China — Lawful Bases for Processing

Last updated 2026-06-02

PIPL Article 13 — The seven statutory bases for processing personal information

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

China's Personal Information Protection Law (PIPL) establishes a consent-first framework with six statutory alternatives. A personal information processor may process personal information only when one of seven conditions exists under Article 13.

## The seven lawful bases (PIPL Art. 13)

  1. Consent — The processor has obtained the individual's consent.
  2. Contractual necessity — Processing is necessary for the conclusion or performance of a contract in which the individual is a party, or necessary for human resources management in accordance with labor rules and regulations established in accordance with the law and collective contracts signed in accordance with the law.
  3. Legal obligation — Processing is necessary for the performance of statutory duties or obligations.
  4. Public health and vital interests — Processing is necessary for the response to public health emergencies, or in emergency situations for the protection of the life, health, and property safety of natural persons.
  5. Public interest — Processing is undertaken to implement news reporting, supervision by public opinion, or other similar acts for the public interest, within a reasonable scope.
  6. Publicly available information — Processing, within a reasonable scope in accordance with PIPL, of personal information that the individual has made public on their own or that has otherwise been lawfully made public.
  7. Other circumstances — Other circumstances provided in laws or administrative regulations.

## Relationship to consent

The statute creates a two-tier structure. Under Article 13's second paragraph, if processing falls within bases (2) through (7) above, the processor does not need to obtain individual consent even if other PIPL provisions would otherwise require consent. In other words, these six alternatives override consent requirements elsewhere in the law. Consent remains mandatory only when the processor cannot invoke any of the six statutory alternatives.

## Comparison to GDPR Article 6

Practitioners familiar with GDPR Article 6(1) will notice that PIPL Article 13 closely mirrors the EU framework — consent, contract, legal obligation, vital interests, and public interest all appear. However, PIPL omits GDPR's "legitimate interests" basis (GDPR Art. 6(1)(f)). This is the most flexible ground under GDPR and allows balancing tests that weigh the controller's interests against data-subject rights. PIPL provides no comparable balancing mechanism; a Chinese processor must fit squarely within one of the seven enumerated bases or obtain consent.

## Interaction with sensitive personal information

PIPL distinguishes "personal information" (Art. 4) from "sensitive personal information" (Art. 28) — data that, once leaked or illegally used, may easily lead to harm to the dignity of natural persons or harm to their person or property. Article 29 imposes a separate consent requirement for sensitive personal information and restricts processing to scenarios of "specific purpose and sufficient necessity." The Article 13 alternatives do not automatically authorize sensitive-data processing; processors must satisfy both Article 13 and Article 29's heightened standard.

## Effective date and implementing guidance

PIPL took effect on November 1, 2021 (Presidential Order No. 91, promulgated August 20, 2021). The Cyberspace Administration of China (CAC) has issued implementing measures on cross-border transfers, breach notification, and security assessments, but has not published detailed Article 13 guidance. The National People's Congress Standing Committee explanatory materials from October 2020 and April 2021 offer interpretive context but do not carry binding regulatory weight.

Source: 中华人民共和国个人信息保护法 (Personal Information Protection Law of the People's Republic of China), Art. 13 (Supreme People's Procuratorate, August 20, 2021).


PIPL Article 14 — The three requirements for valid consent (voluntary, explicit, fully informed)

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

China's Personal Information Protection Law establishes consent as the primary lawful basis for processing personal information under Article 13(1). However, not all consent is valid. PIPL Article 14 defines the substantive requirements that consent must satisfy to authorize processing lawfully. A processor relying on consent — whether general consent under Article 13(1) or separate consent for sensitive personal information under Article 29 — must ensure the consent meets all three cumulative statutory conditions.

## The three-prong Article 14 test

PIPL Article 14's first paragraph mandates:

> "Where personal information processing is based on individual consent, the individual consent shall be voluntary, explicit, and fully informed."

Each element is independently necessary:

1. Voluntary (自愿)

Consent must be the product of the individual's free will. A processor may not obtain consent through:

  • Deception (误导, misleading the individual about the purpose, scope, or consequences of processing);
  • Fraud (欺诈, affirmatively misrepresenting material facts);
  • Coercion (胁迫, threatening harm or withholding a benefit to compel consent).

Article 5 — PIPL's general principles provision — reinforces this requirement by prohibiting processors from processing personal information "through misleading, fraudulent, or coercive means." The voluntary requirement mirrors GDPR Article 4(11)'s "freely given" standard, though GDPR Recital 42 and EDPB guidance add granular texture (no imbalance of power, no bundling unless necessary, genuine choice) that PIPL does not expressly codify. Chinese processors should nonetheless treat the voluntariness inquiry as contextual: consent obtained by a government agency from a citizen seeking a license, or by a monopoly platform as a condition of access, may fail the voluntary test even without overt threats.

Article 16 anti-conditioning rule: PIPL Article 16 operationalizes the voluntary requirement by prohibiting processors from refusing to provide products or services solely because an individual declines consent or withdraws consent — unless processing the personal information is necessary to provide that product or service. This creates a necessity carve-out similar to GDPR Article 7(4). A social-media platform may condition account creation on processing the user's email address (necessary for authentication), but it may not condition the account on consent to behavioral advertising (not necessary for the core service).

2. Explicit (明确)

Consent must be affirmatively expressed through a clear, positive act. Silence, pre-ticked boxes, and inactivity do not constitute valid consent under PIPL. This standard tracks GDPR Article 4(11) ("unambiguous indication") and the EDPB's prohibition on implied consent. In practice, explicit consent typically requires:

  • A checkbox or button the individual must actively select (not pre-checked);
  • An interface element labeled with language indicating consent ("I agree," "I authorize," "I consent to");
  • A mechanism that distinguishes consent from mere acknowledgment (a "Continue" button that also advances the user through an unrelated workflow may not suffice).

PIPL does not require written consent as the default; consent may be given orally, electronically, or by other affirmative conduct, provided the act is explicit. However, Article 14's second paragraph creates statutory overlay exceptions — where "any other law or administrative regulation provides that an individual's separate consent or written consent must be obtained for processing personal information, such provisions shall apply." For example, sector-specific regulations governing financial institutions or healthcare providers may mandate written consent for certain categories of processing.

3. Fully informed (充分知情的前提下)

Consent is valid only if the individual understands what they are consenting to before giving consent. The processor must provide sufficient information to enable informed decision-making. While Article 14 does not enumerate the required disclosures, PIPL Article 17 — the general notice provision — specifies the minimum content a processor must communicate before obtaining consent:

  • The identity and contact information of the processor;
  • The purpose of processing;
  • The methods (processing means);
  • The categories of personal information to be processed;
  • The retention period;
  • The manner and procedure for individuals to exercise their rights under Chapter IV (access, correction, deletion, etc.);
  • Any other matters that laws or administrative regulations require disclosure.

The Article 17 notice must be presented before or at the time consent is sought, in language that is "clear and understandable" (Article 17's closing requirement). A processor cannot satisfy the fully-informed requirement by burying disclosures in a 40-page privacy policy written in legal jargon; the information must be accessible and comprehensible to the average individual.

