TMT 2026 Comparisons

Last Updated February 19, 2026

Contributed By Zhihe Partners

Law and Practice

Zhihe Partners was established in 1995 and is one of the first partnership-based law firms in New China. Shanghai Zhihe Partners primarily serves medium-sized and large clients in the financial and commercial sectors. Its business areas cover securities and corporate listings, asset restructuring, mergers and acquisitions, and intellectual property, among others, with clear specialisation and standardised internal management. Many of its lawyers graduated from well-known domestic and international law schools such as Peking University, Harvard University in the United States, Chicago-Kent College of Law and the National University of Singapore. Furthermore, they hold positions as directors, vice directors, secretaries-general and members of various professional committees of the All China Lawyers Association and the Shanghai Lawyers Association. Zhihe has always been committed to being a legal services provider and industry leader with “exceptional performance and an excellent reputation”.

  • Cybersecurity Law of China (2017): This law establishes the basic framework for network security protection. It requires network operators to fulfil security obligations such as real-name authentication for users, network security protection, and local data storage for critical information infrastructure operators. It also imposes liabilities for illegal network access, data leakage and other violations, with updated penalties of up to CNY10 million for severe cases.
  • Data Security Law of China (2021): As a basic law in the data field, this law sets up a data classification protection system, classifying data into core, important and general data for differentiated protection. It establishes mechanisms for data security risk assessment, emergency response and security review, and mandates security assessments for data processing activities affecting national security. It also encourages legal and efficient data utilisation while ensuring data security.
  • Personal Information Protection Law of the People’s Republic of China: This law regulates personal information processing based on the principles of legality, necessity and good faith. It requires informed consent from individuals for data collection, and imposes special protection on sensitive personal information. It specifies cross-border data transfer rules, such as security assessment, standard contracts or certification for cross-border transfers, and mandates appointment of data protection officers for large-scale processors.
  • Anti-Monopoly Law of the People’s Republic of China: This law contains a clause prohibiting monopolistic acts by leveraging data, algorithms, technologies and platform rules. It refines the rules on monopoly agreements, abuse of dominant market position and concentration of business operators, imposing stricter supervision on digital platforms to maintain fair market competition.
  • Anti-Unfair Competition Law of the People’s Republic of China: This law prohibits unauthorised access and use of other operators’ legally held data by circumventing technical measures, aiming to regulate unfair data-grabbing behaviours and maintain competitive order in the digital market.
  • E-Commerce Law of the People’s Republic of China: This law regulates e-commerce operators’ behaviours, requiring them to protect user information, ensure transaction security and disclose product information truthfully. It supports cross-border e-commerce development and promotes the integration of e-commerce with various industries, while clarifying obligations on platform liability and consumer rights protection.
  • Measures for Security Assessment of Cross-Border Data Transfer: These measures specify that cross-border transfer of important data and large-scale personal information must undergo security assessment by the Cyberspace Administration of China, and detail the application procedures and assessment standards.
  • Industry Codes of Conduct: Relevant authorities and industry associations have released guidelines. For example, guidelines for large online platforms require them to appoint data protection officers, and codes for platform pricing advocate transparent pricing and prohibit unreasonable restrictions on merchants, fostering a sound digital business ecosystem.

China faces several core legal challenges in the digital economy:

  • First, data ownership lacks clear statutory definition; the current laws protect data via rules and provisions regarding personal information, trade secrets and unfair competition, but fail to clarify the allocation of rights for data circulation and transactions, which hinders healthy development of the data market.
  • Second, algorithmic regulation is difficult. Algorithmic discrimination, price collusion and opaque decision-making by platforms are hard to identify and regulate, as existing laws lack detailed rules on algorithm transparency and accountability.
  • Third, the regulation of cross-border data flow gives rise to conflicts. It is tough to balance national security and data protection with cross-border business needs, especially as inconsistent standards between domestic rules and international practices increase enterprise compliance costs.
  • Fourth, the supervision of digital market competition faces dilemmas. Platforms’ dominant market positions lead to behaviours such as forced “either-or” choices, and reconciling anti-monopoly enforcement with encouraging innovation remains a regulatory challenge.
  • Fifth, content supervision struggles with new formats. Short-form videos, live streams and AI-generated content pose difficulties in defining liability for illegal content and ensuring regulatory efficiency without impeding innovation.
  • Finally, law enforcement co-ordination is insufficient due to overlapping regulatory responsibilities among multiple authorities, causing inconsistent implementation of rules.

Taxation on China’s digital services and goods mainly relies on value-added tax (VAT) and corporate income tax (CIT), supplemented by relevant regulations. Domestic digital goods such as e-books and software are subject to 13% VAT as tangible goods; digital services such as cloud computing and online advertising fall under modern services, with a 6% VAT rate. Cross-border digital services and goods follow the consumption-based principle. Foreign entities selling to domestic buyers without a domestic establishment have their VAT withheld by the buyers. CIT applies to income generated from digital operations within China, with platform enterprises obligated to report tax-related information of merchants as per the relevant rules.

Companies face multiple compliance challenges:

  • First, it is hard to define the nature of new digital business models, leading to tax-rate confusion and incorrect tax filing.
  • Second, cross-border data flow conflicts with tax information reporting, increasing compliance costs amid strict data security rules.
  • Third, monitoring scattered small-scale merchants on platforms is difficult, and incomplete transaction records may trigger tax risks.
  • Fourth, frequent tax policy updates and the rollout of the Golden Tax Phase IV system require companies to continually adjust their compliance strategies, which raises operational burdens.

Digital advertising revenue in China bears multiple tax impacts. For VAT, general digital advertising services are subject to a 6% VAT rate, with eligible small-scale taxpayers enjoying preferential policies such as tax exemptions within a certain sales threshold. Enterprises must issue special VAT invoices to claim deductions, and non-compliant invoicing will lead to non-deductible costs. CIT applies at the standard 25% rate. According to the Implementation Regulations of the Enterprise Income Tax Law, advertising and promotional expenses of general enterprises can be deducted up to 15% of annual sales revenue, with the excess carried forward for subsequent deductions; the cosmetics, pharmaceutical manufacturing and beverage (excluding alcohol) industries have a 30% limit. Cultural construction fees are also levied at 3% of the taxable advertising revenue, with certain small-scale taxpayers eligible for a 50% reduction. Cross-border digital advertising involves permanent establishment identification and tax treaty application to avoid double taxation.

