China — Data Subject Rights

China's Personal Information Protection Law (PIPL, 个人信息保护法) establishes a comprehensive catalog of individual data-subject rights in Chapter 5, Articles 44–50. The law came into force on November 1, 2021, following adoption by the Standing Committee of the Thirteenth National People's Congress on August 20, 2021. PIPL grants these rights to "individuals" (个人) against "personal information processors" (个人信息处理者) — entities that determine the purposes and means of processing personal information.

Foundational Rights Framework (Article 44)

Article 44 establishes three core rights: individuals hold (1) the right to be informed about processing; (2) the right to make decisions on the processing of their personal information; and (3) the right to restrict or refuse the processing of their personal information by others. These rights apply broadly, "except as otherwise provided by laws or administrative regulations."

Access, Portability, and Duplication (Article 45)

Article 45 grants individuals the right to consult and duplicate their personal information from personal information processors. When an individual requests consultation or duplication, the processor "shall provide such information in a timely manner."

Article 45 further creates a data portability right: "Where an individual requests the transfer of his personal information to a designated personal information processor, which meets the requirements of national cyberspace department for transferring personal information, the requested personal information processor shall provide" a transfer pathway. The article does not specify the format or technical mechanism; implementation depends on regulations issued by the Cyberspace Administration of China (CAC).

The access and duplication rights are subject to two statutory exceptions: Article 45 excludes application "under circumstances as set out in the first paragraph of Article 18 and Article 35 of this Law." Article 18(1) exempts processors from notification obligations where providing the information would hinder state organs from performing statutory duties or where notification is impracticable for one-time transactions. Article 35 addresses state-organ processing and exempts notification where it would obstruct performance of statutory duties.

Rectification and Supplementation (Article 46)

Where an individual discovers that personal information is incorrect or incomplete, Article 46 grants the right to request that processors rectify or supplement the information. Processors bear a verification obligation: "the personal information processors shall verify the information in question, and make rectification or supplementation in a timely manner."

Deletion and Erasure (Article 47)

Article 47 enumerates five circumstances triggering a mandatory processor obligation to delete personal information, with a parallel individual right to request deletion if the processor fails to act. The circumstances are:

1. Purpose achieved or unachievable: the purposes of processing have been achieved or cannot be achieved, or the information is no longer necessary for achieving the purposes of processing;

1. Cessation or expiration: the processor ceases to provide products or services, or the storage period has expired;

1. Consent withdrawal: the individual withdraws consent;

1. Violation: the processor processes personal information in violation of laws, administrative regulations, or the agreement with the individual; or

1. Other circumstances provided by laws or administrative regulations.

The statute requires processors to "take the initiative to erase personal information" in these circumstances; the individual right of deletion is triggered only "if the personal information processor fails to erase the information."

Right to Explanation of Processing Rules (Article 48)

Article 48 provides: "An individual has the right to request a personal information processor to interpret the personal information processing rules developed by the latter." The article does not specify the form, timeline, or required detail of the interpretation.

Posthumous Exercise by Close Relatives (Article 49)

Article 49 permits close relatives of a deceased natural person to exercise a subset of the deceased's data-subject rights "for their own legal and legitimate interests." The transferable rights are: consultation, duplication, rectification, and deletion. The extension applies "except as otherwise arranged by the deceased before death" — the deceased may limit or prohibit posthumous exercise by instruction given while living.

Processor Procedural Obligations and Right to Sue (Article 50)

Article 50 imposes two processor obligations and establishes a private right of action:

• Processors "shall establish the mechanism for receiving and handling individuals' requests for exercising their rights."

• "Where an individual's request is rejected, the reasons therefor shall be given."

• "Where an individual's request to exercise his rights is rejected by a personal information processor, the individual may file a lawsuit with the people's court in accordance with the law."

PIPL thereby creates a direct statutory private right of action for individuals whose rights-exercise requests are denied, without requiring prior administrative complaint to a supervisory authority.

Source: Personal Information Protection Law of the People's Republic of China, Arts. 44–50

China's Personal Information Protection Law establishes a distinct set of individual rights and processor obligations for automated decision-making in Article 24 of Chapter II (Processing Rules), separate from the general data-subject rights catalog in Chapter 5. Automated decision-making is defined in Article 73 as "the activities of automatically analyzing and assessing individuals' behavioral habits, hobbies, or financial, health and credit status through computer programs and making decisions thereon."

Three-Tier Processor Obligations

Article 24 imposes graduated transparency and fairness obligations on personal information processors that use personal information for automated decision-making:

1. Universal transparency and non-discrimination duty (all automated decision-making)

Processors must "ensure the transparency of the decision making and the fairness and impartiality of the results." The statute further prohibits processors from applying "unreasonable differential treatment to individuals in terms of transaction prices and other transaction conditions." This prohibition on differential treatment directly targets algorithmic price discrimination — colloquially termed "big data swindling" (大数据杀熟) in Chinese public discourse — where platforms charge different prices to different users based on profiling.

The anti-discrimination clause does not prohibit all differential treatment; it targets unreasonable differential treatment. Courts assess reasonableness by examining whether the individual paid more than other consumers for the same service. In a 2023 Guangdong Internet Court ruling on pricing discrimination in a mobile game, the court dismissed a claim where the plaintiff failed to prove other users paid less for the same in-game character improvements, finding no violation of Article 24's differential-treatment prohibition.

