China's Personal Information Protection Law (PIPL) took effect in November 2021, positioning the country among global privacy standard-setters alongside the EU's GDPR. For three years, enforcement was real but scattered: meaningful enough to generate compliance workshops, not consequential enough to change how multinational companies structured their data flows. That phase ended in 2025.
A Four-Agency Campaign Signals Intent
On March 28, 2025, the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security, and the State Administration for Market Regulation (SAMR) jointly announced a special PIPL enforcement campaign targeting six sectors: mobile applications and mini-programs, software development kits (SDKs), smart terminals, facial recognition systems in public spaces, offline consumer transactions, and criminal personal data theft.
The 2024 baseline numbers reveal how seriously regulators have pursued the underlying mandate. According to the CAC's own enforcement newsletter, authorities reviewed 11,159 website platforms in 2024, imposed warnings or fines on 4,046 of them, removed 200 apps, and — working jointly with MIIT — shut down 10,946 additional platforms. In August 2025, China's National Computer Virus Emergency Response Center flagged 70 mobile applications for PIPL violations including absent consent mechanisms, missing privacy policies, and inadequate protections for children's data, warning operators that non-compliance could result in removal from app stores.
This is not selective signaling. It is a regularized enforcement machine.
The Cross-Border Enforcement Flashpoint
The most significant development came in May 2025: Shanghai authorities imposed the first publicly disclosed administrative penalty under the PIPL specifically for unlawful cross-border transfer of personal information. A European luxury brand's Shanghai subsidiary had been routing user data to its French headquarters without using any of the three transfer mechanisms the law recognizes: no CAC security assessment, no filed standard contractual clauses (SCCs), and no personal information protection (PIP) certification.
The published notice did not disclose a fine amount, which suggests the violation did not reach the "grave circumstances" threshold that unlocks the PIPL's maximum sanctions of up to RMB 50 million or 5 percent of prior-year turnover. The case matters for a different reason. It is the first enforcement action establishing that routine intracompany transfers to a foreign parent (HR records, customer information, operational data) are unlawful unless one of the statutory transfer mechanisms is in place before the data leaves China. Every multinational operating in China is now on notice.
The Three-Pathway Framework Completes
The enforcement case arrived just as the cross-border transfer architecture reached its final form. On October 14, 2025, the CAC and SAMR jointly issued the Measures for Certification of Cross-Border Personal Information Transfer, effective January 1, 2026. Combined with the existing security assessment and standard contract pathways, China's three-pathway cross-border regime is now fully operational:
- CAC security assessment: Mandatory for critical information infrastructure operators exporting any personal information, for any export of important data, and for other processors that have transferred non-sensitive personal information of 1 million or more individuals, or sensitive personal information of 10,000 or more individuals, cumulatively since January 1 of the current year
- Standard contractual clauses: Available to processors below the assessment thresholds that have transferred non-sensitive personal information of 100,000 or more individuals, or sensitive personal information of fewer than 10,000 individuals, since January 1 of the current year; the signed contract and the accompanying personal information protection impact assessment must be filed with the provincial CAC within 10 working days of the contract taking effect
- PIP certification: Formalized by the 2025 Measures as an alternative to SCCs for the same volume range, issued by accredited third-party certification bodies, with certificates valid for three years
Below those thresholds, a processor exporting non-sensitive personal information of fewer than 100,000 individuals in a calendar year needs none of the three mechanisms under the March 2024 Provisions on Promoting and Regulating Cross-Border Data Flows, though the PIPL's separate-consent, notice and impact-assessment duties still apply. The measures explicitly prohibit splitting data volumes across entities or any other tactic designed to stay under the security assessment threshold. The amended Cybersecurity Law, also effective January 1, 2026, adds a new severe-violation penalty category carrying fines of up to RMB 10 million.
The Compliance Audit Overlay
Running parallel to cross-border enforcement is a mandatory audit regime that took effect May 1, 2025. Under measures the CAC issued on February 14, 2025, organizations processing the personal information of more than 10 million individuals must conduct a PIPL compliance audit at least once every two years. Those processing the personal information of more than 1 million individuals must designate a personal information protection officer, reporting to senior management, who is responsible for the audit. The accompanying guidelines enumerate 27 audit areas. Regulators can also compel an audit by a third-party professional body after a security incident involving the personal information of 1 million or more individuals, or the sensitive personal information of 100,000 or more individuals.
The final thresholds represent a meaningful retreat from the draft version, which would have required annual audits for all processors above 1 million individuals. Regulators absorbed industry feedback and adjusted. That responsiveness is worth acknowledging.
The Legitimate Case — and Its Structural Flaw
The strongest argument for robust PIPL enforcement is direct: China hosts one of the world's largest digital economies, with documented commercial abuses including biometric harvesting at retail checkpoints, opaque SDK data pipelines, and undisclosed third-party data sharing embedded in consumer apps. A law without enforcement protects no one. The PIPL's consent requirements, data minimization principles, and breach notification obligations are structurally sound. The compliance burden on companies is proportionate to the scale of the data they handle.
The problem is structural asymmetry. The PIPL holds state organs to a separate and far lighter set of obligations than private processors. The regulatory apparatus that demands a completed transfer mechanism before a European luxury brand routes sales data to its Paris headquarters imposes no equivalent restriction on state security entities collecting biometric data in public spaces or on intelligence agencies processing communications at scale. What is framed as privacy protection also functions as a structural constraint on foreign data flows, while domestic state data practices remain insulated from equivalent scrutiny.
The Calculus for Foreign Companies
For multinationals operating in China, compliance is the only viable path: the enforcement regime is real, the precedents are established, and the penalties are consequential. Companies should inventory every intracompany data flow that crosses China's border, classify each by data type (sensitive or non-sensitive personal information, important data) and by the cumulative number of individuals affected since January 1 of the current year, complete the applicable mechanism (SCC filing with the provincial CAC, certification application, or formal security assessment) before the transfer begins, and appoint a personal information protection officer if they process the personal information of more than 1 million individuals in China.
China has built a functioning privacy enforcement infrastructure. The question that remains — for Chinese users as much as for foreign companies — is whether a regime that disciplines corporate data flows while shielding the state's own data apparatus can honestly be called a privacy law, or whether it is something more precisely described as selective data sovereignty.