China
International Regulations
Personal Information Protection Law of the People’s Republic of China 2021 (PIPL)
中华人民共和国个人信息保护法
Highlights
Territorial Scope:
The PIPL applies to activities of handling the personal information of natural persons within the borders of the People’s Republic of China (the “PRC”). It also applies when the handling activities occur outside the borders of the PRC:
- Where the purpose is to provide products or services to natural persons inside the PRC;
- To analyze or assess the activities of natural persons inside the PRC; or
- In other circumstances which may be provided in laws or administrative regulations.
Of note, the PIPL applies to PI handling related to natural persons within the borders of the PRC and, as a result, is not limited to citizens of the PRC. The PIPL also includes a catch-all provision that allows for laws and regulations to supplement the application of the PIPL to cover other PI handling activities not originally listed.
2021 PIPL Applicability:
The PIPL applies to Personal Information (“PI”) Handlers. This term refers to organizations and individuals that, in PI handling activities, autonomously decide the handling purposes and handling methods. The PIPL does not apply to the handling of PI by natural persons for personal or family affairs. PI handling includes, without limitation, the collection, storage, use, processing, transmission, provision, disclosure and deletion of PI.
PI is defined as all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.
Lawfulness of Processing:
PI Handlers may only handle PI where:
- The PI Handler has obtained the individual’s consent;
- Necessary to conclude or fulfill a contract in which the individual is a contracting party or as necessary to conduct human resources management according to applicable labor laws and regulations and the provisions of the applicable contract;
- Necessary to fulfill statutory duties or obligations;
- Necessary to respond to sudden public health incidents or to protect the lives and health of natural persons or the security of their property in emergency circumstances;
- The PI handling is within a reasonable scope to implement news reporting, public opinion supervision or polling, and other such activities for the public interest;
- The PI handling relates to PI disclosed by the persons themselves or otherwise already lawfully disclosed, and the handling is within a reasonable scope in accordance with the PIPL; or
- In other circumstances which may be provided in laws or administrative regulations.
Obligations:
Prior to handling PI, PI Handlers must explicitly notify individuals of:
- The organizational or personal name and contact method of the PI Handler;
- The purpose of the PI handling and handling methods, the categories of handled PI, and the retention period;
- The methods and procedures for individuals to exercise their rights provided in the PIPL; and
- Other items that laws and administrative regulations provide shall be notified.
If any of the above matters changes, the PI Handler must inform the individuals of the change.
Additionally, PI Handlers have obligations related to:
- Retaining PI for the shortest period necessary to realize the purpose of the PI handling.
- Entering into agreements with entrusted parties that detail, among other things, the purpose of the entrusted handling, the time limit, the handling method, the categories of PI, the protection measures, and the rights and duties of both sides. The PI Handler remains responsible for supervising the activities of the entrusted party, which is obligated to handle the PI in accordance with the agreement.
- Where PI Handlers need to transfer PI due to a merger, division, dissolution, bankruptcy or other reasons, notifying the individuals of the organization or personal name and contact information of the recipient of the transferred PI, and obtaining individuals’ consent on any change of original handling purpose and method.
- When providing PI to any other PI Handler, obtaining the individuals' consent and notifying them of the organizational or personal name and contact information of the PI recipient, the handling purpose and method, and the PI categories.
- Where PI Handlers use PI to conduct automated decision-making, guaranteeing the transparency of the decision-making as well as the fairness and justice of the handling results.
- Where PI Handlers conduct information push delivery or business marketing to individuals through automated decision-making processes, providing to the individuals an option to not target an individual’s personal characteristics, or a convenient means to refuse.
- For the handling of PI of minors under the age of 14, obtaining the consent of the minor’s parent or guardian and formulating specialized PI handling rules.
Obligations for the Cross-Border Provision of PI:
Where PI Handlers truly need to provide PI outside the borders of the PRC for business or other requirements, they must meet one of the following conditions:
- Pass a security assessment organized by the Cyberspace Administration of China;
- Undergo PI protection certification conducted by a professional body pursuant to the regulations of the Cyberspace Administration of China;
- Enter into an agreement with the foreign recipient using standard contracts promulgated by the Cyberspace Administration of China; or
- Other conditions prescribed by law, administrative regulation, or the Cyberspace Administration of China.
Moreover, the PI Handler must adopt necessary measures to ensure that the foreign recipient’s handling activities meet the standard of PI protection provided in the PIPL. PI Handlers must notify individuals of the foreign recipient’s organizational or personal name, contact method, handling purpose, handling methods and PI categories, and of the procedures for the individual to exercise their rights under the PIPL against the foreign recipient, and must obtain the individuals’ separate consent.
