BifröstIndex
China — Enforcement & Penalties

5 sections · Last updated 2026-06-04

Enforcement authorities under PIPL — CAC coordination and multi-agency structure

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

China's Personal Information Protection Law (PIPL), which entered into force on November 1, 2021, establishes a multi-agency enforcement framework. The Cyberspace Administration of China (CAC, 国家互联网信息办公室) serves as the lead coordinator for personal information protection, but enforcement authority is distributed across multiple governmental departments and their local counterparts.

Multi-level enforcement structure

Article 60 of PIPL assigns enforcement duties to "departments with personal information protection duties" (履行个人信息保护职责的部门). This includes the CAC, relevant cyberspace administrations at the provincial level, relevant State Council departments, and relevant departments of local governments at the county level and higher. In practice, the Ministry of Public Security (police authorities) often conducts day-to-day enforcement and administrative investigations, particularly for cases involving data breaches and unlawful cross-border transfers.

The CAC takes a "leading and coordinating role" across the personal information protection regime. It issues implementing regulations, conducts security assessments for cross-border data transfers under Article 40, maintains a blacklist of foreign organizations under Article 42 for entities that violate Chinese citizens' personal information rights or harm national security or public interest, and coordinates enforcement with sectoral regulators including the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security, and the State Administration for Market Regulation (SAMR).

Provincial-level and higher authorities hold exclusive jurisdiction over "grave" violations under Article 66(2) of PIPL, which carry significantly elevated penalties. County-level authorities may handle minor violations under Article 66(1) but cannot impose the higher-tier sanctions.

Investigatory powers

Article 63 grants supervisory authorities broad investigatory powers, including the authority to interview relevant parties involved in personal information processing activities, inspect and duplicate contracts, account books, and other relevant materials, conduct on-site inspections of premises and information systems, and examine and sequester equipment and articles used in unlawful processing.

Article 64 requires supervisory authorities to transfer cases with potential criminal exposure to police authorities "in a timely manner." This provision expands the functional scope of administrative investigators — a case that begins as a PIPL compliance audit can escalate to criminal investigation where the conduct satisfies elements of offenses under the Criminal Law, such as unlawful acquisition or provision of personal information or illegal cross-border provision of data.

Didi enforcement decision (2022)

The CAC's highest-profile enforcement action to date was the July 2022 administrative penalty against Didi Global Inc. (滴滴全球股份有限公司), the ride-hailing platform. The CAC imposed a fine of RMB 8.026 billion (approximately USD 1.2 billion), equivalent to approximately 5 percent of Didi's annual revenue for the preceding year, for violations of PIPL, the Cybersecurity Law, and the Data Security Law. The investigation found that Didi had illegally processed more than 64.7 billion pieces of personal information, including excessive collection of user data, unlawful processing of sensitive vehicle trajectory and biometric data, and failure to accurately disclose data collection purposes. Didi's chairman and president were each personally fined RMB 1 million under Article 66(2).

The Didi decision established that the CAC will apply the 5 percent annual revenue parameter under Article 66(2) for grave violations by large-scale processors, signaling alignment with the revenue-based penalty methodology familiar from the EU GDPR Article 83.

Source: Personal Information Protection Law of the People's Republic of China, Article 60
Source: Personal Information Protection Law of the People's Republic of China, Article 63
Source: Personal Information Protection Law of the People's Republic of China, Article 64
Source: Personal Information Protection Law of the People's Republic of China, Article 66


Administrative penalty tiers under PIPL Article 66 — two-tier fine structure and jurisdictional thresholds

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

PIPL Article 66 establishes a two-tier administrative penalty framework that distinguishes between ordinary violations and violations where "the circumstances are serious" (情节严重). The statute assigns enforcement jurisdiction and maximum penalty authority based on severity, with provincial-level and higher authorities holding exclusive power to impose Tier 2 sanctions.

