Last modified 13 February 2026

Data Protection in China

Collection and processing in China

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in China

There is not a single comprehensive data protection law in the People's Republic of China (PRC). Instead, rules relating to personal information protection and data security are part of a complex framework and are found across various laws and regulations. That said, the three main pillars of the personal information protection framework in the PRC are the Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL), and the Data Security Law (DSL).

On June 1, 2017, the CSL came into effect and became the first national-level law to address cybersecurity and data privacy protection. The first amendment to the CSL came into effect on 1 January 2026. The focus of the CSL is on the security of IT infrastructure and network systems hosted in the PRC, with the aim of ensuring that personal information is processed in a secure cyber environment. Core security requirements are implemented via the multi-level cybersecurity protection regime (MLPS).

The DSL came into force on September 1, 2021, and focuses on data security across a broad category of data (not just personal information).

Most significantly, the PIPL came into effect on November 1, 2021. The PIPL is the first comprehensive, national–level personal information protection law in the PRC. The PIPL does not replace – but instead enhances and clarifies – earlier personal information laws and regulations.

In addition to the PIPL, CSL and DSL, the following form the backbone of general personal information protection framework currently in the PRC:

The Measures for the Security Assessment of Outbound Data Transfers, effective from September 1, 2022;
The Measures for the Standard Contract for the Outbound Transfer of Personal Information, effective from 1 June 2023; and
The Regulations on Facilitating and Regulating the Cross–border Data Transfers, effective from 22 March 2024;
The Network Data Security Management Regulation, effective from 1 January 2025;
The Measures for the Administration of Personal Information Protection Compliance Audits, effective from 1 May, 2025;
The Measures for the Administration of the Reporting of Cybersecurity Incidents, effective from 1 November, 2025; and
The Measures for the Certification of the Outbound Transfer of Personal Information, effective from 1 January 2026.

In recent years, there has also been an abundance of implementing regulations and guidelines (herein referred to as Guidelines) proposed, issued or revised to flesh out the essentials and concepts introduced under the personal information protection framework. These include, non-exhaustively:

National Standard of Information Security Technology – Personal Information Security Specification (PIS Specification), as amended and effective from October 1, 2020;
National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment, effective from June 1, 2021;
National Standard of Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing, effective from December 1, 2023;
Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong), effective from 10 December 2023;
Guidelines on the Filing of Standard Contracts for the Outbound Transfer of Personal Information (Second Edition), effective from 22 March 2024;
National Standard of Data Security Technology – Rules for Data Classification and Grading, effective from March 21, 2024;
Guidelines on Application of Security Assessment of Cross-border Data Transfers (Third Edition), effective from 27 June, 2025; and
Data Security Technology – Security Requirements for Processing of Sensitive Personal Information, effective from 1 November, 2025.

In addition to all of the above:

provisions found in laws such as the Tort Liability Law have generally been used to interpret data protection rights as a right of reputation or right of privacy. However, such interpretation is not explicit. The PRC Civil Code, effective on January 1, 2021 further reinforces the statutory right of privacy for individuals and establishes data protection principles; and
provisions contained in other laws and regulations may also apply depending on the industry or type of information involved (for example, personal information obtained by financial institutions and e-commerce businesses, personal information collected by telecom or Internet service / content providers, healthcare and genetic information, etc.). Applicability of other laws or regulations (including provincial level laws), such as the PRC Criminal Law, PRC E-Commerce Law, PRC Consumer Rights Protection Law, PRC Anti-Money Laundering Law and the new local data laws at a provincial level will invariably depend on the factual context of each case and further independent analysis is recommended.

Given the personal information protection framework is still evolving, and further regulations accompanying the new PIPL and DSL are anticipated to be published in the coming months, it is recommended that organizations continue to monitor the developments of the PRC data protection regulatory framework.

Extra-territorial scope

The PIPL has extra–territorial effect, and applies both to:

data processing activities within the PRC; and
processing of PRC residents' data outside of PRC where:
- for the purposes of providing products or services to PRC residents;
- for analytics or evaluation of behavior of PRC residents; or
- for any other reasons as required by law or regulations.

