Territorial scope — Article 3 PIPL extraterritorial reach
China's Personal Information Protection Law (中华人民共和国个人信息保护法, "PIPL") came into force on November 1, 2021, establishing the country's first comprehensive framework for personal information protection. The PIPL is administered by the Cyberspace Administration of China (CAC, 国家网信部门), which coordinates enforcement with other state departments.
Article 3 territorial scope
Article 3 PIPL defines both domestic and extraterritorial application. The law applies to all personal information processing activities conducted within the territory of the People's Republic of China (Art. 3, para. 1).
Crucially, the PIPL also applies extraterritorially to processing activities conducted outside China's territory when they meet any of the following conditions (Art. 3, para. 2):
- Offering products or services to individuals in China — processing personal information of individuals located in China for the purpose of providing products or services to them;
- Analyzing or evaluating behavior — processing personal information to analyze or assess the behavior of individuals located in China; or
- Other circumstances prescribed by law — additional scenarios specified in laws or administrative regulations.
This extraterritorial reach is modeled on the European Union's GDPR Article 3(2) targeting test. A foreign personal information processor subject to PIPL under Article 3(2) must establish a specialized institution in China or designate a representative to handle personal information protection matters, and file the name and contact details with the department responsible for personal information protection (Art. 53).
"境内自然人" — individuals located in China
The Chinese text uses the term "境内自然人" (literally "natural persons within the territory"). The PIPL does not define this phrase or contain a "citizenship" or "residency" filter. The consensus interpretation is that Article 3(2) is triggered by processing personal information of any natural person physically located within China's territory at the time of the data collection or processing, regardless of nationality or habitual residence. This is a location-based trigger, not an identity-based one.
Processing defined broadly
Article 4 defines "processing" (处理) to include collection, storage, use, processing (in the narrow sense), transmission, provision, disclosure, and deletion of personal information — a comprehensive lifecycle definition analogous to GDPR Article 4(2).
Effective date and legislative history
The PIPL was adopted by the Standing Committee of the 13th National People's Congress on August 20, 2021, and took effect on November 1, 2021. It forms the third pillar of China's data governance regime alongside the Cybersecurity Law (2017) and the Data Security Law (2021).
Source: Personal Information Protection Law of the People's Republic of China, Art. 3 (effective Nov. 1, 2021)
Source: Personal Information Protection Law (English translation), Supreme People's Procuratorate
Personal information definition — Article 4 PIPL
Article 4 of the Personal Information Protection Law (PIPL) defines "personal information" (个人信息) as the foundation for determining what data falls within the law's scope. Understanding this definition is the first step in scoping PIPL compliance obligations for any processor handling data connected to individuals in China.
Article 4 statutory definition
Article 4 PIPL defines personal information as "various information related to an identified or identifiable natural person recorded electronically or by other means, but does not include anonymized information."
This is a two-part test:
- Identified or identifiable natural person — the information must relate to a natural person who either is already identified, or can be identified (directly or indirectly) from that information, possibly in combination with other information.
- Recorded electronically or by other means — the medium of recording is immaterial. Paper records, electronic databases, photographs, voice recordings, and video are all covered if they meet the identifiability test.
The Chinese text uses "各种信息" ("various information"), signaling a deliberately broad, technology-neutral sweep analogous to the European Union's GDPR Article 4(1) definition of "personal data."
The identifiability test
PIPL does not enumerate categories of personal information in Article 4 itself; instead, it adopts a functional test: if information can be used to identify a natural person—either standing alone (e.g., full name, national ID number 身份证号码, mobile phone number) or in combination with other data (e.g., IP address, device identifier, browsing history, geolocation)—it is personal information.
The Cyberspace Administration of China (CAC) and other regulators have consistently interpreted "identifiable" broadly. Information that, when combined with publicly available or other datasets, allows singling out an individual is personal information even if that information appears generic in isolation. For example, precise geolocation data, call detail records, and online behavioral profiles are personal information because they can identify or profile a natural person when cross-referenced.
Anonymized information excluded
Article 4 expressly excludes anonymized information (匿名化信息) from the definition of personal information. Information is considered anonymized when it has been irreversibly processed such that the natural person can no longer be identified, directly or indirectly, and the anonymization cannot be reversed.
This exclusion is narrower than it appears. The CAC has signaled in enforcement guidance that pseudonymization (where identifiers are replaced with pseudonyms but re-identification remains technically possible with a key) does not qualify as anonymization. Only truly irreversible de-identification—such that re-identification is infeasible even with reasonable effort and auxiliary data—removes the information from PIPL's scope. Aggregated statistical data that cannot be disaggregated to identify individuals is also excluded.
Processors bear the burden of demonstrating that anonymization is effective and irreversible. If there is any reasonable pathway to re-identify individuals, the data remains personal information and PIPL obligations apply in full.
Comparison to GDPR and practical implications
PIPL's Article 4 definition closely mirrors GDPR Article 4(1), reflecting the drafters' study of the European model. Both laws adopt an identifiability standard rather than a rigid list, and both exclude truly anonymized data. However, PIPL does not incorporate GDPR's explicit reference to "identifiers" such as location data, online identifiers, or genetic data in the recitals—though CAC enforcement practice treats these as personal information under the "identifiable" prong.
For cross-border businesses, this means that data classified as "personal data" under GDPR will almost always be "personal information" under PIPL if it relates to individuals located in China (see the Article 3 territorial-scope trigger in the territorial-scope section of this guide). Conversely, data that qualifies for the GDPR anonymization exclusion under Recital 26 should be analyzed separately under PIPL standards; Chinese regulators apply a strict irreversibility test and have been skeptical of pseudonymization and hashing techniques that retain a pathway to re-identification.
Article 4 also defines "processing"
In addition to defining personal information, Article 4 defines "personal information processing" (个人信息处理) in its second paragraph as including "collection, storage, use, processing [in the narrow sense], transmission, provision, disclosure and deletion, among others." This is an inclusive, lifecycle definition covering every stage from acquisition to destruction—analogous to GDPR Article 4(2). Any activity involving personal information, whether active (collection, analysis, sharing) or passive (retention), is "processing" and triggers PIPL obligations unless an exemption applies (see Article 13 lawful bases, covered in the /guides/china/lawful-bases guide).
Material scope — natural persons only
PIPL protects information relating to natural persons (自然人) only. Information about legal persons (companies, governmental bodies, other organizations) is not personal information under Article 4 and falls instead under the Data Security Law (DSL) and the Cybersecurity Law (CSL) if it qualifies as "important data" (重要数据) or relates to critical information infrastructure. Employee data, customer data, and user data are personal information; corporate registration details, publicly listed company financials, and organizational contact information (e.g., a generic info@company.cn email) are not, unless they can be linked to an identifiable individual (e.g., a named employee's direct work email).
Sensitive personal information — Article 28 PIPL definition and heightened obligations
Article 28 of the Personal Information Protection Law (PIPL) establishes a distinct category of "sensitive personal information" (敏感个人信息) subject to heightened processing obligations beyond those applicable to ordinary personal information. A practitioner scoping PIPL compliance must identify sensitive data early in the data-mapping exercise because processing it triggers mandatory separate consent (Art. 29), enhanced disclosure obligations (Art. 30), and strict necessity and purpose-limitation tests (Art. 28, para. 2).
Article 28 definition
Article 28 defines sensitive personal information as "personal information that once leaked or illegally used, may easily lead to the infringement of the personal dignity of a natural person or may endanger his personal safety or property."
The statute provides a non-exhaustive list of categories that qualify as sensitive:
- Biometrics (生物识别) — fingerprints, facial recognition data, voiceprints, iris scans, gait patterns, and other biological identifiers used for identification or authentication;
- Religious belief (宗教信仰);
- Specific identity (特定身份) — including but not limited to Communist Party membership, union membership, and other identities that may trigger discrimination or profiling;
- Medical health status (医疗健康) — medical records, diagnosis information, test results, prescription data, health insurance claims, and any information revealing an individual's physical or mental health condition;
- Financial accounts (金融账户) — bank account numbers, credit card details, payment account credentials, securities account information, and transaction records; and
- Personal whereabouts (行踪轨迹) — real-time or historical location data, including GPS coordinates, cell-site location information, travel patterns, and any data revealing where an individual has been or is going.
Critically, all personal information of a minor under the age of 14 years is classified as sensitive personal information under Article 28, regardless of content. A 13-year-old's email address, photograph, or browsing history is sensitive personal information even though the same data relating to an adult would be ordinary personal information (unless it falls into one of the six enumerated categories above).