Integration of Articles 14 and 17: In practice, processors typically satisfy the "fully informed" element of Article 14 consent by embedding an Article 17 notice directly into the consent interface — for example, displaying the required disclosures immediately above the consent checkbox, or presenting a just-in-time notice modal at the point of collection. A consent that lacks the Article 17 disclosures is presumptively not fully informed and therefore invalid under Article 14.

## Right to withdraw consent (Article 15)

PIPL Article 15 grants individuals an unconditional right to withdraw consent at any time:

> "Where personal information processing is based on individual consent, an individual shall have the right to withdraw his consent."

The processor must provide a convenient mechanism for withdrawal — the withdrawal process may not be materially more burdensome than the initial grant of consent. If consent was given by checking a box, withdrawal should be available through a similarly simple action (an account-settings toggle, an unsubscribe link). A processor that requires the individual to mail a notarized letter to withdraw consent likely violates the "convenient" standard.

No retroactive effect: Article 15's second paragraph clarifies that withdrawal "shall not affect the validity of the processing activities conducted based on consent before it is withdrawn." In other words, withdrawal operates prospectively only. A processor is not required to delete personal information already processed under valid consent prior to withdrawal, unless the individual separately invokes the Article 47 deletion right.

## Material-change rule: new consent required (Article 14, third paragraph)

Article 14's third paragraph imposes a mandatory re-consent obligation whenever the processor changes any of three core parameters:

> "In the case of any change of the purposes or means of personal information processing, or the category of processed personal information, a new consent shall be obtained from the individual."

This rule prevents consent creep — a processor may not rely on an initial consent to justify a materially different processing activity. For example:

  • A processor collects email addresses for order confirmations (original purpose). It later decides to use those addresses for marketing emails → new consent required (purpose change).
  • A processor stores personal information on local servers (original means). It migrates to a cloud provider or begins cross-border transfers → new consent required (means change).
  • A processor collects name and shipping address (original categories). It later begins collecting browsing history or geolocation → new consent required (category expansion).

The re-consent requirement mirrors GDPR Article 6(4)'s compatibility assessment (though GDPR frames it as a lawfulness test for "further processing," not a consent rule). PIPL's approach is simpler but stricter: any material change in purpose, means, or data categories triggers an unconditional duty to obtain fresh consent.

## Separate consent and written consent (Article 14, second paragraph)

Article 14's second paragraph acknowledges that other Chinese laws or administrative regulations may impose heightened consent formalities:

> "Where any other law or administrative regulation provides that an individual's separate consent or written consent must be obtained for processing personal information, such provisions shall apply."

Separate consent (单独同意) means consent obtained through a standalone, unbundled mechanism — not buried in a general terms-of-service acceptance. PIPL itself mandates separate consent for:

  • Sensitive personal information (Article 29) — biometrics, religion, health, financials, location, and all data of children under 14;
  • Cross-border transfers (Article 39) — providing personal information to a recipient outside China.

Written consent (书面同意) requires a signature or other written formality. PIPL does not itself mandate written consent for any category of processing, but sector-specific regulations may. For example, financial regulators or healthcare authorities may require written consent for processing customer financial data or patient health records. Processors operating in regulated industries should audit applicable administrative regulations to identify any written-consent triggers.

## Comparison to GDPR Article 4(11) and Article 7

PIPL Article 14 closely mirrors GDPR Article 4(11) (defining consent as "freely given, specific, informed and unambiguous") and GDPR Article 7 (consent conditions). The substantive overlap is substantial:

| Element | PIPL Article 14 | GDPR Articles 4(11) + 7 |
|---------|-----------------|-------------------------|
| Voluntary / Freely given | Voluntary (自愿); no deception, fraud, coercion (Art. 5) | Freely given; no imbalance of power, no bundling unless necessary (Recital 42, EDPB 05/2020) |
| Explicit / Unambiguous | Explicit (明确); affirmative act required | Unambiguous indication; "clear affirmative action" (Art. 4(11)); pre-ticked boxes invalid |
| Fully informed / Informed | Fully informed (充分知情); must satisfy Art. 17 notice requirements | Informed; Art. 13/14 notice requirements + transparency (Art. 5(1)(a)) |
| Right to withdraw | Art. 15; must be convenient | Art. 7(3); "as easy to withdraw as to give" |
| Material change | Art. 14(3); purpose/means/category change → new consent | Art. 6(4) compatibility test; further processing requires new basis unless compatible |

The principal divergence: GDPR consent is one of six co-equal lawful bases under Article 6(1), and controllers often prefer legitimate interests (6(1)(f)) to avoid the withdrawal risk. PIPL Article 13 similarly enumerates seven bases, but omits any legitimate-interests equivalent — consent is the only flexible basis available to private processors, making Article 14's requirements far more practically consequential in China than GDPR consent rules are in the EU.

## Interaction with Article 13's non-consent bases

Article 13's second paragraph establishes a critical hierarchy:

> "According to the provisions of this Law, if processing falls within [the six non-consent bases in Article 13(2)–(7)], the processor does not need to obtain individual consent even if other provisions of this Law would otherwise require consent."

In other words, a processor that can invoke Article 13(2) contract necessity, 13(3) legal obligation, 13(4) public health / vital interests, 13(5) public interest, 13(6) publicly available information, or 13(7) other statutory authority need not satisfy Article 14's consent requirements for that processing activity. Article 14 applies only when the processor is relying on Article 13(1) consent (or Article 29 separate consent for sensitive data, or Article 39 separate consent for cross-border transfers).

## CAC implementing guidance and enforcement signals

The Cyberspace Administration of China (CAC) has not yet published detailed regulations interpreting Article 14's "voluntary, explicit, and fully informed" standard. However, the CAC has signaled enforcement priorities through published administrative penalty decisions under PIPL. For example, in December 2022, the CAC fined Didi Global CNY 8.026 billion for violations including obtaining user consent "in a manner that was not fully informed" and processing personal information "beyond the scope of user consent" — directly invoking Articles 13 and 14. Processors should monitor the CAC's public enforcement docket (published at www.cac.gov.cn) for evolving interpretations of the consent standard.

The TC260 Personal Information Security Specification (GB/T 35273-2020), a recommended national standard issued before PIPL's enactment, defined consent in similar terms and offered implementation guidance (e.g., font-size minimums for consent language, prohibition on default opt-ins). While GB/T 35273-2020 is not legally binding, many practitioners treat it as persuasive authority for interpreting PIPL's consent requirements, and Chinese courts have cited it in civil privacy cases.

## Effective date

PIPL took effect on November 1, 2021 (Presidential Order No. 91, promulgated August 20, 2021). Article 14's consent requirements have applied to all personal information processing activities in China — and to extraterritorial processing subject to PIPL Article 3's jurisdictional reach — since that date.

Source: Personal Information Protection Law of the People's Republic of China, Art. 14 (National People's Congress, Aug. 20, 2021, effective Nov. 1, 2021); English translation, Art. 14 (Supreme People's Procuratorate, Dec. 29, 2021; for reference only, Chinese text controls).


PIPL Article 13(2) — Contractual necessity (contract performance and HR management)

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

China's Personal Information Protection Law provides a contractual-necessity lawful basis under PIPL Article 13(2), which authorizes processing when it is:

> "necessary for the conclusion or performance of a contract in which the individual is a party, or necessary for human resources management in accordance with labor rules and regulations established in accordance with the law and collective contracts signed in accordance with the law."

