What is the difference between PIPL, DSL, and CSL in China?
China’s data regulatory landscape is built on three foundational laws: the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and the Cybersecurity Law (CSL). For foreign-invested enterprises operating in China, understanding the differences between these three laws is essential for building a comprehensive compliance program. While the laws are interrelated and share certain principles, each has a distinct scope, objectives, and regulatory requirements. This article provides a detailed comparison of the three laws, explaining their respective purposes, key provisions, and how they interact in practice.
Overview of the Three Laws
The CSL was enacted first, effective June 1, 2017, and establishes the foundational framework for cybersecurity in China. It focuses on the security and operation of networks, the protection of network data, and the responsibilities of network operators. The CSL introduced key concepts such as the Multi-Level Protection Scheme (MLPS) for network security grading, the Critical Information Infrastructure (CII) designation, and data localization requirements for CII operators. It set the stage for China’s comprehensive digital regulation.
The DSL followed, effective September 1, 2021, and addresses data security from a broader perspective. While the CSL focuses on network security, the DSL applies to all data processing activities within China and establishes a data classification and grading system. It introduces the concept of important data and core data, imposes data security obligations on data processors, and establishes the data export security assessment regime. The DSL is concerned primarily with data security from a national security and public interest perspective, rather than individual privacy protection.
The PIPL, effective November 1, 2021, is China’s comprehensive personal information protection legislation. Modeled partly on the European Union’s General Data Protection Regulation (GDPR), PIPL focuses specifically on the protection of individual privacy rights in personal information processing. It establishes the legal basis for processing personal information, defines data subject rights, imposes cross-border data transfer restrictions, and sets severe penalties for non-compliance. PIPL is the most directly relevant law for foreign enterprises that handle personal data of individuals in China.
Scope of Application
| Dimension | CSL | DSL | PIPL |
|---|---|---|---|
| Effective Date | June 1, 2017 | September 1, 2021 | November 1, 2021 |
| Primary Focus | Network security and operation | Data security and classification | Personal information protection |
| Protected Interest | National cybersecurity and public interest | National security, economic stability | Individual privacy and dignity |
| Entities Covered | Network operators and CII operators | All data processors in China | All personal information processors |
| Territorial Scope | Networks in China | Data processing in China | Processing within China and of individuals in China |
| Data Subject Rights | Limited (network security context) | Limited (data security context) | Comprehensive (access, correction, deletion, portability) |
| Cross-Border Transfer | Localization for CII operators | Security assessment for important data | Consent, SCCs, certification, or security assessment |
| Penalties | Up to 500,000 RMB (general) | Up to 10 million RMB or 5% revenue | Up to 50 million RMB or 5% revenue |
Key Provisions of Each Law
Cybersecurity Law (CSL)
The CSL establishes the obligation of network operators to implement technical and organizational security measures to protect networks from interference, damage, and unauthorized access. Key requirements include the adoption of a Multi-Level Protection Scheme (MLPS) that grades network systems based on their importance and the sensitivity of the data they process. Network operators are required to register their systems under MLPS, conduct security assessments, and maintain records. For CII operators, the CSL imposes additional obligations, including the appointment of a designated person for cybersecurity, regular security audits, emergency response planning, and mandatory data localization. Under Article 37, CII operators must store personal information and important data collected in China on servers located within China. If a cross-border transfer is necessary, a security assessment is required.
The CSL also establishes incident reporting obligations. Network operators must report cybersecurity incidents to relevant authorities in accordance with prescribed timelines, and they must provide remedial measures to affected users. The CSL created the framework for personal information protection that was later expanded by PIPL.
Data Security Law (DSL)
The DSL establishes a comprehensive data security governance system. Its centerpiece is the data classification and grading system under Article 21, which requires data processors to classify data based on its importance to national security, economic stability, and public interest. The DSL identifies two special categories of data: important data, which if compromised could harm national security, public interests, or the legitimate rights of individuals; and core data, which relates to national security, critical infrastructure, and major public interests. Each industry sector is expected to publish its own catalog of important data, and enterprise data processors must identify and protect important data within their systems.
