China's TC260 Standards Turn PIPL's Dormant Data Portability Right Into an Operational Obligation

Two national standards effective July 1, 2026 operationalise PIPL's Article 45 portability clause and mandatory biennial audit regime, closing a five-year implementation gap.

[Infographic: "China's PIPL: From Paper Rights to Operational Rules", People of Internet Research (peopleofinternet.com). Key figures shown: >10M individuals, the biennial audit threshold; 27 audit categories in TC260's compliance audit standard; RMB 50M or 5% of revenue, the maximum PIPL penalty for serious violations; ~5 years, the period PIPL Article 45's portability right lay dormant.]

Five Years of a Paper Right

When China's Personal Information Protection Law (PIPL) passed in August 2021, Article 45 established a data portability right: individuals could request transfer of their personal information to another handler "where conditions specified by the Cyberspace Administration of China are met." The clause was forward-looking and legally incomplete in equal measure. No conditions had been specified. The right existed on paper and nowhere else.

That changes as of July 1, 2026. Two national standards issued by China's TC260 Cybersecurity Standardisation Technical Committee entered force today: Data Security Technology — Requirements for the Transfer of Personal Information Based on Personal Requests and Data Security Technology — Requirements for Personal Information Protection Compliance Audits. Both were published by the State Administration for Market Regulation and the National Standardization Administration. Together they constitute the first systematic attempt to make PIPL's data rights enforceable as operational procedures rather than aspirational text.

What the Portability Standard Does

TC260 itself describes the portability standard as China's "first document to systematically refine" the Article 45 right. It establishes scope, prerequisite conditions, process requirements, timelines, fee rules, and data formats that personal information controllers must follow when a data subject requests transfer to a competing controller.

This closes a gap that has been a meaningful practical problem. Since PIPL took effect November 1, 2021, the portability right has been acknowledged in every major platform's privacy policy and exercised by almost no one, because no procedural framework existed. Today's standard gives users a defined pathway and gives compliance officers a defined checklist. Data controllers now have clear obligations; individuals have a basis for complaints and regulatory referrals when those obligations go unmet.

The anti-lock-in rationale is worth stating clearly. When legislators added Article 45 in the final reading of the PIPL bill, the explicit concern was Internet platforms using large troves of user data to lock users into their platforms and fend off emerging competitors. By specifying formats and timelines, the TC260 standard makes that competition-policy objective actionable — users switching between social platforms, e-commerce services, or cloud storage now have a documented right to take their data with them on a defined schedule.

The Audit Standard Operationalises a Separate Mandatory Obligation

The compliance audit standard implements the Administrative Measures for Personal Information Protection Compliance Audits, which the CAC issued February 14, 2025 and which took effect May 1, 2025. Those measures established that companies processing personal information of more than 10 million individuals must conduct compliance audits at least once every two years. The TC260 standard now provides the specific methodologies, evidence requirements, and 27-category assessment framework that makes the obligation operable rather than nominal.

The 10 million threshold is defensible. It concentrates the audit obligation on the companies — large consumer internet platforms, e-commerce operators, payment processors, and multinational firms with substantial China customer bases — where data processing risks are genuinely large. The final CAC measures represent a significant relaxation from the 2023 draft, which required annual audits at a 1 million individual threshold. The shift to biennial audits at 10 million reduced regulatory burden on smaller operators without meaningfully diluting protection where it matters most.

Companies above the threshold now carry two interlocking compliance obligations: the audit itself, covering 27 categories spanning legal basis, consent, cross-border transfers, breach response, and data minimisation; and the evidence trail that regulators can use in enforcement proceedings. For companies below 10 million individuals, no mandatory frequency applies — but the measures specify that regulators can require third-party audits following any breach affecting more than one million records or 100,000 sensitive records.

The State-Gated Model

The most consequential analytical point about the portability standard is structural: it is not the same thing as GDPR Article 20, and treating it as a functional equivalent would be a compliance error.

Under GDPR Article 20, data portability is a broadly available individual right, triggered by consent-based or contract-based processing and exercisable without regulatory pre-approval. Under PIPL Article 45, the right remains conditional on meeting requirements set by the CAC. The TC260 standard fills in those requirements, but the architecture remains one of state-mediated access rather than individual entitlement. Regulators retain control over the conditions under which the right can be exercised — and can modify those conditions.

That gap matters concretely for multinationals. A GDPR-compliant portability workflow built for European users will not automatically satisfy the TC260 standard's specific prerequisites and format requirements. The two regimes reflect genuinely different premises: GDPR treats data portability as a pre-existing individual right that regulation protects; PIPL treats it as a conditionally available entitlement within a state-supervised data governance architecture.

There are legitimate arguments for both models. The GDPR's rights-first approach maximises user autonomy; the PIPL's conditional model allows regulators to ensure that portability mechanisms don't inadvertently enable data exfiltration or platform circumvention of security rules. What is not legitimate is treating the two as equivalent from a compliance standpoint.

Enforcement Is No Longer Hypothetical

The stakes have teeth. PIPL's penalty framework reaches RMB 50 million (approximately USD 7 million) or 5 percent of prior-year annual revenue for serious violations. In September 2025, a European luxury brand's Shanghai subsidiary became one of the first publicly disclosed PIPL enforcement cases, penalised for transferring customer data to its French headquarters without completing a required CAC security assessment or obtaining properly unbundled consent. A second case in the same month penalised a Guiyang company for activating cloud synchronisation that created an unlicensed cross-border data transfer.

The Cybersecurity Law amendments that took effect January 1, 2026 reinforce the framework further, explicitly integrating the CSL with PIPL and the Civil Code as a unified compliance architecture, and increasing maximum fines for severe network security violations to RMB 10 million. The audit standard's evidence requirements mean that companies found in violation will now face a concrete paper trail — and regulators will have a specific 27-category checklist to reference when assessing whether a company met its obligations.

The Bottom Line

The July 2026 TC260 standards are a genuine advance for data subjects in China and, over time, for competitive dynamics in the consumer internet market. That operationalising a portability right took five years reflects real implementation complexity — format standards, inter-controller transfer protocols, and scope definitions are not trivial engineering problems. But the architecture that emerges is distinctly Chinese: state-supervised, audit-mediated, and premised on the government setting the conditions for individual data rights. For multinationals operating across GDPR and PIPL simultaneously, that distinction is not academic. It is the compliance challenge.
