From Statute to Enforcement Machine
When China's Personal Information Protection Law (PIPL) took effect on November 1, 2021, it was immediately compared to Europe's GDPR: a sweeping omnibus framework covering consent, data minimisation, cross-border transfers, and individual rights, with penalties reaching RMB 50 million or 5% of annual revenue for the most serious violations. For the first two years, regulators used PIPL primarily as a blunt instrument — landing two enormous, high-signal fines that put the market on notice. Now, approaching the law's fifth anniversary, the Cyberspace Administration of China (CAC) has pivoted to something more systematic: simultaneous enforcement campaigns across seven industry sectors, paired with rapid-fire app takedown notices and a newly completed cross-border transfer architecture.
That shift began in earnest on April 2, 2026, when the CAC, the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security (MPS) jointly announced a series of nationwide special enforcement campaigns — targeting apps and SDKs, internet advertising, education, transportation, healthcare, financial services, and criminal data trafficking networks. The same month, the CAC published a notification calling out 33 named apps for privacy violations, ordering corrections within 15 working days under threat of penalty.
The Fine Architecture That Made PIPL Credible
The law's credibility rests on two early enforcement actions that demonstrated regulators were willing to follow through at scale.
The first was the Didi case. On July 21, 2022, the CAC fined the ride-hailing giant RMB 8.026 billion (approximately USD 1.2 billion), the world's largest data protection fine at the time, surpassing Amazon's EUR 746 million GDPR penalty from 2021. The CAC found that Didi had illegally processed over 64.7 billion pieces of personal information across a seven-year period beginning in 2015, in violation of the Cybersecurity Law, the Data Security Law, and the PIPL. The company's chairman and CEO were each personally fined RMB 1 million — the statutory maximum for individuals under Article 66 of the PIPL.
The second came in September 2023, when the CAC fined China National Knowledge Infrastructure (CNKI), the country's largest academic database, RMB 50 million for violations including collecting personal information without consent, failing to provide account deletion mechanisms, and operating 14 apps that gathered data beyond what was necessary for their stated functions. The enforcement was notable for extending PIPL sanctions beyond the big tech sector into academic publishing — a signal that no industry would be exempt.
The Cross-Border Architecture, Now Complete
For multinational companies, the more consequential development arrived in the second half of 2025. On October 14, 2025, the CAC and the State Administration for Market Regulation (SAMR) jointly issued the Measures for Certification of Cross-Border Personal Information Transfer, effective January 1, 2026. This completed PIPL's three-pathway cross-border framework: security assessment (mandatory for large-scale transfers), standard contract (for smaller data flows), and certification (for the middle tier, covering entities transferring personal information of between 100,000 and one million individuals annually, or sensitive data of fewer than 10,000 per year).
A second wave of technical standards, covering certification body accreditation and sector-specific processing rules, is set to become mandatory from July 1, 2026. The certification pathway's three-year validity period and prerequisite impact assessment requirements add meaningful compliance overhead — but they also provide legal clarity that was previously absent. Companies transferring data to headquarters abroad had operated in grey areas; the new framework closes that gap, as the September 2025 enforcement action against a European luxury brand's Shanghai subsidiary for transferring customer data to France without any of the three compliance mechanisms made plain.
The 2026 Enforcement Campaigns: Breadth Is the Point
The April 2, 2026 joint enforcement announcement is significant not because of any individual action but because of its deliberate breadth. The seven campaigns span nearly every domain of digital life. In internet advertising, regulators are targeting platforms that continue collecting behavioural data after users opt out of personalised ads — a requirement that exceeds practices currently mandated under the EU's ePrivacy Directive. In education, the campaigns specifically prohibit the use of facial recognition as a sole authentication method for minors and restrict excessive collection of location and enrolment data. In finance, lenders and insurers are being targeted for collecting contact lists, SMS records, and location data under the cover of fraud prevention. And a dedicated criminal enforcement track coordinates with the Ministry of Public Security to pursue organised personal information trafficking rings.
On April 27, 2026, the CAC published a list of 33 apps found to have violations across four categories: missing or inadequate privacy policies, failure to disclose SDK data collection to users, excessive data collection beyond necessary functions, and blocking or conditioning account cancellation. The named apps span sectors from productivity to automotive to fitness — and each faces a 15-day correction deadline before potential penalty proceedings.
A Proportionality Signal Worth Noting
To be fair to the regulatory architecture, there are genuine consumer protection rationales here. China's digital economy processes personal data at a scale few other jurisdictions match, and enforcement actions have documented real harms: Didi collected facial recognition images and family relationship data from passengers without disclosure; CNKI's 14 apps gathered information that had no relationship to their academic functions. The case for robust enforcement is not merely political — it rests on documented asymmetries between what platforms disclosed and what they actually collected.
That said, the operational cost for smaller businesses is real. The compliance burden of PIPL — separate consent for sensitive data, impact assessments, cross-border certification, DPO obligations — is calibrated for large enterprises. Recognising this, the CAC published draft Simplified Personal Information Protection Measures for Small-Scale Personal Information Processors on April 3, 2026, proposing a lighter-touch regime for entities that process data of fewer than 100,000 individuals. The draft also introduces leniency provisions for first-time minor violations promptly corrected. This calibration is welcome: proportionate enforcement is the difference between a law that improves data practices and one that simply advantages incumbents who can afford compliance teams.
What the Operational Phase Means
For global companies operating in China, the signal from 2026 is unambiguous. The grey areas in cross-border transfers are now closed — every outbound data flow requires one of the three documented mechanisms. The app enforcement campaigns are naming companies publicly and imposing tight correction windows. And the coordination between the CAC, MIIT, and MPS means that serious violations can escalate from administrative penalty to criminal referral. PIPL is no longer a compliance aspiration; it is an operational reality with enforcement teeth.