From Rulebook to Reckoning
China's Personal Information Protection Law reaches its fifth anniversary in November 2026 with something its drafters always intended but rarely delivered: systematic, multi-sector enforcement. On April 2, 2026, the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security jointly announced a nationwide campaign targeting what they called "unlawful and irregular personal information processing activities." Six sectors are in scope: apps and third-party SDKs, internet advertising, education, transportation, healthcare, and financial services.
This is not regulatory theatre. The April 2026 announcement marks a genuine shift in how China is administering PIPL — from a rule-setting phase focused on publishing regulations and technical standards to a rule-testing phase focused on whether companies have actually embedded those principles in operational systems.
What PIPL Actually Requires
PIPL, enacted August 20, 2021 and effective November 1, 2021, established a comprehensive framework for personal information processing in China. Its 74 articles impose data minimization, purpose limitation, and transparency requirements on any entity processing the data of individuals in China, including foreign companies doing business there. Unlike Europe's GDPR, PIPL does not include a "legitimate interests" legal basis: processing must fit one of the bases enumerated in Article 13, principally consent, contract or human-resources necessity, statutory obligation, emergency response, or public-interest processing such as news reporting. For companies accustomed to GDPR's flexibility, that gap is a genuine compliance burden, because much of the processing that GDPR controllers justify as a legitimate interest has to be pushed back onto consent.
The penalty structure is significant. Article 66 imposes fines of up to RMB 50 million (approximately $6.9 million) or 5% of the previous year's revenue for severe violations, alongside possible suspension of business and bans on the responsible individuals holding corporate positions. Regulators have used these powers sparingly so far: CNKI, China's academic database giant, was fined RMB 50 million in 2023 for PIPL and Cybersecurity Law violations. The April 2026 campaign signals a move toward routine enforcement rather than high-profile examples.
Steelmanning the Regulators
The sectors targeted in the 2026 sweep were not chosen arbitrarily. The enforcement priorities reflect documented and persistent abuses. Apps have long collected contact lists, SMS logs, and precise location data for purposes entirely unrelated to their core functionality. Education platforms have demanded facial recognition from minors without meaningful parental consent. Financial services apps have used biometrics as the sole authentication method, so that refusing to hand over a face template means losing access to core financial services. These are real harms to real people, and regulators in democratic jurisdictions have struggled to address them as well.
The CAC's January 2026 Q&A guidance sharpened enforcement expectations around facial recognition specifically: companies must conduct a mandatory Personal Information Protection Impact Assessment (PIPIA) before deploying facial recognition, evaluate data breach risks and protection measures, and retain the assessment for regulatory inspection. Treating impact assessments as enforceable compliance artifacts that an inspector can demand, rather than as internal exercises, is an approach the EU is taking under the AI Act as well. That convergence is not a coincidence.
Where the Friction Is
The problem is not the goals of the April 2026 campaign; it is the execution risk. China's PIPL enforcement is distributed across the CAC, MIIT, the Ministry of Public Security, sector-specific regulators, and provincial-level authorities. Overlapping jurisdiction means that a single app violation could theoretically attract simultaneous investigations from multiple agencies applying different internal penalty guidelines. PIPL sets ceiling amounts, not predictable ranges tied to specific conduct, and no consolidated penalty matrix has been published, which creates structural uncertainty for companies trying to calibrate how much to invest in compliance.
Smaller companies and startups face disproportionate compliance costs. The January 2026 draft regulations on app privacy (published January 10, 2026, comment period closed February 9) would require itemized privacy disclosures covering SDK details, precise storage durations, and opt-out mechanisms for algorithmic recommendations. Each requirement is individually defensible. Together, for an eight-person development team, they represent hundreds of hours of legal and engineering work before a product can ship.
The Cross-Border Progress
Not all of the recent regulatory activity is friction-generating. The October 2025 release of the Measures for Certification of Outbound Personal Information Transfer, effective January 1, 2026, completed a three-pathway compliance framework for cross-border data flows that had been partially operational since 2023. Companies can now choose between a government-led Security Assessment (required for transfers involving over 1 million individuals' data, and also for important data, for critical information infrastructure operators, and for sensitive personal information of 10,000 or more individuals in a year), Standard Contractual Clause filing (for 100,000 to 1 million individuals' non-sensitive data), or third-party Certification (mirroring the SCC threshold but without a government filing requirement). The sensitive-data threshold matters in practice: a transfer of biometric, financial, or health data can trigger the Security Assessment route at a fraction of the headcount that non-sensitive data would.
As of March 2025, the CAC had reviewed 298 security assessment submissions, a number that underscores how slowly the high-volume pathway had been operationalized. The certification route, valid for three years and accessible to foreign entities without Chinese subsidiaries through designated domestic representatives, may prove to be the most practical option for multinational companies with recurring, mid-volume data flows.
The September 2025 enforcement action against a European luxury brand's Shanghai subsidiary, penalized for transferring customer names, contact information, and purchase histories to France without completing any of the three required pathways, illustrated what regulators mean by cross-border accountability. The problem had come to light in May 2025; by September, administrative penalties had been imposed. That is a five-month enforcement timeline, faster than most equivalent EU proceedings.
What Proportionality Requires
China's regulators have built a technically coherent data protection framework in under five years. The 2026 enforcement sweep is the stress test. Whether it produces proportionate outcomes depends on whether the CAC publishes clear penalty guidance tied to actual harm levels, whether smaller operators receive compliance assistance rather than immediate sanction, and whether the multi-agency coordination produces consolidated rather than duplicative proceedings.
The cross-border certification pathway is a genuine improvement for global businesses. The app privacy draft regulations raise the floor on transparency meaningfully. But compliance costs in the six targeted sectors and opaque multi-agency enforcement remain pressure points that could drive legitimate innovation offshore, the opposite of what a data protection framework should accomplish. Enforcement that protects people without chilling legitimate data use is achievable. China's PIPL architecture makes it possible. Whether the 2026 campaign delivers it depends on choices that will become visible in the next six months.