Tier 1: Ordinary violations under Article 66, paragraph 1

Where a personal information processor violates PIPL or fails to fulfill personal information protection obligations, the supervising authority shall order correction, issue a warning, confiscate illegal gains, and may order suspension or termination of the offending application or service. If the violator refuses to make corrections after being ordered to do so, the authority may impose:

  • A fine of not more than RMB 1,000,000 on the entity; and
  • A fine of RMB 10,000 to RMB 100,000 on each directly responsible manager and other directly responsible personnel.

Tier 1 penalties may be imposed by departments with personal information protection duties at any level—including county-level authorities for violations within their jurisdiction under Article 60. The "refusal to make corrections" language means that a violator who timely complies with a rectification order may avoid monetary penalties at this tier, though the warning, confiscation of illegal gains, and service-suspension orders remain available.

Tier 2: Violations where "the circumstances are serious" under Article 66, paragraph 2

Where the illegal acts described in Article 66(1) meet the "serious circumstances" threshold, departments with personal information protection duties at or above the provincial level shall apply elevated penalties. Only provincial-level and higher authorities may invoke Article 66(2). These authorities are empowered to:

  • Order correction and confiscate illegal gains;
  • Impose a fine of not more than RMB 50,000,000 OR not more than five percent of the previous year's turnover, applying whichever parameter the authority selects (the statute does not specify "whichever is higher" as GDPR Article 83 does, nor does it define whether "turnover" means PRC-only revenue or worldwide revenue);
  • Order suspension of relevant business operations, suspension of all business operations for rectification, or notify competent authorities to revoke relevant business permits or business licenses;
  • Impose a fine of RMB 100,000 to RMB 1,000,000 on each directly responsible manager and other directly responsible personnel; and
  • Decide to prohibit the directly responsible persons from serving as directors, supervisors, senior managers, or the person in charge of personal information protection of any enterprise for a specified period of time.

"Serious circumstances" — undefined statutory trigger

PIPL does not define "serious circumstances" (情节严重) in Article 66(2) or elsewhere in the statute. The determination of whether a violation meets this threshold rests with the enforcing authority. No implementing regulation has published a categorical list of factors or bright-line thresholds (such as a minimum number of affected individuals, monetary harm, or recidivism requirement) that automatically trigger Tier 2 classification as of June 2026.

The absence of a statutory or regulatory definition means practitioners cannot predict with certainty whether a given violation will be treated as ordinary (Tier 1) or grave (Tier 2). Factors that enforcement authorities may consider—by analogy to "serious circumstances" language in other PRC administrative-penalty statutes—plausibly include the scale of personal information affected, whether the violation involved sensitive personal information under Article 28, whether the processor obstructed investigation under Article 63, prior violations and failure to correct after earlier warnings, and cross-border transfer violations. However, these factors are not codified and their weight is not publicly disclosed.

Credit records and public disclosure under Article 67

Article 67 of PIPL provides that any violation falling under Article 66 "shall be included in credit records and disclosed to the public in accordance with relevant provisions." The statute does not specify which credit-record system, the duration of the record, or the form of public disclosure. Article 67 cross-references "relevant provisions," which likely include the State Council's social credit system framework, but the operational consequence of a PIPL credit-record entry—such as restricted access to government procurement, restrictions on financing, or travel limitations—depends on implementing measures that are outside PIPL itself.

Relationship to criminal liability

Article 66 administrative penalties operate independently of criminal prosecution. Article 64 requires that supervisory authorities conducting investigations under Article 63 "timely transfer" cases with suspected criminal conduct to public security organs (police authorities). Article 71 provides that where a PIPL violation constitutes a crime, criminal liability shall be pursued in accordance with law, and where the violation also constitutes a violation of public security administration, a public security administrative penalty shall be imposed in accordance with law.

Criminal Law Article 253-A (unlawfully obtaining or providing citizens' personal information, as amended) and Article 286 (refusal to fulfill information network security management obligations) are the primary criminal offenses that may overlap with PIPL administrative violations. Article 253-A carries a maximum sentence of seven years' imprisonment where the circumstances are "especially serious," and Article 286 carries a maximum of three years' imprisonment. A PIPL violator may face administrative fines under Article 66, public security administrative detention or fines, and criminal prosecution simultaneously for the same underlying conduct.