To ensure tax compliance, companies should take systematic steps:

  • First, clarify revenue categorisation. With the latest enforcement guidelines clarifying that stream-casting fees fall under advertising expenses, avoid misclassifying them as technical service fees to prevent tax evasion risks.
  • Second, strengthen invoice management. Verify the qualification of co-operative parties such as MCN institutions and platforms, and ensure full retention of formal invoices, contracts and advertising release records for tax inspections.
  • Third, optimise expense control. Set advertising budgets based on the deduction limits, and use inter-affiliated enterprise expense allocation agreements to reasonably distribute excess expenses among group members as per relevant tax announcements.
  • Fourth, enhance tax filing management. Timely declare and pay taxes, and conduct regular internal tax audits. For cross-border businesses, comply with the Measures for the Administration of Tax Collection on Cross-Border Digital Service Income, complete filings for overseas income and apply for tax treaty benefits actively.
  • Finally, track policy updates, as tax authorities now adopt data-driven supervision, and non-compliance may result in tax arrears, late fees and fines. This approach helps companies mitigate risks and maintain legal operations.

In China’s TMT sector, multiple consumer protection laws govern digital goods and services. The Consumer Rights Protection Law and its 2024 Implementing Regulations are foundational, safeguarding rights such as information access, fair trade and seven-day no-reason returns (except for specific digital products). The E-Commerce Law regulates platform obligations, such as information disclosure, transaction security, and liability for third-party violations. The Cybersecurity Law and Personal Information Protection Law (PIPL) protect data privacy, barring excessive collection of user information and requiring algorithmic transparency for services such as targeted advertisements. The Advertising Law prohibits false digital advertisements, while the Supreme People’s Court’s judicial interpretations on online consumption nullify unfair clauses such as arbitrary operator interpretation rights. The Network Transaction Supervision and Administration Measures further regulate live-streaming and automatic subscription services.

To safeguard consumer rights, TMT companies should integrate compliance into operations:

  • First, standardise information disclosure, clearly stating terms for digital subscriptions, refunds and algorithm-based recommendations in plain language to avoid concealing key clauses.
  • Second, strengthen data governance, conducting data impact assessments as required by PIPL and allowing users to opt out of non-essential data collection.
  • Third, design user-friendly rights-exercising channels, simplifying processes for refunds and unsubscriptions from automatic renewal services.
  • Fourth, establish pre-launch risk checks to ensure digital products meet safety standards and do not contain unfair clauses.

The legal framework for complaint resolution combines administrative, civil and alternative dispute resolution (ADR) mechanisms. Administratively, consumers file complaints via the 12315 hotline or 12345 government service platform, with market regulators investigating and imposing penalties for violations. Civilly, consumers can sue via courts, and judicial interpretations clarify platform liability for misleading self-operated labels. ADR includes mediation by consumer associations and platform-led dispute settlement, as mandated by the E-Commerce Law, which requires platforms to set up efficient complaint-handling systems.

Best practices for dispute resolution include four key steps:

  • First, build a rapid-response system, acknowledging complaints within 24 hours and resolving common issues like payment errors within three working days.
  • Second, use technology for traceability, applying blockchain to record transaction data and AI to classify complaints for targeted solutions.
  • Third, ensure independent complaint-handling, setting up a dedicated team separate from business units to avoid conflicts of interest.
  • Fourth, conduct regular data reviews, analysing complaint trends to optimise products – for example, adjusting automatic renewal reminders if related complaints surge.

Additionally, participating in industry-wide ADR mechanisms and providing consumer education on digital rights helps reduce disputes and build trust.

Cryptocurrencies have profoundly reshaped the legal environment of China’s TMT industry by triggering a dual regulatory stance – stringent bans on crypto-related financial activities but strong support for blockchain technology – thus reconstructing compliance norms for TMT firms, especially those engaged in fintech, digital content and cross-border services. Legally, they have expanded the scope of financial regulatory laws, with anti-money laundering rules, foreign exchange controls and criminal laws being frequently applied to crack down on illegal crypto transactions. Meanwhile, they have driven the improvement of laws relating to data security and digital assets, as seen in the judicial recognition of property rights in non-tokenised digital collectibles. This means TMT companies must strictly avoid any involvement in crypto trading while exploring blockchain-based applications within legal boundaries.

Cryptocurrencies bring distinct legal challenges and opportunities to China’s TMT sector. Challenges mainly lie in three aspects:

  • First, compliance risks are prominent. Providing services like crypto exchange, wallet custody or OTC trading can lead to charges of illegal business operations, fund-raising fraud or money laundering, as specified in the 2021 circular jointly issued by ten government departments including the People’s Bank of China.
  • Second, cross-border regulatory conflicts arise. Foreign crypto platforms targeting Chinese users via accessible IP addresses or domestic promotions will be held legally liable, and TMT firms face difficulties in handling cross-border data flows and asset tracing involving crypto.
  • Third, judicial application ambiguities exist. Civil disputes over crypto holding or embezzlement often encounter inconsistencies in determining the legal nature of crypto-assets and applying civil laws.

Opportunities, however, are significant. Blockchain, separated from crypto, is supported by national strategies, enabling TMT companies to develop alliance-chain applications in supply-chain finance, digital copyright protection and judicial evidence preservation, which are in line with policies such as the 14th Five-Year Plan for Digital Economy Development. Additionally, the promotion of the e-CNY digital currency has opened up new business prospects for TMT firms in payment technology and scenario expansion.

