Data Protection & Privacy 2023

Last Updated February 06, 2023


Law and Practice


Zhong Lun Law Firm is one of the largest full-service law firms in China, with over 400 partners, over 2,500 professionals, and with offices in Beijing, Shanghai, Shenzhen and other major cities in China and around the world. The firm’s cybersecurity and data protection team was the first to specialise in the field. The partners of Zhong Lun have been invited to participate, as industry experts, in the legislative process relating to cybersecurity and data protection legislation many times. Actively practising in the technology and telecommunications industries in the past two decades, and providing professional legal services to a large number of multinational clients that embrace the challenges of digitalisation, Zhong Lun has accumulated abundant experience and developed a unique system of project compliance processes to assist in solving domestic and cross-border data protection issues. Zhong Lun’s clients in this field include Microsoft, ZTE, Daimler, SAP, China Life, CITIC and Cisco.

Privacy and data protection provisions within the Chinese legal framework are scattered across laws and regulations at different legislative levels. Data subjects’ rights to privacy and data protection are protected by the Civil Code (民法典), the Criminal Law (刑法), the Law on the Protection of Consumer Rights and Interests (Consumer Protection Law; 消费者权益保护法), the E-commerce Law (电子商务法), Several Issues Concerning the Application of Law in the Trial of Civil Cases Relating to the Use of Facial Recognition Technologies to Process Personal Information (最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定), and most importantly, the three fundamental laws (Three Fundamental Laws): the Cybersecurity Law (CSL; 网络安全法), the Data Security Law (DSL; 数据安全法) and the Personal Information Protection Law (PIPL; 个人信息保护法) . The Three Fundamental Laws have established the foundations of cybersecurity and data protection in China, which are supplemented by:

  • implementing regulations, measures and rules promulgated by the Cyberspace Administration of China (CAC);
  • relevant ministries, including the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS); and
  • national standards issued by the National Information Security Standardisation Technical Committee (TC260).

Since data protection is a topic that impinges upon all industries, there are a wide range of law enforcement departments related to it and their duties and authorities intersect with each other. There is no centralised regulatory body. Among all these regulators, the three most important ones are the CAC, the MPS and the MIIT.

According to Article 8 of the CSL and Article 60 of the PIPL, the CAC is in charge of overall planning with regard to data protection and privacy, and co-ordinates the competent authorities. The MIIT, the MPS, the State Administration for Market Regulation (SAMR), and industry regulators are in charge of law enforcement in the respective industries.

Network operators and data handlers are obligated to co-operate with cyberspace administrators and any other regulators in their inspections and supervisions (Article 49 of the CSL, also Article 63 of the PIPL). Law enforcement activities are triggered in different ways, including:

  • reporting – where users may report to the above-mentioned regulators and consumer protection organisations and investigations are launched accordingly;
  • regular and irregular inspections – where special projects that last several months are launched to target specific industries or pain points in cyberspace; and
  • inquiries into data leakage events.

The competent authorities, when imposing administrative punishment and enforcing the Three Fundamental Laws and relevant laws and regulations, shall abide by the Law on Administrative Penalty (行政处罚法). The competent authorities should conduct investigations to ascertain the facts of the alleged violating acts before imposing punishment on anyone (Article 36). The penalised parties should be given opportunities to state their case and defend themselves (Article 6). The penalised party is entitled to a hearing where the administrative punishment involves suspension of business, rescission of business permit or licence, or a large penalty (Article 42).

According to Article 6 of the Law on Administrative Penalty, where the penalised party refuses to accept the administrative punishment, they may first apply to the relevant administrative organ for reconsideration and, if refusing to accept the reconsideration decision, may initiate an action before the people’s courts. Unless it is required by any relevant laws to exhaust administrative reconsideration before seeking judicial review, they may also initiate an action before the people’s courts directly.

Additionally, public security departments shall abide by the special rules provided for them under the Regulations for Internet Security Supervision and Inspection by Public Security Organs (公安机关互联网安全监督检查规定). For example, there shall be at least two police officers in the event of an on-site inspection. Law enforcement officers shall keep the personal and private information, that becomes known to them during the inspection, confidential.

Moreover, to oversee the administrative action initiated by the CAC, a Draft Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration Departments (Draft Procedures; 网信部门行政执法程序规定征求意见稿) was published to seek public comments. The Draft Procedures set the rules on jurisdiction, evidence, enforcement, etc.