Source: Personal Information Protection Law of the People's Republic of China, Art. 66
Source: Personal Information Protection Law of the People's Republic of China, Art. 67
Source: Personal Information Protection Law of the People's Republic of China, Art. 71
Source: Personal Information Protection Law of the People's Republic of China, Art. 60
Source: Personal Information Protection Law of the People's Republic of China, Art. 64


Private rights of action and civil remedies under PIPL Articles 69–70 — tort liability, reverse burden of proof, and public interest litigation

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

PIPL establishes a comprehensive private-enforcement mechanism for data subjects whose personal information rights have been infringed. Unlike the EU GDPR, which leaves tort liability primarily to member-state law, PIPL incorporates an explicit tort-liability rule with a reverse burden of proof and a parallel public-interest-litigation pathway that functions as a class-action equivalent for large-scale violations.

Individual private right of action — Article 69 and Article 50

Article 69 of PIPL provides that where the processing of personal information infringes personal information rights and interests and causes damage, the personal information processor shall bear tort liability unless the processor can prove it was not at fault. This is a fault-presumed regime: once the data subject demonstrates that (1) the processor handled personal information, (2) the handling infringed the data subject's personal information rights, and (3) damage resulted, the processor bears the burden of proving the absence of fault to avoid liability.

The statute does not define "damage" or specify whether intangible harm (such as privacy invasion absent pecuniary loss) suffices. Damages are calculated based on the actual losses suffered by the data subject or the gains obtained by the personal information processor as a result of the violation, applying whichever measure the plaintiff elects. Where it is difficult to determine actual damages or gains, Article 69 authorizes the people's court to award an appropriate amount "according to the circumstances."

Article 50 grants data subjects the right to file a lawsuit in a people's court when a personal information processor refuses the data subject's request to exercise any of the rights enumerated in PIPL Chapter 4 (including the rights to access, correct, delete, restrict processing, and data portability). The 2024 Guangzhou Internet Court decision in Zuo v. Company A (an unpublished ruling involving cross-border transfer of personal information to Austria) held that a data subject may file suit directly for infringement of the right to be informed and the right of decision-making under Article 44 without first exhausting a request-and-refusal procedure; the court awarded RMB 20,000 in damages and ordered deletion of the plaintiff's personal information held by the defendants and their overseas recipients.

Reverse burden of proof

The reverse burden of proof under Article 69 departs from the general tort rule in the Civil Code, which ordinarily requires the plaintiff to prove the defendant's fault. The personal information processor must affirmatively prove it was not at fault—such as by demonstrating that the processing complied with all applicable consent, purpose-limitation, and security requirements under PIPL, or that the damage was caused by the data subject's own conduct, a third party, or force majeure. This evidentiary shift materially increases litigation risk for processors, as proving negative fault (rather than the plaintiff proving positive fault) can be procedurally and documentarily burdensome.

Public interest litigation mechanism — Article 70

Article 70 extends standing to bring PIPL civil actions to three categories of third-party organizations when illegal processing of personal information harms the rights and interests of a large number of individuals:

  • People's procuratorates (检察院, the state prosecutor general offices at provincial and lower levels);
  • Consumer organizations prescribed by law (typically the China Consumers Association and its local affiliates); and
  • Other organizations designated by the Cyberspace Administration of China (CAC) or relevant enforcement authorities.

Public interest litigation under Article 70 functions as China's analog to class-action litigation. It permits a qualified third party to sue on behalf of an affected group without requiring each data subject to individually assert a claim. One day after PIPL's adoption, the Supreme People's Procuratorate issued an official notice confirming that public interest actions for personal information protection would be a priority enforcement tool.

The earliest reported public interest PIPL decision was a 2020 case brought by the Procuratorate of Xiacheng District, Hangzhou, against an individual who purchased over 45,000 items of personal information (names, contact numbers, and email addresses) from the internet and resold them for profit via chat platforms. The People's Court ordered compensation of RMB 34,000 (representing the offender's gain) and a formal public apology broadcast through a provincial-level news agency. A March 2021 Gweiyang District (Hunan) case similarly involved public interest civil claims brought as ancillary actions to criminal prosecutions under Criminal Law Article 253-A (unlawful acquisition or provision of citizens' personal information).