Heightened processing obligations
Article 28, paragraph 2, imposes a foundational requirement: personal information processors can process sensitive personal information only when there is a specific purpose, when the processing is necessary, and when strict protective measures are taken. This is a three-part gate:
- Specific purpose — general consent to "improve user experience" or "for business operations" is insufficient. The processor must identify a concrete, granular purpose (e.g., "to verify your identity for account login using facial recognition" or "to process your health insurance claim").
- Necessity — the processor must demonstrate that the sensitive data is indispensable to achieve the stated purpose and that no less-intrusive alternative exists. If a pseudonymized identifier or ordinary personal information would suffice, processing sensitive data fails the necessity test.
- Strict protective measures — encryption at rest and in transit, access controls limiting sensitive data to authorized personnel only, audit logging, and enhanced security protocols proportionate to the risk. The Cyberspace Administration of China (CAC) and sector regulators expect processors handling sensitive data to implement technical and organizational safeguards materially stronger than those applied to ordinary personal information.
Article 29: Separate consent mandatory
Article 29 PIPL mandates that for the processing of sensitive personal information, the processor must obtain the individual's separate consent. This is distinct from the general consent required under Article 13 for ordinary personal information processing based on the consent lawful basis.
"Separate consent" (单独同意) means the consent request must:
- Be presented separately from any general terms-of-service or privacy-policy acceptance;
- Clearly identify the categories of sensitive personal information to be processed (not merely "sensitive data" in the abstract — name the category: biometrics, health, financial accounts, etc.);
- Specify the purpose for which each category will be processed; and
- Be affirmative — pre-checked boxes, inferred consent, or bundled consent (where access to a service is conditioned on consent to process sensitive data unnecessary for that service) are prohibited.
Where other laws or administrative regulations mandate written consent for sensitive data processing (e.g., the Cybersecurity Law's requirements for critical-information-infrastructure operators), those stricter standards prevail (Art. 29, para. 2).
Article 30: Enhanced disclosure obligations
Article 30 requires that, in addition to the general disclosures mandated by Article 17 PIPL (identity of the processor, purpose, categories of data, retention period, etc.), a processor of sensitive personal information must notify the individual of:
- The necessity of processing the sensitive personal information — a plain-language explanation of why the sensitive data is indispensable and why less-sensitive alternatives cannot achieve the purpose; and
- The impact on the individual's rights and interests — a clear statement of the risks to dignity, safety, or property if the sensitive data is leaked, misused, or processed unlawfully.
This disclosure obligation applies except where Article 13 provides an exemption (e.g., emergency situations necessary to protect life or property, or processing necessary to fulfil statutory duties or statutory obligations (履行法定职责或法定义务) under Chinese law). The burden is on the processor to demonstrate that an exemption applies; absent a clear statutory carve-out, the Article 30 enhanced disclosure is mandatory.
Article 31: Minors under 14
Article 31 PIPL establishes a parental-consent rule for processing personal information of minors under the age of 14. Because all such information is sensitive personal information under Article 28, the processor must obtain the consent of the parents or other guardians (not the minor's own consent) and must develop special rules for processing minors' personal information.
The age trigger is under 14 (未满十四周岁), measured in full years from date of birth under the Chinese calendar. A child who turns 14 is no longer subject to Article 31's parental-consent requirement, but her personal information remains sensitive if it falls into one of the six Article 28 categories (biometrics, health, financial, etc.).
Processing minors' data also triggers heightened obligations under the Provisions on the Online Protection of Minors' Personal Information (issued by the CAC in 2019, effective October 1, 2019), which impose additional consent, disclosure, retention-minimization, and security requirements. Practitioners handling minors' data must comply with both PIPL and the CAC minor-protection provisions.
Article 32: Sectoral regulations may impose further restrictions
Article 32 provides that where other laws or administrative regulations require an administrative permit for processing sensitive personal information or impose additional restrictions, those sectoral rules prevail. Examples include:
- The Regulations on the Administration of Human Genetic Resources (国务院令 第717号, effective July 1, 2019), which require administrative approval from the Ministry of Science and Technology for collecting, storing, or exporting human genetic data;
- The Anti-Terrorism Law and Cybersecurity Law provisions governing processing of data by critical-information-infrastructure operators; and
- The People's Bank of China regulations governing financial-account data held by banks and payment processors.
A processor handling sensitive data in a regulated sector must confirm whether a permit or registration is required in addition to PIPL's separate-consent and necessity requirements.
Comparison to GDPR special categories
Article 28 PIPL's sensitive personal information closely parallels the European Union's GDPR Article 9 "special categories of personal data," which prohibit processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, health data, and data concerning sex life or sexual orientation. Both regimes recognize that certain data types carry heightened dignity and discrimination risks and require stronger safeguards.
Key differences:
- Minors' data: PIPL classifies all personal information of children under 14 as sensitive; GDPR does not (though GDPR Article 8 requires parental consent for children under 16 in the information-society-services context, and Recital 38 acknowledges that children merit specific protection).
- Financial accounts: PIPL expressly includes financial-account data as sensitive; GDPR does not list financial data as a special category (though it may qualify as "data concerning … economic situation" under national implementations or as ordinary personal data subject to strict purpose limitation).
- Specific identity: PIPL's "specific identity" category has no direct GDPR analogue; it is drafted to capture politically or socially sensitive affiliations that carry discrimination risk in the Chinese context.
- Legal basis: GDPR Article 9 prohibits processing special-category data unless one of ten enumerated conditions applies (explicit consent being one); PIPL Article 29 requires separate consent as a mandatory overlay in addition to satisfying one of the Article 13 lawful bases. Under PIPL, consent is not a substitute for demonstrating necessity and specific purpose under Article 28(2) — all three requirements must be met.
For cross-border processors handling data subject to both GDPR and PIPL, the practical approach is to classify data as sensitive if it qualifies under either regime and apply the stricter set of obligations. Data classified as GDPR special-category data should be treated as PIPL sensitive personal information for Chinese data subjects, and vice versa, to ensure compliance in both jurisdictions.
Personal information processor — Article 73 definition and Article 21 entrusted-party relationship
The Personal Information Protection Law (PIPL) uses "personal information processor" (个人信息处理者) as its primary regulated entity. Understanding who qualifies as a processor is foundational for scoping PIPL obligations — it determines who must obtain consent, who is liable for breaches, and who bears the burden of demonstrating compliance. Unlike the European Union's GDPR, which distinguishes between "controllers" and "processors," PIPL adopts a unified "processor" terminology with a specialized entrusted-party relationship for service providers that mirrors the GDPR processor role functionally.
Article 73: Personal information processor defined
Article 73 PIPL defines a "personal information processor" (also translated as "personal information handler") as:
> "an organization or individual that autonomously determines the purposes and means of personal information processing."
This is a functional definition analogous to the GDPR Article 4(7) "controller" — the entity that decides why personal information is processed (the purpose) and how it is processed (the means) is the personal information processor and bears primary PIPL obligations.
The Chinese text uses "自主决定" (autonomously determines), emphasizing that the processor exercises independent decision-making authority over processing activities. If an organization or individual lacks autonomy — for example, a service provider that processes personal information strictly according to a client's instructions without discretion over purposes or means — it is not a personal information processor in its own right but rather an entrusted party (受托人) under Article 21 (see below).
"Organization or individual" — broad applicability
The definition encompasses both organizations (组织 — legal persons, unincorporated entities, governmental bodies, and other institutional actors) and individuals (个人 — natural persons operating in a business or professional capacity). A sole proprietor, a partnership, a corporation, a state-owned enterprise, and a government agency can all be personal information processors if they autonomously determine processing purposes and means.
Article 72 PIPL carves out a household exemption: the law does not apply to natural persons who process personal information "for personal or family affairs." For example, an individual maintaining a personal address book or family photo album is not a personal information processor subject to PIPL. However, the same individual operating a business (even informally, such as a freelance consultant collecting client contact information) is a processor and PIPL obligations apply in full.
Purpose and means test
The test hinges on autonomous determination of:
- Purpose — the reason for processing. Examples: "to fulfill an e-commerce order," "to provide targeted advertising," "to conduct credit scoring," "to perform employee background checks."
- Means — the method of processing. Examples: the choice of database vendor, encryption standards, retention periods, access controls, whether to anonymize or pseudonymize data, whether to share data with third parties.