This provision creates two distinct sub-bases: contract performance for commercial transactions, and HR management under labor law. Both are statutory alternatives to consent — when Article 13(2) applies, the processor does not need to obtain individual consent under Article 13(1), even if other PIPL provisions would otherwise require it.

## The two prongs of Article 13(2)

Prong 1: Conclusion or performance of a contract in which the individual is a party

The first prong covers processing that is necessary to:

  • Conclude a contract with the individual (pre-contractual steps: account setup, identity verification, checkout, creditworthiness assessment); or
  • Perform an existing contract in which the individual is a party (order fulfillment, payment processing, delivery, customer service, warranty claims).

Strict necessity standard: Article 13(2) does not authorize all processing that is convenient or useful for the contract — it requires necessity (必需). This mirrors GDPR Article 6(1)(b)'s interpretation by the European Data Protection Board (EDPB), which has held that contractual necessity applies only when processing is "objectively essential" to deliver the contracted service. Processing that enhances the service or improves the user experience but is not indispensable to performance falls outside Article 13(2) and requires consent.

Examples that satisfy contractual necessity:

  • An e-commerce platform processes the buyer's name, shipping address, and payment information to fulfill a purchase order → necessary for contract performance.
  • A ride-hailing app processes the passenger's real-time location to dispatch a driver and complete the trip → necessary for contract performance.
  • A SaaS provider processes the subscriber's email address to provision an account and send service notifications → necessary for contract performance.

Examples that do NOT satisfy contractual necessity (consent required):

  • An e-commerce platform processes browsing history and purchase patterns to deliver personalized product recommendations → not necessary for contract performance; the platform can complete sales without personalization.
  • A ride-hailing app processes the passenger's location history (past trips, not the current trip) to build a movement profile for marketing → not necessary for contract performance; the app can complete the current ride without historical tracking.
  • A SaaS provider processes the subscriber's device identifiers and usage analytics to train machine-learning models for future product development → not necessary for contract performance; the service can be delivered without this data.

Pre-contractual processing: The phrase "conclusion or performance" (订立、履行) expressly covers pre-contractual steps — processing that occurs before the contract is formed but is objectively necessary to enter into it. For example, a lender may process an applicant's financial information to assess creditworthiness and decide whether to offer a loan contract. The contract does not yet exist, but the processing is necessary for its "conclusion." However, processors must not conflate pre-contractual necessity with business convenience. Collecting data in case the individual later decides to contract is not covered — the processing must be demonstrably tied to a specific contract in active negotiation.

The individual must be a party: Article 13(2) applies only when "the individual is a party" (个人作为一方当事人) to the contract. This excludes third-party processing that benefits the contract but does not involve the individual as a contracting party. For example, a payment processor handling transaction data on behalf of a merchant cannot invoke Article 13(2) against the cardholder — the cardholder's contract is with the merchant, not the payment processor. The processor is a third-party service provider and must either rely on the merchant's valid lawful basis or obtain separate consent (though in practice, the processor typically relies on Article 13(3) legal obligation, if a payment regulation mandates the processing, or processes as a data processor on behalf of the merchant-controller under Article 21).

Prong 2: HR management under labor law (labor rules and collective contracts)

The second prong authorizes processing when it is:

> "necessary for human resources management in accordance with labor rules and regulations established in accordance with the law and collective contracts signed in accordance with the law."

This provision creates a labor-law carve-out for employee personal information. Employers may process employee data without consent if the processing is necessary to implement:

  1. Labor rules and regulations (劳动规章制度) — internal employment policies (attendance, performance evaluation, payroll, benefits administration, workplace safety) that the employer has lawfully established under China's Labor Law and Labor Contract Law. Article 4 of the Labor Contract Law requires employers to adopt rules through a democratic procedure (discussion with the workers' congress or employee representatives, then public disclosure). If the employer has satisfied that procedure, Article 13(2) authorizes processing employee data as necessary to implement the rules.
  2. Collective contracts (集体合同) — agreements negotiated between the employer and the trade union or employee representatives under Labor Law Article 33. If a collective contract specifies entitlements (health insurance, pensions, training, housing subsidies), the employer may process employee personal information as necessary to administer those entitlements under Article 13(2).

Narrow scope: lawful rules and contracts only: Article 13(2)'s HR prong does not authorize all employee monitoring or HR analytics. It is limited to processing necessary to implement lawfully established labor rules and collective contracts. An employer that processes employee data outside the scope of its published labor rules — for example, installing facial-recognition cameras to monitor productivity when the labor rules do not authorize biometric surveillance — cannot invoke Article 13(2) and must obtain employee consent under Article 13(1). Given the imbalance of power in the employment relationship, such consent may fail PIPL Article 14's "voluntary" requirement and Article 16's anti-conditioning rule (which prohibits refusing service unless processing is necessary).

Interaction with Article 16's anti-conditioning rule: Article 16 prohibits processors from refusing to provide products or services solely because an individual declines consent unless processing the personal information is necessary to provide that product or service. In the employment context, this means an employer may condition hiring or continued employment on processing employee data only if that processing is necessary under Article 13(2)'s HR prong. For example, an employer may require employees to provide bank account information for payroll direct deposit (necessary for wage payment, a core contractual obligation). But an employer may not condition employment on consent to biometric timekeeping if non-biometric alternatives (badge scans, passwords) are available — the biometric processing is not necessary, so Article 16 prohibits making it mandatory.

## Relationship to GDPR Article 6(1)(b)

PIPL Article 13(2) is modeled on GDPR Article 6(1)(b), which authorizes processing when it is "necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract." The substantive overlap is substantial, but two divergences are notable:

  1. GDPR does not expressly mention HR management: GDPR Article 6(1)(b) covers employment contracts as a subset of "contract performance," but it does not single out labor law or collective agreements. PIPL Article 13(2) makes the employment use case explicit, likely because Chinese labor law imposes unique formalities (democratic procedure for labor rules, collective-contract requirements under Labor Law). The practical effect is the same — both regimes authorize employee-data processing as necessary to perform the employment contract — but PIPL's text offers clearer guidance for employers.
  2. EDPB's narrow interpretation of "necessity" applies in China by analogy: The European Data Protection Board has published detailed guidance narrowing GDPR Article 6(1)(b). EDPB Guidelines 2/2019 on Article 6(1)(b) holds that contractual necessity does not extend to processing that merely improves the service, adds features, or supports the controller's broader business model. For example, an online platform cannot rely on Article 6(1)(b) to justify behavioral advertising by arguing that ads fund the "free" service — the processing is not objectively necessary to deliver the service; it is a separate monetization model. While the EDPB Guidelines are not binding in China, their reasoning is persuasive because the statutory language is nearly identical, and Chinese courts and regulators interpreting "necessity" (必需) under PIPL Article 13(2) will likely reach similar conclusions. Processors should assume that Article 13(2) applies only to processing that is objectively indispensable to contract performance, not merely beneficial or customary.

## Practical application: when to rely on Article 13(2) vs. Article 13(1) consent

Article 13(2) is the preferred lawful basis for commercial transactions and employment relationships because it avoids the consent-withdrawal risk under Article 15. Once an individual withdraws consent under Article 15, the processor must stop processing (prospectively), which may make contract performance impossible. By contrast, if the processor relies on Article 13(2) from the outset, the individual cannot unilaterally halt necessary processing by withdrawing consent — the lawful basis is the contract itself, not consent.