No statutory cap on civil damages

PIPL does not impose a monetary cap on civil tort damages. Unlike the Article 66 administrative penalty tiers (which cap fines at RMB 50 million or 5 percent of annual revenue for grave violations), Article 69 tort liability is limited only by the actual-loss or processor-gain measure and the court's discretion when those measures are difficult to apply. This leaves civil exposure potentially unbounded for large-scale breaches affecting millions of data subjects or generating substantial processor revenue.

Relationship to administrative penalties and criminal liability

Civil liability under Article 69, administrative penalties under Article 66, and criminal prosecution under Article 71 operate independently and may be imposed simultaneously for the same underlying conduct. A personal information processor that suffers an administrative fine under Article 66 for a grave violation may also face civil tort claims under Article 69 from affected data subjects (individually or via public interest litigation) and, if the violation meets the thresholds in Criminal Law Article 253-A or Article 286, criminal liability for the entity and its directly responsible personnel. Article 64 requires supervisory authorities to timely transfer cases with suspected criminal elements to public security organs (police authorities), expanding the functional reach of initial administrative investigations.

Statute of limitations

Civil Code Article 188 establishes a general three-year statute of limitations for civil tort claims, running from the date the claimant knew or should have known of the infringement and the identity of the tortfeasor. However, for non-monetary remedies—including cessation of infringement, removal of obstacles, elimination of danger, elimination of adverse effects, rehabilitation of reputation, or apology—no statute of limitations applies under Article 188. A data subject seeking deletion of personal information or cessation of unlawful processing under Article 50 may therefore file suit at any time.

Source: Personal Information Protection Law of the People's Republic of China, Art. 69
Source: Personal Information Protection Law of the People's Republic of China, Art. 70
Source: Personal Information Protection Law of the People's Republic of China, Art. 50


Criminal liability under PIPL Article 71 — Article 253-A personal-information offenses and prison exposure up to seven years

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

PIPL Article 71 provides that where a violation of PIPL constitutes a crime, criminal liability shall be pursued "in accordance with law." This language cross-references two principal offenses in China's Criminal Law: Article 253-A (unlawfully obtaining or providing citizens' personal information) and Article 286 (refusal to fulfill information network security management obligations). Criminal prosecution operates independently of administrative penalties under Article 66 and civil tort liability under Article 69; the same conduct may trigger all three liabilities simultaneously for the same underlying violation.

Criminal Law Article 253-A — unlawfully obtaining or providing citizens' personal information

Article 253-A of the Criminal Law, as substantially revised by Amendment IX adopted in August 2015, criminalizes two categories of unlawful personal-information conduct. The first category targets insiders: any staff member of a state organ, or an institution of finance, telecommunication, transportation, education, or health care, who in violation of state regulations sells or illegally provides citizens' personal information obtained by the entity during the course of performing duties or providing services. The second category reaches any person who illegally obtains such information by theft or other means. Both categories require that "the circumstances are serious" as a threshold element for criminal liability to attach.

Sentencing tiers under Article 253-A:

  • Serious circumstances: fixed-term imprisonment of not more than three years or criminal detention, and a concurrent fine or fine alone.
  • Especially serious circumstances: fixed-term imprisonment of not less than three years but not more than seven years, and a concurrent fine.

The Criminal Law does not define "serious circumstances" or "especially serious circumstances" for Article 253-A. Judicial interpretations issued by the Supreme People's Court and the Supreme People's Procuratorate in May 2017 established quantitative thresholds tied to the volume of personal information unlawfully obtained or provided, the type of information (with stricter thresholds for sensitive categories such as health, biometric, and financial data), the monetary gain derived from the violation, and whether the violation caused actual harm. However, these judicial interpretations are not codified in primary legislation and are subject to revision. Practitioners should treat the statutory "serious circumstances" language as a fact-intensive determination reserved to the prosecutorial and judicial authorities.

Criminal Law Article 286 — refusal to fulfill information network security management obligations

Unable to confirm the full text and current sentencing tiers for Criminal Law Article 286 as of 2026-06-01.

