Personal Data Leaks: Rights Under China PIPL 2026
Your Data Leaked in China? Your Rights Under the PIPL (2026 Update) Explained
Short answer: If your personal data is leaked in China, you have the right to demand the data handler immediately stop the breach, notify you of what happened, delete your data, and compensate you for any harm. The primary law protecting you is the Personal Information Protection Law (PIPL), effective since 2021, with key updates and interpretations in 2026. This article explains your rights step-by-step under Chinese law.
1. What Law Protects Your Personal Data in China?
China’s data protection framework is built on three pillars:
- Personal Information Protection Law (PIPL) – The main law, similar to the EU’s GDPR. It applies to any organization handling personal data of people in China.
- Civil Code of the People's Republic of China – Articles 1034–1039 recognize personal information as a civil right. You can sue for damages under tort law.
- Cybersecurity Law – Requires data handlers to take security measures and report breaches.
The 2026 updates to the PIPL (through judicial interpretations and regulatory guidelines) have clarified: (a) what counts as a "data breach," (b) your right to sue without proving fault in certain cases, and (c) higher compensation standards for emotional distress.
2. Step-by-Step: What to Do When Your Data Leaks
Step 1: Confirm It’s a “Data Leak” Under the PIPL
A data leak (or breach) means any unauthorized access, disclosure, destruction, or loss of personal data. Examples:
- Your online shopping account password is stolen.
- Your ID number, phone number, or address is posted online without your consent.
- A company’s database is hacked, and your data is sold on the dark web.
Legal basis: PIPL Article 57 requires data handlers to immediately take remedial measures and notify affected individuals within 48 hours if the breach may cause harm.
Step 2: Demand Immediate Action from the Data Handler
You have the right to:
- Be notified – The handler must tell you: what data was leaked, why, how serious it is, and what they are doing about it.
- Stop the breach – They must shut down the vulnerability (e.g., patch the system, revoke unauthorized access).
- Delete your data – Under PIPL Article 47, you can demand deletion if the processing purpose is fulfilled or if the handler violates the law. A data leak is a clear violation.
- Rectify or erase – If your data is inaccurate or incomplete because of the leak, you can demand correction.
Practical step: Send a written request (email or letter) to the company’s data protection officer. Keep proof of delivery. If you don’t get a response within 15 days, escalate.
Step 3: File a Complaint with Authorities
You can report the leak to:
- The Cyberspace Administration of China (CAC) – The main regulator. File a complaint online at www.12377.cn.
- Local Public Security Bureau (PSB) – If the leak involves a crime (e.g., hacking, identity theft), file a police report.
- Consumer Protection Commission – If the leak happened through a product or service you paid for.
Legal basis: PIPL Article 64 gives regulators power to investigate, fine violators (up to 5% of annual revenue), and order corrective actions.
Step 4: Sue for Compensation
Under the 2026 interpretation of the PIPL, you can sue the data handler for:
- Direct financial losses – e.g., money stolen from your bank account because your password was leaked.
- Emotional distress damages – The 2026 update explicitly allows compensation for anxiety, fear, or reputational harm. Courts now consider factors like the sensitivity of the data leaked (e.g., health records vs. browsing history).
- Punitive damages – If the handler acted maliciously or with gross negligence, the court can award up to 3 times the actual damages.
How to sue: You don’t need a lawyer in small claims court (under 50,000 RMB), but for larger amounts, hire one. The court will consider whether the handler had proper security measures (e.g., encryption, access controls). If they didn’t, they are presumed at fault.
3. Common Questions (FAQ)
Q1: Does the PIPL apply to foreign companies that leak my data?
Yes. PIPL Article 3 says it applies to any organization that processes personal data of people in China, even if the company is outside China. For example, if a US social media platform leaks your data while you’re in China, you can sue in a Chinese court. The 2026 update clarified that “processing” includes collecting data through cookies or tracking while you browse from China.
Q2: What if the data handler doesn’t respond to my demand?
If they ignore your request for 15 days, you can:
- File a complaint with the CAC (they often respond within 30 days).
- Sue directly in court. Under the 2026 interpretation, you can ask the court to order them to delete your data and pay damages. You don’t need to prove the leak caused actual harm – just that it happened.
Q3: Can I get compensation for emotional distress?
Yes, but it’s not automatic. Courts award emotional damages (usually 1,000–50,000 RMB) if you prove:
- The data was sensitive (e.g., medical records, financial info, location history).
- You suffered genuine anxiety or disruption (e.g., you had to change bank accounts, lost sleep).
- The handler’s negligence was severe.
Example: In a 2025 Beijing case, a woman whose facial recognition data was leaked by a shopping mall received 10,000 RMB in emotional damages.
Q4: What if the leak happened through my employer?
Your employer is a “data handler” under PIPL. They must protect your data (e.g., salary, address, health info). If they leak it:
- Under the Labor Contract Law (Article 39), you can terminate your contract without notice if the employer seriously violates your personal rights.
- Under the Civil Code (Article 1039), you can sue for damages. The 2026 update says employers cannot use “work necessity” as an excuse to avoid liability if they failed to secure the data.
4. Important Caveats
- You must act quickly. The statute of limitations for data breach claims under the Civil Code is 3 years from the date you knew or should have known about the leak. After that, you lose the right to sue.
- Proof is critical. Save screenshots, emails, or any evidence of the leak and your communications with the handler. If you can’t prove the leak happened, the court may dismiss your case.
- Not all leaks are compensable. If the handler can prove they had reasonable security measures and the leak was caused by a third party’s criminal act (e.g., a hacker), they may avoid liability. But they still must notify you.
- Small leaks may not be actionable. If only your name and email were leaked, and no harm occurred, courts may award only nominal damages (e.g., 1 RMB). But you can still demand deletion.
5. Your Next Step
If you suspect your personal data has been leaked in China, don’t wait. Start by contacting the data handler in writing. If they don’t respond, file a complaint with the CAC or sue in court. For specific advice tailored to your situation – like whether you have a strong case, how to calculate damages, or how to navigate the complaint process – use our online legal assistant. It can guide you through the steps and help you draft the necessary documents.
Laws and regulations are subject to change and local interpretation. For authoritative answers, consult a licensed lawyer or call 12348 China Legal Services.