The PIPL applies to both the public and private sectors.

Related resources

Definitions

Definitions in China

Definition of personal information

The PIPL defines personal information as any kind of information relating to an identified or identifiable natural person, either electronically or otherwise recorded, but excluding information that has been anonymized.

Definition of sensitive personal information

The PIPL defines sensitive personal information as information that, once leaked or illegally used, will easily lead to infringement of human dignity or harm to the personal or property safety of a natural person, including (but not limited to):

biometric data;
religion;
specific social status;
medical health information;
financial accounts;
tracking / location information; and
minors' data.

That said, under the Data Security Technology – Security Requirements for Processing of Sensitive Personal Information (effective from 1 November, 2025), when assessing whether certain personal information constitutes sensitive personal information, data controllers must now focus more on the processing context, and the impact of the processing activities on data subjects, rather than referring to any prescribed lists of sensitive personal information. As such, going forward a case-by-case analysis may be required to identify sensitive personal information.

Definition of network data

The Network Data Regulation governs electronic data processed and generated via networks (“network data”) and applies to all processing of network data within the PRC. A “network” means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. So, in practice, this captures all electronic data processed or generated online (including personal information and non-personal information).

Definition of data controller and data processor

Under the PIPL, a party that determines the purposes and means of processing personal information is referred to as the "personal information processor". It is equivalent to the concept of "data controller" as defined under the EU GDPR.

A party that processes personal information on behalf of a personal information processor is referred to as an "entrusted party". It is equivalent to the concept of "data processor" as defined under the EU GDPR.

For ease of reference, we will use "data controller" and "data processor" in the relevant discussion.

Related resources

Authority

National data protection authority in China

The PIPL clarified that the Cyberspace Administration of China (CAC) is primarily responsible for the overall planning and coordination of personal information protection and related supervision. In addition, various other legislative and administrative authorities have jurisdiction over certain aspects of personal information protection regulation or enforcement, such as:

Ministry of Public Security (with a focus on investigating and combating cyber crimes involving personal information breaches);
Ministry of Industry and Information Technology (with a focus on the regulation of online services in connection with which personal information is processed);
State Administration for Market Regulation (with a focus on handling complaints from data subjects); and
Ministry of Science and Technology (with a focus on the regulation of biometric data).

Sector-specific regulators, such as the People's Bank of China or the China Banking and Insurance Regulatory Commission, may also monitor and enforce data protection issues of regulated institutions within their sector.

Related resources

Registration

Registration in China

While generally there is not an overarching requirement for data controllers to register their processing activities with the data protection authority, there are mandatory CAC filings for some data controllers and some processing activities, for example:

a data controller who in total processes more than 10 million data subjects' personal information must appoint a DPO and register DPO related information with the CAC; and
If a data controller processes any personal information of minors, it must conduct an annual compliance audit and report the audit results to the CAC.

There are also some registration/ filing requirements in respect of cross-border transfers (see Cross Border Transfers) and for certain regulated data categories (such as human genetic resource data).

Related resources

Data protection officers

Data protection officers in China

A data controller who in total processes more than 10 million data subjects' personal information must appoint a Data Protection Officer (DPO), and register a series of information about the DPO (e.g. name, contact information, appointment letter, etc.) and the data controller's main processing activities to the CAC via an online portal.

If a data controller processes in a foreign jurisdiction the personal information of Chinese residents for the purposes of providing products or services to the data subjects or for assessing or analyzing their behaviors (i.e. where the data controller triggers the extra-territorial effect of the PIPL), the data controller must appoint a local representative in China and report information about the representative to the CAC. Details of how the representative information should be registered is awaited.

Related resources

Collection and processing

Collection and processing in China

Notice

A data controller must provide data subjects with a privacy notice, including at least the following information:

the name and contact information of the data controller;
the categories of personal information processed;
where sensitive personal information is processed, the specific categories of sensitive personal information must be highlighted and the data subjects must be informed of how the processing may affect their rights and interests;
the processing purposes;
the types of data processors engaged by the data controller;
the following details about each separate data controller and each overseas recipient: name, contact information, categories of personal information shared and the processing purposes;
measures implemented to protect personal information, storage location and retention period;
rights of the data subjects, and mechanisms via which data subjects may exercise their rights; and
other details as required by the PIPL.