In China, blockchain and cryptocurrencies are subject to differentiated and strict regulatory frameworks. For cryptocurrencies, the regulatory stance has been consistent and tough. The 2013 notice from five central departments defined Bitcoin as a virtual commodity and prohibited financial institutions from engaging in related businesses. The 2017 notice from seven departments banned initial coin offerings and shut down domestic crypto trading platforms. The 2021 ten-department circular further categorised all crypto-related business activities as illegal financial activities, and subsequent policies have intensified efforts to crack down on crypto mining and cross-border transactions. Stablecoins are also classified as virtual currencies and brought under strict supervision. In contrast, blockchain technology is actively supported and regulated. National standards for blockchain have been formulated, and the government encourages its application in alliance chains for public services, supply chain management and other fields. Judicial authorities have also promoted blockchain’s use in evidence preservation, with the Supreme People’s Court issuing guidelines to facilitate its judicial application.

TMT companies can seize opportunities by focusing on permitted blockchain development, complying with data protection laws like the Personal Information Protection Law, and participating in the e-CNY ecosystem, while strictly avoiding any form of crypto-related illegal activities to maintain legal compliance.

China has established a comprehensive legal and regulatory framework for cloud and edge computing, centred on foundational laws such as the Cybersecurity Law, Data Security Law and Personal Information Protection Law (PIPL). Core regulations include the Measures for the Security Assessment of Cloud Computing Services, which mandate security assessments for cloud services involving critical information infrastructure and large-scale personal data processing. Industry standards such as GB/T 31167-2014 and GB/T 31168-2014 specify cloud service security guidelines and capability requirements, while GB/T 39460-2020 sets security norms for edge computing. The Ministry of Industry and Information Technology has issued technical specifications for cloud computing and edge data centres, and self-regulatory codes from industry associations guide fair competition and data protection practices.

Regulated industries such as banking and insurance face far stricter restrictions on cloud and edge computing than ordinary sectors. Regulators such as the China Banking and Insurance Regulatory Commission and the People’s Bank of China have formulated specialised norms, such as the Specifications for Financial Application of Cloud Computing Technology, requiring financial cloud services to meet grade-four cybersecurity classification protection standards, which are higher than the grade-three standard for general industries. Financial institutions must use filed financial cloud products, ensure core transaction data localisation, and build “two-site, three-centre” disaster recovery systems. Edge computing applications in finance, such as mobile payment and risk control, need to comply with real-time monitoring and audit requirements for fund flows, and any outsourcing of cloud services must be reported to regulators and subject to special audits. In contrast, general TMT enterprises only need to meet basic regulatory requirements such as grade-three cybersecurity classification protection and common data security rules.

Processing personal data in cloud computing involves multiple specific legal and practical issues:

  • First, data ownership and liability allocation are ambiguous. It is difficult to clarify responsibilities in cases of data leakage due to the shared-responsibility model between cloud service providers and users, which also brings challenges to judicial identification.
  • Second, data localisation and cross-border transmission compliance are complex. Critical information infrastructure operators must store personal information and important data domestically, and cross-border transfer of personal data requires security assessments, explicit user consent, and compliance with the Measures for the Security Assessment of Outbound Data Provision.
  • Third, the right to data portability is hard to realise. Due to inconsistent technical interfaces and data formats among different cloud platforms, users often face obstacles when migrating personal data, which conflicts with the right to data portability stipulated in PIPL.
  • Fourth, de-identification and anonymisation are difficult to implement effectively. Cloud-based batch data processing makes it challenging to ensure that de-identified data cannot be re-identified, and improper operations may lead to violations of personal information protection regulations.

Cloud service providers and users must strengthen contract management to clarify liability boundaries, adopt encryption and access control technologies, and conduct regular compliance audits to mitigate these risks and ensure compliance with relevant laws and regulations.

China has built a comprehensive regulatory framework for AI use, along with targeted measures against deepfakes to protect personal rights, complemented by ethical norms.

Core laws governing AI include the Cybersecurity Law, Data Security Law and Personal Information Protection Law (PIPL), which lay the foundation for data and privacy protection in AI applications. Specific AI-focused rules are critical. The Internet Information Service Algorithm Recommendation Management Provisions (effective from 1 March 2022) require providers to register algorithms, notify users of recommendation mechanisms, and offer opt-out options. The Interim Measures for the Management of Generative Artificial Intelligence Services (effective from 15 August 2023) mandate legal training data sources, intellectual property respect, and user consent for personal information use. The Internet Information Service Deep Synthesis Management Provisions (effective from 10 January 2023) regulate deepfake-related technologies, demanding identity verification of users and content labelling. The Measures for the Administration of AI-Generated Synthetic Content Labelling (effective from 1 September 2025) enforce dual explicit and implicit labelling for AI-generated content. Industry norms include the Code of Conduct for the Responsible Use of Generative AI, guiding fair and ethical AI development.

For deepfakes, multiple legal and technical measures safeguard personal rights. The Civil Code protects portrait rights by requiring consent for commercial use and prohibiting unauthorised deepfake creation that damages reputation. The Deep Synthesis Provisions mandate explicit user consent for using others’ portraits, voices or biometrics in deep synthesis. The AI-Generated Synthetic Content Labelling Measures require visible watermarks and metadata-embedded implicit labels to trace content and prevent misrepresentation. PIPL imposes strict rules on processing biometric data such as facial features, requiring explicit consent and minimising data scope. The Cyberspace Administration of China leads supervision, with penalties for non-compliance ranging from fines to service suspensions. Service providers must set up content review systems and take down infringing deepfake content promptly. These measures, all based on existing legal texts, form a multi-layered shield for personal portrait, reputation and related rights against deepfake abuses, balancing AI innovation with rights protection.

China has established a multi-layered regulatory and normative framework for the Internet of Things (IoT), centred on general laws, supplemented by sector-specific regulations, national standards and industry codes, focusing on security, data governance and rights protection without specialised standalone IoT legislation.