An entity that decides both purpose and means is a personal information processor. An entity that decides only the means (e.g., a cloud-storage provider that chooses technical implementation details but processes data solely for the client's purposes as instructed) is an entrusted party, not an autonomous processor.
Joint processors — Article 20
Where two or more organizations or individuals jointly determine the purposes and means of processing certain personal information, they are joint personal information processors under Article 20 PIPL. Joint processors must reach an agreement specifying their respective rights and obligations, and each is liable to the data subject for the full extent of the harm caused by the joint processing. This is analogous to GDPR Article 26 joint controllers.
For example, two companies co-developing a consumer-facing mobile application, both deciding what user data to collect, for what marketing purposes, and how long to retain it, are joint processors. Conversely, if one company is the app publisher (deciding purposes and means) and the other is merely a hosting provider (following instructions), the relationship is processor-to-entrusted-party, not joint processing.
Article 21: Entrusted party — the PIPL equivalent of a GDPR processor
Article 21 PIPL creates a specialized entrusted-party (受托人) relationship for service providers that process personal information on behalf of a processor but do not autonomously determine purposes or means. This is functionally equivalent to the GDPR "processor" (as distinct from "controller").
Article 21 requires that a personal information processor entrusting the processing of personal information to another party (the entrusted party) must:
- Reach a written agreement with the entrusted party specifying:
  - The purposes of processing;
  - The period (duration) of the entrustment;
  - The means of processing;
  - The categories of personal information to be processed; and
  - Protection measures (security and confidentiality safeguards).
- Supervise the entrusted party's personal information processing activities to ensure compliance with the agreement.
The entrusted party, in turn, must process personal information in accordance with the agreement and may not process personal information beyond the agreed purposes, means, or other conditions. The entrusted party is prohibited from making autonomous decisions about processing that fall outside the scope of the entrustment.
Liability allocation
Under Article 21, the entrusting processor (the principal, analogous to the GDPR controller) retains primary responsibility for compliance. The entrusted party (analogous to the GDPR processor) is contractually bound to follow the processor's instructions and implement agreed security measures, but it does not bear the same breadth of PIPL obligations as an autonomous processor — for example, it is not required to obtain consent from data subjects (that duty rests with the entrusting processor), nor to respond to data-subject-rights requests directly (though it must assist the entrusting processor in doing so).
However, if the entrusted party processes personal information in violation of the agreement — for example, by using the data for its own commercial purposes, or by retaining data beyond the agreed retention period — it may incur direct liability under PIPL for unlawful processing. Article 66 PIPL imposes administrative penalties on any processor (including entrusted parties) that violates the law, and Article 69 creates a private right of action against processors that infringe personal information rights.
Comparison to GDPR controller / processor
| PIPL term | GDPR equivalent | Key distinction |
|---|---|---|
| Personal information processor (处理者) | Controller | Autonomously determines purposes and means; bears primary PIPL obligations (consent, disclosure, security, data-subject rights, breach notification). |
| Entrusted party (受托人) | Processor | Processes on behalf of a processor, strictly per contractual instructions; no autonomous decision-making; narrower liability unless it exceeds the scope of entrustment. |
The terminology differs — PIPL uses "processor" (处理者) for the decision-maker and "entrusted party" (受托人) for the service provider, whereas GDPR uses "controller" and "processor" respectively — but the functional roles are parallel. A cross-border business familiar with GDPR can map PIPL obligations as follows:
- GDPR controller → PIPL personal information processor (处理者)
- GDPR processor → PIPL entrusted party (受托人)
Practical scoping implications
For a practitioner scoping PIPL compliance, the Article 73 test determines who must comply:
- If your organization decides what personal information to collect from individuals in China, why to collect it, and how to use it, you are a personal information processor. PIPL obligations apply in full: you must establish a lawful basis under Article 13 (see the /guides/china/lawful-bases guide), provide Article 17 disclosures, honor data-subject rights under Chapter 4, implement Article 51 security measures, notify breaches under Article 57, and — if you are outside China and subject to Article 3(2) extraterritorial reach — appoint an Article 53 representative in China.
- If you process personal information collected by a Chinese customer strictly according to that customer's instructions (for example, as a cloud-infrastructure provider hosting a Chinese e-commerce platform's customer database, or as a payment processor handling transactions for a Chinese merchant), you are an entrusted party. Your PIPL obligations are defined primarily by the Article 21 contract with the entrusting processor, and you must implement agreed security measures and stay within the scope of entrustment. You are not independently responsible for obtaining consent or responding to data-subject requests, but you must assist the entrusting processor in fulfilling those duties.
- If you jointly decide purposes and means with another party, Article 20 joint-processor rules apply. You and the co-processor are each liable for the full scope of harm to data subjects, and you must enter into a joint-processing agreement allocating internal responsibilities (though that allocation does not limit the data subject's right to sue either or both processors for the full measure of damages).
No legitimate-interest basis complicates the processor calculus
GDPR controllers can rely on "legitimate interests" (GDPR Article 6(1)(f)) as a lawful basis for processing without consent in many business contexts. PIPL does not include a legitimate-interest basis in Article 13's enumerated lawful bases. Instead, PIPL processors must obtain consent (Art. 13(1)) or satisfy one of the six narrower non-consent bases (contractual necessity, legal obligation, emergency, public-interest journalism, already-publicly-disclosed information, or other circumstances prescribed by law).
This absence of a flexible legitimate-interest basis means that PIPL processors bear a heavier consent burden than GDPR controllers in analogous scenarios. For example, a GDPR controller might rely on legitimate interests to send direct marketing to existing customers (subject to the ePrivacy Directive opt-out for electronic marketing); a PIPL processor must obtain affirmative consent for the same activity unless the marketing falls within the Article 13(2) contractual-necessity basis (a narrow fit) or another statutory exception.
Entrusted parties inherit the legal basis established by the entrusting processor, so an entrusted party processing personal information on behalf of a processor that obtained valid consent need not obtain separate consent. However, if the entrusting processor's legal basis is deficient, the entrusted party's processing is also unlawful.
Critical-information-infrastructure operators — heightened overlay
Personal information processors that qualify as critical information infrastructure operators (CIIOs, 关键信息基础设施运营者) under the Cybersecurity Law (CSL) and the Data Security Law (DSL) face additional obligations beyond baseline PIPL requirements. CIIOs are entities operating in sectors critical to national security or the national economy — telecommunications, energy, finance, transportation, water, and public services — whose disruption would severely harm national security, public welfare, or economic stability.
CIIOs that are also personal information processors must comply with PIPL plus heightened CSL and DSL requirements, including mandatory security assessments before transferring personal information abroad (Art. 40 PIPL cross-references the CSL CIIO data-localization and security-assessment regime), appointment of dedicated security personnel, annual security audits, and reporting to the Cyberspace Administration of China (CAC). The CIIO designation does not change the Article 73 processor definition — a CIIO is still a personal information processor if it autonomously determines processing purposes and means — but it layers on additional compliance burdens.
Household exemption — Article 72
Article 72 PIPL provides that "the processing of personal information by a natural person for personal or family affairs" is not subject to the law. This is a narrow carve-out analogous to the GDPR Recital 18 household exemption.
Examples of exempt household processing:
- Maintaining a personal contact list on a mobile phone;
- Organizing family photographs in a personal cloud-storage account;
- Sending invitations to a private family event.
Examples where the exemption does not apply (and PIPL processor obligations attach):
- A freelance graphic designer collecting client contact information and project details for commercial work;
- An individual operating a small online store selling handicrafts, collecting customer shipping addresses and payment information;
- A homeowner installing a video-surveillance camera that captures footage of a public sidewalk or neighboring property (processing personal information of passersby or neighbors, not purely "family affairs").
The exemption is personal or family in purpose, not merely in scale. An individual processing small volumes of data for business purposes is a personal information processor; a household processing large volumes of data for purely family purposes (e.g., digitizing decades of family home videos) is exempt.
Attribution to foreign processors under Article 3 extraterritorial reach
A foreign organization or individual with no physical presence in China can be a personal information processor subject to PIPL if its processing activities trigger Article 3(2) extraterritorial jurisdiction:
- Processing personal information for the purpose of providing products or services to individuals located in China (Art. 3(2)(1));
- Processing personal information to analyze or assess the behavior of individuals located in China (Art. 3(2)(2)); or
- Other circumstances prescribed by law or regulation (Art. 3(2)(3)).