There are additional notice and transparency requirements applicable to the processing conducted in mobile applications.

The information in the privacy notice must be true, accurate and complete. The contents of the privacy notice must be clear and easy to understand. The privacy notice should be made available to the data subjects before the processing occurs. Data subjects should be notified of changes to a privacy notice and (depending on the extent of changes made) further consent may need to be obtained.

Consent and other lawful bases

The primary lawful basis for processing personal information is explicit, opt-in consent.
There are alternative lawful bases available under the PIPL, including:

the processing is necessary for entering into or fulfilling a contract where the data subject is a named party;
the processing is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded;
the processing is necessary for fulfilling legal obligations;
the processing is necessary for protecting the interests of natural person during any public health emergency or otherwise responding to a public health emergency, or in an emergency to protect the safety of natural persons’ health and property;
the processing is necessary for carrying out news reporting and public opinion monitoring for public interests;
the personal information being processed is already made public legally and the processing is within the reasonable scope and in accordance with the requirements of the PIPL; and
the processing is to comply with another PRC law.

However, in practice, it is unclear how the "necessity" element in these alternative lawful bases should be assessed. Thus, consent remains the primary lawful basis, and it is anticipated this will continue in practice.
Where a data controller relies on consent as the lawful basis, it must obtain:

the express and informed consent from the data subject before personal information can be collected, used, transferred or otherwise processed. Implied consent is invalid; and
the separate consent of the data subject (e.g. by using separate consent tick boxes) before conducting certain processing activities, namely:

- processing sensitive personal information;
- overseas transfers of personal information;
- public disclosure of personal information;
- providing personal information to a separate data controller for processing; and
- use of image or identification data collected in public through image or identification device for purposes other than maintaining public security.

Processing

Collection and processing of personal information must be directly related to the purpose of processing specified in the privacy notice. Excessive data collection must be avoided.

Appropriate technical (e.g. encryption and de-identification) and organizational (e.g. access control) measures must be implemented to protect the security and confidentiality of personal information.

Before personal information is provided to any third party, the data controller must assess the role of the third party (a controller or a processor), and sign an appropriate data processing agreement with the third party.

Personal information must be deleted or anonymized after the processing purposes are achieved or cannot be achieved, unless a longer retention period is permitted or required by law.

Impact assessment and record-keeping

The PIPL requires data controllers to undertake personal information protection impact assessments (PIPIA), and to retain the results and processing records (for at least three years), in the following circumstances:

processing of sensitive personal information;
using personal information to conduct automated decision-making;
appointing a data processor;
providing personal information to any third party (likely to include sharing with group companies);
public disclosure of personal information;
overseas transfer of personal information; and
any other processing activities that may have "significant impact to an individual".

Details on the requirements for undertaking a PIPIA are set out in the National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment (effective from June 1 2021).

Compliance audit

A data controller processing personal information of more than 10 million data subjects must conduct a self-initiated compliance audit of its processing activities at least once every two years. Data controllers below this volume threshold should still conduct self-initiated audits on a regular basis, although the frequency is not prescribed by law. It is not mandatory to submit the reports of such self-initiated audits to the CAC.

The CAC may instruct any data controller to engage a qualified third party to conduct an audit, if the processing activities are found to involve significant risks or infringe upon the rights and interests of a large number of individuals, or if significant data incidents have occurred. The reports of such CAC-ordered audits will be reviewed by the CAC.

The Measures for the Administration of Personal Information Protection Compliance Audits (effective from 1 May, 2025) set out more than one hundred audit points that data controllers should refer to when carrying out compliance audits.