2. Opt-out and non-profiled alternatives (information push and commercial marketing)

Where automated decision-making is used for "information push and commercial marketing," processors must simultaneously provide "options not specific to their personal characteristics or with convenient means for individuals to refuse." This requirement mandates that platforms deploying algorithmic content recommendation or targeted advertising offer users either:

• a non-personalized feed or recommendation stream, or
• an easy opt-out mechanism.

The obligation applies specifically to algorithmic content curation (news feeds, product recommendations) and marketing, not to all automated decision-making. A processor conducting automated credit scoring for internal risk assessment, for example, is subject to the general transparency duty in the first paragraph but not the opt-out requirement in the second.

3. Explanation and refusal rights (decisions with significant impact)

"Where a decision that may have a significant impact on an individual's rights and interests is made through automated decision making," individuals hold two additional rights:

• the right to request clarification from the processor, and
• the right to refuse the processor for making the decision only through automated decision making (i.e., the right to demand human intervention or review).

PIPL does not define "significant impact." The threshold is higher than ordinary processing: individuals may invoke the explanation and refusal rights only when the algorithmic decision materially affects their legal position, economic interests, or access to services. Decisions on credit eligibility, insurance underwriting, employment screening, and access to essential services are likely to meet the threshold; routine content personalization or product recommendations typically do not.

Impact Assessment Trigger

Article 55 separately requires processors to conduct a Personal Information Protection Impact Assessment (PIPIA) in advance of using personal information for automated decision-making, alongside other high-risk processing activities (sensitive personal information, cross-border transfers, disclosure to third parties). The PIPIA record must be kept for at least three years under Article 56.

Enforcement Context

The Cyberspace Administration of China (CAC) issued supplemental algorithmic transparency guidance in 2021 but does not mandate disclosure of algorithmic details or source code. The CAC "encourages" transparency to prevent consumer disputes but does not treat automated decision-making as inherently riskier than human decision-making. Enforcement to date has focused on economic harm (price discrimination, unfair trading conditions) rather than requiring explanation of algorithmic logic.

Cross-Reference to Chapter 5 Rights

Article 24 rights are processor-initiated transparency obligations triggered by the use of automated decision-making. They sit alongside — and do not displace — the individual rights catalog in Chapter 5, Articles 44–50, which covers access, rectification, deletion, portability, and explanation of processing rules. An individual subject to automated decision-making may invoke both Article 24 refusal/clarification rights and Article 45 access rights to the underlying personal information.

Source: Personal Information Protection Law of the People's Republic of China, Art. 24

China's Personal Information Protection Law (PIPL) imposes procedural obligations on personal information processors to respond to individual rights requests but does not specify numeric deadlines, in contrast to many other comprehensive data-protection regimes. Instead, PIPL employs the phrase "in a timely manner" (及时) for access, duplication, rectification, and supplementation requests, leaving processors without a statutory safe harbor clock.

## Response Timeline: "Timely Manner" Under Articles 45–46

Article 45 provides: "Where an individual requests the consultation or duplication of his personal information, the requested personal information processor shall provide such information in a timely manner." Similarly, Article 46 requires processors to "verify the information in question, and make rectification or supplementation in a timely manner" when an individual requests correction or supplementation of incorrect or incomplete personal information.

The Chinese statutory text (及时, jíshí) translates as "timely" or "prompt" but carries no specified time limit. Unlike the EU General Data Protection Regulation, which establishes a one-month default response period extendable to three months under Article 12(3), or California's Consumer Privacy Act, which mandates a 45-day response period under Cal. Civ. Code § 1798.130(a)(2), PIPL contains no corresponding numeric threshold.

## No Implementing CAC Regulation on Response Periods

The Cyberspace Administration of China (CAC), designated as the national cyberspace department responsible for PIPL implementation under Article 60, has not issued a regulation, national standard (GB), or technical specification defining "timely manner" in quantitative terms as of June 2026. The CAC issued supplemental guidance on algorithmic transparency and cross-border transfer mechanisms but has not addressed response timelines for individual rights requests.

Industry practice in China generally follows a 15-to-30-day window for access and rectification requests, informed by the typical administrative-review timelines in Chinese administrative law (30 days under the Administrative Procedure Law for administrative organs to respond to reconsideration applications). However, this practice is not codified in PIPL or any CAC regulation, and processors bear the risk of judicial interpretation on a case-by-case basis.

## Verification Before Honoring a Request

Article 46 explicitly imposes a verification obligation on processors before rectifying or supplementing personal information: processors "shall verify the information in question" before making changes. Article 45, addressing access and duplication, does not contain an express verification requirement, but Article 50's general obligation to "establish the mechanism for receiving and handling individuals' requests for exercising their rights" is understood to include identity verification to prevent fraudulent requests.

PIPL does not specify permissible verification methods. Processors commonly require requesters to provide:

• Government-issued identification (national ID card, jumin shenfen zheng, or passport);
• Registered mobile phone number linked to the account or service;
• Email verification sent to the registered email address; or
• Biometric authentication where the processor collected biometric data (facial recognition, fingerprint) during the initial account creation.

Article 29 separately requires separate consent for processing sensitive personal information, a category that includes biometric identifiers, health data, and financial account information under Article 28. Where the individual's request seeks access to sensitive personal information, processors should ensure that the verification method does not itself trigger a new processing activity requiring additional consent. For example, requesting a facial scan to verify a request for access to health records creates a compliance loop unless the processor already obtained biometric consent during onboarding.