The DSL also establishes the data export security assessment regime. Article 31 requires that the cross-border transfer of important data collected by CII operators and other data processors be subject to a security assessment administered by the CAC. The DSL imposes data security obligations on all data processors, including the requirement to establish data security management systems, conduct data security training, implement data security risk monitoring and assessment, and respond to data security incidents. Data processors that handle large volumes of data must designate a data security officer and establish a dedicated department for data security management.
Personal Information Protection Law (PIPL)
PIPL establishes the rights of data subjects and the obligations of personal information processors. Data subject rights include the right to know and consent to the processing of their personal information, the right to access and copy their personal data, the right to correct inaccurate information, the right to delete personal information (the right to be forgotten), the right to withdraw consent, the right to restrict processing, and the right to data portability. PIPL also provides specific protections against automated decision-making, including the right to be informed of the logic and consequences of automated decisions and the right to request human review of such decisions.
Key obligations of personal information processors include the following. Processing must be based on a valid legal basis under Article 13, including consent, contract performance, legal obligation, vital interests, public interest, or legitimate interests. A PIPIA must be conducted before processing sensitive personal information, using automated decision-making, engaging in data disclosure, transferring data outside China, or processing data of minors. Cross-border data transfers require one of the three mechanisms: a CAC security assessment, China SCCs, or personal information protection certification, plus notification and separate consent. PIPL enforcement includes penalties of up to 50 million RMB or 5 percent of annual revenue, suspension of business activities, and revocation of business licenses.
How the Three Laws Interact in Practice
For a foreign enterprise operating in China, the three laws apply concurrently. A single data processing activity may be subject to requirements under all three laws. For example, when a foreign-invested WFOE transfers employee HR data to global headquarters, it must comply with the CSL’s MLPS requirements for the IT systems through which the data passes, the DSL’s important data classification obligations if the HR data includes any data that could be classified as important data in a regulated sector, and PIPL’s full set of requirements for personal information processing, cross-border transfer, and data subject rights.
The following scenario illustrates the interaction. A financial services WFOE collects customer data through its mobile app. Under the CSL, the app’s network system must be registered under the appropriate MLPS level, and if the WFOE is designated as a CII operator, the customer data must be stored locally. Under the DSL, the financial data may be classified as important data under the sectoral catalog published by the People’s Bank of China, requiring enhanced security measures and a security assessment before any cross-border transfer. Under PIPL, the customer’s name, financial account details, and transaction history constitute personal information and sensitive personal information respectively, requiring explicit consent, a PIPIA, and a cross-border transfer mechanism if the data is transferred to the global headquarters for centralized analysis.
Regulatory Authorities
Each law is enforced by different regulatory bodies, though there is significant overlap. The CSL is primarily enforced by the Ministry of Public Security (MPS) for network security matters and the CAC for content management and CII designation. The DSL is jointly enforced by the CAC and relevant industry-specific regulators, with the CAC taking the lead on cross-border data transfer assessments. The PIPL is enforced by the CAC and provincial-level cyberspace administrations for general matters, with industry-specific regulators playing a role in regulated sectors such as finance, healthcare, and telecommunications. Enterprises should identify their primary regulatory contact based on their industry and data processing activities.
Summary of Key Differences
To summarize the practical differences: the CSL is about network security and applies to anyone operating a network or IT system in China. It requires MLPS registration, CII compliance, and incident response capabilities. The DSL is about data security from a national security perspective and applies to all data processors. It requires data classification, important data protection, and security assessments for important data exports. The PIPL is about individual privacy protection and applies to any entity processing personal information of individuals in China. It requires consent, impact assessments, data subject rights mechanisms, and cross-border transfer controls for personal information.
Together, these three laws form a comprehensive regulatory framework that foreign enterprises must navigate carefully. Compliance with one law does not imply compliance with the others, and regulatory authorities increasingly coordinate enforcement actions across all three legal frameworks. A holistic approach that addresses network security, data security, and personal information protection as an integrated compliance program is the most effective strategy for managing regulatory risk in China.