However, processors must not over-claim Article 13(2). If processing is not strictly necessary for contract performance, the processor must obtain Article 13(1) consent. Over-reliance on contractual necessity exposes the processor to enforcement risk under PIPL Article 66 (administrative fines up to CNY 50 million or 5% of annual revenue for processing without a valid lawful basis).

Decision tree for choosing the lawful basis:

  1. Is the individual a party to a contract with the processor?
     • No → Article 13(2) does not apply. Evaluate Article 13(1) consent or Article 13(3)–(7) (legal obligation, public health, public interest, publicly available information, other statutory authority).
     • Yes → Proceed to step 2.
  2. Is the processing objectively necessary to conclude or perform that contract?
     • Yes → Article 13(2) applies. No consent required.
     • No → Article 13(2) does not apply. Obtain Article 13(1) consent.
  3. If processing employee data, are you implementing lawfully established labor rules or collective contracts?
     • Yes → Article 13(2) HR prong applies. No consent required.
     • No → Obtain Article 13(1) consent (subject to Article 14's "voluntary" requirement and Article 16's anti-conditioning rule; consent may be invalid if the employer conditions employment on non-necessary processing).

## No separate-consent requirement for sensitive data under Article 13(2)

Critical interaction with Article 29: PIPL Article 29 generally requires separate consent for processing sensitive personal information (biometrics, religion, health, financials, location, children under 14). However, Article 13's second paragraph establishes a hierarchy:

> "If processing falls within [Article 13(2)–(7)], the processor does not need to obtain individual consent even if other provisions of this Law would otherwise require consent."

This means Article 13(2) contractual necessity overrides Article 29's separate-consent requirement when sensitive-data processing is genuinely necessary for contract performance. For example:

  • A health-insurance provider processes the policyholder's medical records to assess claims and determine coverage → Article 13(2) applies (necessary for contract performance). Article 29 separate consent is not required.
  • A fintech app processes the user's bank account information to complete a payment transaction → Article 13(2) applies (necessary for contract performance). Article 29 separate consent is not required.
  • An employer processes employee biometric data (fingerprints for building access) under lawfully established labor rules → Article 13(2) HR prong applies. Article 29 separate consent is not required if the biometric system is necessary to implement the labor rules.

However, the "necessity" gate remains strict. If the sensitive-data processing is not objectively indispensable to contract performance, Article 13(2) does not apply, and the processor must obtain Article 29 separate consent. For example, a health-insurance provider that processes policyholder genetic data to build a risk model for product pricing (not to administer an existing policy) cannot invoke Article 13(2) — the processing is for the insurer's business planning, not contract performance. Article 29 separate consent is required.

## Cross-border transfer interaction (Article 39 separate consent)

Article 13(2) does not override the Article 39 separate-consent requirement for cross-border transfers. Article 13's second paragraph (the consent-override rule) applies to "other provisions of this Law," which is ambiguous as to whether it includes Chapter III (cross-border transfers). The safer interpretation — and the one consistent with CAC enforcement signals — is that Article 39 separate consent for cross-border transfers is cumulative with the Article 13 lawful basis. In other words:

  • A processor relying on Article 13(2) to process personal information for contract performance must also obtain Article 39 separate consent if it transfers that information outside China.
  • The two requirements serve different purposes: Article 13(2) authorizes the processing itself (no consent needed), while Article 39 requires consent for the cross-border transfer (a separate act).

This interpretation aligns with GDPR's structure: Article 6(1)(b) contract performance is a lawful basis for processing, but it does not authorize international transfers without a Chapter V transfer mechanism (adequacy, SCCs, BCRs, derogations).

## CAC enforcement and judicial interpretation

The Cyberspace Administration of China has not yet published detailed regulations or guidelines interpreting Article 13(2)'s "necessity" standard. However, CAC enforcement actions signal a strict interpretation:

  • In the Didi Global administrative penalty (July 2022, CNY 8.026 billion fine), the CAC found that Didi processed user location data and device information "in excess of the scope necessary to provide services," violating Article 13. While the decision did not specify which Article 13 basis Didi had invoked, the "excess of necessity" language suggests the CAC applies a narrow view of contractual necessity — processing must be strictly limited to what is indispensable.
  • The TC260 Personal Information Security Specification (GB/T 35273-2020), a recommended national standard predating PIPL, defined "minimum necessity" as a core principle: processors should collect and process only the personal information that is "directly related to the service being provided and necessary to achieve the purpose." While GB/T 35273 is not legally binding, many practitioners treat it as persuasive authority for interpreting PIPL's necessity requirements, and Chinese courts have cited it in civil privacy cases.

Processors relying on Article 13(2) should document the necessity analysis for each category of personal information processed. A data inventory mapping data elements to specific contractual obligations or labor-rule provisions will help demonstrate compliance if the CAC or a court later challenges the lawful basis.

## Effective date and current status

PIPL took effect on November 1, 2021 (Presidential Order No. 91, promulgated August 20, 2021). Article 13(2) has applied to all personal information processing activities in China — and to extraterritorial processing subject to PIPL Article 3's jurisdictional reach — since that date. No amendments to Article 13(2) have been enacted as of June 2026.

Source: 中华人民共和国个人信息保护法 (Personal Information Protection Law of the People's Republic of China), Art. 13 (Cyberspace Administration of China, Aug. 20, 2021, effective Nov. 1, 2021); Personal Information Protection Law, Art. 13 (English) (Supreme People's Procuratorate, Aug. 20, 2021; for reference only, Chinese text controls).

PIPL Article 13(3) — Legal obligation (performance of statutory duties or obligations)

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

China's Personal Information Protection Law provides a legal-obligation lawful basis under PIPL Article 13(3), which authorizes processing when it is:

> "necessary for the performance of statutory duties or obligations" (为履行法定职责或者法定义务所必需).

This provision creates a statutory-compliance carve-out from the consent requirement. When Article 13(3) applies, the processor does not need to obtain individual consent under Article 13(1), even if other PIPL provisions would otherwise require it. The legal-obligation basis is critical for government agencies, regulated industries (finance, healthcare, telecommunications, insurance, customs, tax), and any entity operating under Chinese administrative law mandates that compel personal-information processing.

## Scope: "statutory duties or obligations"

Article 13(3) covers two categories of legal obligation:

1. Statutory duties (法定职责)

Statutory duties typically apply to government agencies and public-sector entities that must process personal information to discharge functions assigned by law. Examples include:

  • Tax authorities processing taxpayer identification numbers, income data, and transaction records under the Tax Collection and Administration Law to assess and collect taxes;
  • Public security bureaus processing identity information, biometric data, and residence records under the Resident Identity Card Law and the Public Security Administration Law to issue identity cards, register household residence, and maintain public order;
  • Customs authorities processing passenger and cargo manifests, import/export declarations, and customs-clearance data under the Customs Law;
  • Social insurance agencies processing employee contribution records, medical claims, and pension entitlements under the Social Insurance Law;
  • Market supervision and administration bureaus processing business-registration data and license applicant information under the Company Law and administrative licensing regulations.