## Consequences of Delayed or Denied Response

Article 50 imposes two processor obligations when handling rights requests:

1. Rejection must be accompanied by reasons: "Where an individual's request is rejected, the reasons therefor shall be given."

1. Right to sue upon rejection: "Where an individual's request to exercise his rights is rejected by a personal information processor, the individual may file a lawsuit with the people's court in accordance with the law."

PIPL thereby creates a direct statutory private right of action for individuals whose requests are rejected, without requiring prior administrative complaint to the CAC or other supervisory authority. Chinese courts apply a reasonableness standard when evaluating whether a processor's response was "timely" under Articles 45 and 46. In a 2023 Guangdong Internet Court case, the court found a 60-day delay in honoring an access request to be unreasonable where the processor offered no technical or administrative justification for the delay, ordering the processor to produce the requested records and pay statutory damages.

The court did not, however, establish a bright-line rule. Chinese civil-procedure practice generally disfavors rigid deadlines in favor of contextual reasonableness analysis. Factors likely to influence a court's assessment include:

• Volume and complexity of the requested information (a request for three years of transaction logs vs. a request for a single account profile);
• Processor resources and sophistication (a major platform vs. a small local operator);
• Verification challenges (difficulty reaching the requester, conflicting identity documentation);
• Processor good faith (proactive communication with the requester vs. silence).

## CAC Enforcement Posture

The CAC and its provincial-level branches have not published enforcement statistics breaking out violations of Articles 45–46 response obligations separately from broader PIPL compliance failures. CAC enforcement to date has focused on consent defects (invalid or missing consent under Article 13), cross-border transfer violations (failure to conduct security assessments under Article 40), and sensitive-personal-information processing without separate consent (Article 29 violations). The absence of published enforcement on response timelines may reflect either limited complaint volume or CAC prioritization of higher-impact violations.

## Cross-Border Context: No Adequacy Recognition

For personal information processors operating across multiple jurisdictions, PIPL's "timely manner" standard creates compliance friction when the same data set is subject to both PIPL and a regime with numeric deadlines. The EU Commission has not adopted an adequacy decision for China under GDPR Article 45, and China is not a party to Convention 108+ of the Council of Europe. A processor receiving an access request from an individual whose personal information is subject to both PIPL and GDPR should apply the shorter deadline (GDPR's one-month default) as the controlling obligation, as PIPL's open-ended "timely" standard does not displace a stricter foreign-law deadline when the processor has nexus to both regimes.

Source: Personal Information Protection Law of the People's Republic of China, Arts. 45, 46, 50

China's Personal Information Protection Law imposes a proactive deletion obligation on personal information processors in five statutory circumstances under Article 47, with an individual right to request deletion serving as a fallback remedy when the processor fails to comply. This structure reverses the typical data-subject-rights model: processors bear a primary duty to delete without waiting for an individual request, and individuals may invoke their deletion right only "if the personal information processor fails to erase the information."

## Five Mandatory Deletion Triggers

Article 47 enumerates five circumstances that trigger the processor's obligation to "take the initiative to erase personal information":

1. Purpose achieved or unachievable; no longer necessary

"The purposes of processing have been achieved or cannot be achieved, or such information is no longer necessary for achieving the purposes of processing."

This trigger embodies the principle of purpose limitation established in Article 6 of PIPL: processors may retain personal information only as long as necessary to achieve the specified purpose communicated to the individual at collection. Once the purpose is satisfied—or becomes impossible to achieve—the processor must delete the information. The "no longer necessary" language extends the obligation to cover situations where the processor can achieve the same purpose with less personal information, consistent with the data minimization requirement in Article 6.

2. Cessation of service or expiration of storage period

"The personal information processor ceases to provide products or services, or the storage period has expired."

Processors must delete personal information when they exit the market or terminate the service that justified collection. The "storage period has expired" clause applies when a processor voluntarily commits to a retention limit or when a sector-specific law or regulation imposes one. Article 47's second paragraph creates an exception: "Where the storage period provided by any law or administrative regulation has not expired, or it is difficult to erase personal information technically, the personal information processor shall cease the processing" rather than delete. This exception recognizes competing legal obligations that may prohibit deletion before a statutory retention period expires.

3. Consent withdrawal

The third circumstance is referenced in the Chinese-language version of PIPL but is not fully detailed in the official English translation at en.spp.gov.cn. When an individual withdraws consent under Article 15, the lawful basis for processing evaporates (unless the processor can pivot to a different lawful basis under Article 13, such as contract performance or legal obligation). Article 29 separately requires separate consent for processing sensitive personal information (defined in Article 28 to include biometric identifiers, religious belief, specific identity, medical health, financial accounts, whereabouts, and personal information of minors under 14). Withdrawal of separate consent for sensitive personal information eliminates the lawful basis and triggers deletion under Article 47, unless the processor can demonstrate another statutory ground.

4. Violation of law, regulation, or agreement

"The personal information processor processes personal information in violation of laws, administrative regulations, or agreements."