The Cybersecurity Law, Data Security Law and Personal Information Protection Law (PIPL) form the foundational legal pillars. The Cybersecurity Law imposes obligations on IoT network operators to adopt technical defences, conduct security assessments and meet mandatory certification for key network products. The Data Security Law mandates classified-graded protection for IoT data throughout its lifecycle and requires filing for core data processing. PIPL enforces explicit user consent for collecting biometric and other personal data via IoT devices, along with data minimisation and purpose limitation principles.

Specific regulations refine IoT governance. The Interim Provisions on the Administration of Deep Synthesis of Internet Information Services cover IoT-enabled synthetic content with identity verification and labelling rules. The Measures for the Administration of Security Vulnerabilities in Network Products demand IoT device makers report vulnerabilities to authorities and avoid unauthorised disclosure. The rules of the Ministry of Industry and Information Technology (MIIT) govern radio frequency use for IoT and mandate real-name registration for relevant services. National standards like GB/T 42453-2024 IoT Security General Requirements set technical benchmarks for device security, data encryption and access control. The 14th Five-Year Plan for IoT Development guides industry development with a focus on security and innovation.

Industry codes complement legal rules. The Code of Conduct for IoT Data Security promotes transparent data processing and responsible data sharing among enterprises. The Guidelines for Responsible Use of IoT emphasise supply chain security and post-sale vulnerability management for manufacturers. Sector-specific norms, such as those for smart connected vehicles, detail safety and data governance for IoT-integrated industries.

Regulatory enforcement is led by the Cyberspace Administration of China, MIIT and market regulators. Penalties for non-compliance range from fines and rectification orders to service suspension and criminal liability for severe violations. IoT service providers must build content review and security management systems, while manufacturers are held accountable for secure design and timely vulnerability fixes. This framework balances IoT innovation with risk control, all rooted in existing legal texts and authentic norms.

Core Compliance Challenges

Companies deploying IoT solutions in China face prominent compliance challenges rooted in multi-layered regulations and technical complexity:

  • First, data governance risks stand out. The Personal Information Protection Law (PIPL) requires explicit consent for collecting biometric data such as facial information, and the Data Security Law mandates classified-graded management for IoT data. Yet, static consent mechanisms often fail to adapt to dynamic IoT scenarios, and cross-verification of multi-source data undermines the effectiveness of anonymisation efforts. Cross-border data transmission is another hurdle; core and important data usually demand localised storage, and outbound transfers need security assessments from the Cyberspace Administration of China (CAC), which raises operational costs.
  • Second, device and security compliance is tough. IoT edge devices often lack sufficient resources for full-fledged security protection, and vulnerability remediation cycles are lengthy. The Cybersecurity Law requires mandatory certification for key network products, while the Measures for the Administration of Security Vulnerabilities in Network Products force manufacturers to report vulnerabilities promptly, a burden for small and medium-sized enterprises with limited technical capacity.
  • Third, regulatory co-ordination and standard fragmentation add complexity. IoT regulation involves CAC, the Ministry of Industry and Information Technology and market regulators, leading to overlapping oversight. Diverse technical standards across industries complicate inter-device compatibility and compliance verification. Additionally, liability attribution is ambiguous in IoT supply chains, making it hard to trace responsibilities for security incidents or data breaches.

Recommended Governance Frameworks

Companies should adopt a systematic governance framework aligned with Chinese laws to mitigate these risks:

  • First, establish a compliance-by-design system. Embed security features during device R&D, and conduct pre-deployment network security assessments and data protection impact assessments as required by the Cybersecurity Law and PIPL. Implement data minimisation and purpose limitation principles, and build dynamic user consent management mechanisms to avoid invalid bundled consent.
  • Second, implement a full-lifecycle data governance mechanism. Comply with the Data Security Law to classify data, set access controls, and encrypt data during transmission and storage. Follow the Measures for the Administration of IoT Security and related national standards such as GB/T 42453-2024 to set up data traceability systems, including explicit and implicit labelling for AI-generated content as per the relevant rules. Appoint data protection officers to supervise data processing and ensure timely reporting of data breaches.
  • Third, build a multi-tiered security management system. Adhere to the Multi-Level Protection Scheme 2.0 to upgrade security capabilities by conducting regular penetration tests and vulnerability scans. Establish a rapid response mechanism for security incidents, with protocols to remove infringing content and report violations to authorities. Align with industry norms such as the Code of Conduct for IoT Data Security to standardise data sharing practices.
  • Fourth, strengthen organisational and operational governance. Set up a dedicated compliance team to co-ordinate with regulators, conduct regular staff training on laws such as the Cybersecurity Law and PIPL, and maintain detailed records of compliance efforts. Co-operate with third-party auditors to conduct regular compliance reviews and ensure alignment with the latest regulatory updates.

This framework balances innovation and compliance, effectively reducing legal risks while supporting sustainable IoT development, all grounded in existing Chinese laws and norms.

Main Legal Requirements for IoT Data Sharing

IoT companies in China must comply with core legal requirements centred on consent, data classification, contractual governance and security accountability. Under the Personal Information Protection Law (PIPL), sharing personal information needs users’ explicit and informed consent, with separate consent for sensitive personal information. The Data Security Law mandates classified-graded management; data sharers must define purposes, scopes and security obligations via contracts and supervise recipients, keeping records for at least three years as per the Regulations on Network Data Security Management. Cross-border sharing requires security assessments for important and core data, and must meet conditions such as standard contracts or certifications for personal information. The Cybersecurity Law demands security protection for shared data and mandatory certification for key products involved in data transmission.

Thresholds and Applicable Entities

Consent thresholds require non-bundled, revocable consent, and dynamic scenarios need updated consent mechanisms. Cross-border thresholds include mandatory security assessment for outbound data transfers by critical information infrastructure operators; for non-critical information infrastructure operators, assessment is required where cumulative sharing reaches 100,000-plus sensitive personal information or 100 million-plus general personal information. All data processors engaged in IoT data collection and sharing must directly comply, including IoT device manufacturers, platform operators and service providers. Indirectly bound entities cover upstream chip suppliers, cloud service providers and third-party data analytics firms, as they affect data security in the sharing chain.