When a law, administrative regulation, or local regulation explicitly assigns a duty to a government agency and that duty cannot be performed without processing personal information, Article 13(3) supplies the lawful basis. The agency need not obtain consent from the individuals whose data it processes — the statutory mandate itself authorizes the processing.

2. Statutory obligations (法定义务)

Statutory obligations typically apply to private-sector processors that are legally required to process personal information by a statute, administrative regulation, or departmental rule. Examples include:

  • Financial institutions (banks, securities firms, insurers) processing customer identity information, beneficial-owner records, and transaction data under the Anti-Money Laundering Law, the Counter-Terrorism Law, and People's Bank of China AML regulations to conduct customer due diligence, monitor suspicious transactions, and file reports to the Anti-Money Laundering Bureau;
  • Telecommunications operators and internet service providers processing subscriber real-name registration information under the Cybersecurity Law Article 24 (network real-name system) and the Telecommunications Regulations;
  • Healthcare providers processing patient medical records, infectious-disease reports, and adverse-drug-reaction data under the Law on the Prevention and Treatment of Infectious Diseases, the Drug Administration Law, and Ministry of Health reporting regulations;
  • Employers processing employee tax-withholding data and social-insurance contributions under the Individual Income Tax Law and the Social Insurance Law;
  • E-commerce platforms and payment processors processing transaction records and invoicing information under the E-Commerce Law and tax regulations that mandate recordkeeping and reporting.

When a law or regulation imposes an obligation on a private entity to process personal information (e.g., "operators shall verify user identity," "financial institutions must report suspicious transactions," "employers shall withhold individual income tax"), Article 13(3) supplies the lawful basis. The processor need not obtain consent — the statutory obligation itself authorizes the processing.

## Strict necessity standard

Article 13(3)'s authorization is limited to processing that is necessary (必需) to perform the statutory duty or obligation. This mirrors the necessity standard in Article 13(2) contract performance. Processing is necessary only when it is objectively indispensable to comply with the legal requirement — mere convenience or business preference does not suffice.

Examples that satisfy the necessity test:

  • A bank processing a customer's identity card number and facial photograph to satisfy the Anti-Money Laundering Law's customer-identification requirement → necessary to perform the statutory AML obligation.
  • A hospital processing a patient's diagnosis and treatment records to report a case of tuberculosis under the Infectious Diseases Law → necessary to perform the statutory disease-reporting duty.
  • A telecom operator processing a subscriber's real name and identity card number under the Cybersecurity Law's real-name registration mandate → necessary to perform the statutory registration obligation.

Examples that do NOT satisfy the necessity test (consent required):

  • A bank processing customer browsing behavior on its website to personalize product recommendations → not necessary to perform any statutory AML, prudential-regulation, or consumer-protection obligation. The bank can comply with all its legal duties without behavioral tracking. Article 13(1) consent is required.
  • A hospital processing patient genetic data to build a research database for future studies → not necessary to perform the statutory infectious-disease reporting duty or the duty to maintain medical records. Even if research is socially beneficial, it is not a statutory obligation imposed on the hospital. Article 13(1) consent (and likely Article 29 separate consent for sensitive data) is required.
  • A telecom operator processing subscriber location history over the past year to analyze movement patterns for network planning → not necessary to perform the statutory real-name registration obligation. The operator can comply with the Cybersecurity Law's registration mandate by collecting identity information at the point of subscription; continuous location tracking is a separate business activity. Article 13(1) consent is required.

The key question: Can the processor comply with the statute without processing this category of personal information? If yes, Article 13(3) does not apply.

## Source of the obligation: laws and administrative regulations

PIPL does not define "statutory duties or obligations" (法定职责或者法定义务), but the term is widely understood in Chinese administrative law to refer to mandates imposed by:

  1. National laws (法律) — enacted by the National People's Congress or its Standing Committee (e.g., Anti-Money Laundering Law, Cybersecurity Law, Social Insurance Law, Tax Collection and Administration Law);
  2. Administrative regulations (行政法规) — enacted by the State Council (e.g., Telecommunications Regulations, Regulations on Compulsory Reporting of Infectious Diseases);
  3. Local laws and regulations (地方性法规) — enacted by provincial or municipal people's congresses within their legislative authority (e.g., Shanghai Municipality's regulations on public health data reporting);
  4. Departmental rules (部门规章) — promulgated by State Council ministries and commissions (e.g., People's Bank of China AML rules, Ministry of Public Security regulations on resident identity management, National Health Commission medical-record rules).

Departmental rules are a gray area: While Chinese administrative law recognizes departmental rules as a source of legal obligation, some practitioners argue that PIPL Article 13(3)'s reference to "statutory duties or obligations" should be read narrowly to include only laws and administrative regulations (State Council-level and above), not ministry-level rules. The Cyberspace Administration of China has not published guidance clarifying this issue. Conservative processors treating ministry-level mandates as Article 13(3) authority should document the statutory chain (the law or State Council regulation that authorizes the ministry to impose the reporting/recordkeeping obligation) to demonstrate that the duty ultimately derives from higher-level legislation.

Internal corporate policies, industry self-regulatory codes, and contractual obligations do NOT create Article 13(3) authority. A processor cannot invoke Article 13(3) by arguing "our internal compliance policy requires us to process this data" or "the industry association's best-practice guideline recommends this processing." Article 13(3) requires a mandate from a statute or regulation with binding legal force.

## Interaction with Article 13's consent-override rule

PIPL Article 13's second paragraph establishes a critical hierarchy:

> "According to the provisions of this Law, if processing falls within [the six non-consent bases in Article 13(2)–(7)], the processor does not need to obtain individual consent even if other provisions of this Law would otherwise require consent."

This means Article 13(3) legal obligation overrides:

  • Article 14's consent requirements (voluntary, explicit, fully informed);
  • Article 29's separate-consent requirement for sensitive personal information — when processing sensitive data (biometrics, financials, health, location, children under 14) is necessary to perform a statutory duty or obligation, the processor need not obtain Article 29 separate consent. For example, a bank processing customer financial-account information under AML regulations invokes Article 13(3) and need not obtain Article 29 separate consent, even though financial accounts are sensitive personal information under Article 28.

However, the override applies only to the extent the processing is necessary for the statutory duty or obligation. If the processor collects additional categories of personal information beyond what the statute requires, Article 13(3) does not authorize the excess data collection, and the processor must obtain consent under Article 13(1) for the additional processing.

Example of partial Article 13(3) coverage:

A bank onboarding a new customer must comply with the Anti-Money Laundering Law's customer-due-diligence requirements, which mandate collecting the customer's name, identity card number, occupation, and contact information. The bank's account-opening form also asks for the customer's monthly income, family size, and hobbies to enable personalized product recommendations.

  • Article 13(3) applies to: name, identity card number, occupation, contact information → necessary to perform the statutory AML obligation. No consent required.
  • Article 13(3) does NOT apply to: monthly income, family size, hobbies → not necessary to perform any statutory obligation. These data points support the bank's marketing strategy, not its legal compliance. The bank must obtain Article 13(1) consent for this additional processing.

The processor should segregate the legal-obligation processing (authorized by Article 13(3)) from the discretionary processing (requiring consent) in its privacy notice and data-management systems.

