From global-privacy-regulations-skills
Guides compliance with China's PIPL: consent requirements, cross-border transfers via CAC assessment/contracts/certification, separate consent triggers, CIIO obligations.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin global-privacy-regulations-skillsThis skill uses the workspace's default tool permissions.
The Personal Information Protection Law of the People's Republic of China (PIPL, 个人信息保护法) was adopted by the Standing Committee of the National People's Congress on 20 August 2021 and took effect on 1 November 2021. The PIPL is China's first comprehensive national personal information protection law, operating alongside the Cybersecurity Law (CSL, effective 1 June 2017) and the Data Security La...
Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Generates original PNG/PDF visual art via design philosophy manifestos for posters, graphics, and static designs on user request.
The Personal Information Protection Law of the People's Republic of China (PIPL, 个人信息保护法) was adopted by the Standing Committee of the National People's Congress on 20 August 2021 and took effect on 1 November 2021. The PIPL is China's first comprehensive national personal information protection law, operating alongside the Cybersecurity Law (CSL, effective 1 June 2017) and the Data Security Law (DSL, effective 1 September 2021) to form China's data governance framework.
The Cyberspace Administration of China (CAC, 国家互联网信息办公室) is the primary regulator, with enforcement authority shared among the Ministry of Public Security, the Ministry of Industry and Information Technology (MIIT), and sector-specific regulators.
The PIPL applies to:
Overseas personal information processors falling under Art. 3(2) must:
Zenith Global Enterprises implementation: Zenith has designated its Shanghai office (Zenith Global Logistics (Shanghai) Co., Ltd) as the PRC representative entity, with the local Data Protection Manager serving as the designated contact.
| Basis | PIPL Article | Key Requirements |
|---|---|---|
| Consent | Art. 13(1) | Voluntary, explicit, informed; specific consent for sensitive PI, cross-border transfers, and public disclosure |
| Contract necessity | Art. 13(2) | Necessary to conclude or perform a contract to which the individual is a party, or for HR management per lawfully adopted labour rules |
| Statutory duty or obligation | Art. 13(3) | Necessary to fulfil statutory duties or obligations |
| Public health emergency | Art. 13(4) | Necessary to respond to public health emergencies or protect life/property in emergencies |
| Public interest activities | Art. 13(5) | Processing for news reporting, public opinion supervision, or other public interest activities within a reasonable scope |
| Processing within reasonable scope of lawfully disclosed PI | Art. 13(6) | Information already disclosed by the individual or through other lawful means |
| Other circumstances in laws/administrative regulations | Art. 13(7) | Catch-all provision for sector-specific legislation |
Key distinction from GDPR: The PIPL does not include a standalone legitimate interest basis. Art. 13(6) (processing lawfully disclosed information) is the closest analogue but far narrower in scope.