Related resources

Transfer of personal data

Transfer of personal data in China

If a data controller wishes to share, disclose or otherwise transfer any personal information to a third party (including group companies), the data controller must:

if the third party is a separate data controller, inform the data subject of the purposes of the sharing, disclosure or transfer of the personal information the types of data shared, the name and contact information of the recipient, and obtain prior separate consent from the data subject;
perform a personal information protection impact assessment (PIPIA), and take effective measures to protect the data subjects according to the assessment results (e.g. putting in place a data transfer agreement or similar contractual protections) (see Collection & Processing)
record accurately and keep the information in relation to the sharing, disclosure or transfer of the personal information, including the date, scale, purpose and basic information of the data recipient of the sharing or assigning;
ensure personal information is only transferred where required for processing purposes; not share or transfer any personal biometric information or other types of particularly sensitive personal information where prohibited under relevant laws or regulations; and
ensure contractual measures are entered into to require the data processor to comply or assist the data controller in complying with obligations under data protection laws.

Cross-border transfers

Most personal information can be transferred or accessed outside of the PRC providing the following compliance steps are taken:

the data controller has completed one of the following mechanisms to legitimize overseas data transfer, unless the transfer is exempted from such requirement - for details please see below:
- the data controller has passed a CAC security assessment;
- the data controller has obtained certification from a CAC-accredited agency; or
- the data controller has put in place CAC standard contractual clauses (SCCs) with the data recipient and filed the signed SCCs with the local CAC together with a cross-border transfer specific PIPIA report;
the data controller has adopted necessary measures to ensure the data recipient's data processing activities comply with standards comparable to those set out in the PIPL. In practice this means initial due diligence, sufficient contractual protections and ongoing monitoring etc.;
notice and separate, explicit consent has been given / obtained from the data subjects (see Collection & Processing); and
a PIPIA has been conducted (see Collection & Processing).

1. Exempted Transfers

According to the Regulations on Facilitating and Regulating the Cross–border Data Transfers, the following cross-border data transfers are exempted from having to follow any one of the legitimising mechanisms above ("Exempted Transfers”):

Collection outside of PRC the personal information being transferred outside of PRC was originally collected and generated outside of PRC and thereafter imported back into PRC, and the processing of such personal information within PRC does not involve any personal information or important data that is collected from or generated in PRC;
Cross-border HR management: the transfer is necessary for implementing cross-border human resource management in accordance with legally formulated employment policies and procedures or legally executed collective contracts;
Cross-border contract: the transfer is necessary for concluding or performing a contract between the data subject and the data controller (e.g. those contracts that relate to cross-border shipping, logistics, remittance, payments, bank account opening, flight and hotel booking, visa applications, examination services etc.); or
Emergency situation: the transfer is necessary for protecting the life, health or property security of any natural person under emergency circumstances.

Exempted Transfers 2 (cross-border HR management) and 3 (cross-border contracts) above rely on a “necessity” test. This means the data controller must prove that the cross-border data transfer is necessary in order for the exemption to apply. However, it remains unclear as to what would constitute a necessary basis for the cross-border transfer of personal information.

After carving out all the Exempted Transfers, the data controller shall determine the applicable mechanisms to legitimise the remainder of the personal information to be transferred (i.e. excluding the exempted personal information) as follows:

2. CAC security assessment

According to the Regulations on Facilitating and Regulating the Cross–border Data Transfers, a CAC security assessment is required for data controllers who meet any of the following thresholds:

a data controller intends to transfer any "important data" overseas;
a critical information infrastructure operator (CIIO) intends to transfer any personal information overseas;
a data controller intends to transfer non-sensitive personal information of more than 1,000,000 data subjects overseas since 1 January of the year when the calculation is conducted; or
a data controller intends to transfer sensitive personal information of more than 10,000 data subjects overseas since 1 January of the year when the calculation is conducted.

The CAC security assessment involves the data controller completing a self–assessment of its cross-border data transfers, which must then be submitted for approval by both the local and national CAC. It primarily assesses the impact of overseas transfers on national security, public interest, and the legitimate rights and interests of individuals or organisations. The Guidelines on Application of Security Assessment of Cross-border Data Transfers (Third Edition) (effective from 27 June, 2025) provide detailed guidance on how to prepare the application materials.