China signed the Regional Comprehensive Economic Partnership (RCEP) on 15 November 2020, which came into effect on 1 January 2022, and is one of 15 member countries. An emphasis on personal information (PI) protection is made under chapters on trade in services (financial services, Annex 8A) and electronic commerce (Chapter 12). In principle, the orderly cross-border transfer of information for the purpose of conducting business shall be protected by the member countries. In the interim, RCEP member countries are allowed to regulate the cross-border data transfer to safeguard public interest and national security.

The National Computer Virus Emergency Response Centre (CVERC; 国家计算机病毒应急处理中心) is a public institution in charge of tackling computer viruses. During the special project “Clearing the Network 2021” (for further details of which, please refer to 1.7 Key Developments), the CVERC conducted security checks on the internet and detected multiple apps that violated privacy protection regulations. The CVERC published the names, versions and acts of violation of the apps and required removal of such apps from the app stores.

The China Consumers Association is a social organisation established by Article 36 of the Consumer Protection Law to supervise the provision of goods and services for the purpose of protecting consumers’ legitimate rights.

Privacy and data protection provisions in China share the same goals as those of various other jurisdictions, which are to safeguard the rights of PI subjects and to punish acts of infringement. Compared with the CSL, there are far more similarities between the PIPL and the GDPR.

Similarities Between the PIPL and the GDPR

Similar to the GDPR, the PIPL has an extraterritorial effect on overseas PI processing activities, when the processing is for the purpose of providing products or services to, or analysing individuals within, China.

Also similar to the GDPR, the PIPL provides for several legal bases including:

  • the data subject’s consent;
  • execution and performance of a contract, to which the data subject is a party;
  • implementation of human resources management in accordance with the labour rules and regulations formulated according to law and the collective contract signed according to law;
  • performance of legal duties or obligations;
  • dealing with a public health emergency or to protect natural persons’ life, health or asset security in an emergency;
  • conducting reasonable news reporting and oversight of public opinion for the protection of public interest; and
  • others, as required by laws and administrative regulations.

Another big similarity between PIPL and GDPR is the restriction on PI cross-border transfer. Under the PIPL, while the PI handler intends to transfer PI collected within China to a recipient outside China due to business necessity, it has to meet certain conditions prescribed by the PIPL. Among the conditions, the certification and standard contractual clauses mechanism are quite like those under the GDPR. Other similarities include the principles for processing PI, PI subject rights, obligations of the PI handlers, restrictions on automated decisions, and restrictions on processing activities by government authorities.

Differences Between the PIPL and the GDPR

A noticeable difference is between the definition of sensitive PI under the PIPL and the definition of special categories of personal data, where the former covers a much wider range. Sensitive PI under the PIPL refers, broadly, to the PI that may give rise to discriminatory treatment, or cause harm to personal or property security, once it is leaked or unlawfully provided, while the types of special categories of personal data are listed exhaustively under the GDPR. The requirements for processing sensitive PI under the PIPL follow the same framework as that for PI where separate consent is required, while under the GDPR, the default rule is not to process special categories of personal data except for certain circumstances.

“Separate consent” is a new requirement introduced by the PIPL, which is not yet clearly defined and might raise the requirement on the form of consent needed.

Other notable differences between the PIPL and the GDPR include: the PIPL has no lawful basis of legitimate interest; the PIPL has a post-mortem right for PI; the PIPL restricts personnel violating the PIPL from holding the position of high-level management or DPO; and there is no centralised regulatory body under the Chinese privacy protection regime. In China, the three most important regulators are the CAC, the MPS and the MIIT. (See 1.2 Regulators for further detail.)