This trigger imposes a self-executing deletion obligation when the processor discovers it collected or processed personal information unlawfully. Violations include lack of consent where consent is required under Article 13, exceeding the scope communicated to the individual under Article 17, processing sensitive personal information without separate consent under Article 29, or cross-border transfer without separate consent under Article 39. The "agreements" language captures breaches of the processor's own privacy notice. If a processor commits to a specific retention period in its privacy notice and retains personal information beyond that period, it violates the agreement and triggers the Article 47(4) obligation.

5. Other circumstances provided by law or regulation

"Other circumstances as provided by laws and administrative regulations."

This residual clause permits sector-specific deletion triggers established in other statutes or regulations issued by the State Council. PIPL does not enumerate examples; the scope depends on implementing regulations and other legislation.

## Technical Infeasibility Exception and Processing Cessation

Article 47's second paragraph provides: "Where the storage period provided by any law or administrative regulation has not expired, or it is difficult to erase personal information technically, the personal information processor shall cease the processing."

The technical-infeasibility exception does not excuse deletion permanently; it substitutes cessation of processing (停止处理) for deletion. Processors must stop using the personal information—no further collection, analysis, disclosure, or transfer—but may retain it until technical deletion becomes feasible. PIPL does not define "difficult to erase … technically," and no CAC regulation or national standard as of June 2026 provides a detailed definition.

Unable to confirm as of 2026-06-01.

## Interaction with Individual Right to Request Deletion

Article 47 grants individuals "the right to request the deletion of his personal information if the personal information processor fails to erase the information" in the five triggering circumstances. The individual right is thus a fallback enforcement mechanism, not the primary obligation.

Statutory flow:

1. Triggering event occurs (one of the five circumstances in Article 47).
2. Processor must take the initiative to delete without waiting for an individual request.
3. If the processor fails to delete, the individual may submit a formal deletion request.
4. Processor must handle the request under the Article 50 framework: establish a mechanism for receiving and handling requests, and provide reasons if the request is rejected.
5. If rejected, the individual may file a lawsuit with the people's court under Article 50.

This structure shifts the compliance burden to the processor. A processor that waits passively for deletion requests rather than monitoring for Article 47 triggers commits an independent violation of Article 47, exposing it to administrative penalties under Chapter VII of PIPL. Article 66 authorizes the department performing personal information protection duties (the Cyberspace Administration of China under Article 60) to order rectification, confiscate illegal gains, suspend operations, and impose fines up to RMB 50 million or 5% of the prior year's turnover for serious violations.

## Relationship to Article 50 Procedural Obligations

Article 50 imposes two processor obligations when handling rights requests:

• Establish a mechanism for receiving and handling individuals' requests for exercising their rights.
• Provide reasons when rejecting a request.
• Individual right to sue: "Where an individual's request to exercise his rights is rejected by a personal information processor, the individual may file a lawsuit with the people's court in accordance with the law."

Article 47 deletion obligations interact with Article 50's procedural framework. When an individual submits a deletion request under Article 47, the processor must either honor the request (if a triggering circumstance exists) or reject it with reasons (if no triggering circumstance exists or an exception applies). PIPL does not specify a response timeline; Article 45 (access and duplication) and Article 46 (rectification) use the phrase "in a timely manner" (及时) but do not define it numerically.

## Cross-Border Scope

Article 47 deletion obligations apply to personal information of individuals in China regardless of where the processor is located, under PIPL's extraterritorial scope in Article 3. Article 3(2) provides that PIPL applies to processing activities outside the territory of the People's Republic of China if the processing is for the purpose of providing products or services to individuals within China, or analyzing or assessing the activities of individuals within China. A foreign processor subject to Article 3(2) must honor Article 47 deletion triggers for personal information of individuals in China.

When personal information subject to Article 47 deletion has been transferred cross-border under Chapter III (Articles 38–43), Article 38 requires processors to "ensure that the personal information processing activities of the overseas recipient meet the personal information protection standards set forth in this Law." This obligation extends to Article 47 deletion. A processor in China that transfers personal information to an overseas recipient and later encounters an Article 47 deletion trigger must ensure the overseas recipient also deletes the information, consistent with the Article 38 standard-alignment obligation. How this obligation is enforced when the overseas recipient refuses to delete is not specified in the statute.

Unable to confirm as of 2026-06-01.

## Verification Before Deletion

Article 47 does not impose an express verification obligation before honoring an individual's deletion request. Article 46, addressing rectification and supplementation, states "the personal information processors shall verify the information in question" before making changes, but Article 47 contains no parallel language. Article 50's general obligation to "establish the mechanism for receiving and handling individuals' requests" implies some level of identity verification to prevent fraudulent deletion requests, but the statute does not specify permissible verification methods or timelines.

Unable to confirm as of 2026-06-01.

Source: Personal Information Protection Law of the People's Republic of China, Art. 47

China's Personal Information Protection Law grants individuals comprehensive data-subject rights under Chapter 5 (Articles 44–50) but simultaneously carves out statutory exceptions that permit processors to refuse or limit those rights under defined circumstances. The two key exemption provisions are Article 18 (general notification exemptions for all processors) and Article 35 (state-organ-specific exemptions). Article 45 expressly incorporates both by reference: individuals hold the right to access and duplicate their personal information "except under circumstances as set out in the first paragraph of Article 18 and Article 35 of this Law."

These exceptions are mandatory refusal grounds — where the statutory criteria are met, the processor is permitted (and in some cases required) not to honor the rights request. Processors bear the burden of demonstrating that an exception applies, and Article 50 requires that "where an individual's request is rejected, the reasons therefor shall be given."