If the CAC security assessment is passed, the data controller will be granted a written approval. Such approval will be valid for 3 years and could be extended for another 3 years upon approval by both the local and national CAC, provided the data controller has made no change to its previously approved cross-border transfers.

3. China SCCs

According to the Regulations on Facilitating and Regulating the Cross–border Data Transfers, a China SCCs filing with the CAC is required for data controllers who meet any of the following thresholds:

a data controller intends to transfer non-sensitive personal information of between 100,000 and 1,000,000 data subjects overseas since 1 January of the year when the calculation is conducted; or
a data controller intends to transfer sensitive personal information of fewer than 10,000 data subjects overseas since 1 January of the year when the calculation is conducted.

For PRC data controllers that must follow the China SCCs filing route, they must put in place the China SCCs with the overseas data recipient, and then within 10 working days after the effectiveness of the China SCCs file a copy of the signed SCCs together with the corresponding PIPIA with the local CAC.

The Measures for the Standard Contract for the Outbound Transfer of Personal Information and the Guidelines on the Filing of Standard Contracts for the Outbound Transfer of Personal Information (Second Edition) provide clarification on how the SCCs may be implemented by data controllers as one of the mechanisms for overseas data transfer under the PIPL, how to prepare the corresponding PIPIA by using the standard template formulated by the CAC and the procedures for filing the signed SCCs and the PIPIA report.

4. CAC certification

According to the Measures for the Certification of the Outbound Transfer of Personal Information, from 1 January 2026, data controllers who should go through the China SCCs to legitimise their cross-border transfers will have the option of obtaining certification instead. However, as the certification requirements and standards are not yet fully established, and there is uncertainty about how a certification institution's approach may affect the certification results, many data controllers are still adopting a relatively cautious attitude towards this option.

5. Transfer of personal information within the Greater Bay Area

Given the close integration of cities within the Guangdong–Hong Kong–Macao Greater Bay Area (GBA), and that data flows between Hong Kong and other cities within the GBA are becoming increasingly frequent, the CAC and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (ITIB) and Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) together formulated the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong– Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (GBA SCCs).

In addition to complying with other general data protection requirements (e.g. notice, consent and impact assessment, etc.) if the data controller and the data recipient are registered in Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing or Hong Kong SAR, they may consider signing the GBA SCCs to legitimize the transfer and file the signed GBA SCCs with the Guangdong CAC and PCPD.

6. Free Trade Zone rules

The Regulations on Facilitating and Regulating the Cross–border Data Transfers provides that Free Trade Zones (FTZs) have the authority to create their own lists of data, the cross-border transfer of which may require CAC security assessment, China SCCs or CAC certification.

Between 2024 and 2025, FTZs in Tianjin, Beijing, Fujian, Shanghai, Jiansu, Chongqing, Zhejiang, and Hainan each published its own "positive data list" or "negative data list" and also set out rules for handling cross-border transfers of data falling into or outside of the lists. In general, FTZs have relatively large discretion when implementing the rules, which may make case by case negotiations with the FTZs necessary.

Transfers to overseas judicial or law enforcement authorities

If an individual or organization wants to provide any data stored in the PRC to an overseas judicial or enforcement authority, it must obtain the approval of the Ministry of Justice in advance.

Related resources

Security

Security in China

According to the CSL, DSL and PIPL, organizations must keep personal information confidential and establish a data security management system. This includes taking appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorized or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data. Security measures must be deployed, as prescribed by the CSL and DSL and their underlying measures, guidelines and technical standards. The PIPL includes a specific obligation on data controllers to adopt corresponding encryption or deidentification technologies, and to adopt access controls and training.

Systems should also be established to handle complaints or reports about personal information security, publish the means for individuals to make such complaints or reports, and promptly handle any such complaints or reports received. Organizations must conduct mandatory data / cyber security training.

Additional security safeguards must be applied to processing of sensitive personal information and organizations deemed CIIOs. Under the current regulatory approach, industry regulators will identify which organisations within their industry are CIIOs.