| Requirement | PIPL Provision | Implementation |
|---|---|---|
| Voluntariness | Art. 14 | Consent must not be obtained through deception, coercion, or inducement; services may not be refused solely for withholding consent unless PI is necessary for the service |
| Informedness | Art. 14 | Individuals must be fully informed before consenting; information provided per Art. 17 |
| Explicitness | Art. 14 | Clear affirmative action required; pre-ticked boxes or bundled consent are non-compliant |
| Withdrawal | Art. 15 | Individuals have the right to withdraw consent; processors must provide convenient withdrawal mechanisms; withdrawal does not affect prior lawful processing |
| Separate consent | Arts. 23, 25, 26, 29, 39 | Required for specific high-risk processing scenarios (see below) |
The PIPL requires separate consent (单独同意, dāndú tóngyì) — consent obtained independently from other consent collection — for the following processing activities:
| Trigger | Article | Context |
|---|---|---|
| Provision of PI to other processors | Art. 23 | When a processor provides personal information to another processor |
| Public disclosure of PI | Art. 25 | When a processor publicly discloses personal information |
| Processing images/personal identification from public surveillance | Art. 26 | Use of images or personal identification information collected via public places for purposes other than public safety |
| Processing sensitive personal information | Art. 29 | All processing of sensitive PI requires separate consent plus disclosure of necessity and impact |
| Cross-border transfer of PI | Art. 39 | International transfer requires separate consent with specified disclosures |
Zenith Global Enterprises implementation:
Sensitive personal information (敏感个人信息) is personal information that, once leaked or illegally used, may easily lead to infringement of the dignity of natural persons or harm to their personal or property safety. It includes:
| Requirement | Detail |
|---|---|
| Separate consent | Art. 29: Separate consent required; written consent where required by laws/regulations |
| Necessity justification | Art. 28: Must have a specific purpose and sufficient necessity |
| Impact assessment | Art. 55: Personal information protection impact assessment (PIPIA) required before processing |
| Notification | Art. 30: Notify the individual of the necessity and impact on rights; for minors under 14, obtain consent from parent/guardian |
| Retention minimisation | Art. 28: Adopt strict protection measures; minimise retention period |
| Data Type | Classification | Purpose | Consent Type | PIPIA Reference |
|---|---|---|---|---|
| National ID numbers (身份证号) | Specific identity | Customs clearance identity verification | Separate written consent | PIPIA-CN-001 |
| Financial account information | Financial | Payment processing for freight charges | Separate consent | PIPIA-CN-002 |
| Employee health certificates | Medical/health | Occupational safety compliance | Separate consent | PIPIA-CN-003 |
| GPS tracking of delivery vehicles | Location tracking | Real-time shipment tracking for customers | Separate consent (drivers) | PIPIA-CN-004 |
The PIPL provides three primary mechanisms for transferring personal information outside the PRC, applicable based on the processor's scale and nature:
When required (mandatory for any of the following):
Process:
Zenith Global Enterprises status: As Zenith processes personal information of over 100,000 customers and employees in China, and has transferred personal information of more than 100,000 individuals abroad cumulatively, the CAC security assessment is the mandatory transfer mechanism.
When applicable (must meet all conditions):
Process:
Standard contract key provisions:
When applicable:
Process:
The CAC issued the Provisions on Facilitating and Regulating Cross-Border Data Flows (effective 22 March 2024), which introduced exemptions:
| Exemption | Condition |
|---|---|
| Contract/HR necessity | Cross-border transfer necessary for concluding/performing a contract to which the individual is a party, or for HR management under lawfully adopted labour rules |
| Small volume | Processor expects to transfer personal information of fewer than 100,000 individuals (excluding sensitive PI) abroad within one year |
| Free trade zones | Transfers from designated free trade zones subject to the negative list of that zone |
Important: These exemptions do not apply to CIIOs, transfers of important data, or transfers exceeding the specified thresholds.
| Transfer ID | Flow | Destination | Mechanism | Volume | Assessment Status |
|---|---|---|---|---|---|
| CBT-CN-001 | Customer logistics data → EU HQ | Germany | CAC Security Assessment | 150,000+ individuals | Approved (valid until August 2026) |
| CBT-CN-002 | Employee HR data → Regional HR | Singapore | CAC Security Assessment | 2,500 employees | Approved (valid until August 2026) |
| CBT-CN-003 | Vendor payment data → Treasury | United Kingdom | Standard Contract (filed) | 800 vendors | Filed with Shanghai CAC |
| CBT-CN-004 | Shipment tracking data → API partners | Japan | Contract necessity exemption | 50,000 individuals | Exemption documented |
Critical information infrastructure operators (关键信息基础设施运营者, CIIOs) face additional obligations:
| Obligation | Legal Basis | Detail |
|---|---|---|
| Data localisation | Art. 40 | Personal information and important data collected/generated during operations within the PRC must be stored domestically |
| Security assessment for export | Art. 40 | Mandatory CAC security assessment for any cross-border transfer (no alternative mechanisms) |
| Annual security assessment | CSL Art. 38 | Annual network security assessment and submission of assessment reports |
| Data security officer | DSL Art. 27 | Designate a data security responsible person |
The following sectors are designated as CII under the Critical Information Infrastructure Security Protection Regulations (effective 1 September 2021):
Zenith Global Enterprises assessment: As a logistics company, Zenith may be designated as CII under the transportation sector if its systems are determined to endanger national security or the public interest if damaged. Zenith maintains ongoing dialogue with the relevant sector authority (Ministry of Transport) regarding CII designation status.