Such extraterritorial processors must appoint a representative in China under Article 53 to handle personal information protection matters and file the representative's contact details with the CAC (see the territorial-scope section of this guide for details on the Article 3 triggers). The representative does not replace the foreign processor; the foreign organization or individual remains the Article 73 personal information processor and bears full PIPL liability. The representative serves as the in-China point of contact for regulators and data subjects.
Article 72 — Exemptions from PIPL applicability (household processing, government statistical and archival activities)
Article 72 of the Personal Information Protection Law (PIPL) creates two statutory carve-outs from the law's applicability: personal or household processing by natural persons, and government-organized statistical and archival activities where other laws provide specific rules. Understanding these exemptions is foundational for scoping PIPL compliance obligations — processing that qualifies for an Article 72 exemption is outside the law entirely, meaning no PIPL obligations apply (no consent requirement, no data-subject-rights obligations, no breach notification, no security measures under Articles 51–57). Practitioners must apply these exemptions narrowly; ambiguous cases should be analyzed as in-scope processing subject to full PIPL obligations.
Article 72, paragraph 1: Personal or household affairs exemption
Article 72 provides:
> "This Law is not applicable where a natural person processes personal information for personal or household affairs."
This is a narrow household exemption analogous to the European Union's GDPR Recital 18 household exception and the Data Protection Directive 95/46/EC Article 3(2) second-indent exemption. The Chinese text uses "个人或者家庭事务" (personal or household affairs), signaling that the exemption covers only purely private, non-commercial, non-professional activities conducted by a natural person.
Qualifying activities
Processing qualifies for the Article 72 paragraph 1 exemption only if all of the following conditions are met:
- Natural person — The processor must be a natural person (自然人, an individual human being). Legal persons (companies, organizations, governmental bodies) can never claim the household exemption, regardless of the nature of the processing. A sole proprietor operating a business is a natural person but is not processing for personal or household affairs when conducting business activities; the exemption does not apply.
- Personal or household affairs — The purpose of the processing must be purely personal or domestic. Processing is for personal or household affairs when it serves the private, family, or social life of the individual and has no connection to a professional, commercial, or public activity.
- No commercial or professional dimension — If the processing serves any business purpose, generates revenue, supports a professional activity, or is intended to be accessible to an indefinite number of third parties outside the household or personal sphere, the exemption does not apply.
Examples of exempt processing
- Maintaining a personal contact list on a mobile phone or in a cloud-based personal address book (names, phone numbers, email addresses of friends, family, acquaintances) used solely for personal communication;
- Organizing family photographs or videos in a personal computer, tablet, or cloud-storage account (e.g., storing photos of family vacations, children's school events, private gatherings) with no intent to publish or distribute them beyond the family circle;
- Sending invitations to a private family event (a wedding, birthday party, or family reunion) via email or messaging apps to a closed list of invitees;
- Maintaining household financial records (personal bank statements, receipts, tax documents) for the individual's or family's own budgeting and tax-filing purposes;
- Keeping a personal diary or journal in electronic or paper form, even if it mentions other individuals by name, provided the diary is purely private and not intended for publication or public access.
Examples where the exemption does NOT apply
- A freelance consultant, graphic designer, or translator collecting client names, contact details, project descriptions, and payment information to perform services for hire. Even if the individual operates informally (no registered business entity, working from home), the processing is for professional purposes, not personal or household affairs. PIPL obligations apply in full, and the individual is a personal information processor under Article 73.
- An individual operating a small online store on an e-commerce platform (Taobao, JD.com, or a standalone website) collecting customer names, shipping addresses, payment details, and order histories. The processing serves a commercial purpose — selling goods or services to third parties — and is therefore outside the Article 72 exemption.
- A homeowner installing a video-surveillance camera that captures footage of a public sidewalk, street, or neighboring property. Processing images or video of passersby or neighbors is not purely household — it affects individuals outside the household, and PIPL obligations apply. The European Court of Justice (ECJ) established this principle in Ryneš v. Office for Personal Data Protection, Case C-212/13 (Dec. 11, 2014), interpreting the analogous EU Directive 95/46/EC household exemption; although not binding on Chinese courts, the Ryneš reasoning is persuasive: a camera pointed outward from private property at public or semi-public space processes data of third parties and cannot be purely "household."
- A natural person collecting and sharing personal information on social media (posting photographs, names, or identifying details of friends, family, or acquaintances on WeChat Moments, Weibo, Douyin, or other platforms accessible to an indefinite number of third parties beyond a closed personal network). Once processing is intended to reach an unlimited or semi-public audience, the household exemption no longer applies. The EU's Article 29 Working Party (predecessor to the European Data Protection Board) has consistently held that posting personal data on publicly accessible social-media pages is not household processing (Opinion 5/2009 on online social networking).
- A natural person maintaining a blog, podcast, or YouTube channel (even if non-commercial, e.g., a personal travel blog or opinion vlog) that publishes names, images, or other personal information of individuals. The intent to disseminate to the public removes the processing from the personal-or-household sphere; such activity may instead qualify for the journalistic, academic, or public-interest processing safe harbor discussed in other PIPL provisions (though those are subject to conditions and are not blanket exemptions under Article 72).
Scale is irrelevant; purpose is dispositive
The exemption turns on purpose, not volume. A natural person processing a small dataset (e.g., five client contacts) for commercial purposes is not exempt. Conversely, a household processing a large volume of personal information (e.g., digitizing decades of family home videos, creating a comprehensive genealogy database of extended-family members for family-history purposes) is exempt if the purpose remains purely personal or familial and the data is not made publicly accessible or used for any commercial or professional end.
Burden of proof
The natural person claiming the Article 72 paragraph 1 exemption bears the burden of demonstrating that the processing is genuinely and exclusively for personal or household affairs. If the Cyberspace Administration of China (CAC) or a sectoral regulator investigates and finds that the processing has a commercial dimension, professional purpose, or is accessible to an indefinite public, the exemption will be denied and PIPL obligations will apply retroactively. In practice, ambiguous cases — for example, an individual who occasionally monetizes a personal blog through advertising, or a homeowner who shares doorbell-camera footage with neighbors in a WeChat group — should be treated as in-scope processing to avoid enforcement risk.
Article 72, paragraph 2: Government statistical and archival activities
Article 72, paragraph 2, provides:
> "Where other laws provide personal information processing in statistical or archives management activities organized and conducted by the people's governments at all levels and the relevant departments thereof, such provisions shall apply."
This is a sectoral carve-out, not a blanket exemption. It recognizes that government agencies (people's governments at central, provincial, municipal, county, and township levels, and their departments) conduct statistical surveys, census activities, and archival-management functions pursuant to other laws — principally the Statistics Law of the People's Republic of China (中华人民共和国统计法, revised 2009) and the Archives Law of the People's Republic of China (中华人民共和国档案法, revised 2020). When those laws impose specific obligations, procedures, or safeguards for processing personal information in the course of statistical or archival work, those sectoral laws prevail over PIPL, and PIPL does not apply to the extent the sectoral law provides.
Conditions for the government-statistics exemption
The Article 72 paragraph 2 carve-out applies only when all of the following elements are satisfied:
- Government-organized activity — The processing must be organized and conducted by the people's governments at all levels (the central government (中央政府), provincial governments, municipal governments, county governments, township governments) or their relevant departments (e.g., the National Bureau of Statistics, provincial statistics bureaus, local archives bureaus). Private companies, research institutes, universities, and non-governmental organizations conducting statistical or archival work do not qualify for this exemption.
- Statistical or archives management — The activity must be a statistical survey (统计调查) as defined and regulated by the Statistics Law (e.g., national census, economic surveys, demographic studies) or archives management (档案管理) as defined by the Archives Law (e.g., preservation of historical records, government documents, cultural heritage materials). Processing for other governmental purposes (e.g., law enforcement, taxation, social-welfare administration) does not fall within Article 72 paragraph 2 and is instead subject to PIPL Articles 34–36 (state-organ processing obligations) or other applicable PIPL provisions.
- Other laws provide — There must be a specific statutory provision in another law (the Statistics Law, the Archives Law, or an administrative regulation promulgated under those laws) that governs the processing of personal information in that context. The sectoral law must provide substantive rules — for example, confidentiality obligations, data-minimization requirements, permitted uses, retention periods, or penalties for unauthorized disclosure. If the sectoral law is silent on personal-information processing, the exemption does not apply and PIPL governs.