## Comparison to GDPR Article 6(1)(c) and Article 6(3)

PIPL Article 13(3) is modeled on GDPR Article 6(1)(c), which authorizes processing when it is "necessary for compliance with a legal obligation to which the controller is subject." The overlap is substantial, but three divergences are notable:

1. GDPR requires a "legal obligation to which the controller is subject"

GDPR Article 6(3) narrows Article 6(1)(c) by specifying that the legal obligation must have a basis in EU law or Member State law. Furthermore, the legal basis must meet certain quality standards: it must "lay down the purposes of the processing" and may contain specific provisions to adapt the application of GDPR rules (such as conditions for lawful processing, types of data, data subjects, recipients, retention periods, and processing operations).

PIPL Article 13(3) does not impose comparable formality requirements. Chinese statutes and regulations rarely specify the precise categories of personal information to be collected, the retention period, or the permissible recipients — they typically mandate an outcome ("financial institutions shall identify customers," "hospitals shall report infectious diseases") without prescribing data-minimization details. Processors relying on Article 13(3) must independently apply PIPL's general principles (Articles 5–9: lawfulness, legitimacy, necessity, purpose limitation, data minimization, transparency, accuracy, security) to determine the scope of necessary processing, even when the underlying statute is silent on these details.

2. GDPR Article 6(1)(c) does not cover "tasks carried out in the public interest"

Under GDPR, processing by public authorities in the exercise of official functions typically invokes Article 6(1)(e) ("necessary for the performance of a task carried out in the public interest or in the exercise of official authority"), not Article 6(1)(c). GDPR treats legal obligations (6(1)(c)) and public-interest tasks (6(1)(e)) as distinct grounds.

PIPL Article 13(3) collapses both into a single provision. Processing by a government agency to discharge a statutory duty (e.g., a tax bureau collecting tax returns, a public security bureau maintaining household registration) invokes Article 13(3) "statutory duties," even though GDPR would characterize the same processing as a public-interest task under Article 6(1)(e). PIPL does separately enumerate a public-interest basis in Article 13(5) ("for public interest implementing news reporting, public-opinion supervision, or other similar acts"), but that provision is narrower — it covers media, research, and public-advocacy activities, not routine government administration.

Practitioners familiar with GDPR should not assume that PIPL Article 13(3) maps one-to-one onto GDPR Article 6(1)(c). In functional terms, PIPL Article 13(3) covers both GDPR Article 6(1)(c) (legal obligation) and much of GDPR Article 6(1)(e) (public interest / official authority).

3. No explicit "adequacy decision" or "appropriate safeguards" overlay for cross-border transfers

Under GDPR, a controller relying on Article 6(1)(c) legal obligation as the lawful basis for processing must also satisfy GDPR Chapter V (international transfers) if it transfers personal data outside the EEA. Article 6(1)(c) does not exempt the controller from the adequacy-decision, standard-contractual-clauses, or binding-corporate-rules requirements of Articles 45–46.

PIPL follows a similar two-tier structure. Article 13(3) authorizes processing (the Article 13 lawful basis), but it does not automatically authorize cross-border transfers. If the processor transfers personal information outside China under a statutory duty or obligation, it must also satisfy PIPL Chapter III (Articles 38–43). Specifically:

  • Article 38 requires processors to satisfy one of three cross-border transfer mechanisms: (1) pass the CAC security assessment (Art. 40), (2) obtain certification under a CAC-approved personal-information-protection scheme (Art. 41), or (3) enter into a standard contract with the overseas recipient (Art. 39).
  • Article 39 additionally requires separate consent for cross-border transfers unless the processor can invoke one of the Article 13(2)–(7) alternatives. The interaction of Article 13(3) and Article 39 is ambiguous: does the Article 13(3) legal obligation override the Article 39 separate-consent requirement for cross-border transfers?

Conservative interpretation (safer): Article 39 separate consent is cumulative with the Article 13 lawful basis. Even when Article 13(3) authorizes processing for a legal obligation, the processor must obtain separate consent if it transfers the data outside China — unless the cross-border transfer itself is statutorily mandated (e.g., a customs authority transferring passenger data to a foreign customs authority under a bilateral agreement implementing an international treaty obligation, which would invoke both Article 13(3) for processing and Article 43 for the treaty-based transfer exemption). The CAC has not published definitive guidance on this point. Processors should err on the side of obtaining Article 39 separate consent unless the statute explicitly mandates the cross-border transfer.

## Practical application: when to rely on Article 13(3)

Article 13(3) is the preferred lawful basis for compliance-driven processing because it is stable — individuals cannot withdraw a statutory obligation, and the processor is legally required to continue processing even if the individual objects. By contrast, if the processor relies on Article 13(1) consent, the individual may withdraw consent under Article 15, forcing the processor to halt processing, which may put the processor in violation of the underlying legal obligation (e.g., an AML regulation that mandates retaining customer-due-diligence records for five years).

However, processors must not over-claim Article 13(3). Processing that merely facilitates compliance or supports a compliance-adjacent business function does not qualify. The statutory obligation must affirmatively require the processing.

Decision tree for invoking Article 13(3):

  1. Is there a statute, administrative regulation, or binding rule that mandates the processing?
     • No → Article 13(3) does not apply. Evaluate Article 13(1) consent or Article 13(2) contract.
     • Yes → Proceed to step 2.
  2. Does the statute explicitly require processing this category of personal information, or is processing this category objectively necessary to comply with the statutory mandate?
     • Yes → Article 13(3) applies. No consent required (subject to cross-border-transfer considerations).
     • No → Article 13(3) does not apply. The processing may be useful for compliance, but it is not necessary. Obtain Article 13(1) consent.
  3. Is the processor collecting additional personal information beyond what the statute requires?
     • Yes → Segregate the legally mandated processing (Article 13(3)) from the discretionary processing (Article 13(1) consent required). Clearly disclose both in the Article 17 privacy notice.

## Documentation and transparency obligations

Processors relying on Article 13(3) should:

  • Maintain a legal-basis register mapping each category of personal information processed to the specific statute, regulation, or rule that mandates it. This documentation is critical if the CAC or a court later challenges the lawful basis.
  • Satisfy Article 17 notice requirements even when consent is not required. Article 17 mandates that processors disclose the purpose, method, categories of personal information, and retention period before or at the time of collection, regardless of the lawful basis. For Article 13(3) processing, the notice should identify the statutory obligation by name and citation (e.g., "We collect your identity card number and bank account information to comply with the Anti-Money Laundering Law and People's Bank of China AML Regulations, which require customer due diligence.").
  • Limit retention to the statutory minimum or a reasonable compliance period. Article 19 prohibits processors from retaining personal information longer than necessary to achieve the processing purpose. When the processing purpose is to satisfy a legal obligation, "necessary" retention is typically the period the statute mandates (if specified) or the period during which the processor may be subject to regulatory inspection or audit for compliance with that obligation.