| Trigger | Description |
|---|---|
| Processing sensitive personal information | Any processing of sensitive PI (Art. 28) |
| Automated decision-making | Using personal information for automated decisions (Art. 24) |
| Entrusted processing | Entrusting a third party to process personal information (Art. 21) |
| Cross-border transfer | Providing personal information to overseas parties (Art. 38) |
| Public disclosure | Publicly disclosing personal information (Art. 25) |
| Other high-impact processing | Processing that has a significant impact on individual rights |
| Element | Description |
|---|---|
| Legality and legitimacy | Whether the processing purpose, method, and scope are lawful, legitimate, and necessary |
| Impact assessment | Assessment of the impact on individual rights and interests and the level of risk |
| Security measures | Whether the protective measures adopted are lawful, effective, and proportionate to the risk |
| Risk mitigation | Identification of risks and proposed mitigation measures |
The PIPIA report and processing records must be retained for at least 3 years (Art. 56).
| Right | Article | Implementation at Zenith Global Enterprises |
|---|---|---|
| Right to know and to decide | Art. 44 | Privacy notice in Simplified Chinese on all collection points |
| Right to restrict or refuse processing | Art. 44 | Opt-out mechanisms in customer portal; employee objection procedure |
| Right to access and copy | Art. 45 | Self-service data export from customer account; employee requests through HR |
| Right to portability | Art. 45(3) | Structured export to designated recipient (per CAC implementation rules when issued) |
| Right to correction and supplementation | Art. 46 | Self-service correction in customer portal; HR system for employees |
| Right to deletion | Art. 47 | Automated deletion workflows triggered by: purpose fulfilment, consent withdrawal, service termination, processing violation |
| Right to explanation | Art. 48 | Individuals may request explanation of PI processing rules; processor must provide timely response |
| Right regarding automated decision-making | Art. 24 | Right to request explanation of automated decisions; right to refuse decisions made solely through automated means |
| Right of deceased persons' relatives | Art. 49 | Close relatives may exercise rights of deceased individuals unless deceased arranged otherwise |
| Violation Level | Organisation Penalty | Individual Penalty (directly responsible person) |
|---|---|---|
| General violations | Order to rectify; warning; confiscation of unlawful income; suspension or termination of related application; fine up to RMB 1 million | Fine of RMB 10,000–100,000 |
| Serious violations | Order to rectify; confiscation of unlawful income; fine up to RMB 50 million or up to 5% of previous year's revenue; suspension of business; revocation of business licence | Fine of RMB 100,000–1,000,000; prohibition from serving as director, supervisor, senior manager, or DPO for a specified period |
Didi Global CAC Investigation (2021-2022):
SAMR/CAC App Compliance Campaigns (2021-2025):
| Component | Detail |
|---|---|
| PRC representative entity | Zenith Global Logistics (Shanghai) Co., Ltd |
| Data Protection Manager (China) | Li Wei, Director of Information Security, Shanghai office |
| PIPIA programme | Mandatory PIPIA for all triggers under Art. 55; retained for minimum 3 years |
| Cross-border transfer compliance | CAC Security Assessment approved for primary data flows; standard contracts filed for lower-volume flows |
| Consent management | Platform configured for general and separate consent per Arts. 14, 23, 25, 29, 39 |
| Training | Annual PIPL compliance training for all PRC employees; quarterly refreshers for data handling roles |
| Incident response | 72-hour notification to CAC for incidents affecting PI security; coordinated with headquarters incident response team |