Key developments in legislation in the past 12 months include:

  • the amended Cybersecurity Review Measures (网络安全审查办法), came into effect on 15 February 2022;
  • the Administrative Provisions on Algorithm Recommendation for Internet Information Services (互联网信息服务算法推荐管理规定) took effect on 1 March 2022;
  • the Draft Regulations on the Protection of Minors Online (未成年人网络保护条例征求意见稿) was revised and published for comments on 14 March 2022;
  • the Draft Implementation Rules for the Administrative Regulation on Human Genetic Resources (人类遗传资源管理条例实施细则征求意见稿) was published for comments on 21 March 2022;
  • the Rules for the Implementation of Data Security Management Certification (数据安全管理认证实施规则) was announced and immediately effective on 5 June 2022;
  • the Administrative Provisions on Mobile Internet Applications Information Services (移动互联网应用程序信息服务管理规定) was promulgated on 14 June 2022;
  • the Provisions on Standard Contracts for Cross-border Transfers of Personal Information (“Chinese SCCs”,个人信息出境标准合同规定征求意见稿) was published for comments on 30 June 2022;
  • the Measures for the Security Assessment of Data Cross-border Transfer (“Outbound Measures”, 数据出境安全评估办法), was published in July and came into effect on 1 September 2022;
  • the Anti-telecom and Online Fraud Law of the People’s Republic of China (中华人民共和国反电信网络诈骗法) was promulgated on 2 September 2022 and took effect on 1 December, 2022;
  • the Draft Revised CSL was published for comments on 12 September 2022;
  • the Rules for the Implementation of Personal Information Protection Certification (个人信息保护认证实施规则) was announced and immediately effective on 4 November 2022;
  • the Draft Revised Anti-unfair Competition Law of the People’s Republic of China (中华人民共和国反不正当竞争法修订草案征求意见稿) was published for comments on 22 November 2022;
  • the Administrative Provisions on Deep Synthesis in Internet-based Information Services (互联网信息服务深度合成管理规定) was promulgated on 25 November 2022 and became effect on 10 January 2023;
  • the Administrative Measures on Data Security in the Field of Industry and Information Technology (for Trial Implementation) (工业和信息化领域数据安全管理办法(试行)) was promulgated on 8 December 2022 and became effective on 1 January 2023; and
  • the Technical Specification for Certification of Cross-Border Transfers of Personal Information V2.0 (“Certification Specification”,网络安全标准实践指南 个人信息跨境处理活动安全认证规范V2.0) was published and effective on 16 December 2022.

Major regulatory and enforcement activities that drive public attention include:

  • the CAC imposing an administrative fine of USD1.2 billion against Chinese ride-hailing company Didi over alleged data security violations;
  • the CAC launching a special project “Brightening the Network 2022” (清朗 2022) targeting algorithm for internet information services;
  • the MIIT and CAC publicly criticising apps that infringed customers’ rights and interests and requiring removal of such apps from app stores; and
  • the CAC launching cybersecurity reviews on several enterprises to prevent national data security risks and protect public interests.

In the next 12 months, it is expected that the following will take place.

  • The Draft Revised CSL will be reviewed and the official version is likely to be published in 2023.
  • The Regulations on the Administration of Network Data Security (Draft) will be reviewed by the CAC and the official version is likely to be published in 2023.
  • The Draft Regulations on the Protection of Minors Online will be reviewed and the official version is likely to be published in 2023.
  • The Chinese SCCs will most likely be finalised.
  • The identification guideline on the important data is likely to be released.
  • The Draft Anti-unfair Competition Law will be reviewed and the official version is likely to be published in 2023.
  • Series of national standards on the cybersecurity and data protection of Internet of Vehicles will likely be developed and released in 2023.
  • The number of litigation cases on PI protection will increase.

The Three Fundamental Laws form the basic legal framework of China’s data protection and privacy framework. In addition, the following regulations and national standards are crucial to understand the legal framework in China on data protection and privacy:

  • the Provisions on the Cyber Protection of Children’s PI;
  • the Measures for Cybersecurity Review (amended);
  • the Security Protection Regulations for Critical Information Infrastructure;
  • the Outbound Measures;
  • the Administrative Provisions on Algorithm Recommendation for Internet Information Services;
  • the Interpretations of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ PI (Supreme People’s Court and the Supreme People’s Procuratorate Interpretations; 最高人民法院最高人民检察院关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释);
  • the Certification Specification; and
  • the PI Specification.

The following draft measures and national standards are important indicators of future legislation:

  • the Regulations on the Administration of Network Data Security (Draft);
  • the Chinese SCCs; and
  • the GB/T-Information Security Technology – Important Data Identification Guidelines (Draft) (重要数据识别指南(征求意见稿)).