## CAC enforcement signals and judicial interpretation

The Cyberspace Administration of China has not yet published detailed regulations or guidelines interpreting Article 13(3). However, CAC enforcement actions and court decisions offer some interpretive signals:

  • Didi Global administrative penalty (July 2022, CNY 8.026 billion fine): The CAC found that Didi processed personal information "in excess of the scope required by laws and regulations," violating Article 13. While the decision did not specify which Article 13 basis Didi had invoked, the "excess of statutory requirements" language suggests that when a processor claims Article 13(3) authority, the CAC will strictly scrutinize whether the categories of personal information collected genuinely align with the statutory mandate. Processors cannot inflate the scope of Article 13(3) by arguing that additional data collection "supports" compliance.
  • Judicial precedent on statutory obligations in the employment context: Several Chinese courts have held that employers may process employee personal information under Article 13(3) when doing so is necessary to comply with tax-withholding obligations under the Individual Income Tax Law or social-insurance-contribution obligations under the Social Insurance Law, even without employee consent. These decisions reinforce that Article 13(3) supplies an independent lawful basis distinct from the Article 13(2) HR-management prong (which is limited to processing necessary to implement lawfully established labor rules and collective contracts).

## Effective date and current status

PIPL took effect on November 1, 2021 (Presidential Order No. 91, promulgated August 20, 2021). Article 13(3) has applied to all personal information processing activities in China — and to extraterritorial processing subject to PIPL Article 3's jurisdictional reach — since that date. No amendments to Article 13(3) have been enacted as of June 2026.

Source: 中华人民共和国个人信息保护法 (Personal Information Protection Law of the People's Republic of China), Art. 13 (Cyberspace Administration of China, Aug. 20, 2021, effective Nov. 1, 2021).

PIPL Article 31 — Parental or guardian consent for minors under 14 years old

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

China's Personal Information Protection Law imposes a categorical parental-consent requirement for processing the personal information of children under 14. PIPL Article 31 mandates:

> "To process the personal information of minors under the age of 14, personal information processors shall obtain the consent of the parents or other guardians of the minors."

This rule applies to all processing of under-14 data, regardless of purpose, category, or sensitivity. It stacks on top of the Article 13 lawful-basis framework and creates a mandatory gate that processors cannot bypass by invoking non-consent bases like contract (Art. 13(2)) or legal obligation (Art. 13(3)).

## The three cumulative requirements for processing under-14 data

To lawfully process the personal information of a minor under 14, a processor must satisfy all three of the following conditions:

  1. Meet one of the seven Article 13 lawful bases (consent, contract, legal obligation, public health/vital interests, public interest, publicly available information, or other statutory authority);
  2. Satisfy Article 28's threshold for sensitive personal information — because Article 28 designates all personal information of minors under 14 as sensitive personal information (敏感个人信息), the processor must demonstrate a specific purpose and sufficient necessity and implement strict protective measures; and
  3. Obtain Article 31 parental or guardian consent — the processor must secure affirmative consent from the child's parent or other legal guardian before processing begins.

These requirements are cumulative, not alternative. A processor cannot rely on Article 13(2) contractual necessity or Article 13(3) legal obligation to bypass Article 31 parental consent. Even when processing is objectively necessary to perform a contract with the child (e.g., fulfilling an e-commerce order the child placed) or required by law (e.g., age-verification for compliance with content-rating regulations), Article 31 parental consent is still mandatory.

## Who qualifies as "parents or other guardians"

Article 31 requires consent from "parents or other guardians" (父母或者其他监护人). Under China's Civil Code, guardians include:

  • Parents — the default guardians for minors under Civil Code Article 27;
  • Other designated guardians when parents are deceased, lack capacity, or cannot perform guardian duties — typically grandparents, adult siblings, or other close relatives designated by the parents or appointed by a residents' committee, villagers' committee, or civil affairs department (Civil Code Arts. 27–28);
  • Legal guardians appointed by a court in contested cases.

Processors must obtain consent from at least one parent or the designated legal guardian. PIPL does not require consent from both parents unless the parents jointly hold guardianship and have expressly divided responsibilities. In practice, processors typically design consent mechanisms that allow any parent or guardian to act unilaterally — a single signature or checkbox suffices.

Verification challenge: Article 31 does not specify how processors must verify that the person providing consent is in fact the child's parent or guardian. The Cyberspace Administration of China (CAC) has not yet published implementing regulations setting verification standards. In practice, processors adopt a range of mechanisms:

  • Explicit parental-consent flows during account creation (checkbox stating "I am the parent/guardian of this child and consent to processing");
  • Age gates that trigger a parental-email-confirmation step when the user enters a birthdate indicating under-14 status;
  • Identity verification via government-issued ID (requiring the parent to upload a photo of their national ID card and a photo of the child's household registration showing the parent-child relationship);
  • Payment-card verification (requiring a parent to enter credit-card information, on the assumption that children under 14 typically lack payment cards).

No single verification method is legally mandated, but the processor bears the burden of demonstrating that consent was obtained from a parent or guardian. If challenged, a processor that relied on an honor-system checkbox without additional verification may face enforcement risk under Article 66 (administrative fines for processing without a valid lawful basis).

## Interaction with Article 29 separate consent for sensitive personal information

Because Article 28 designates all under-14 personal information as sensitive, Article 29 also applies: processors must obtain separate consent (单独同意) for sensitive-data processing. This creates potential confusion — does a processor need two separate consents (Article 29 separate consent + Article 31 parental consent)?

Practical interpretation: The two requirements merge in the under-14 context. Article 31 parental consent satisfies Article 29's separate-consent requirement if the parental-consent mechanism is structured to meet Article 29's standards:

  • The consent must be separate — obtained through a standalone checkbox or interface element, not bundled into a general terms-of-service acceptance;
  • The consent must be informed — the processor must disclose the Article 30 enhanced information (necessity of processing the sensitive data and the impact on the child's rights and interests), in addition to the Article 17 general notice requirements;
  • The consent must be given by the parent or guardian, not the child.

In other words, processors do not need to obtain one consent from the child (under Art. 29) and a second consent from the parent (under Art. 31). Instead, they obtain a single separate parental consent that satisfies both Article 29 and Article 31. The consent interface should:

  1. Clearly identify the child's data as sensitive personal information under Article 28;
  2. Explain the necessity and impact as required by Article 30;
  3. Require the parent or guardian to provide separate consent (not the child);
  4. Use a standalone mechanism (not bundled with other consents).

## Mandatory special processing rules (Article 31, second paragraph)

Article 31's second paragraph imposes an additional obligation on processors handling under-14 data:

> "Personal information processors processing the personal information of minors under the age of 14 shall develop special rules for processing such personal information."

"Special rules" (专门的个人信息处理规则) means the processor must adopt internal policies, procedures, and technical safeguards tailored to the heightened risks of processing children's data. While PIPL does not enumerate the required content, the CAC and the TC260 national-standard body have signaled that special rules should address:

  • Enhanced security measures — encryption, access controls, audit logs, and data-minimization practices appropriate for sensitive data involving children;
  • Retention limits — storing under-14 data only as long as necessary for the specified purpose, with mandatory deletion when the purpose is achieved or the child (or parent) requests erasure under Article 47;
  • Prohibited uses — restrictions on processing under-14 data for purposes that pose heightened risks to children (automated decision-making for credit scoring, behavioral advertising targeting minors, public disclosure);
  • Transparent disclosure — a child-specific privacy notice written in language comprehensible to both children and parents, separate from the general privacy policy;
  • Training and accountability — internal training for staff who handle under-14 data, designation of a responsible officer for children's privacy compliance, and documented DPIA (data protection impact assessment) procedures under Article 55 for high-risk processing involving minors.