Strict Rules for Specific Data Categories

Special data categories face tighter rules. National core data, critical to national security, is strictly prohibited from unapproved cross-border sharing and requires the highest-level security protection. Important data, such as IoT industrial operational data and public service data, must be locally stored, with outbound sharing subject to security assessment by the Cyberspace Administration of China. Sensitive personal information such as biometrics and medical data needs separate, explicit consent, and sharing requires enhanced encryption and access control. Children’s personal information has extra protections, demanding verifiable parental consent and dedicated data protection mechanisms, aligning with the PIPL and related guidelines.

The main requirements for providing audiovisual media services in China are rooted in the Administrative Measures for Internet Audiovisual Programme Services and related regulations. Providers must obtain an Internet Audiovisual Programme Service Permit, with eligibility restricted to state-owned or state-controlled enterprises. They are required to establish content review systems to ensure programmes comply with content guidelines, prohibit illegal and harmful content, and retain user logs and programme records for at least 60 days. Data security and personal information protection obligations under the Personal Information Protection Law and Data Security Law must also be fulfilled.

These requirements apply to video-sharing platforms with user-generated content and streaming platforms. For video-sharing platforms, additional obligations include real-name registration for users, prior review or real-time supervision of user-uploaded content, and timely removal of non-compliant content. Streaming platforms offering imported audiovisual content must obtain import approval from the relevant authorities.

The approval procedure starts with submitting an application to the National Radio and Television Administration (NRTA) or local counterparts, including documents such as business licences, technical plans and content review rules. The NRTA conducts a comprehensive review of the applicant’s qualifications, technical capabilities and content management system. No explicit statutory fees are specified for the permit application, but providers may incur costs for technical system construction and compliance management. Unapproved operation of audiovisual media services may result in penalties including fines, service suspension and revocation of business qualifications.

Technologies and services under local telecom regulations cover basic telecom services including fixed and mobile voice communications, broadband internet access, virtual private networks and satellite communications, as well as value-added telecom services such as internet data centre services, cloud computing services, online data processing and transaction processing services. Emerging integrated offerings combining 5G, IoT and AI, such as smart connected vehicle telecom services and industrial IoT connectivity solutions, also fall within the regulatory scope. Before launching products or services integrating these technologies, entities must obtain corresponding telecom business licences from the Ministry of Industry and Information Technology or local competent authorities. Foreign-invested enterprises are subject to equity restrictions as prescribed by law, with limited or prohibited access to certain basic telecom services. Applicants need to submit business plans, technical feasibility reports and security management schemes for review. They must also comply with national technical standards, complete network access certification for telecom equipment and ensure interoperability with existing public networks.

Telecom service-related security requirements are stipulated in the Cybersecurity Law, Data Security Law and Measures for the Administration of Telecom Network Security. Operators must establish a sound network security management system, implement the multi-level protection scheme for network security, and conduct regular security assessments and vulnerability scans. They are required to store user data and business records in accordance with statutory time limits, adopt encryption and access control measures to protect personal information and sensitive data, and report network security incidents to regulatory authorities in a timely manner. For critical information infrastructure in the telecom sector, operators must implement enhanced security protection measures, conduct cybersecurity reviews and ensure data localisation storage where required by law. Additionally, telecom service providers must co-operate with relevant authorities in network security supervision and law enforcement work, and assume corresponding liabilities for security breaches.

China has no standalone network neutrality legislation, but relevant rules are embedded in laws such as the Telecommunications Regulations, Cybersecurity Law, Data Security Law and Personal Information Protection Law. The Telecommunications Regulations mandate non-discriminatory and transparent interconnection, prohibiting operators with dominant market positions from abusive practices. The Cybersecurity Law and related rules require fair treatment of data traffic, except for legitimate traffic management for network security and public interests. These rules push telecom operators to avoid discriminatory pricing, enhance network transparency and strengthen user rights protection, while balancing public interest and network efficiency. They apply to all telecom service providers, including video-sharing and streaming platforms, which must also comply with content review and user real-name registration rules.

Emerging technologies such as 5G, IoT and AI have profoundly affected China’s telecom legal environment. 5G’s network slicing demands updated rules on traffic management and service quality supervision. IoT’s massive terminal connections require stricter data classification and security safeguards under the Data Security Law. AI, especially algorithm recommendation and generative AI, has spurred regulations such as the Provisions on the Administration of Algorithm-Recommended Services and the Interim Measures for the Administration of Generative Artificial Intelligence Services, imposing obligations such as algorithm filing and ethical review. These technologies have driven more detailed classification-based regulation and accelerated updates to telecom licensing and security assessment mechanisms.

TMT companies integrating these technologies must focus on key legal aspects. They need to obtain proper telecom, value-added telecom or internet audiovisual service licences based on business scope. Data compliance involves adhering to rules regarding data classification, user consent for personal information processing and cross-border data transfer. Algorithm compliance requires completing filings for recommended and generative AI algorithms and preventing algorithm discrimination. TMT companies must also conduct security assessments for 5G-IoT infrastructure, clarify intellectual property ownership of AI-generated content, and ensure compliance with antitrust rules to avoid anti-competitive behaviours via algorithms or network resources.

The main challenges for organisations signing technology agreements in China include aligning contract terms with mandatory legal provisions, navigating regulatory compliance across multi-sector oversight, and addressing ambiguity in liability allocation for intellectual property infringement and data breaches. Contract parties often face conflicts between cross-border technology transfer clauses and domestic rules on data and IP protection. Additionally, disputes may arise over the ownership of AI-generated intellectual property and the enforceability of penalty clauses that exceed statutory limits.

Under China’s legal framework, several mandatory provisions must be considered and cannot be excluded by contract terms. The Data Security Law and Personal Information Protection Law mandate localised storage for core and important data, with cross-border transfer subject to security assessment or standard contract verification. The Anti-Monopoly Law prohibits technology agreements that eliminate or restrict competition, such as horizontal price-fixing or vertical market division. The Cybersecurity Law requires network operators to adopt mandatory security measures for critical information infrastructure. Moreover, the Contract Law stipulates that clauses violating public interests or mandatory regulations are deemed invalid.