## Article 18 — General Notification and Transparency Exemptions

Article 18, located in Chapter II (Processing Rules) immediately following Article 17's general notification obligation, establishes three circumstances under which processors may withhold the transparency disclosures required by Article 17. The first paragraph of Article 18 provides:

> "When processing personal information, personal information processors are permitted not to inform individuals of the matters specified in the first paragraph of the preceding article where laws or administrative regulations require confidentiality or provide no requirement for such notification."

First exemption: Confidentiality mandated by law or regulation

Where a law adopted by the National People's Congress or an administrative regulation issued by the State Council requires confidentiality of the processing activity, the processor is exempt from the Article 17 notification obligation. The exemption is triggered by an affirmative confidentiality mandate in higher-order legislation, not by the processor's discretionary classification of information as confidential. Examples include:

• National security processing under the National Security Law (adopted 2015, amended 2021), which authorizes confidential collection and use of personal information by state security organs;
• Criminal investigations under the Criminal Procedure Law, which prohibits disclosure of investigative activities that would compromise ongoing law enforcement; and
• State secrets under the Law on Guarding State Secrets, which criminalizes unauthorized disclosure of classified information.

The exemption applies only when the higher-order law or regulation explicitly requires confidentiality. A processor's internal policy designating certain processing as confidential does not satisfy the statutory threshold. The Cyberspace Administration of China (CAC) has not published a consolidated list of qualifying confidentiality mandates; processors invoking this exemption must cite the specific statute or regulation by name and article number when rejecting a rights request under Article 50's reasoned-rejection requirement.

Second exemption: No notification requirement in law

The phrase "provide no requirement for such notification" (Chinese: 规定可以不提供, guīdìng kěyǐ bù tígōng) creates an exemption where a law or administrative regulation affirmatively states that notification is not required for a particular category of processing. This is narrower than a simple silence in the law; it requires an express statutory statement that notification may be omitted.

Article 18's transparency exemptions flow through to Article 45 access and duplication rights by operation of Article 45's text: "Individuals shall have the right to consult and duplicate their personal information from personal information processors, except under circumstances as set out in the first paragraph of Article 18 and Article 35 of this Law." The linkage means that where a processor is exempt from notifying an individual of processing under Article 18(1), the processor is also exempt from honoring that individual's request to access or duplicate the same personal information. The logic is functional: requiring disclosure in response to an access request would nullify the confidentiality protection that justified the original notification exemption.

Third exemption (Article 18, second paragraph): Emergency situations protecting life, health, or property

Article 18's second paragraph addresses a procedural timing exception, not a substantive exemption:

> "Where it is impossible to notify individuals in a timely manner in a bid to protect natural persons' life, health and property safety in case of emergency, the personal information processors shall notify them without delay after the emergency is eliminated."

This provision permits processors to defer notification during an acute emergency (e.g., processing location data to dispatch emergency medical services, processing health data during a public health crisis, processing financial data to prevent fraud in real time). The exemption is temporary; the processor must provide the Article 17 disclosures "without delay after the emergency is eliminated." The second-paragraph emergency exemption does not flow through to Article 45 access rights — once the emergency has passed and notification has been provided, the individual regains full access and duplication rights.

## Article 35 — State-Organ Processing Exemptions

Article 35, located in Chapter III (State Organs), imposes heightened transparency obligations on state organs processing personal information "in order to perform their statutory duties," while simultaneously carving out two exemptions that track Article 18 and add a third, state-organ-specific ground:

> "When state organs process personal information in order to perform their statutory duties, they shall fulfill the obligation of notification in accordance with the provisions of this Law, except under the circumstances specified in the first paragraph of Article 18 of this Law or where notification will hinder the state organs from performing their statutory duties."

Incorporation of Article 18 exemptions

State organs may invoke the same Article 18(1) exemptions available to all processors: confidentiality mandated by law or regulation, and express statutory provisions authorizing non-notification. In the state-organ context, these exemptions most commonly apply to:

• Public security processing by the Ministry of Public Security and provincial public security bureaus under the Law on the People's Police and the Cybersecurity Law;
• National security processing by the Ministry of State Security under the National Security Law and the Counter-Espionage Law; and
• Judicial processing by people's courts and people's procuratorates under the Organic Law of the People's Courts and the Criminal Procedure Law.

State-organ-specific exemption: Notification would hinder statutory duties

Article 35 adds a functional hindrance test unavailable to private-sector processors: state organs may withhold notification "where notification will hinder the state organs from performing their statutory duties." This is a broader, fact-specific exemption. The state organ need not point to an affirmative confidentiality mandate in another law; it must demonstrate that providing the Article 17 disclosures (identity of the processor, purposes of processing, retention period, contact details for rights requests) would materially impede the performance of a duty assigned to the organ by statute.

The hindrance exemption is narrower than blanket sovereign immunity. Chinese administrative law requires state organs to exercise discretion within the bounds of their statutory authorization (fǎdìng zhízé, 法定职责). A state organ invoking the hindrance exemption must satisfy two conditions:

1. The processing must be necessary to perform a statutory duty — processing undertaken for convenience, efficiency, or policy preference does not qualify; and
2. Notification must hinder that performance — the burden is on the state organ to explain why providing the individual with the Article 17 disclosures would obstruct the lawful exercise of its authority.