Examples of qualifying government activities
- National Population Census (全国人口普查) conducted by the National Bureau of Statistics under the Statistics Law, which collects personal information (names, ages, household composition, addresses) from all residents of China. The Statistics Law Article 9 imposes a duty of confidentiality on census workers and prohibits disclosure of individual respondent data; aggregated statistical results may be published, but individual-level data cannot be. Because the Statistics Law provides specific processing rules, PIPL does not apply to the census itself under Article 72 paragraph 2.
- Government archival preservation of historical personnel records, land-registry documents, judicial case files, and other public records under the Archives Law. Article 15 of the Archives Law (revised 2020) requires archives departments to protect state secrets, commercial secrets, and personal privacy when managing and providing access to archival materials. This sectoral framework prevails over PIPL for government-archives management.
- Economic surveys (such as enterprise surveys, agricultural production surveys, or industrial output surveys) conducted by provincial or municipal statistics bureaus under the Statistics Law. If the survey collects personal information of enterprise owners, farm operators, or individual business proprietors, the Statistics Law's confidentiality and data-security provisions apply, and PIPL obligations do not.
Examples where the exemption does NOT apply
- A university research team conducting a social-science survey or public-opinion poll involving personal information. Even if the research is funded by a government grant or serves a public-interest purpose, the university is not "the people's governments at all levels and the relevant departments thereof." The researchers are personal information processors under PIPL and must comply with Article 13 lawful bases (likely consent, unless the research qualifies for the public-interest exemption under Article 13(6), which is narrowly construed), Article 17 disclosure obligations, Article 14 consent requirements, and Chapter 4 data-subject-rights provisions. There is no blanket research exemption in PIPL, though the Article 13 commentary in some sectoral guidance suggests that anonymized research data or processing of already-publicly-disclosed information under Article 27 may provide narrow safe harbors.
- A government agency processing personal information for law enforcement, taxation, social-welfare administration, or other regulatory purposes outside the scope of statistics or archives. Such processing is governed by PIPL Chapter 3, Section 3 (Articles 34–36), which imposes specific obligations on "state organs" (国家机关). State organs must process personal information only to the extent necessary to perform their statutory duties (Article 34), must not disclose or provide personal information to third parties except as prescribed by law (Article 35), and must publish their personal-information processing rules (Article 36). These are not exemptions; they are specialized PIPL obligations tailored to government actors. Article 72 paragraph 2 does not exempt law-enforcement or regulatory processing.
- A private-sector entity contracted by a government agency to conduct a statistical survey or manage archival digitization. The contractor is an entrusted party under Article 21 PIPL, processing personal information on behalf of the government agency. The government agency (the entrusting processor) may benefit from the Article 72 paragraph 2 sectoral-law framework, but the contractor itself is subject to PIPL Article 21 obligations: it must enter into a written agreement specifying purposes, means, categories of data, and security measures; it must process strictly according to the agreement; and it must implement appropriate security safeguards. The household exemption (Article 72 paragraph 1) does not apply to legal persons or organizations, and the government-statistics exemption (Article 72 paragraph 2) applies only to government entities themselves, not to their contractors.
Interaction with PIPL Articles 34–36 (state-organ processing)
Article 72 paragraph 2 is not a blanket exemption for all government processing. It applies only to government-organized statistical and archival activities where other laws provide. For all other government processing — law enforcement, taxation, social security, healthcare administration, education, and regulatory oversight — PIPL does apply, but through the specialized regime in Articles 34–36:
- Article 34: State organs processing personal information to perform statutory duties must do so within the scope necessary for those duties and must comply with the purpose-limitation and data-minimization principles in Articles 6 and 7 PIPL.
- Article 35: State organs may not disclose or provide personal information to third parties except as prescribed by laws or administrative regulations.
- Article 36: State organs must publicly disclose their personal-information processing rules unless such disclosure would harm national security or the public interest.
These are special obligations, not exemptions. State organs are personal information processors under Article 73 when they autonomously determine processing purposes and means. They must comply with PIPL security obligations (Articles 51–57) and breach-notification obligations (Article 57), and must honor data-subject rights (Chapter 4) to the extent compatible with the performance of their statutory duties. For example, a data subject's right to erasure under Article 47 may be limited if the personal information is required to be retained by law (e.g., tax records, criminal investigation files), but the state organ must still provide access under Article 45 and correction under Article 46 unless a statutory exemption applies.
No express exemption for journalism, academic research, or public-interest processing in Article 72
Unlike the European Union's GDPR Article 85 (which requires member states to provide exemptions and derogations for processing "for journalistic purposes or the purpose of academic, artistic or literary expression" to reconcile data protection with freedom of expression), PIPL Article 72 does not expressly exempt journalism, academic research, or public-interest processing. The household exemption (Article 72 paragraph 1) is limited to personal or household affairs of natural persons; professional journalists, news organizations, academic institutions, and public-interest advocacy groups are not exempt under Article 72.
However, Article 13(6) PIPL provides a lawful basis for processing personal information that has been disclosed by the individual himself/herself or otherwise lawfully disclosed, and Article 13(7) provides a catch-all for "other circumstances prescribed by laws and administrative regulations." Some commentators and practitioners interpret these provisions — read in conjunction with the Civil Code Article 1036 (which protects freedom of speech and requires balancing personal-information protection against public-interest reporting) — as creating a limited safe harbor for processing already-public information for news, academic, or public-interest purposes. This is not a blanket exemption, and the contours remain under-litigated. Journalists and researchers processing non-public personal information should obtain consent (Article 13(1)) or demonstrate that the processing is necessary to respond to a public-health emergency or protect vital interests (Article 13(4)), or that it falls within another Article 13 lawful basis. Relying on an implied public-interest exemption carries enforcement risk absent clear statutory or regulatory guidance from the CAC.
Deceased persons
PIPL applies to personal information of natural persons (自然人). Article 2 PIPL states that the law protects the "personal information rights and interests of natural persons." Chinese civil law distinguishes between natural persons (living individuals with legal personality) and deceased individuals, whose rights and interests are protected through inheritance law and personality-rights provisions in the Civil Code but who are no longer natural persons for purposes of most statutes.
PIPL does not expressly state whether personal information of deceased individuals is covered. Article 49 PIPL provides:
> "For the sake of their own lawful and legitimate rights and interests, the close relatives of a natural person may, after the natural person's death, exercise the rights of access, reproduction, correction, and deletion of the deceased's personal information, unless the natural person had arrangements to the contrary before death."
This provision implies that some PIPL protections extend to deceased persons' personal information through the agency of close relatives, but it does not resolve whether the law as a whole applies to such data. The prevailing interpretation, based on Civil Code Articles 994–997 (personality-rights protections for deceased persons) and PIPL Article 49, is:
- Personal information of deceased individuals is not "personal information" under Article 4 PIPL in the strict sense (because the deceased is no longer an "identified or identifiable natural person"), but
- Processors should treat such data as if it were personal information to the extent necessary to honor the Article 49 rights of close relatives, and
- Disclosure or misuse of deceased persons' personal information that harms the dignity or reputation of the deceased or causes emotional distress to close relatives may give rise to civil liability under Civil Code Article 994 (protection of the name, portrait, reputation, honor, privacy, and remains of deceased persons) even if PIPL does not apply directly.
As a matter of best practice, processors should apply PIPL security, confidentiality, and purpose-limitation obligations to personal information of deceased individuals, particularly sensitive personal information (medical records, financial accounts, biometrics), to avoid Civil Code tort liability and reputational harm.
Enforcement and penalties for misuse of the household exemption
If a natural person claims the Article 72 paragraph 1 household exemption but the CAC or a sectoral regulator determines that the processing is actually commercial, professional, or public-facing, the individual will be treated as a personal information processor under Article 73 and subject to retroactive PIPL obligations. Article 66 PIPL authorizes the CAC and relevant departments to:
- Order rectification;
- Issue warnings;
- Confiscate illegal gains;
- Impose fines up to RMB 1 million (for processing that violates PIPL but does not reach the higher-tier penalty thresholds); or
- Impose fines up to RMB 50 million or 5% of the prior year's turnover for serious violations (Article 66, para. 2).
Additionally, if the processing involves unlawful collection, use, or disclosure of personal information and the conduct violates the Criminal Law, the individual may be subject to criminal liability under Criminal Law Article 253-1 (crime of infringing citizens' personal information), which provides for imprisonment of up to three years (or up to seven years for "particularly serious circumstances") and/or fines.
The lesson for practitioners: the Article 72 household exemption is narrow. When in doubt, treat the processing as in-scope and comply with PIPL.