Regulated industries such as banking and insurance face more stringent restrictions. Financial regulators require these sectors to ensure technology agreements do not compromise financial data security or systemic stability; for example, outsourcing technology services must undergo strict regulatory approval. They are subject to stricter data localisation rules for customer financial information and must comply with specific standards for encryption and access control. Compared with general industries, financial institutions also face more rigorous post-signing supervision, including regular compliance audits and mandatory reporting of technology co-operation projects to regulatory authorities.

Telecom service agreements must include several key elements aligned with Chinese laws:

  • First, clear definitions of service scope, technical standards and quality indicators such as network availability and latency.
  • Second, explicit terms on service fees, payment schedules and adjustment mechanisms to comply with pricing regulations.
  • Third, data security and personal information protection clauses specifying obligations for data collection, storage and cross-border transfer in line with the Cybersecurity Law and Personal Information Protection Law.
  • Fourth, liability allocation for service disruptions, breaches of confidentiality and intellectual property infringement.
  • Fifth, dispute resolution clauses, termination conditions and post-termination obligations including data deletion and asset return.

Enterprises can negotiate favourable terms by conducting comprehensive due diligence on the counterparty’s licence validity, technical capabilities and compliance records. They should push for flexible adjustment mechanisms for service fees tied to objective performance metrics rather than unilateral price changes by the telecom provider. Enterprises may also negotiate caps on liability for indirect losses and require the provider to indemnify third-party claims arising from the provider’s negligence. Additionally, they can seek clauses ensuring priority access to network maintenance and upgrades, as well as the right to audit the provider’s compliance with service level agreements.

For TMT companies signing interconnection agreements, core considerations include compliance with the Telecommunications Regulations requiring non-discriminatory interconnection terms and transparent pricing. They must clarify technical parameters such as interconnection points, bandwidth allocation and network synchronisation standards to avoid service bottlenecks. Data security clauses should address data transmission encryption and incident response protocols. TMT companies also need to define dispute resolution procedures for interconnection disputes to minimise service downtime. Furthermore, they should ensure the agreement aligns with antitrust rules to avoid practices that may be deemed as eliminating or restricting competition.

Trust services in China are mainly regulated by the Trust Law, which defines trust establishment, property transfer, trustee obligations and beneficiary rights. The China Banking and Insurance Regulatory Commission issues regulatory rules on trust companies’ licensing, capital adequacy and business scope. For electronic signatures, the Electronic Signature Law establishes that reliable electronic signatures have equal legal effect to handwritten signatures and sets four criteria for reliable ones. The Electronic Authentication Service Administration Measures require certification authorities to obtain MIIT licences. Digital identity systems are governed by the Cybersecurity Law, Data Security Law and Personal Information Protection Law, with industry norms such as the Electronic Authentication Business Rules Specifications guiding practice.

Key related elements include liability allocation: trustees bear fiduciary liability for improper management, while electronic authentication service providers are liable for errors in certificate issuance. Insurance coverage for operational and data breach risks is recommended. Data protection rules mandate personal information consent, data localisation for key data and cross-border transfer security assessments. Intellectual property of digital identity technologies belongs to developers, with no rights abuse allowed. Jurisdiction is generally determined by the parties’ agreement or the place of contract performance, and basic rights such as personal information privacy are protected by mandatory laws that cannot be waived by contract.

China’s game industry is regulated by a combination of laws and industry guidelines. The Cybersecurity Law, Data Security Law and Personal Information Protection Law govern data collection, storage and user privacy protection. The Administrative Measures for Online Game Publication mandate that all online games must obtain an Online Game Publication Licence before commercial operation. The National Press and Publication Administration also issues rules on game content review, prohibiting content that endangers national security, violates public morality or involves violence and obscenity. Industry self-regulatory norms include guidelines on minor protection and fair competition issued by game industry associations.

The main legal challenges facing the industry include frequent regulatory updates that require developers to continually adjust their products and operations. Compliance with cross-regional data governance rules poses difficulties for game companies with cross-border businesses. Another challenge is balancing creative freedom with strict content review requirements, as ambiguous regulatory boundaries may lead to delayed approval or sudden removal of games from the market. Additionally, disputes over intellectual property rights such as game characters, storylines and code are common and require complex legal proceedings to resolve.

For in-game purchases, lucky boxes and gambling-related elements, regulations prohibit random prize systems that cannot disclose winning probabilities and odds clearly. Lucky boxes must set upper limits on spending and avoid direct exchange of virtual items for cash. Gambling-like features such as cash betting are strictly banned. Regarding age grading and content restrictions, games are classified into age-appropriate categories, with minors restricted from accessing adult-oriented content. Developers must implement real-name registration and anti-addiction systems, limiting minors’ daily game time and in-game consumption amounts.

The main regulatory bodies include the National Press and Publication Administration (NPPA), responsible for game publication licensing and content review; the Cyberspace Administration of China (CAC) overseeing cyberspace order and data security; the Ministry of Industry and Information Technology (MIIT) managing internet access and electronic authentication services; the Ministry of Culture and Tourism regulating cultural content and market operations; the Ministry of Public Security (MPS) combating cybercrimes; the State Administration for Market Regulation (SAMR) safeguarding market competition; and the National Financial Regulatory Administration monitoring in-game payment risks.

Their enforcement powers cover issuing and revoking licences, conducting compliance inspections, imposing administrative penalties such as fines and suspensions, ordering product removal or rectification, and investigating illegal acts such as unlicensed operation, content violations and data breaches. They can also summon personnel, demand document submission and take mandatory measures to stop violations.

Recent enforcement actions include the “Jianwang 2025” campaign by the National Copyright Administration, MIIT, MPS and CAC, cracking down on game piracy, private servers and plug-ins, with cases such as the arrest of 11 suspects in the private server case of Original Journey involving nearly CNY1 million in damages. In 2025, NPPA also rejected games failing content review and required stricter real-name registration for minors, while SAMR penalised several game companies for false advertising and unfair in-game purchase rules.