Examples of likely-qualifying hindrance scenarios include:

• Pre-indictment criminal investigations: notifying a suspect that the procuratorate is processing evidence related to the suspect's financial transactions would alert the suspect to the investigation and create risk of evidence destruction;
• National security threat assessments: notifying an individual that the Ministry of State Security is analyzing the individual's travel patterns and communications metadata would compromise operational security;
• Anti-money-laundering processing: notifying a depositor that a bank (acting as a state-delegated AML screener under the Anti-Money Laundering Law) has flagged the depositor's transactions for suspicious-activity reporting would enable evasion of enforcement.

The hindrance exemption does not apply when the state organ's statutory duty has been completed and notification would no longer obstruct performance. For example, after a criminal conviction has been entered and the case file closed, continued refusal to honor an access request for evidence processed during the investigation would require separate justification (e.g., ongoing confidentiality under the Law on Guarding State Secrets or protection of third-party privacy).

## Interaction with Article 45 Access and Duplication Rights

Article 45 states: "Individuals shall have the right to consult and duplicate their personal information from personal information processors, except under circumstances as set out in the first paragraph of Article 18 and Article 35 of this Law." The cross-reference creates a direct exemption from the access and duplication rights when either Article 18(1) or Article 35 criteria are satisfied.

Critically, the Article 45 exemption applies only to the first paragraph of Article 18 (confidentiality and no-notification statutory mandates) and to the entirety of Article 35 (which incorporates Article 18(1) by reference and adds the state-organ hindrance test). The Article 18 second-paragraph emergency exemption is not incorporated into Article 45 — emergency deferrals of notification do not defeat the eventual right to access and duplicate.

The exemptions apply to specific personal information, not to a processor's entire database. If a state organ processes both confidential law-enforcement data and routine administrative data (e.g., a public security bureau maintains both criminal-investigation files and household-registration records), the exemption applies only to the subset of personal information for which the Article 18(1) or Article 35 criteria are met. The individual retains the right to access the non-exempt records.

## Scope Limitation: Exemptions Do Not Apply to Rectification or Deletion

Article 46 (rectification and supplementation) and Article 47 (deletion) do not incorporate the Article 18 or Article 35 exemptions by reference. The statutory text of Articles 46 and 47 contains no "except" clause parallel to Article 45's carve-out. This creates an interpretive tension: may a processor that is exempt from honoring an access request under Article 45 nonetheless be required to rectify or delete the same personal information under Articles 46 or 47?

The better reading is that rectification and deletion rights remain enforceable even when access is denied, subject to two qualifications:

1. Verification burden: Article 46 requires processors to "verify the information in question" before rectifying or supplementing. If the individual cannot access the personal information to identify an inaccuracy, the processor may decline rectification on the ground that the individual has not met the burden of demonstrating that the information is "incorrect or incomplete."

1. Statutory retention obligations: Article 47(1) triggers deletion when "the purposes of processing have been achieved or cannot be achieved, or the information is no longer necessary for achieving the purposes of processing." If a law or regulation requires the processor to retain the personal information (e.g., the Archives Law's mandatory retention of state-organ records, or the Anti-Money Laundering Law's five-year retention of financial transaction records), the processor may refuse deletion on the ground that retention remains necessary for statutory compliance, even if the original processing purpose has been achieved.

## No Fees, No Exhaustion Requirement, Direct Right to Sue

PIPL does not authorize processors to charge fees for honoring rights requests, nor does it require individuals to exhaust administrative remedies before filing suit. Article 50 provides: "Where an individual's request to exercise his rights is rejected by a personal information processor, the individual may file a lawsuit with the people's court in accordance with the law." The right to sue arises immediately upon rejection; the individual need not first lodge a complaint with the CAC or other supervisory authority.

When a processor invokes an Article 18 or Article 35 exemption, Article 50 requires that "the reasons therefor shall be given." The processor must identify the specific statutory provision (law or administrative regulation, cited by name and article number) that requires confidentiality or authorizes non-notification, or must explain the factual basis for the state-organ hindrance claim. A bare assertion that "the information is confidential" or "disclosure would harm national security" does not satisfy the reasoned-rejection requirement. Chinese courts applying Article 50 in civil litigation assess whether the processor has sustained its burden of proving that the exemption criteria are met; the processor's good-faith belief that an exemption applies is not dispositive.

## Enforcement Gap: State-Organ Accountability

PIPL creates a direct statutory private right of action under Article 50, but Chinese courts face jurisdictional and prudential barriers when adjudicating claims against state organs, particularly those involving national security, law enforcement, or foreign policy. The Organic Law of the People's Courts excludes "matters involving national defense and foreign affairs" from the scope of administrative litigation, and courts are institutionally reluctant to second-guess Ministry of State Security or Ministry of Public Security processing decisions.

The CAC and its provincial-level counterparts hold supervisory authority over state-organ PIPL compliance under Article 60, but the CAC has not published enforcement statistics breaking out state-organ violations of Article 35 transparency obligations. The practical enforcement mechanism for most individuals whose access requests are rejected by state organs is administrative reconsideration under the Administrative Reconsideration Law, followed by administrative litigation if reconsideration is denied. Success rates for challenges to state-organ processing decisions are low, particularly when the organ invokes national security or public order justifications.