Security Obligations:
PI Handlers must:
- Establish internal policies and procedures;
- Establish practices for the classification of PI;
- Adopt technical security measures such as encryption and de-identification;
- Determine the reasonable operational limits for PI handling;
- Conduct regular security education and training for employees;
- Establish PI security incident response plans;
- Adopt other measures as required in other laws and administrative regulations;
- If handling PI reaches quantities as set forth by the Cyberspace Administration of China, appoint PI protection officers responsible for supervising PI handling activities and protection measures;
- For PI Handlers outside the borders of the PRC, establish a dedicated entity or appoint a representative within the borders of the PRC responsible for matters related to the PI they handle;
- Regularly engage in compliance audits of their PI handling with applicable laws and administrative regulations;
- Conduct a PI protection impact assessment [1] if:
  - Handling sensitive PI;
  - Using PI to conduct automated decision-making;
  - Entrusting PI handling, providing PI to other PI Handlers, or disclosing PI;
  - Transferring PI overseas; or
  - Otherwise handling PI in a way that will have a major impact on the rights and interests of individuals.
- If a PI leak, distortion, or loss occurs or might have occurred, immediately adopt remedial measures, notify the government authorities fulfilling PI protection duties and responsibilities, and notify the affected individuals of:
  - The PI categories that are or may be impacted;
  - The causes and possible harm;
  - The remedial measures taken by the PI Handler as well as measures the individuals can adopt; and
  - The contact method of the PI Handler.
- Notification of individuals is not required where the PI Handler has adopted measures that are able to effectively avoid the harm created by the leak, distortion, or loss.
Individuals’ Rights [2]:
An individual has the following rights with respect to the handling of their own PI:
- The right to be informed;
- The right to decide;
- The right to restrict or deny another person from handling their PI;
- The right to access and copy;
- The right to transfer PI to specified PI Handler;
- The right to correct and supplement inaccurate or incomplete PI;
- The right to request deletion of PI;
- The right to an explanation of the PI handling rules; and
- Where a PI Handler’s use of automated decision-making may have a major impact on the rights and interests of an individual, the right to require the PI Handler to explain the matter and the right to refuse decisions made by the PI Handler solely through automated decision-making methods.
Potential Penalties:
Government authorities may order the correction of PI handling deficiencies, confiscate unlawful gains, and order the suspension or termination of service provided by the programs unlawfully handling PI.
Where the PI Handler refuses to make corrections, the government authorities may issue a fine of not more than one (1) million Yuan and persons directly in charge and other directly liable persons are to be fined between 10,000 and 100,000 Yuan.
Where the above unlawful acts give rise to grave circumstances, the government authorities may also impose a fine of not more than fifty (50) million Yuan or 5% of previous year's turnover. The government authorities may also order the suspension of related business activities or the cessation of business for rectification and to revoke relevant business permits or licenses.
In such grave circumstances, the persons directly in charge and other directly liable persons are to be fined between 100,000 and one (1) million Yuan and such persons may be prohibited from holding positions as a director, supervisor, high-level manager, or PI protection officer for a particular period of time.
Where unlawful acts occur under the PIPL, the record of such acts shall be entered into credit files and publicized. If the handling of PI infringes on an individual’s PI rights and interests and results in harm, and the PI Handler cannot prove that it was not at fault, the PI Handler bears tort liability, including damages. Damages are determined by the loss suffered by the affected individual, by the gains the PI Handler derived from the violation, or, where neither can be determined, according to the actual circumstances. Violations of the PIPL may also be investigated and sued by the relevant government authorities, statutorily designated consumer organizations, and organizations designated by the Cyberspace Administration of China. Where a violation constitutes a violation of public security administration or a crime, it may give rise to public security administration penalties or criminal liability under the relevant laws and regulations.
Effective Date:
November 1, 2021
[1] The PI protection impact assessment must cover (i) whether the PI handling purpose, method, and other factors are lawful, legitimate, and necessary; (ii) the influence on individuals’ rights and interests as well as the security risks; and (iii) whether the protective measures undertaken are legal, effective, and suitable to the degree of risk.
[2] If the PI subject is deceased, their next of kin may exercise these rights.
Cybersecurity Law of the People’s Republic of China 2017 (CSL)
中华人民共和国网络安全法
Highlights
Territorial Scope:
The CSL regulates the construction, operation, maintenance and use of networks, as well as the supervision and administration of cybersecurity, within the territory of the PRC. The CSL also applies extraterritorially to any overseas organization, institution or individual that attacks, intrudes into, interferes with or damages the critical information infrastructure of the PRC and causes serious consequences.
2017 CSL Applicability:
The CSL applies to network operators, critical information infrastructure operators, cyber-related industry organizations, and generally any individual or organization using networks. The CSL defines cybersecurity as the ability, through necessary measures, to prevent attacks on, intrusions into, interference with, damage to and unlawful use of networks as well as accidents, to keep networks in a state of stable and reliable operation, and to safeguard the integrity, confidentiality and availability of network data.
Potential Penalties:
The CSL provides a spectrum of penalties on different violations of the CSL targeting different parties such as network operators, network product or service providers, critical information infrastructure operators and other related individuals or organizations. Different violations carry fines at varying levels depending on who the offender is, and whether there are serious circumstances involved.
Government authorities may order correction actions, issue fines, issue warnings, confiscate unlawful gains, order the suspension or termination of operations, close down offender’s websites or revoke business permits or licenses.