Source: Personal Information Protection Law of the People's Republic of China, Art. 72 (effective Nov. 1, 2021)
Source: Statistics Law of the People's Republic of China (2009 Revision)
Source: Archives Law of the People's Republic of China (2020 Revision)
Publicly-disclosed information exemption — Article 27 PIPL "reasonable processing" and the consent override
Article 27 of the Personal Information Protection Law (PIPL) creates a limited exemption that permits "reasonable processing" of personal information that has been publicly disclosed without obtaining the individual's consent under Article 13(1). This exemption is critical for processors engaged in journalism, academic research, background checks, and online-reputation monitoring, but its scope is narrow and its application is heavily conditioned on the nature of the disclosure, the individual's objection, and the potential impact on the individual's rights and interests. Practitioners must understand the two-part structure of Article 27: the baseline permission for reasonable processing, and the mandatory consent override when the processing would have a significant impact on rights and interests.
Article 27, paragraph 1: The baseline exemption for publicly disclosed information
Article 27, paragraph 1, PIPL provides:
> "A personal information processor may reasonably process the personal information disclosed by an individual himself or other legally disclosed personal information, except where the individual expressly refuses."
This establishes three conditions for processing personal information without consent (i.e., without satisfying Article 13(1)):
- The personal information is "disclosed by an individual himself" — the data subject voluntarily made the information public, for example by posting it on a social-media profile set to public visibility, publishing it in a blog or article under the individual's name, or disclosing it in a public speech, interview, or court filing. The key is that the individual exercised autonomous control over the disclosure; information leaked or disclosed by a third party without the individual's consent is not "disclosed by an individual himself."
- Or the personal information is "other legally disclosed personal information" (其他已经合法公开的个人信息) — information that has been made public through a lawful process, including:
  - Government records made public under China's open-government-information regulations (e.g., corporate registration filings naming directors and shareholders, court judgments naming parties, administrative-penalty decisions naming violators);
  - Publicly available professional directories (e.g., lawyer or doctor licensing databases maintained by regulatory authorities);
  - Media reporting that lawfully disclosed the information under Article 13(7) PIPL's journalism exemption (see below); or
  - Information disclosed in compliance with legal obligations (e.g., mandatory environmental-impact disclosures, securities-filing beneficial-ownership data).
  Information obtained through unlawful means — for example, stolen databases, leaked corporate records, or information disclosed in breach of confidentiality obligations — is not "legally disclosed" and cannot be processed under the Article 27 exemption.
- The individual has not "expressly refused" — even if the information is publicly disclosed, the individual retains a veto right. If the individual notifies the processor that he or she objects to the processing, the processor must cease. This is an opt-out mechanism: the processor may begin processing without prior consent, but must honor a refusal when communicated. The Chinese text uses "明确拒绝" (expressly refuses), requiring an affirmative, unambiguous objection — silent disagreement or general privacy preferences are insufficient. However, once the individual has expressly refused, continued processing is unlawful unless the processor can satisfy one of the other Article 13 lawful bases (e.g., contractual necessity, legal obligation, or emergency).
The "reasonably process" requirement — purpose limitation and context fidelity
Article 27 permits only "reasonable processing" (合理处理) of publicly disclosed information. Although PIPL does not define "reasonable" in Article 27 itself, the Cyberspace Administration of China (CAC) and Chinese privacy scholars interpret this as a context-appropriate, purpose-limited standard analogous to the "reasonable expectations" test in common-law privacy doctrine.
Reasonable processing means:
- Processing consistent with the purpose or context of the original disclosure. For example, if an individual disclosed her email address in a public blog post soliciting freelance-writing inquiries, a publisher may process that email to send a writing assignment offer (purpose-consistent use). However, using the same email to send unrelated marketing emails for financial products, or selling the email to a data broker, would likely not be reasonable processing because it diverges from the original disclosure context.
- No material change in the nature or scope of processing. For example, scraping publicly posted LinkedIn profile data (name, job title, employer, city) to build a professional-networking tool arguably fits within the reasonable-expectations boundary of a LinkedIn user who set her profile to public. However, using the same data to build a facial-recognition database (if profile photos are included), or to generate psychometric personality scores for targeted political advertising, would exceed "reasonable" because the nature of processing (biometric identification, invasive profiling) materially differs from the professional-networking purpose for which the data was disclosed.
- Respect for the individual's dignity and autonomy. Processing that exploits publicly disclosed information in ways that harm the individual's reputation, economic interests, or personal safety is not reasonable even if technically lawful. For example, compiling a public database of individuals' home addresses scraped from property-registration records and marketing it to debt collectors or stalkers would likely violate the reasonableness standard under Article 27, even though the underlying property records are legally public.
Chinese courts and regulators apply a case-by-case reasonableness analysis informed by the sensitivity of the data, the nature of the original disclosure, the processor's purpose, and the foreseeable impact on the individual. Processors relying on Article 27 bear the burden of demonstrating that their processing is reasonable within the meaning of the statute.
Article 27, paragraph 2: Mandatory consent override for "significant impact" processing
Article 27, paragraph 2, imposes a critical limitation on the Article 27 exemption:
> "Where the processing of disclosed personal information may have a significant impact on an individual's rights and interests, the personal information processors shall first obtain the individual's consent in accordance with the provisions of this Law."
This is a consent override: even if the personal information is publicly disclosed and the processing would otherwise be "reasonable" under paragraph 1, the processor must obtain consent under Article 13(1) if the processing may have a significant impact on the individual's rights and interests.
"Significant impact" is a fact-specific threshold. The CAC has not issued formal guidelines defining the term, but Chinese privacy practitioners and academic commentary identify the following scenarios as likely to trigger the paragraph-2 consent requirement:
- Large-scale aggregation or profiling — scraping thousands or millions of publicly disclosed social-media posts to build behavioral profiles or train machine-learning models for targeted advertising, credit scoring, or employment screening. Although each individual post is public, the aggregate profiling creates new insights and risks (discrimination, manipulation, reputational harm) that the individual did not contemplate when posting. This exceeds the "reasonable" boundary and requires consent.
- Cross-context linkage — combining publicly disclosed information from multiple sources to create a comprehensive dossier on an individual. For example, linking an individual's publicly posted resume (name, job history), social-media posts (political opinions, lifestyle habits), and property-registration records (home address, financial status) to generate a "360-degree profile" for sale to marketers or employers. The linkage creates a level of exposure and vulnerability beyond what the individual reasonably expected from each isolated public disclosure, triggering the significant-impact threshold.
- Sensitive or high-risk uses — processing publicly disclosed information for purposes that carry inherent dignity or safety risks, such as:
  - Facial-recognition systems trained on publicly posted photographs;
  - Automated decision-making (ADM) systems that affect credit, employment, or access to services, using publicly disclosed data as inputs;
  - Processing for law-enforcement or surveillance purposes (subject to separate Article 34 rules for state organs, see below);
  - Publishing or amplifying the information in a manner that materially increases reputational or safety risk (e.g., republishing a public court judgment naming a domestic-violence victim in a high-traffic news outlet with SEO optimization, increasing the victim's exposure).
If the processor's intended use triggers the significant-impact threshold, Article 27 paragraph 2 restores the Article 13(1) consent requirement. The processor must obtain affirmative, informed, specific consent from the individual before proceeding. The exemption in paragraph 1 is effectively nullified for high-impact processing.
Interaction with Article 13 lawful bases — Article 27 as an alternative, not a displacement
Article 27 provides an alternative pathway for processing publicly disclosed information without consent, but it does not displace the other Article 13 lawful bases. A processor may still rely on:
- Article 13(2) (contractual necessity) — for example, processing a job applicant's publicly posted resume to evaluate her candidacy under an employment contract;
- Article 13(3) (履行法定职责或法定义务, performance of statutory duties or legal obligations) — for example, a regulatory authority processing publicly disclosed corporate filings to perform its oversight function;
- Article 13(4) (emergency to protect life or property);
- Article 13(6) (processing necessary for public-interest journalism or supervising conduct in the public interest, within reasonable scope) — the journalism safe harbor discussed below; or
- Article 13(7) (other circumstances prescribed by law or administrative regulation).
Article 27's "reasonable processing" exemption is most useful when the processor cannot satisfy any of the other Article 13 bases and the processing does not have a significant impact. If the processor can establish contractual necessity (Art. 13(2)) or a public-interest journalism basis (Art. 13(6)), those provide firmer legal grounding than the fact-specific "reasonableness" analysis under Article 27.