The CSL implemented a multi-level protection scheme (MPLS) for cybersecurity protection of information systems hosted in the PRC. Information systems are classified into 5 tiers and the security standard goes higher from tier 1 to tier 5. Organizations should conduct a self-evaluation and determine the tier(s) to which their information systems belong, based on relevant laws, regulations and guidelines. Filing to the Public Security Bureau is required and, in certain circumstances, assessment by accredited third party may also be required, depending on the determined tier level of a respective information system. Further national standards and guidelines have been published to provide further details and requirements on the process and technical aspect of the tiered system.

The DSL proposes introducing a similar tiered-security scheme for classification of data in due course.

The National Standard of Data Security Technology - Rules for Data Classification and Grading, effective from March 21, 2024, provides the principles and methods for data classification and grading. It classifies data into three grades: general data, important data, and core data.

Additionally, industrial regulators in each sector are working on issuing the data classification and grading scheme in the relevant sectors. In particular:

the Ministry of Industry and Information Technology recently issued the Measures for Data Security Management in the Industrial and Information Technology Sector (for Trial Implementation) (MIIT Measures) which came into force on January 1, 2023.
the Ministry of Natural Resources issued the Administrative Measures for Data Security in the Field of Natural Resources which came into effect on March 22, 2024.
the Ministry of Finance and the Cyberspace Administration of China issued the Interim Measures for the Administration of Data Security for Accounting Firms which came into effect on October 1, 2024.
the Civil Aviation Administration of China published the Requirements for Classification and Grading of Civil Aviation Data, which came into effect on 1 August, 2025.
the CAC published the Guidelines for the Classification and Grading of Financial Information Service Data to solicit public opinions until 23 February, 2026.
the Guidance for the Secure Cross-Border Transfer of Automotive Data (2026 Edition), which came into effect on 3 February, 2026.

If a data controller appoints a data processor to process personal information on its behalf, the data controller should ensure sufficient measures are adopted by the data processor to protect the personal information: for example, to conduct due diligence and regular audits on data processor to ensure the data processor adopts sufficient and adequate security measures; and put in place an appropriate data processing agreement with the data processor.

Related resources

Breach notification

Breach notification in China

Breach notification requirements are contained in the CSL, DSL and PIPL, and should be read together. "Network security incidents" that are notifiable are defined by reference to seven categories of different incident types, in particular:

Malicious program incidents;
Network attack incidents;
Data security incidents;
Information content security incidents;
Equipment and facility failure incidents;
Operational violation incidents;
Security risk incidents;
Abnormal behavior incidents;
Force majeure incidents; and
Other cyber incidents.

Guidelines set out other factors that should be considered whether a network security incident is potentially reportable.

The requirements for reporting incidents are complex. For example, under the PIPL, the data controller has the obligation to report an incident to the local CAC and the affected data subjects. The only exemption is that, if the controller believes that sufficient measures have been implemented to effectively avoid any harm to data subjects and public interests, it may decide not to notify the data subjects. However, the CAC may veto this decision and request that the controller notify the data subjects. In practice, there are complicated factors that data controllers should consider before submitting any formal reports to the CAC or the data subjects.

The Administrative Measures for Network Security Incident Reporting (“Measures“), which provide further guidance on when and how to report network security incidents under existing laws such as the CSL, the DSL and the PIPL. The Measures took effect on 1 November 2025.

The Measures for the Administration of the Reporting of Cybersecurity Incidents (effective from 1 November, 2025) further classify incidents as particularly significant incidents, significant incidents, major incidents or general incidents. Different reporting requirements are set out for different categories of incidents, with the shortest reporting deadline set as within four hours of becoming aware of it.

Related resources

Enforcement

Enforcement in China

Possible enforcement of, and sanctions for, a data protection breach in the PRC will depend on the specific data protection laws and regulations breached. Sanctions in relation to data protection breaches are scattered across various different laws and regulations, and the measures described below may not be comprehensive in all situations, as additional laws or regulations may be applicable depending on the industry or type of information at hand.
Taking the PIPL by way of example, it provides a range of sanctions, including (inter alia):

enforcement notices and warnings;
administrative fines of up to (for the most serious offences) 5% of the previous year's annual revenue (unclear if local or global revenue) or up to RMB million, and confiscation of unlawful income. Note the PIPL imposes much higher fines than under other existing data privacy regulations);
cessation of processing;
suspension of apps and / or services;
suspension of business;
suspension of management / officials' role;
criminal sanctions (for certain offences, and under relevant criminal laws);
civil claims; and
social credit score or equivalent business credit files may be affected.