Processors that operate platforms or services primarily directed at children (e.g., educational apps, children's gaming platforms, video services for minors) face heightened scrutiny. The CAC has signaled through enforcement actions that such processors must implement age-appropriate design — interface elements, default settings, and algorithmic recommendations calibrated for children's developmental stage and vulnerability.

## No bypass via Article 13's non-consent bases

A critical structural question: can a processor invoke Article 13(2) contractual necessity or Article 13(3) legal obligation to process under-14 data without obtaining Article 31 parental consent?

Answer: No. Article 31's parental-consent requirement is unconditional. It applies "to process the personal information of minors under the age of 14" — the statute does not carve out exceptions for non-consent lawful bases. Unlike Article 29's separate consent for sensitive data (which Article 13's second paragraph states is not required when the processor can invoke Article 13(2)–(7)), Article 31 contains no such override language.

This interpretation is confirmed by the statutory structure: Article 31 appears in Section 2 of Chapter II ("Rules for Processing Personal Information"), immediately following the special rules for sensitive personal information (Arts. 28–30) and before the rules for state-organ processing (Arts. 33–37). If the drafters had intended Article 13's non-consent bases to override Article 31 parental consent, they would have cross-referenced Article 13's second paragraph or included similar override language in Article 31 itself. The absence of such language signals that parental consent is mandatory for all under-14 processing, regardless of which Article 13 lawful basis applies.

Practical implications:

  • E-commerce platforms cannot rely on Article 13(2) contractual necessity to process a child's shipping address and payment information to fulfill an online purchase. Even though the processing is necessary for contract performance, the platform must obtain parental consent under Article 31 before accepting the child's order.
  • Schools and educational institutions processing student data pursuant to a legal obligation under education law (Article 13(3)) must still obtain parental consent under Article 31. The legal obligation satisfies the Article 13 lawful basis, but it does not eliminate the Article 31 parental-consent requirement.
  • Healthcare providers processing a child's medical information under Article 13(3) (legal obligation to provide emergency care) or Article 13(4) (vital interests) must obtain parental consent when feasible. If the child requires emergency treatment and the parent cannot be reached in time, the provider may invoke Article 13(4) to process the data immediately, but the provider should obtain ratifying consent from the parent as soon as practicable after the emergency.

The only scenario where Article 31 parental consent may be excused is genuine impossibility — when the processor cannot obtain parental consent despite reasonable efforts (e.g., the child is orphaned with no appointed guardian, or the parent is incapacitated and no alternate guardian has been designated). In such cases, the processor should document the impossibility and seek guidance from the department performing personal information protection duties (履行个人信息保护职责的部门, typically the local CAC office or market-regulation bureau) before proceeding.

## Comparison to GDPR Article 8 and US COPPA

PIPL Article 31 is stricter than both the EU GDPR and the US Children's Online Privacy Protection Act (COPPA) in three respects:

| Element | PIPL Article 31 | GDPR Article 8 | US COPPA |
|---------|-----------------|----------------|----------|
| Age threshold | Under 14 | Under 16 (member states may lower to 13) | Under 13 |
| Scope | All processing of under-14 data | Only consent for information-society services (Art. 8(1)); other processing may rely on Art. 6(1)(b)–(f) without parental consent | Only online collection by operators of websites/services directed to children or with actual knowledge |
| Categorical sensitive-data rule | All under-14 data is sensitive (Art. 28) | No categorical rule; child data is ordinary personal data unless it falls within Art. 9 special categories | No categorical rule; child data governed by COPPA notice-and-consent framework, not broader sensitive-data rules |

GDPR Article 8 applies parental consent only when the lawful basis is consent for an information-society service offered directly to a child (e.g., social-media account, gaming platform). Controllers may still rely on GDPR Article 6(1)(b) contract, 6(1)(c) legal obligation, 6(1)(d) vital interests, 6(1)(e) public task, or 6(1)(f) legitimate interests to process children's data without parental consent. By contrast, PIPL Article 31 applies parental consent to all processing, regardless of lawful basis.

US COPPA applies parental consent only to online collection by operators of websites or online services that are directed to children under 13 or that have actual knowledge the user is under 13. Offline processing, processing by services not directed to children (even if a child happens to use the service), and processing where the operator lacks actual knowledge of the user's age are outside COPPA's scope. By contrast, PIPL Article 31 applies to all processing — online and offline, directed and incidental — of under-14 data.

Result: PIPL Article 31 imposes the most protective children's-privacy regime among major data-protection laws. A cross-border processor that is GDPR- and COPPA-compliant cannot assume PIPL compliance — the processor must implement separate parental-consent flows for all processing of data of children who are PRC residents or located in China (under PIPL Article 3's territorial scope).

## Effective date and current enforcement posture

PIPL took effect on November 1, 2021 (Presidential Order No. 91, promulgated August 20, 2021). Article 31 has applied to all processing of under-14 personal information since that date.

The CAC has signaled strong enforcement intent in the children's-privacy domain. In 2022–2023, the CAC conducted a national campaign targeting apps providing services to minors, inspecting over 1,100 apps and issuing public notices ordering rectification of violations including:

  • Failure to obtain parental consent before collecting under-14 data;
  • Failure to develop special processing rules for minors;
  • Excessive collection of children's personal information beyond necessity;
  • Use of children's data for behavioral advertising without separate consent.

Processors offering services in China that collect any under-14 data — including educational apps, gaming platforms, e-commerce sites, social media, and video services — should treat Article 31 compliance as a top enforcement priority. The CAC's published enforcement docket (available at www.cac.gov.cn) shows that violations involving children's data attract higher fines and faster enforcement than comparable violations involving adult data.

## Cross-border transfer overlay (Article 39 separate consent required)

If a processor transfers under-14 personal information outside China, it must obtain two separate consents:

  1. Article 31 parental consent for processing the child's data (as described above); and
  2. Article 39 parental consent for the cross-border transfer itself.

Article 39 requires processors to obtain separate consent (单独同意) for cross-border transfers, disclosing the overseas recipient's name, contact information, processing purpose, processing means, data categories, and the method for exercising rights against the overseas recipient. When the data subject is a minor under 14, the parent or guardian must provide this Article 39 separate consent — the child cannot consent on their own behalf.

In practice, processors typically merge the two consents into a single parental-consent flow with two distinct checkboxes:

  • Checkbox 1 (Article 31): "I consent to [Processor] processing my child's personal information [categories] for [purpose], and I acknowledge that my child's data is sensitive personal information under PIPL."
  • Checkbox 2 (Article 39): "I consent to [Processor] transferring my child's personal information to [Overseas Recipient, Country] for [purpose], and I understand my child may exercise rights by contacting [contact info]."

Both checkboxes must be separately presented (not bundled), informed (with Article 17 + Article 30 + Article 39 disclosures), and affirmatively checked by the parent or guardian before processing and transfer begin.

Source: Personal Information Protection Law of the People's Republic of China, Art. 31 (National People's Congress, Aug. 20, 2021, effective Nov. 1, 2021); Personal Information Protection Law, Art. 31 (English) (Supreme People's Procuratorate, Dec. 29, 2021; for reference only, Chinese text controls).
