As China’s data governance framework continues to develop, privacy officers working with Chinese personal data often raise questions about individual liability. In particular, organisations want to know whether Data Protection Officers (DPOs), who are functionally equivalent to the role required under China’s Personal Information Protection Law (PIPL), face a direct risk of criminal liability when managing compliance obligations. In response to growing questions about criminal exposure, we explore how Chinese data protection laws apply to DPOs in practice and what privacy professionals should know when operating in the Chinese market. 

No direct criminal liability for DPOs 

China’s core data laws, including the PIPL, Data Security Law (DSL) and Cybersecurity Law, place responsibility on organisations to establish internal accountability, including appointing a Personal Information Protection Officer. These laws do not assign criminal liability to DPOs acting in their professional capacity. While Article 52 of the DSL references criminal liability where violations constitute a crime, it does not create new offences that target privacy professionals. 

Rather, enforcement trends in China tend to focus on organisational accountability. Administrative penalties such as rectification orders and fines are typically applied to entities rather than individuals. Personal criminal exposure remains rare and is limited to exceptional cases involving gross misconduct or clear violation of national interests. 

Criminal risk applies only in exceptional circumstances 

Although academic commentary has proposed new criminal provisions for serious data protection failures, no such measures have been adopted. Existing criminal law provisions, such as Articles 285, 286 and 253 of the Criminal Law, apply primarily to unauthorised intrusions, sabotage or the unlawful sale of personal information. These offences are designed to address deliberate harm rather than professional oversight. 

Criminal liability may arise only where an individual intentionally enables data transfers that violate cross-border rules, or where a data incident causes significant harm to national security or public order. Even in these cases, enforcement typically targets corporate officers with clear decision-making power or intent. To date, there is no record of a DPO being criminally prosecuted in China for failures within the scope of their role. 

What this means for privacy officers and compliance teams 

For DPOs and other privacy professionals, the current legal environment presents a low risk of direct criminal liability. Acting in good faith, maintainingrecords and implementing appropriate safeguards are generally sufficient to avoid scrutiny. However, expectations around accountability remain high, and to minimise risk,DPOs should: 

  • Remain alert to regulatory changes and be ready to escalate significant issues internally as required 

  • Maintain clear documentation, including DPIAs, risk assessments and internal escalation records, to demonstrate compliance throughout 

While enforcement remains organisation-focused, individuals may still face internal review or reputational impact if serious non-compliance occurs on their watch. 

Outlook 

As China’s regulatory landscape continues to evolve, DPOs and privacy teams should remain prepared for shifts in enforcement focus and legal interpretation. Emerging guidance, cross-border data restrictions and national security considerations may introduce new compliance expectations, even in the absence of changes to the core legal framework. Proactive engagement, regular internal training and early escalation of emerging risks will help organisations build resilience and maintain accountability as legal obligations develop over time. 

HewardMills supports organisations navigating data protection requirements in China and other high-risk jurisdictions through practical compliance design, internal training, and ongoing risk monitoring that enable privacy teams to respond confidently to regulatory scrutiny.