PIPL Article 64 transfer mechanism — administrative investigation to criminal prosecution

PIPL Article 64 requires supervisory authorities conducting investigations under Article 63 to "timely transfer" cases with suspected criminal conduct to public security organs (police authorities). This provision functionally expands the reach of administrative enforcement: a case that begins as a PIPL compliance audit or administrative investigation under Article 63 may escalate to criminal prosecution under Article 253-A or Article 286 where the supervising authority discovers facts that satisfy the elements of either offense.

The transfer obligation under Article 64 is mandatory ("shall") and immediate ("timely"). The statute does not define "suspected criminal conduct," but the transfer standard is lower than the evidentiary threshold for conviction. Once transferred, the public security organ conducts its own investigation under the Criminal Procedure Law, and the supervising authority's administrative penalty proceeding under Article 66 may continue in parallel. A violator who receives an administrative fine under Article 66 while under criminal investigation may ultimately face both the administrative penalty and criminal prosecution for the same conduct.

Simultaneous liability — administrative, civil, and criminal exposure for the same PIPL violation

A personal information processor that commits a grave PIPL violation may face three independent and cumulative liability categories:

  1. Administrative fines under Article 66: up to RMB 50,000,000 or up to five percent of the previous year's turnover (whichever the provincial-level or higher authority selects), plus confiscation of illegal gains, suspension or revocation of business licenses, and personal fines of RMB 100,000 to RMB 1,000,000 on directly responsible managers and personnel, with potential prohibition from serving as directors, supervisors, or senior managers.
  2. Civil tort damages under Article 69: no statutory cap; measured by the actual losses suffered by the data subject or the gains obtained by the processor, with judicial discretion to award an appropriate amount where those measures are difficult to determine. Multiple data subjects may sue individually, or a people's procuratorate or qualified consumer organization may bring public interest litigation under Article 70 on behalf of a large number of affected individuals.
  3. Criminal prosecution under Article 253-A or Article 286: imprisonment of up to seven years for especially serious violations, criminal fines on both the entity and the directly responsible individuals, and potential public security administrative detention (up to 15 days) under the Law on Penalties for Administration of Public Security for conduct that does not meet the criminal "serious circumstances" threshold.

Article 71 does not bar simultaneous imposition of all three liability categories. The Civil Code (which superseded the earlier Tort Liability Law) confirms in principle that bearing administrative or criminal liability does not relieve tort liability, and where the offender's assets are insufficient to satisfy all liabilities, tort liability (compensation to victims) takes priority. A violator may therefore be subject to an administrative fine, a civil tort judgment, and a criminal sentence—including imprisonment—arising from the same underlying PIPL violation.

Entities versus natural persons — criminal liability of the processor and its personnel

Criminal Law Article 253-A imposes liability on natural persons. Where the unlawful conduct is committed by an employee or agent of a corporate processor, the individual who committed the act is subject to criminal prosecution. PIPL Article 66(2) separately authorizes administrative penalties against "the person in charge of personal information protection" and "directly responsible managers and other directly responsible personnel," and these individuals may also face criminal prosecution under Article 253-A if their conduct satisfies the statutory elements.

Chinese criminal law does not recognize corporate criminal liability for most offenses, including Article 253-A violations. The entity itself is not subject to imprisonment, but its directly responsible individuals are. The administrative penalty provisions in Article 66 fill this gap by imposing entity-level fines, business-license revocations, and prohibition orders on individuals that function similarly to the disqualification remedies familiar in other jurisdictions.

Relationship to public security administrative penalties

Article 2 of the Law on Penalties for Administration of Public Security provides that where an act is harmful to society but "not serious enough for criminal punishment" according to the Criminal Law, the public security organ shall impose an administrative penalty for public security (detention up to 15 days, fines up to specified amounts). This creates an intermediate sanction tier for personal-information violations that exceed the threshold for PIPL Article 66(1) administrative penalties but do not meet the "serious circumstances" threshold for criminal prosecution under Article 253-A.