Common intellectual property challenges for Chinese game developers include frequent copyright infringement such as “reskinning” games and unauthorised use of characters, music and code. Distinguishing between protectable specific expressions and unprotectable abstract game mechanics under the Copyright Law is a key judicial difficulty. Trade mark squatting of game titles, character names and logos is rampant, especially in cross-border markets. Misappropriation of trade secrets such as unreleased game content and source code, along with difficulties in evidence collection and high litigation costs, also plagues developers. Infringement by plug-ins and private servers further undermines their legitimate rights and interests.

Creators in virtual environments hold copyrights over original works such as character designs, maps and music as per the Copyright Law. They have the right to reproduce, distribute and license their works, and can claim damages for unauthorised use. For software, they enjoy protection under the Computer Software Protection Regulation. They may also register trade marks for core elements to prevent infringement. Additionally, they can use technical measures such as digital watermarks and rely on blockchain for evidence preservation, while claiming liability from infringers and platforms that fail to fulfil their supervision obligations.

Key factors for copyright of digital and virtual assets include originality, which is a prerequisite for protection. Copyright ownership should be clearly defined in contracts, as virtual asset transactions usually do not transfer copyright by default. Evidence preservation via blockchain helps in proving rights but does not directly confirm ownership. Cross-border transmission of copyrighted digital assets must comply with data security and personal information protection laws, and technical protection measures should be used to prevent unauthorised reproduction and dissemination.

Trade mark law applies to virtual goods and services by protecting registered trade marks from unauthorised use that may cause consumer confusion. Game developers should register trade marks in relevant classes such as Class 9 (downloadable virtual goods) and Class 41 (online game services). Unauthorised use of real-world brand logos on virtual items such as in-game vehicles can constitute infringement if it leads to confusion about commercial affiliation. Trade mark rights extend to virtual scenarios when the use serves the same distinguishing function as in the real world.

User-generated content (UGC) has complex impacts. UGC meeting originality standards is protected, but unauthorised adaptation or commercial use of copyrighted game content constitutes infringement. Platforms need to establish mechanisms to review UGC and remove infringing content. Developers often clarify ownership and licensing rules in user agreements, but must not exclude users’ legitimate rights. The boundary between fair use and infringement of UGC remains a judicial focus, requiring a balance between creative freedom and IP protection.

China has a comprehensive legal system governing social media. Core laws include the Cybersecurity Law, Personal Information Protection Law (PIPL), Data Security Law, Copyright Law and Advertising Law. Specific regulations include the Administration of Internet Information Services, Administration of Internet News Information Services, Governance of Online Information Content Ecology, and Administration of Internet User Account Information. These rules mandate real-name authentication, content review, data protection and licensing for news-related services. Industry self-regulatory norms are formulated by bodies such as the Cyberspace Administration of China and industry associations, requiring platforms to regulate user-generated content (UGC), mark paid promotions clearly and protect minors, while platforms also establish internal codes for content review and data management.

Data protection is a primary challenge. PIPL requires explicit user consent for data collection, but platforms struggle with balancing personalised services and privacy protection, and face risks of data leakage during cross-border transmission and data monetisation. Data monetisation often involves issues like unauthorised secondary use of user data and unclear profit-sharing mechanisms, leading to disputes over data rights ownership. Intellectual property issues are prevalent, such as rampant UGC copyright infringement, difficulty in identifying infringing content, and unclear boundaries between fair use and commercial infringement, with platforms bearing the burden of removing infringing content promptly. Cybersecurity threats such as hacking and phishing attacks compel platforms to invest heavily in technical safeguards. Age-related regulations stipulate that minors under 16 must use social media with guardian approval and under youth mode, but verifying user age and enforcing the mode effectively remain problematic. Additionally, defining platform liability for harmful content, balancing freedom of expression and content supervision, and regulating influencer marketing without proper qualifications are also key judicial and compliance challenges.

Key Regulatory Authorities

The primary regulators overseeing social media in China include the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS), the State Administration for Market Regulation (SAMR), and the Cyberspace Administration of local governments. CAC takes the leading role in overall internet content governance and social media supervision. MIIT regulates internet access and service providers. MPS handles cybersecurity crimes and enforces public security rules. SAMR supervises commercial violations such as false advertising on social media. Additionally, the State Copyright Bureau oversees copyright-related issues in social media content.

Enforcement Powers of These Authorities

CAC can conduct inspections, issue warnings, impose fines, order suspension of services, demand removal of illegal content, close non-compliant accounts and revoke relevant permits. It also has the power to summon platform operators for interviews and order rectification. MIIT may revoke internet access licences, suspend network services, and impose penalties for violations of internet service management rules. MPS can investigate and handle cybercrimes such as data theft, network fraud and cyberbullying, impose administrative detentions and initiate criminal proceedings. SAMR has the authority to investigate false promotions and unfair competition, and impose fines or order compensation for losses. The State Copyright Bureau can investigate copyright infringements, and order cessation of infringements and compensation. All authorities can collaborate on joint law enforcement and share investigation data.

Recent Enforcement Actions

In September 2025, CAC guided Beijing Cyberspace Administration to penalise Weibo and Kuaishou. The platforms received regulatory interviews, rectification orders and warnings for failing to fulfil their main responsibilities, as they featured excessive celebrity gossip on their trending lists, violating the Provisions on the Governance of Online Information Content Ecology. In December 2025, CAC shut down accounts like “Huchenfeng” that incited group conflicts by spreading divisive remarks, and punished accounts for vulgar live-streaming and leaking pornographic content. In June 2025, CAC and public security authorities launched a campaign against AI-generated fake information, disposing of over 3,500 illegal AI products, deleting 960,000-plus illegal posts and handling 3,700-plus accounts, effectively curbing the dissemination of AI-related disinformation.

