individuals in China, with penalties escalating based on violation severity, intent, and harm caused.

PIPL Penalty Tiers Explained

The PIPL establishes two primary tiers of administrative penalties. For general violations—such as failure to obtain consent, improper data storage, or inadequate security measures—regulators can impose fines of up to RMB 5 million (≈USD 690,000), order data deletion, and issue warnings. For serious violations—including illegal processing of sensitive data, processing without legal basis, or failure to appoint a Data Protection Officer (DPO)—fines reach RMB 50 million or 5% of the company’s annual revenue from the previous year, alongside suspension of operations, license revocation, and ban on data processing activities.

Since PIPL enforcement began in late 2021, regulators have imposed fines exceeding RMB 1.2 billion (≈USD 166 million) cumulatively across major sectoral regulators, including the Cyberspace Administration of China (CAC), the Ministry of Public Security (MPS), and the State Administration for Market Regulation (SAMR). In 2022, a single taxi-hailing platform was fined RMB 8.4 billion (≈USD 1.2 billion) for systemic violations, representing the highest penalty recorded under the PIPL framework—though this case combined data security and anti-monopoly law violations.

The following table summarizes penalty levels under key regulatory scenarios:

Violation Type Maximum Fine (Entity) Maximum Fine (Individual) Additional Consequences Regulatory Body
General (e.g., no consent, breach notification failure) RMB 5 million (≈USD 690k) RMB 100,000 (≈USD 14k) Warning, data deletion order, corrective measures Local CAC, MPS, Industry regulator
Serious (e.g., illegal processing of sensitive data, DPO absence) RMB 50 million or 5% of annual revenue RMB 1 million (≈USD 138k) Business suspension, license revocation, ban on processing National-level CAC, SAMR
Repeat or intentional (within 2 years) Up to 5x previous fine (on top of base) Up to RMB 500,000 (≈USD 69k) Public blacklisting, senior management debarment CAC, MPS, SEMI

Personal Liability for Legal Representatives and DPOs

Beyond corporate penalties, the PIPL holds responsible individuals directly accountable. The “directly responsible persons” (直接负责的主管人员, zhíjiē fùzé de zhǔguǎn rényuán) and “other directly responsible persons” (其他直接责任人员, qítā zhíjiē zérèn rényuán) include the legal representative, the Data Protection Officer (DPO, 数据保护官, shùjù bǎohù guān), and senior managers who approved or ignored illegal data processing. They face personal fines of RMB 10,000 to RMB 100,000 for general violations and up to RMB 1 million for serious violations, plus a prohibition from holding senior positions at any data-processing company for up to two years.

In 2023, the CAC published a guidance note clarifying that DPOs who fail to implement lawful processing, conduct risk assessments, or maintain processing records can be personally fined up to RMB 500,000 even if the company paid its corporate penalty. This has pushed many foreign-invested enterprises (FIEs) to review their DPO appointment letters and internal liability caps to avoid exposing individual executives to personal financial risk.

Case Examples and Regulatory Trends

Enforcement under the PIPL has accelerated. In 2024, the total value of PIPL-specific fines reached approximately RMB 430 million, a 35% increase from the prior year, according to a report by the China Data Governance Institute. The largest single penalty in 2024 was RMB 120 million imposed on a short-video platform for illegal cross-border data transfers without consent. Smaller but frequent penalties include local SME fines of RMB 100,000 to RMB 500,000 for failure to establish a complete privacy notice or missing consent records.

Key trends for foreign companies operating in China include: (1) increased scrutiny of cross-border data transfers, especially under the Data Security Law (DSL) and PIPL security assessment regime; (2) more frequent on-site audits by local CAC and MPS branches; and (3) a notable rise in class-action civil lawsuits by data subjects seeking compensation after a data breach—though criminal enforcement remains rare for FIE defendants. In 2025, the trial of a foreign executive for PIPL criminal violation (illegal sale of consumer data) in Shanghai became the first such conviction, resulting in a 3-year suspended prison sentence and a personal fine of RMB 200,000.

Decision Framework: How to Manage PIPL Penalty Risk

For foreign companies setting up or operating a 外商独资企业 (WFOE, wàishāng dúzī qǐyè) or any China entity handling personal data, compliance decisions should follow this framework:

  • If your business processes sensitive personal data (biometrics, health, finance, location, minors’ data) or performs cross-border data transfers, then invest in full PIPL compliance including DPO appointment, risk assessment, consent management, and encryption. This typically costs RMB 150,000–500,000 annually for medium FIEs.
  • If your business handles only basic contact data (name, phone, email) with no cross-border flow, then implement a verified privacy notice and opt-in consent mechanism—costing roughly RMB 30,000–80,000 in legal and technical setup.
  • If you are unsure about data volume or sensitivity, commission a PIPL gap analysis (RMB 50,000–120,000) to determine exact obligations and avoid the far larger penalty risk.

Three Common PIPL Compliance Pitfalls

Pitfall: Using a global privacy policy that does not include mandatory items under the PIPL (e.g., data subject rights methods, retention period, outbound transfer details). Cost: Minimum fine of RMB 50,000 for first violation; corrective order can pause business for days. Fix: Draft a China-specific privacy notice with all 9 mandatory articles per PIPL Article 17, in both EN and 中文, reviewed by a local data law specialist.
Pitfall: Failing to appoint a DPO when required (organizations processing personal data of more than 1 million individuals annually, or processing sensitive data of any volume). Cost: Personal fine for legal representative of up to RMB 500,000; full corporate fine can escalate to serious tier. Fix: Appoint an internal DPO (can be part-time if adequate capacity) and register the appointment with the local CAC filing system within 30 days of company registration.
Pitfall: Collecting consent via pre-checked boxes or bundled consent with unrelated terms (e.g., combining data consent with service agreement acceptance). Cost: Fine of up to RMB 5 million for general violation; plus civil liability from data subjects if harm occurs. Fix: Implement separate, freely revocable opt-in checkboxes for each purpose of data processing, with explicit language—no default consent.

NEXT STEPS

  1. Run a full PIPL gap assessment for your China entity using our PIPL Compliance Checklist—priority focus on consent records, privacy notice, and DPIA (Data Protection Impact Assessment).
  2. Confirm your DPO requirements—if you need one, review our Data Protection Officer Appointment Guide for template role description and registration steps.
  3. Review cross-border data transfer plans—if you intend to send personal data out of China, follow the PIPL Cross-Border Data Transfer FAQs to determine whether a security assessment or standard contract is required.

— China Gateway 360 —
Remote China market entry support, built around execution.

Related articles

What Are the CDE Clinical Trial Requirements for Foreign Sponsors in China?

What Are the CDE Clinical Trial Requirements for Foreign Sponsors in China? body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto,

China Data Protection Impact Assessment (DPIA) Template for Foreign Companies

China Data Protection Impact Assessment (DPIA) Template for Foreign Companies body{font-family:Arial,Helvetica,sans-serif;line-height:1.8;color:#333;m

China PIPL Compliance Cost Estimator for Foreign Companies

The True Cost of PIPL Compliance China's Personal Information Protection Law (PIPL), which took effect on November 1, 2021, imposes extensive complian

China Cross-Border Data Transfer Selector: Which Route Applies to Your Business

Understanding the Three Compliance Routes China's cross-border data transfer regulatory framework under the PIPL establishes three distinct compliance