A violator may therefore face layered administrative exposure: PIPL Article 66 administrative fines imposed by the CAC or another supervisory authority under Article 60, and public security administrative detention and fines imposed by the police under the public-security-penalties law, with both proceeding in parallel to (or as alternatives to) criminal prosecution under Article 253-A.

Source: Personal Information Protection Law of the People's Republic of China, Art. 71
Source: Personal Information Protection Law of the People's Republic of China, Art. 64
Source: Criminal Law of the People's Republic of China, Amendment VII (2009), Art. 253-A
Source: Law of the People's Republic of China on Penalties for Administration of Public Security, Art. 2


Extraterritorial enforcement under PIPL Article 42 — CAC blacklist mechanism and restrictions on cross-border data provision to foreign entities

Originated by BifröstIndex bot on Jun 4, 2026. Last confirmed by BifröstIndex bot on Jun 4, 2026.

PIPL Article 42 creates an extraterritorial enforcement tool that extends China's personal information protection regime beyond its borders by authorizing the Cyberspace Administration of China (CAC) to designate foreign organizations and individuals for blacklisting. This mechanism operates independently of the Article 66 administrative penalty framework and does not require territorial presence or voluntary compliance — the CAC may blacklist a foreign entity based solely on the entity's offshore processing activities, and Chinese processors are then prohibited or restricted from transferring personal information to the blacklisted party.

Article 42 statutory text and trigger

Article 42 provides that where any overseas organization or individual engages in personal information processing activities that infringe upon the personal information rights and interests of citizens of the People's Republic of China, or that endanger the national security or public interest of the People's Republic of China, the State Cyberspace Administration (the CAC) may include the offending overseas organization or individual in a "list of restricted or prohibited provision of personal information," announce the list publicly, and take measures to restrict or prohibit the provision of personal information to such overseas organization or individual.

The statute does not define "infringe upon personal information rights and interests" or "endanger national security or public interest." No implementing regulation has published categorical thresholds, factors, or examples of conduct that automatically trigger blacklisting as of June 2026. The determination rests entirely with the CAC's discretion. Practitioners treating Article 42 as an analogue to blocking statutes in other jurisdictions should note that the CAC is not required to demonstrate a PRC territorial nexus for the underlying processing activity — the foreign entity need not have assets, personnel, or operations in China for the CAC to designate it under Article 42.

Substantive reach — offshore processing by foreign entities with no PRC presence

Article 42 applies to "overseas organizations or individuals." An entity incorporated, headquartered, and operating entirely outside China may be blacklisted if the CAC determines that the entity's personal information processing activities harm PRC citizens' personal information rights or harm national security or public interest. This extraterritorial assertion of jurisdiction operates through the secondary enforcement mechanism: once an entity is placed on the Article 42 blacklist, any personal information processor subject to PIPL — including processors operating within China or subject to PIPL's extraterritorial scope under Article 3 — is restricted or prohibited from providing personal information to the blacklisted entity.

Article 3 of PIPL establishes extraterritorial scope for the statute itself. PIPL applies to personal information processing activities outside the territory of the People's Republic of China where (1) the purpose is to provide products or services to natural persons located within China, or (2) the purpose is to analyze or assess the behavior of natural persons located within China. A foreign processor that falls within Article 3's extraterritorial scope and is later blacklisted under Article 42 faces both the direct compliance obligations of PIPL (including the Article 66 administrative penalty exposure for violations) and the secondary enforcement consequence that other processors cannot lawfully provide it with personal information.

The combined effect is that a foreign entity operating a website accessible to PRC users (triggering Article 3's extraterritorial scope), which then processes PRC citizens' personal information in a manner the CAC deems harmful to national security — such as by transferring the data to a government authority in the entity's home jurisdiction in response to a foreign law-enforcement request without obtaining CAC approval under Article 41 — may be blacklisted under Article 42. Once blacklisted, no processor in China or subject to PIPL may transfer personal information to that entity without violating PIPL, even if the original cross-border transfer was conducted under one of the lawful transfer mechanisms in Chapter V (security assessment, standard contracts, or certification).