Source: Personal Information Protection Law of the People's Republic of China, Arts. 17, 18, 35, 45, 46, 47, 50

China's Personal Information Protection Law establishes a statutory data portability right in the second paragraph of Article 45, added to the final version of PIPL in August 2021 after the second draft. This right permits individuals to request that a personal information processor transfer their personal information directly to another processor designated by the individual, subject to conditions set by the Cyberspace Administration of China (CAC). The portability right is distinct from the access and duplication rights in Article 45's first paragraph: access allows individuals to consult and duplicate their own personal information for their own use, while portability creates an obligation on processors to facilitate direct transfer to a third-party processor chosen by the individual.

## Statutory Text and Contingent Obligation

Article 45, second paragraph, provides:

> "Where an individual requests the transfer of his personal information to a designated personal information processor, which meets the requirements of national cyberspace department for transferring personal information, the requested personal information processor shall provide means for the transfer."

The portability obligation is contingent: processors must honor portability requests only when the request "meets the requirements of national cyberspace department for transferring personal information." The "national cyberspace department" is the Cyberspace Administration of China under Article 60 of PIPL. Article 45 does not specify the format, technical mechanism, timeline, or scope of transferable personal information; PIPL delegates those details to CAC implementing regulations.

The contingent structure creates compliance uncertainty. Unlike the EU General Data Protection Regulation, which establishes a self-executing portability right in Article 20 with format requirements ("structured, commonly used and machine-readable format") and a direct statutory obligation, PIPL Article 45's portability right does not become enforceable until the CAC publishes the "requirements" referenced in the statute. Until those requirements are issued, processors may decline portability requests on the ground that the statutory precondition—compliance with CAC requirements—cannot be satisfied.

## CAC Implementation Status as of June 2026

The Cyberspace Administration of China has not published general implementing regulations defining the Article 45 portability requirements applicable to all personal information processors as of June 2026. No CAC regulation, departmental rule (bùmén guīzhāng, 部门规章), or national standard (GB) has been issued that specifies:

• the format or technical standard for transferred personal information (machine-readable, structured, interoperable);
• the timeline within which processors must complete the transfer after receiving a valid request;
• the scope of personal information subject to portability (all personal information, only user-provided information, exclusion of derived or inferred data);
• verification procedures to authenticate the requesting individual and the designated receiving processor; or
• fee structures (whether processors may charge for portability requests, and under what conditions).

Unable to confirm as of 2026-06-04.

## Sector-Specific Portability Obligations for Large Online Platforms

The CAC issued sector-specific personal information protection rules for large online platforms (LOPs) in 2023, which appear to implement Article 45's portability right for that regulated subset of processors. Commentary published by legal practitioners in early 2026 references LOP-specific portability obligations including:

• a 30-working-day timeline for completing portability requests, with one 30-day extension permitted for complex requests;
• machine-readable format and encouragement of encryption and API-based transfer mechanisms;
• no-fee default, with fees permitted only where individuals repeatedly transfer personal information; and
• notification obligations to inform individuals of transfer completion or impediments.

Unable to confirm as of 2026-06-04.

If these LOP rules exist and are in force, they would apply only to platforms meeting the CAC's "large online platform" designation criteria (user base, revenue, or market-power thresholds), not to general personal information processors. Practitioners advising clients designated as LOPs should consult the CAC's official publication channels for the authoritative text and applicability criteria.

## Comparison to GDPR Article 20 Portability

PIPL Article 45's portability right was added to the final version of PIPL after the second draft, following criticism from digital-competition and antitrust advocates who argued that data lock-in entrenched dominant platforms and prevented user switching to competitors. The right draws structural inspiration from GDPR Article 20, but the two regimes diverge in critical respects:

| Element | GDPR Article 20 | PIPL Article 45 | |-------------|---------------------|---------------------| | Trigger | Self-executing; individual may invoke immediately upon request | Contingent on CAC issuing "requirements"; enforceable only after implementation | | Format | Structured, commonly used, machine-readable (Art. 20(1)) | Not specified in statute; delegated to CAC | | Timeline | One month (extendable to three under Art. 12(3)) | Not specified; general "timely manner" standard under Art. 45(1) may apply by analogy | | Scope | Personal data provided by the data subject (Art. 20(1)); excludes inferred data under EDPB Guidelines 2/2017 | Not specified; CAC may define scope in implementing regulation | | Direct transfer | "Where technically feasible" (Art. 20(2)) | Statute requires processor to "provide means for the transfer" (Art. 45(2)); feasibility qualifier not present | | Lawful basis | Only where processing is based on consent (Art. 6(1)(a)) or contract (Art. 6(1)(b)); not available for legitimate interests | No lawful-basis limitation in statute; applies to all personal information regardless of processing ground under Art. 13 |

The GDPR's scope limitation—portability applies only to personal data "provided by the data subject"—excludes algorithmic outputs, inferred preferences, and processor-generated metadata under European Data Protection Board Guidelines 2/2017 on data portability. PIPL Article 45 contains no parallel "provided by" limitation; the statute refers to "personal information" without qualification. If the CAC adopts a broad interpretation in its implementing regulation, Chinese portability could extend to derived and inferred data, creating a materially wider obligation than GDPR Article 20.