Core Data Privacy Laws, Industry Requirements and Codes

China’s telecom data privacy framework centres on the Cybersecurity Law, Data Security Law, Personal Information Protection Law (PIPL) and Telecommunications Regulations. Specific rules include the Provisions on the Protection of Telecommunications and Internet User Personal Information, Measures for Data Outbound Security Assessment, and Provisions on the Governance of Online Information Content Ecology. The Ministry of Industry and Information Technology (MIIT) formulates technical standards like the Information Security Technology – Personal Information Security Specification. Industry codes from associations such as the China Communications Standards Association require carriers to implement strict data classification, access control and breach notification mechanisms. Carriers must obtain MIIT licences and comply with real-name authentication rules, while self-regulatory norms demand transparent privacy policies and regular security audits.

Main Challenges in Customer Data Privacy Management

User consent is a key challenge. Carriers often struggle to obtain explicit and specific consent for complex service packages, with bundled services making it hard for users to understand and withdraw consent. Data minimisation conflicts with service optimisation, as carriers need user data for network maintenance and personalised services but risk over-collection. Protecting user rights such as access, correction and deletion is difficult due to fragmented data across multiple systems, while ensuring timely responses to user requests strains operational resources. Disputes frequently arise when users exercise the right to data portability, given incompatible data formats between different carriers.

Cross-Border Data Transfer and Data Localisation Compliance

Critical information infrastructure operators must store personal and important data collected domestically within China. Cross-border transfers require passing security assessments, signing standard contracts, or obtaining privacy protection certifications per PIPL and related measures. Carriers conduct data classification and security impact assessments before transfer, obtain user consent and record transfer details. For necessary cross-border data flows, they rely on international judicial assistance or bilateral agreements to meet both domestic compliance and foreign data access demands, avoiding illegal data transmission.

Balancing Lawful Interception, Monitoring Obligations and Data Privacy

Carriers must comply with legal requirements for interception under the Criminal Procedure Law and Telecommunications Regulations. They balance obligations by implementing targeted interception systems that only access data specified in judicial orders, encrypt intercepted data and maintain strict access logs. They separate monitoring systems from user data storage to prevent abuse, conduct regular compliance reviews of interception activities, and ensure interception only occurs for public security or criminal investigation purposes, while notifying users of interception in accordance with laws where permitted.

Role of Third-Party and Cloud Service Providers

Third-party vendors and cloud providers are considered joint data processors under PIPL, bearing co-responsibility for data security. Carriers must sign data processing agreements clarifying data usage scope, security measures and liability allocation. They conduct due diligence on vendors’ security capabilities, require compliance with data localisation rules, and audit vendor data processing activities regularly. Cloud providers must ensure domestic data storage for critical services, provide real-time access for regulatory inspections, and assist carriers with data breach notifications and remediation.

Impact of Evolving Data Laws on Infrastructure and Innovation

Changing rules drive carriers to upgrade infrastructure with encryption and access control technologies, increasing investment in data centres and security systems. Compliance costs for data classification and cross-border transfer processes affect the rollout of new services like 5G-based IoT and edge computing. However, regulations also promote innovation in privacy-enhancing technologies such as federated learning and differential privacy. Carriers adjust service models to align with privacy by design principles, while regulatory clarity encourages development of compliant data-driven services, balancing privacy protection with digital transformation.

Legal and Operational Challenges in Data Protection, Consent Management and Security

Legally, digital media providers face overlapping compliance requirements under the Cybersecurity Law, Data Security Law, Personal Information Protection Law (PIPL) and regulations issued by the Ministry of Industry and Information Technology. They must handle conflicting rules on consent, data minimisation and breach notification across these laws. Operationally, obtaining explicit, specific consent is tough with bundled services that blur consent boundaries, while users often ignore complex privacy policies, leading to formalistic consent. Data minimisation clashes with personalised services, as providers risk over-collection when balancing service optimisation and legal limits. Securing data is challenging due to frequent cyberattacks, fragmented data systems and high costs of full-cycle security measures. Complying with diverse regional regulatory standards adds further operational pressure.

Implementing Privacy by Design and Security by Design

Providers embed these principles into the entire product lifecycle. In the design phase, they conduct data protection impact assessments, set default privacy-friendly settings and avoid unnecessary data collection. They adopt data classification, access control and end-to-end encryption to prevent unauthorised access. Security by design involves regular vulnerability scanning, penetration testing and real-time threat monitoring. Privacy policies are simplified and presented in plain language to improve user understanding. Providers also integrate mechanisms for easy consent withdrawal and exercise of user rights, while building data breach response plans to meet PIPL’s 72-hour notification rule.

Third-Party Data Sharing Challenges and Management

Third-party data sharing risks include unclear liability, data leakage and non-compliant processing. Providers and partners often struggle to define joint liability under PIPL. To address this, providers conduct thorough due diligence on partners’ security capabilities, and sign detailed data processing agreements specifying usage scope and security obligations. They anonymise or pseudonymise shared data, implement data usage audits and set up breach alert systems. Regular compliance reviews of partners and inclusion of indemnification clauses in contracts also help mitigate risks, ensuring shared data aligns with purpose limitation and user consent requirements.

Impact of Emerging Cybersecurity Regulations on Infrastructure and Innovation

New regulations drive providers to upgrade infrastructure with data localisation-compliant storage systems and cross-border data transfer security mechanisms, increasing investment costs. They must integrate legal interception capabilities while enhancing privacy protection, requiring separated monitoring systems and encrypted data access. For innovation, regulations push the adoption of privacy-enhancing technologies such as federated learning and differential privacy. However, compliance burdens may delay the rollout of new services such as AI-driven content recommendation. Providers need to balance regulatory compliance with innovation by establishing agile compliance teams and participating in industry standard-setting to shape regulatory requirements.

Zhihe Partners

42F, 501 East Daming Road
Hongkou District
Shanghai
China

86 61071599

86 2161070591

zhoujunyu@zhihepartners.com
zhihepartners.com/cn/home.html