Those who violate the provisions of CSL and cause harm to others shall bear civil liabilities in accordance with law. If any violations constitute a violation of public order administration or a crime, public order administrative penalties or criminal liabilities may be imposed.
Effective Date:
June 1, 2017
Data Security Law of the People’s Republic of China 2021 (DSL)
中华人民共和国数据安全法
Highlights
Territorial Scope:
The DSL regulates data handling activities, and the security supervision and regulation of such activities, within the territory of the PRC. It also applies extraterritorially to any overseas data handling that harms the national security or public interests of the PRC, or the legitimate rights and interests of PRC individuals or organizations.
2021 DSL Applicability:
The DSL applies to individuals and organizations which carry out data handling, which refers to the collection, storage, use, processing, transmission, provision, and disclosure of data.
Data broadly includes any record of information in electronic or any other form; the DSL therefore captures not only PI but also non-personal data. Data security refers to the ability to ensure, through the adoption of necessary measures, that data is effectively protected and lawfully used.
Potential Penalties:
The DSL provides a spectrum of penalties on different violations of the DSL targeting different parties such as data handlers, data transaction intermediaries and other related individuals and organizations. Different violations carry fines at varying levels depending on who the offender is, and whether there are serious circumstances involved.
Government authorities may order correction actions, issue fines, issue warnings, confiscate unlawful gains, order the suspension or termination of operations, or revoke offender’s business permits or licenses.
Where competent government authorities discover major security risks in data handling, they may summon the relevant parties for a regulatory interview and require them to adopt rectification measures.
Those who violate the provisions of DSL and cause harm to others shall bear civil liabilities in accordance with law. If any violations constitute a violation of public order administration or a crime, public order administrative penalties or criminal liabilities may be imposed.
Effective Date:
September 1, 2021
List of Key Cyber- and Data-Related Regulations and Measures in the PRC
Below is a list of key cyber- and data-related regulations and measures that have come into effect since the CSL took effect on June 1, 2017 (that is, under the framework now formed by the CSL, DSL and PIPL):
| Name of Instrument | Effective Date |
|---|---|
| Provisions on the Administration of the Use of Commercial Cryptography in Critical Information Infrastructure 关键信息基础设施商用密码使用管理规定 | August 1, 2025 |
| Measures for the Administration of National Public Services for Online Identity Authentication 国家网络身份认证公共服务管理办法 | July 15, 2025 |
| Measures for Artificial Intelligence Meteorological Application Services 人工智能气象应用服务办法 | June 1, 2025 |
| Security Management Measures for the Application of Facial Recognition Technology 人脸识别技术应用安全管理办法 | June 1, 2025 |
| Measures for the Personal Information Protection Compliance Audit | May 1, 2025 |
| Network Data Security Management Regulations 网络数据安全管理条例 | January 1, 2025 |
| Provisions on Governance of Cyberviolence Information 网络暴力信息治理规定 | August 1, 2024 |
| Provisions on Facilitating and Regulating Cross-border Data Flow 促进和规范数据跨境流动规定 | March 22, 2024 |
| Regulations on the Protection of Minors Online 未成年人网络保护条例 | January 1, 2024 |
| Interim Measures for the Management of Generative Artificial Intelligence Services 生成式人工智能服务管理暂行办法 | August 15, 2023 |
| Measures for the Standard Contract for Outbound Cross-Border Transfer of Personal Information 个人信息出境标准合同办法 | June 1, 2023 |
| Provisions on the Administrative Law Enforcement Procedures of Cyberspace Authorities 网信部门行政执法程序规定 | June 1, 2023 |
| Administrative Provisions on Deep Synthesis in Internet-based Information Services 互联网信息服务深度合成管理规定 | January 10, 2023 |
| Measures for Security Assessment for Cross-Border Data Transfers 数据出境安全评估办法 | September 1, 2022 |
| Administrative Provisions for Internet User Account Information 互联网用户账号信息管理规定 | August 1, 2022 |
| Administrative Provisions on Recommendation Algorithms in Internet-based Information Services 互联网信息服务算法推荐管理规定 | March 1, 2022 |
| Measures for Cybersecurity Review 网络安全审查办法 | February 15, 2022 |
| Several Provisions on Vehicle Data Security Management (for Trial Implementation) 汽车数据安全管理若干规定(试行) | October 1, 2021 |
| Regulations on the Security Protection of Critical Information Infrastructure 关键信息基础设施安全保护条例 | September 1, 2021 |
| Provisions on the Governance of Network Information Content Ecology 网络信息内容生态治理规定 | March 1, 2020 |
| Provisions on the Cyber Protection of Personal Information of Children 儿童个人信息网络保护规定 | October 1, 2019 |
| Administrative Provisions on Blockchain Information Services 区块链信息服务管理规定 | February 15, 2019 |
| Administrative Measures for Internet Domain Names 互联网域名管理办法 | November 1, 2017 |
| Administrative Provisions for Internet News Information Services 互联网新闻信息服务管理规定 | June 1, 2017 |
| Provisions on the Administrative Law Enforcement Procedures for Management of Internet Information Content 互联网信息内容管理行政执法程序规定 | June 1, 2017 |