Content updated on May 5, 2026
When China's Personal Information Protection Law (PIPL) came into force in November 2021, it was one of the most significant data privacy developments globally, placing China alongside the EU and California as a major regulatory force. Four years on, the framework has expanded considerably.
What began as a single piece of legislation is now a layered body of rules, with new obligations on cross-border transfers, compliance audits, and cybersecurity incident reporting that have direct consequences for any organisation handling personal data from individuals in China.
What is the PIPL (Personal Information Protection Law)?
The Personal Information Protection Law remains China's primary data privacy legislation. Like the GDPR in the EU, it applies both inside and outside China. Any organisation that processes personal information about individuals located in China, whether to provide products or services to them or to analyse their behaviour, falls within its scope regardless of where that organisation is based.
The core obligations have not changed: organisations must have a lawful basis for processing personal data, obtain informed and specific consent, and store certain categories of sensitive data on servers located within China. Fines for non-compliance remain steep, at up to RMB 50 million or 5% of annual turnover, with personal liability for senior personnel in serious cases.
A Framework That Has Kept Expanding
Since 2021, China has built out the PIPL with a series of implementing regulations that add practical compliance requirements:
- Measures for the Standard Contract for Outbound Transfer (June 2023)
- Regulations on Facilitating and Regulating Cross-Border Data Flows (March 2024)
- Network Data Security Management Regulation (January 2025)
- Measures for Personal Information Protection Compliance Audits (May 2025)
- Measures for the Administration of the Reporting of Cybersecurity Incidents (November 2025)
- Measures for the Certification of the Outbound Transfer (January 2026)
For multinational organisations, the cross-border transfer rules are particularly significant. Large-scale transfers, meaning personal information relating to more than one million individuals or sensitive personal information relating to more than ten thousand individuals, must undergo a formal security review.
Mandatory Compliance Audits
One of the most consequential developments for 2026 is the introduction of mandatory compliance audits. The measures that took effect on 1 May 2025 make these audits a requirement for all processors subject to the PIPL.
Processors handling data for more than 10 million individuals must conduct at least one audit every two years. Organisations processing information for more than one million individuals must also appoint a designated person responsible for compliance audits, the equivalent of a Data Protection Officer (DPO).
Enforcement is Intensifying
Enforcement activity has increased steadily. Investigations are often triggered by a whistleblower report or a data breach. In October 2024, a medical technology company was penalised following a whistleblower report that exposed system vulnerabilities leading to a data leak.
In September 2025, authorities took action against the Shanghai subsidiary of a European luxury brand for illegally transferring personal information overseas. This case is a reminder that enforcement extends to foreign-owned entities and that regulators are scrutinising cross-border data flows closely.
What This Means for Your Whistleblowing Programme
Whistleblowing platforms that handle reports from employees based in China process personal data. Under the PIPL, that data is subject to Chinese law regardless of where the platform itself is hosted.
The PIPL framework makes clear that allowing foreign access to personal information stored in China is itself considered a cross-border transfer. For organisations running global whistleblowing programmes, this has practical consequences for how reports are stored, accessed, and investigated.
What Organisations Should Do Now
The compliance baseline for the PIPL is considerably higher today than it was at launch. Organisations should prioritise three things:
- Data Mapping: Identify exactly what personal data is collected in China and what crosses borders.
- Audit Readiness: Assess whether you meet the thresholds for the May 2025 Audit Measures.
- Transfer Review: Ensure your Standard Contract Clauses (SCCs) or certification routes align with the 2024 and 2026 rules.
Conclusion
The PIPL is no longer just a law on paper; it is a live operational requirement. Between mandatory audits and the reality of whistleblower-triggered investigations, the "wait and see" approach of 2021 is now a major business risk. If you are still using the same compliance baseline you set four years ago, you are likely out of step with the current landscape.
Whispli is built to help you navigate this exact level of complexity. We offer data localisation options that keep sensitive information within China’s borders, combined with end-to-end encryption that meets the highest security standards. By using a platform that understands the nuances of the PIPL, you don't just protect your data: you protect your people and your reputation in one of the world's most strictly regulated markets.