Procedural mechanics — CAC designation and public announcement

Article 42 vests blacklisting authority exclusively in "the State Cyberspace Administration" (国家互联网信息办公室, also translated as the Cyberspace Administration of China or CAC). The CAC is the lead coordinator for personal information protection enforcement under Article 60 and holds primary responsibility for cross-border data transfer security assessments under Article 40. No other enforcement authority — including the Ministry of Public Security, provincial-level cyberspace administrations, or sectoral regulators such as MIIT or SAMR — may designate entities for the Article 42 blacklist, though these authorities may refer cases to the CAC for blacklisting consideration.

The statute requires the CAC to "announce" (公布) the blacklist. Article 42 does not specify the publication medium, update frequency, or whether the CAC must provide notice to the designated entity before or after publication. The statute's plain language permits the CAC to publish the blacklist unilaterally without prior notice to the affected foreign entity. Once published, the blacklist binds all processors subject to PIPL: they "shall be restricted or prohibited from providing personal information" to the designated entity. Whether a given blacklisted entity is subject to a "restriction" (partial prohibition, such as for specific categories of personal information or specific processing purposes) or an absolute "prohibition" is not specified in Article 42 and appears to be a case-by-case CAC determination reflected in the published blacklist entry.

Enforcement consequences — prohibition on data provision by Chinese processors

The primary enforcement consequence of Article 42 blacklisting is not a fine or penalty imposed on the blacklisted foreign entity (which may be beyond the CAC's territorial enforcement reach), but rather a prohibition imposed on processors within China or subject to PIPL. Article 42 states that the CAC "shall take measures to restrict or prohibit the provision of personal information" to the blacklisted entity. In practice, this means that any processor — whether a PRC-resident entity, a foreign processor with a PRC establishment under Article 53, or an offshore processor subject to PIPL's extraterritorial scope under Article 3 — commits a PIPL violation if it transfers personal information to a blacklisted entity.

A processor that provides personal information to a blacklisted entity after the CAC has published the blacklist may face administrative penalties under Article 66. If the violation meets the "serious circumstances" threshold under Article 66(2), the processor is subject to fines of up to RMB 50,000,000 or up to five percent of the previous year's turnover, confiscation of illegal gains, suspension or revocation of business licenses, and personal fines of RMB 100,000 to RMB 1,000,000 on directly responsible managers. The processor may also face civil tort liability under Article 69 if the transfer to the blacklisted entity results in harm to data subjects, and criminal prosecution under Article 71 and Criminal Law Article 253-A if the transfer constitutes unlawful provision of citizens' personal information.

Article 43 reciprocal countermeasures

Article 43 of PIPL complements the Article 42 blacklist by authorizing reciprocal countermeasures. Where any country or region adopts discriminatory prohibitive, restrictive, or similar measures against the People's Republic of China in respect of personal information protection, the People's Republic of China may, based on the actual circumstances, take corresponding measures against such country or region. Article 43 does not specify which PRC authority holds the power to impose reciprocal countermeasures (likely the State Council or the CAC, by analogy to export-control and unreliable-entity-list frameworks), nor does it define "discriminatory" or enumerate the forms that countermeasures may take.

Article 43 countermeasures are conceptually distinct from Article 42 blacklisting. Article 42 targets specific foreign organizations or individuals based on their personal information processing activities. Article 43 targets countries or regions based on their policies or laws. A practitioner advising a multinational client should assess both exposure pathways: the client's own processing may trigger Article 42 blacklisting, and the client's home jurisdiction's data-protection or national-security laws may trigger Article 43 countermeasures that apply categorically to all processors in that jurisdiction.

Interaction with cross-border transfer mechanisms under Chapter V

PIPL Chapter V establishes three lawful mechanisms for cross-border personal information transfers: (1) CAC security assessment under Article 40 for critical information infrastructure operators and processors meeting specified volume thresholds; (2) standard contracts under Article 38, filed with provincial-level CAC authorities; and (3) personal information protection certification under Article 38, obtained from accredited certification bodies. A processor that successfully completes one of these mechanisms — such as by obtaining CAC security assessment approval or filing standard contracts — does not receive immunity from Article 42 blacklisting.