Public-interest journalism and supervision — Article 13(6) safe harbor
Article 13(6) PIPL establishes a separate lawful basis (not an exemption, but an independent basis that displaces the consent requirement) for processing personal information when it is "necessary for conducting news reporting or supervising conduct in the public interest, and is processed within a reasonable scope."
This journalism safe harbor overlaps with the Article 27 exemption but is broader in two respects:
- It applies to non-public information if the processing is necessary for journalism or public-interest supervision. A journalist investigating government corruption may process leaked documents or whistleblower-provided personal information (not publicly disclosed) under Article 13(6) without consent, provided the processing is necessary and within a reasonable scope.
- It does not require prior public disclosure. A news organization may collect and process personal information (e.g., interviewing witnesses, reviewing private documents provided by sources) to produce investigative journalism, and the Article 13(6) basis applies at the point of collection, not only after publication.
However, Article 13(6) imposes two constraints that Article 27 does not:
- Necessity — the processing must be indispensable to the journalistic or public-interest purpose. Using personal information for commercial advertising or unrelated business purposes does not qualify.
- Reasonable scope — the processing must be proportionate to the public-interest value. Publishing a public official's home address and family members' names in an investigative report about official misconduct may exceed "reasonable scope" if the family information is irrelevant to the misconduct and creates undue safety or privacy risk.
Processors engaged in journalism, academic research, or civil-society watchdog functions often invoke Article 13(6) in combination with Article 27. When the underlying information is already publicly disclosed, Article 27 provides a baseline permission; when the information is not public but the processing serves a public interest, Article 13(6) supplies the lawful basis.
State-organ processing — Article 33 et seq. special rules
Article 33 PIPL provides that "state organs" (国家机关 — governmental bodies exercising sovereign functions) are subject to PIPL when processing personal information, but special rules in Articles 33–36 modify the general obligations.
Under Article 34, when state organs process personal information "in order to perform their statutory duties," they:
- Must act in accordance with the authority and procedures prescribed by laws and administrative regulations;
- Shall not exceed the scope and limits necessary to perform their statutory duties (a strict necessity and purpose-limitation standard tighter than the private-sector "reasonable scope" test); and
- Are exempt from the Article 17 notification obligation if (a) notification is not required under Article 18 exceptions (e.g., emergency situations, or where providing notice would impair an ongoing investigation or law-enforcement action), or (b) notification would hinder the state organs from performing their statutory duties (Article 35).
This means a public-security bureau conducting a criminal investigation, or a tax authority auditing a taxpayer, may process personal information (including publicly disclosed and non-public data) without consent and without notification to the data subject, provided the processing is within the scope of the agency's statutory duties and prescribed procedures.
However, Article 36 imposes a transparency overlay: state organs must "manage government data resources in a coordinated manner, in accordance with law, disclose information to the public in accordance with law, and provide convenient inquiry services." This is a limited open-government obligation, not a blanket exemption from PIPL. State organs remain bound by purpose limitation, necessity, and security obligations under PIPL Articles 51 et seq.
Comparison to GDPR Article 6(1)(f) legitimate interests — a critical difference
Practitioners familiar with the European Union's GDPR may be tempted to analogize Article 27 PIPL's "reasonable processing" of publicly disclosed information to GDPR Article 6(1)(f) legitimate interests. This analogy is partially correct but materially incomplete.
Both regimes recognize that processing personal information for purposes reasonably aligned with the context of disclosure, without consent, can be lawful when balanced against the individual's rights. However:
- GDPR Article 6(1)(f) is a general lawful basis that applies to any personal data (public or non-public) when the controller's legitimate interests outweigh the data subject's rights and the processing is necessary to achieve those interests. It is subject to a balancing test codified in GDPR Recital 47 and refined by CJEU case law (e.g., Rigas, C-13/16; Fashion ID, C-40/17).
- PIPL Article 27 is a narrow exemption that applies only to publicly disclosed personal information and is subject to (a) a reasonableness analysis, (b) an individual opt-out right, and (c) a mandatory consent override for significant-impact processing. It does not provide a general legitimate-interests basis for processing non-public data.
China's PIPL does not include a GDPR Article 6(1)(f) equivalent for non-public data. A Chinese processor cannot invoke "legitimate business interests" to process personal information without consent unless the processing fits within one of the six narrow Article 13 bases (consent, contract, legal obligation, emergency, journalism/public interest, or other law-prescribed circumstances). This makes PIPL's consent burden heavier than GDPR's in many commercial scenarios — for example, direct marketing to existing customers, fraud prevention using customer data, or internal HR analytics on employee performance.
The Article 27 exemption partially fills this gap for publicly disclosed information, but processors handling non-public data must either obtain consent or satisfy one of the other Article 13 bases. There is no residual "legitimate interests" catch-all.
Practical guidance for processors relying on Article 27
- Document the source and lawfulness of the disclosure. Maintain records showing that the personal information was either (a) disclosed by the individual himself (screenshot of the public social-media post, timestamped archive of the public website, etc.), or (b) legally disclosed by a government authority, court, or other lawful process. If the information came from a data broker or third-party scraper, verify the broker's chain of custody and the lawfulness of the original disclosure — leaked or stolen data cannot be "legally disclosed" under Article 27.
- Conduct a context-fidelity analysis. Ask: What was the purpose or reasonable expectation associated with the original disclosure? Is our intended use aligned with that context, or does it materially diverge? For example, an individual posting a photograph on a hobby forum to share a craft project likely expects the photo to be viewed by fellow hobbyists, not scraped into a facial-recognition training set. The latter use exceeds reasonable scope.
- Assess significant-impact risk. If the processing involves large-scale aggregation, cross-context linkage, automated decision-making, or sensitive subject matter (health, political opinions, precise geolocation, biometrics), assume the Article 27 paragraph 2 consent override applies and obtain consent under Article 13(1). Do not rely on the paragraph-1 exemption for high-impact processing.
- Implement an opt-out mechanism. Article 27 paragraph 1 requires cessation of processing when the individual "expressly refuses." Provide a clear, accessible channel for individuals to object (e.g., an email address or web form linked in your privacy policy) and honor objections promptly. Continued processing after an express refusal is unlawful.
- Consider whether Article 13(6) journalism or another lawful basis provides firmer grounding. If your organization is engaged in news reporting, academic research, or public-interest watchdog work, the Article 13(6) journalism basis may be more defensible than the Article 27 exemption because it does not hinge on "reasonableness" (a subjective, evolving standard) and is not subject to individual opt-out (though it is subject to "reasonable scope" and necessity tests). If the processing is necessary to perform a contract or comply with a legal obligation, invoke Article 13(2) or (3) rather than relying on Article 27.
- Monitor CAC enforcement and judicial interpretation. As of June 2026, the CAC and Chinese courts have issued limited public guidance on the Article 27 "reasonable processing" standard. Processors should track enforcement decisions and administrative penalty notices (公告) published by provincial-level cyberspace administration offices and the CAC to identify emerging red lines — for example, data-broker sales of scraped public data, or large-scale social-media scraping for AI training, have drawn CAC scrutiny in recent years.
Article 72 statutory exemptions — household affairs and government statistical activities
Article 72 of the Personal Information Protection Law (PIPL) establishes two critical exclusions from the law's scope. These carve-outs define categories of personal information processing to which PIPL obligations — consent, disclosure, data-subject rights, breach notification, and security measures — do not apply. A practitioner scoping PIPL compliance must identify whether the processing falls within one of these exemptions before analyzing lawful bases or implementing data-protection safeguards.
Article 72, first paragraph: household exemption
Article 72 provides that PIPL is not applicable where a natural person processes personal information for personal or household affairs (个人或者家庭事务). This is a complete exemption — the law does not apply at all to such processing.
The Chinese text uses "个人或者家庭事务" (personal or household affairs), signaling a narrow, purpose-based test analogous to the European Union's GDPR Recital 18 household exemption. The exemption turns on why the natural person is processing the information, not merely on the volume or sensitivity of the data.
Processing that qualifies for the household exemption:
- Maintaining a personal address book or contact list on a mobile phone or personal computer for private correspondence;
- Organizing family photographs in a personal cloud-storage account or on a home server, accessible only to family members;
- Managing household budgets or personal financial records for the individual's own use or shared with immediate family;
- Sending invitations to a private family event (a wedding, birthday, or reunion) using a personal email list;
- Keeping a personal diary or journal, whether in paper or electronic form; or
- Recording home security footage from a camera installed on private property that captures only the interior of the home or immediate family members, and is not shared with third parties or used for commercial purposes.