While the PIPL has now introduced higher fines, we anticipate that in practice the operational and contractual risks faced by organisations not complying with the PRC's data privacy framework - alongside increasing reputational risks - remain very significant and should be managed very carefully.

Related resources

Electronic marketing

Electronic marketing in China

Direct marketing by electronic means is only possible if the targeted consumers have explicitly consented to receiving such messages either at the time their electronic address / mobile phone number was collected or at a later time.

Specific information must be stated in each electronic message: for example, the identity of the entity sending the message, and a mark identifying "Guang gao" (which means advertisement in Chinese) or "AD" on a direct marketing message.

There are also specific rules applicable to direct marketing by text messages (SMS), and certain specific prescribed information must be provided to data subjects at the time their mobile phone number was collected or prior to sending direct marketing text messages.

Related resources

Online privacy

Online privacy in China

The general compliance obligations applicable to processing of personal information under the PIPL apply to the online (and offline) environments. In addition, the PIPL imposes additional compliance obligations on organisations that fall into one of the following categories:

"important internet platform providers";
data controllers processing data of a "large volume of users"; or
"complex businesses".

It is still unclear which organisations would fall within these categories, but these organisations must comply with additional measures when processing personal information, namely:

set up personal information protection compliance mechanisms;
set up external independent data protection organisations to supervise data protection mechanisms;
establish platform regulations;
establish and publish processing obligations and processing rules that regulate products and service providers in an open and fair manner;
stop the provision of products or service providers if they violate the law or regulations as regards processing of personal information; and
publish from time to time social responsibility reports as regards processing of personal information.

In terms of automated–decision making and profiling:

analytics or evaluation based on computer programme around behavior, interests, hobbies, credit information, health or decision making activities, must be transparent, open and fair, and should not apply any differential treatment between individuals; and
any push information or business marketing should not be directed to an individual's character and should provide individuals with a convenient way to opt out.

There are also additional requirements for the following types of operators:

“Large Scale” Personal Information Handlers

The Network Data Regulation requires a network data handler who processes personal information of more than 10 million data subjects to:

appoint a network data security officer (who shall be a member of senior management) and establish a network data security management department; and
if the security of network data may be affected by a network data handler’s M&A, corporate reorganization, dissolution, bankruptcy or other similar events, the handler must take measures to ensure data security, and report information regarding the data recipients and related matters to the relevant industry regulator and/or data authority at provincial level or above.

Online Platform Operators

The Network Data Regulation emphasizes existing obligations on online platform operators (that is, operators of websites, mobile apps, etc.) to monitor and supervise data processing activities carried out by the users or third parties via their platforms. For example:

platform operators must formulate rules and put in place effective contracts with third parties residing on the platform to clarify data protection obligations and responsibilities; and
app store operators must conduct security assessments of the applications distributed via their stores, and remove non-compliant applications if the compliance gaps cannot be effectively remediated.

Notably, the Network Data Regulation now extends the definition of online platform operators to manufacturers of smart terminal devices with pre-installed applications (such as mobile phone and smart home product manufacturers), and requires them to comply with online platform operators’ obligations in addition to hardware manufacturers’ obligations.

The Network Data Regulation also introduces a definition of “large scale network platforms” as online platforms which have more than 50 million registered users or more than 10 million monthly active users, offer complex types of services, and may have significant impact on national security, economy and people’s livelihood. The Regulation further provides that large scale network platform operators are subject to additional obligations such as publishing an annual social responsibility report discussing how personal information protection matters are handled, and implementing measures to prevent unfair competition conducted via the platforms, etc.