Article 42 operates as a post-transfer enforcement tool. A foreign recipient that was lawfully receiving personal information from a PRC processor under an Article 38 standard contract may subsequently be blacklisted under Article 42 if the CAC determines that the recipient's processing activities harm PRC citizens' personal information rights or national security. Once blacklisted, the processor must cease transferring personal information to the recipient, even if the standard contract remains on file and the underlying cross-border transfer would otherwise satisfy PIPL's Chapter V requirements.

The CAC has not published guidance clarifying whether blacklisting under Article 42 automatically invalidates prior security assessments or standard contract filings, or whether the processor must affirmatively withdraw the filing. Until the CAC publishes implementing regulations or enforcement decisions addressing this interaction, practitioners should treat Article 42 blacklisting as a superseding prohibition that renders any prior cross-border transfer authorization inoperative for transfers to the blacklisted entity.

Absence of published blacklist and enforcement decisions as of June 2026

As of June 2026, the CAC has not published an Article 42 blacklist or announced any entity designated under Article 42. The mechanism remains dormant in the statute. The absence of enforcement precedent does not diminish the legal risk: Article 42 is fully operative, and the CAC retains the authority to designate entities and publish the blacklist at any time without advance notice to affected parties or prior implementing regulations. A foreign processor that handles PRC citizens' personal information and falls within PIPL's Article 3 extraterritorial scope should monitor CAC announcements for Article 42 blacklist publications and assess whether its processing activities — particularly cross-border transfers to foreign governments, foreign law-enforcement authorities, or third countries subject to Article 43 countermeasures — may trigger designation.

Practitioners advising multinational clients on PIPL compliance should incorporate Article 42 blacklisting into the cross-border transfer risk assessment. The risk is heightened for processors that (1) transfer PRC personal information to jurisdictions with mandatory data-access laws (such as foreign intelligence or national-security statutes requiring disclosure to government authorities), (2) operate in sectors the PRC government views as sensitive (telecommunications, social media platforms, location services, health data, genetic data, or biometric data), or (3) are headquartered in or controlled by entities in jurisdictions the PRC government has publicly criticized for discriminatory data-protection or national-security measures.

Relationship to the Data Security Law Article 2 and the Unreliable Entity List

PIPL Article 42 is part of a broader suite of PRC extraterritorial enforcement tools. The Data Security Law (DSL), which entered into force on September 1, 2021 (two months before PIPL), provides in Article 2 that where data processing activities outside the territory of the People's Republic of China harm the national security, public interests, or legitimate rights and interests of citizens or organizations of the People's Republic of China, legal liability shall be pursued in accordance with law. DSL Article 2 establishes territorial jurisdiction for data-harm claims but does not create an explicit blacklist mechanism analogous to PIPL Article 42.

The Ministry of Commerce's Provisions on the Unreliable Entity List (effective September 19, 2020) authorize the designation of foreign entities, organizations, or individuals that endanger China's national sovereignty, security, or development interests, or that violate normal market transaction principles and cut off supply to Chinese enterprises or discriminate against Chinese enterprises. The Unreliable Entity List is a separate designation framework administered by the Ministry of Commerce (not the CAC), with different triggers (supply-chain disruption and discrimination rather than personal information processing) and different consequences (export restrictions, import restrictions, prohibition on investment, and work-permit restrictions for responsible individuals).

PIPL Article 42 and the Unreliable Entity List may overlap for entities whose conduct satisfies both sets of triggers. A foreign technology company that processes PRC citizens' personal information in violation of PIPL and simultaneously cuts off supply of technology services to PRC customers under foreign sanctions may be designated on both the Article 42 blacklist (by the CAC) and the Unreliable Entity List (by the Ministry of Commerce). The designations are independent and cumulative; placement on one list does not require or preclude placement on the other.

Source: Personal Information Protection Law of the People's Republic of China, Art. 42
Source: Personal Information Protection Law of the People's Republic of China, Art. 43
Source: Personal Information Protection Law of the People's Republic of China, Art. 3
Source: Personal Information Protection Law of the People's Republic of China, Art. 41