The exemption is strictly limited to processing for the individual's own personal purposes or those of their immediate household. It does not extend to any processing conducted in the course of a professional, commercial, or public activity, even if conducted by a natural person acting alone.
Processing that does NOT qualify (PIPL applies in full):
- A freelance graphic designer collecting client contact information, project briefs, and billing details for commercial work — this is processing for a professional purpose, not personal or household affairs;
- An individual operating a small online store (e.g., selling handicrafts on an e-commerce platform) who collects customer names, shipping addresses, and payment information — commercial activity, even if small-scale;
- A homeowner installing exterior security cameras that capture video footage of a public sidewalk, neighboring properties, or passersby — processing personal information of individuals outside the household for a security purpose that affects third parties' rights;
- A landlord maintaining tenant records (lease agreements, contact details, payment histories) for rental properties — processing in a business or property-management capacity;
- A natural person managing a community social-media group or online forum that collects and stores usernames, email addresses, and posts from members — public or community activity, not household affairs; or
- An individual collecting and analyzing publicly disclosed personal information from social media or other sources for research, journalism, or commentary purposes — even non-commercial research is not a personal or household affair if it involves systematic processing of third parties' data.
The test is purpose, not scale. A natural person processing a small volume of data for commercial purposes is a PIPL personal information processor; a household processing large volumes of data for purely family purposes (e.g., digitizing decades of family home videos and photographs for archival preservation within the family) remains exempt.
No legal-entity or organizational exemption
Article 72's household exemption is available only to natural persons. A legal person, company, non-profit organization, or other institutional entity — even if small or family-owned — cannot invoke the household exemption. PIPL applies in full to all organizational processing of personal information, regardless of size or purpose, unless another statutory exemption applies (such as the government statistics exemption discussed below).
Article 72, second paragraph: government statistical and archival activities
Article 72 provides a second carve-out: where other laws contain provisions governing the processing of personal information in statistical or archives management activities organized and conducted by the people's governments at all levels and their relevant departments, those provisions shall prevail over PIPL.
This is a sectoral override, not a blanket exemption. PIPL applies to government statistical and archival processing except to the extent that another statute — typically the Statistics Law (中华人民共和国统计法, adopted 1983, revised 2009) or the Archives Law (中华人民共和国档案法, adopted 1987, revised 2020) — imposes specific rules on the same processing activity. Where the sectoral law is silent on a PIPL-covered obligation (for example, if the Statistics Law does not address breach notification), PIPL fills the gap and applies.
Scope of the government-statistics override
The exemption applies only to processing by:
- People's governments at all levels (the State Council, provincial governments, municipal governments, county governments, and township governments); and
- Their relevant departments (governmental agencies or bureaus tasked with statistical or archival functions, such as the National Bureau of Statistics, provincial statistics bureaus, and national or local archives authorities).
The exemption does not extend to:
- Private companies or consultancies conducting statistical analysis or archival services on behalf of a government agency (such contractors are personal information processors or entrusted parties under Article 21 PIPL, and PIPL obligations apply in full);
- State-owned enterprises (SOEs) processing personal information for commercial purposes, even if wholly owned by the state (SOEs are legal persons subject to PIPL unless they qualify as state organs under Article 33);
- Academic or research institutions conducting statistical research, unless they are expressly delegated public-management functions by law or regulation and fall within Article 37 PIPL's authorized-organization rule; or
- Non-governmental organizations or civil-society groups maintaining membership databases or historical archives (these are personal information processors under PIPL).
Which "other laws" prevail?
The most commonly applicable sectoral statutes are:
- Statistics Law of the People's Republic of China (中华人民共和国统计法, as revised 2009) — governs the collection, reporting, compilation, and publication of statistical data by government statistics agencies. Article 9 of the Statistics Law requires that statistical survey objects (individuals and organizations providing data to official surveys) truthfully provide statistical information, and Article 25 prohibits the unauthorized disclosure or use of statistical data for non-statistical purposes. Where these provisions conflict with PIPL consent or disclosure rules, the Statistics Law prevails for government statistical activities.
- Archives Law of the People's Republic of China (中华人民共和国档案法, as revised 2020) — governs the collection, preservation, and use of archival materials by national and local archives bureaus. Article 14 of the Archives Law requires state organs, organizations, and individuals to transfer archival materials of permanent or long-term preservation value to archives repositories, and Article 27 permits public access to declassified archives. Where PIPL's data-minimization and retention-limitation principles (Article 6) or data-subject erasure rights (Article 47) would conflict with statutory archival-preservation duties, the Archives Law prevails.
Article 72 does not specify a hierarchy if PIPL and the sectoral law can be read harmoniously. In practice, government statistical and archival processors should comply with both regimes to the extent possible: satisfy the sectoral law's reporting, confidentiality, and preservation requirements and implement PIPL's security measures (Article 51), breach-notification procedures (Article 57), and data-subject-rights response mechanisms (Chapter 4) unless the sectoral law expressly prohibits such compliance.
No general "public interest" exemption in Article 72
Unlike the European Union's GDPR Article 6(1)(e) (processing necessary for a task carried out in the public interest) or Article 89 (research, statistical, and archival processing in the public interest), PIPL does not include a broad public-interest exemption in Article 72 or elsewhere in the statute. Government agencies processing personal information for purposes other than statistics or archives — such as law enforcement, social services, tax administration, or regulatory oversight — are subject to PIPL under Section 2 of Chapter 3 (Articles 33–37, "Special Provisions for Processing Personal Information by State Organs").
State organs processing personal information to perform their statutory duties must comply with Article 34 (processing only within the scope and limits necessary to perform statutory duties, in accordance with legal authority and procedures) and Article 35 (fulfill notification obligations under Article 17, except where notification would hinder performance of statutory duties or other Article 18 exemptions apply). State organs do not benefit from the Article 72 exemption unless they are conducting statistical or archival activities governed by sectoral law.
Comparison to GDPR household exemption
PIPL Article 72's household exemption is functionally identical to GDPR Recital 18, which excludes from GDPR scope "the processing of personal data by a natural person in the course of a purely personal or household activity." Both regimes apply a purpose test, and both withhold the exemption from professional, commercial, or public activities. The European Court of Justice has consistently interpreted the GDPR household exemption narrowly: in Bodil Lindqvist (Case C-101/01), the CJEU held that a natural person publishing information about church volunteers on a personal website accessible to the public did not qualify for the household exemption because the activity had a public dimension; in Ryneš (Case C-212/13), the CJEU held that a homeowner recording video footage of a public street with a home security camera did not qualify because the processing extended beyond the household sphere.
PIPL practitioners should expect Chinese regulators to interpret Article 72's household exemption with similar strictness. Any processing that touches third parties' personal information for purposes beyond the immediate family — even if the processor is a natural person acting without commercial intent — likely falls outside the exemption and triggers full PIPL compliance obligations.
Deceased individuals — no Article 72 exemption, but limited PIPL protection
Article 72 does not address processing of personal information relating to deceased individuals. PIPL applies to information "related to an identified or identifiable natural person" (Article 4), and the law does not define whether a deceased person remains a "natural person" for PIPL purposes.
However, Article 49 PIPL provides that "where a natural person has died, the close relatives of the deceased person may, for their own lawful and legitimate interests, exercise the rights of the deceased in respect of personal information," including access, copying, correction, and deletion rights, unless the deceased expressly provided otherwise before death. This provision implies that PIPL does extend limited protections to the personal information of the deceased, enforceable by next of kin, and therefore that processing such information is not exempt under Article 72.
The Cyberspace Administration of China has not issued comprehensive guidance on the scope of PIPL's protections for deceased individuals' data. Prudent practice is to treat personal information of recently deceased individuals as subject to PIPL obligations — particularly security safeguards and breach-notification duties — and to honor Article 49 requests from close relatives, unless the deceased's own directive (e.g., in a will or privacy directive) provides otherwise.
Article 72 does not exempt cross-border transfers
Even if domestic processing qualifies for the Article 72 household exemption or government-statistics exemption, cross-border transfer of personal information may trigger separate restrictions under PIPL Chapter 3 (Articles 38–43). For example, a government statistical bureau exempt from general PIPL obligations under Article 72 remains subject to Article 36 PIPL, which requires state organs to store personal information within the territory of the People's Republic of China and to conduct a security assessment before providing it overseas. The Article 72 exemption applies to domestic processing obligations (consent, disclosure, data-subject rights), not to cross-border transfer restrictions, which are governed by a distinct statutory regime.