As well as the PIPL, the CSL, Consumer Protection Law and E–Commerce Law offer protection to consumer / user personal information. As well as personal information protection, under these rules data controllers should strengthen management of information provided by users, prohibit the transmission of unlawful information and take necessary measures to remove any infringing content, then report to supervisory authorities. Sufficient notice and adequate consent should be obtained from data subjects prior to the collection and use of personal information. Further obligations are imposed on mobile apps providers including but not limited to conducting real–name identification, undertaking information content review.

In recent years, the regulators have also issued a range of guidelines targeting mobile app providers. These guidelines introduce specific data protection and privacy obligations aiming to regulate the data collection practices and processing activities of mobile app providers. There has also been a crackdown against (suspected) non–compliant mobile apps. Organisations are advised to review their app compliance as a matter of priority.

Data subject rights (under the PIPL and other laws within the personal information framework), include rights to access and obtain information about their data held and processed, to correct their data, to request deletion of data in the event of a data breach, to object to automated decision–making and to de–register their account etc. Most importantly is the right to withdraw consent to personal information processing.

There are currently no specific requirements regarding cookies within existing laws or regulations in the PRC. However, the use of cookies and / or similar tracking technologies, to the extent they constitute processing of personal information, should be notified to data subjects as part of a privacy policy and adequate consent should be obtained from data subjects for such use.

Related resources

Key contacts

Data protection lawyers in China

Carolyn Bigg

Partner

Global Co-Chair Data, Privacy and Cybersecurity Group

DLA Piper

Hong Kong

Email Full bio

Amanda Ge

Of Counsel

DLA Piper

Beijing

Email Full bio

Notice

A data controller must provide data subjects with a privacy notice, including at least the following information:

the name and contact information of the data controller;
the categories of personal information processed;
where sensitive personal information is processed, the specific categories of sensitive personal information must be highlighted and the data subjects must be informed of how the processing may affect their rights and interests;
the processing purposes;
the types of data processors engaged by the data controller;
the following details about each separate data controller and each overseas recipient: name, contact information, categories of personal information shared and the processing purposes;
measures implemented to protect personal information, storage location and retention period;
rights of the data subjects, and mechanisms via which data subjects may exercise their rights; and
other details as required by the PIPL.

There are additional notice and transparency requirements applicable to the processing conducted in mobile applications.

Consent and other lawful bases

The primary lawful basis for processing personal information is explicit, opt-in consent.
There are alternative lawful bases available under the PIPL, including:

the processing is necessary for entering into or fulfilling a contract where the data subject is a named party;
the processing is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded;
the processing is necessary for fulfilling legal obligations;
the processing is necessary for protecting the interests of natural person during any public health emergency or otherwise responding to a public health emergency, or in an emergency to protect the safety of natural persons’ health and property;
the processing is necessary for carrying out news reporting and public opinion monitoring for public interests;
the personal information being processed is already made public legally and the processing is within the reasonable scope and in accordance with the requirements of the PIPL; and
the processing is to comply with another PRC law.

the express and informed consent from the data subject before personal information can be collected, used, transferred or otherwise processed. Implied consent is invalid; and
the separate consent of the data subject (e.g. by using separate consent tick boxes) before conducting certain processing activities, namely:

- processing sensitive personal information;
- overseas transfers of personal information;
- public disclosure of personal information;
- providing personal information to a separate data controller for processing; and
- use of image or identification data collected in public through image or identification device for purposes other than maintaining public security.

Processing

Collection and processing of personal information must be directly related to the purpose of processing specified in the privacy notice. Excessive data collection must be avoided.

Personal information must be deleted or anonymized after the processing purposes are achieved or cannot be achieved, unless a longer retention period is permitted or required by law.

Impact assessment and record-keeping

processing of sensitive personal information;
using personal information to conduct automated decision-making;
appointing a data processor;
providing personal information to any third party (likely to include sharing with group companies);
public disclosure of personal information;
overseas transfer of personal information; and
any other processing activities that may have "significant impact to an individual".

Quick links

Data Protection in China

Collection and processing in China

Notice

Consent and other lawful bases

Processing

Impact assessment and record-keeping

Compliance audit

Continue reading