## Interaction with Cross-Border Transfer Rules (Chapter III)

Article 45 portability obligations intersect with PIPL's cross-border transfer regime in Chapter III (Articles 38–43) when the individual requests transfer to a processor located outside China. Article 38 requires processors to satisfy one of four mechanisms before transferring personal information cross-border:

1. Pass a CAC security assessment (Art. 40, implemented by the Measures for Security Assessment of Outbound Data Transfer, effective September 1, 2022);
2. Obtain personal information protection certification from a CAC-designated body (Art. 40);
3. Execute standard contractual clauses issued by the CAC (Art. 40); or
4. Comply with other conditions provided by laws, administrative regulations, or the CAC (Art. 40).

Article 39 separately requires processors to obtain separate individual consent for cross-border transfers, informing the individual of the overseas recipient's identity, contact details, processing purpose, processing method, categories of personal information, and the individual's rights-exercise pathway with the overseas recipient.

Portability to an overseas processor thus triggers a two-step compliance obligation:

1. Article 45 portability mechanics: the processor must honor the portability request under the CAC's requirements (format, timeline, verification).
2. Article 38–39 cross-border transfer compliance: the processor must satisfy one of the four Article 38 mechanisms and obtain separate consent under Article 39 before completing the transfer.

PIPL does not specify whether the individual's portability request itself constitutes the "separate consent" required by Article 39, or whether the processor must obtain a distinct consent disclosure covering the Article 39 informational elements (overseas recipient identity, processing purpose, etc.). The better reading is that a portability request does not substitute for Article 39 consent: Article 39 imposes specific transparency obligations (disclosure of recipient identity, processing method, rights-exercise pathway) that a bare portability request does not satisfy. Processors should treat cross-border portability as requiring both Article 45 compliance (portability mechanics) and Article 38–39 compliance (cross-border transfer authorization).

## Enforcement Context and Private Right of Action

Article 50 establishes procedural obligations for handling individual rights requests and creates a direct statutory private right of action:

• Processors "shall establish the mechanism for receiving and handling individuals' requests for exercising their rights."
• "Where an individual's request is rejected, the reasons therefor shall be given."
• "Where an individual's request to exercise his rights is rejected by a personal information processor, the individual may file a lawsuit with the people's court in accordance with the law."

An individual whose portability request is rejected—whether on the ground that CAC requirements have not been issued, that the request does not meet published CAC requirements, or that technical infeasibility prevents transfer—may invoke Article 50's right to sue. Chinese courts applying Article 50 in data-subject-rights litigation have required processors to demonstrate either that a statutory exception applies (Articles 18 or 35, which exempt access and duplication but do not expressly exempt portability) or that compliance is technically or legally impossible.

Pre-implementation defense: Where the CAC has not yet issued the "requirements" referenced in Article 45, processors rejecting portability requests must provide reasons under Article 50. The defense is that the statutory precondition—"meets the requirements of national cyberspace department"—cannot be satisfied in the absence of published requirements. Chinese courts have not yet ruled on whether this defense is valid, or whether Article 45 imposes a best-efforts obligation to facilitate transfer even absent CAC implementation. Until authoritative case law emerges, processors face litigation risk when declining portability requests.

## Strategic and Competitive Implications

PIPL's portability right was enacted against the backdrop of China's 2021 antitrust enforcement campaign targeting dominant internet platforms, including the February 2021 Anti-Monopoly Guidelines for the Platform Economy issued by the State Council Anti-Monopoly Commission. Data portability is understood as a competition remedy: reducing switching costs, lowering entry barriers for challenger platforms, and preventing user lock-in through proprietary data formats.

Article 45 portability may be invoked by:

• Competitors seeking to onboard users from dominant platforms by requesting that users exercise portability rights to transfer profile data, transaction history, and social graphs;
• Individuals migrating between services (e.g., transferring e-commerce order history from one platform to another, or moving messaging contacts and chat logs between social-media apps);
• Data cooperatives or trusts aggregating individual personal information under user authorization for collective bargaining or algorithm auditing (though PIPL does not recognize data cooperatives as a distinct legal entity, and the receiving processor must still satisfy PIPL's controller obligations under Article 4(7)).

Processors should anticipate targeted portability campaigns where competitors encourage users to exercise portability rights en masse to facilitate platform switching. The absence of a fee prohibition in Article 45 (unlike GDPR Article 12(5), which bars fees for portability except in cases of manifestly unfounded or excessive requests) leaves open the possibility that processors may impose reasonable charges for portability, but the CAC may prohibit fees in its implementing regulation.

## Cross-Reference to Other PIPL Rights

Article 45 portability sits alongside the broader rights catalog in Chapter 5:

• Article 44: foundational rights to be informed, to make decisions, and to restrict or refuse processing;
• Article 45(1): access and duplication rights (distinct from portability; individuals may access their own personal information without triggering a processor-to-processor transfer);
• Article 46: rectification and supplementation rights;
• Article 47: deletion rights (five proactive processor triggers; fallback individual right to request deletion);
• Article 48: right to explanation of processing rules;
• Article 49: posthumous exercise by close relatives;
• Article 50: procedural obligations and right to sue.

Portability does not displace access, rectification, or deletion. An individual may invoke multiple rights in sequence: access to identify the personal information held, rectification to correct inaccuracies, and portability to transfer the corrected information to a new processor. Processors must establish mechanisms under Article 50 capable of handling concurrent or serial rights requests.

Source: Personal Information Protection Law of the People's Republic of China, Art. 45