The CSL applies to network operators, which encompass virtually all companies involved in any kind of internet-based services. The PIPL applies to PI handlers, which refers to the person or entity that is in the position to decide the purpose and means of PI processing. The DSL applies to handlers conducting data processing activities in mainland China. For most entities that process personal data, the Three Fundamental Laws would apply.

Data Protection Officers (DPOs)

The CSL requires network operators to appoint personnel responsible for cybersecurity. When the amount of PI processed by an entity reaches a certain level, the entity shall, according to the PIPL, appoint an officer in charge of PI protection. According to the PI Specification, if there are more than 200 personnel in an organisation and its main business involves processing PI, or if the organisation handles the PI of more than one million people (or the personal sensitive information of more than 100,000 people), it should establish a department with designated full-time staff in charge of PI security.

The person in charge of PI protection shall be responsible for the overall planning and implementation of the internal PI protection system, stipulating and keeping up to date the PI policy and process, organising internal training, etc.


Under the CSL, consent from the data subjects is required prior to the collection and processing of PI. According to the PIPL, there are other legal bases where no consent is needed (please refer to 1.6 System Characteristics).

Privacy by Design or Default

Currently, there is no specific provision imposing any requirements of privacy by design/default, albeit they are helpful for fulfilling the obligations imposed by the CSL and PIPL. A similar system was indicated in the PI Specification where PI controllers are recommended to comply with national standards and to consider PI protection requirements when information systems are designed, developed, tested and released.

Privacy Impact Analysis

According to the PIPL, a risk assessment should be conducted before the following PI processing activities take place:

  • processing of sensitive PI;
  • use of PI for automated decision;
  • entrusted processing, sharing and public disclosure of PI;
  • cross-border transfer of PI; and
  • other processing activities that may have a significant impact on individuals.

The PISIA Guidance would serve as guidelines for conducting such a risk assessment. For cross-border transfer of PI, the Outbound Measures  would also provide reference for risk assessment.

Internal or External Privacy Policies

The CSL requires network operators to keep user information in strict confidence and to establish and improve the system for user information protection (Article 40). Network operators shall adopt technical measures and other necessary measures to guarantee the security of the collected PI and prevent the same from leakage, damage or loss (Article 42). In addition, the PIPL requires a management system that offers matching protection levels to data of different categories and of different levels of importance (Article 51).

External privacy policies that face PI subjects often serve as an approach for network operators to notify PI subjects as required under Article 41 of the CSL and Articles 17 of the PIPL. The internal policies shall be consistent with such external policies. What is promised to the users shall be implemented by the internal management measures and technical measures. The PI Specification also recommends that a PI controller adopt a privacy policy, as well as internal management and technical measures, to safeguard PI.

Data Subject Rights

Article 43 of the CSL entitles individuals to require a network operator to delete their PI if they find that any operator collects or uses such information in violation of the laws, administrative regulations or the agreement by and between that operator and them. PI subjects are also entitled to require any network operator to make corrections if they find errors in the information collected and stored by an operator. Operators shall take measures to delete the information or correct the error.

The PIPL provides the PI subjects with the rights, in relation to their data, to know, decide, restrict, object to its processing, access, copy, make portable, rectify, delete, withdraw their consent and account cancellation. In addition, PI subjects are also provided with related rights on automated decision-making (Article 24).

The right to data portability states that where PI subjects request to transfer their PI to another designated PI handler, such request shall be fulfilled by PI handlers when conditions stipulated by the CAC are met.

As for the right to withdrawal, the withdrawal of consent does not affect the lawfulness of processing based on that consent before its withdrawal. The right to withdrawal does not apply to PI processing activities based on a legal basis other than consent.


According to Article 42 of the CSL, there shall be no disclosure of PI without the consent of the PI subject unless such information has been processed to prevent that specific person from being identified and that information from being restored. Such methods to process information include anonymisation and de-identification of PI, which are stipulated under the PI Specification. Similar regulation can be found under Article 4 of the PIPL.

Specifically, anonymisation refers to the process whereby PI is technologically processed to make PI subjects unidentifiable, and such PI cannot be restored to its previous state once processed. Once anonymised, the information is no longer considered as PI.

On the other hand, de-identification refers to the process whereby PI is technologically processed to make it impossible to identify PI subjects without the aid of additional information. In other words, it is still possible to identify an individual with the help of de-identified information and other information. Thus, de-identified information is still considered as PI.

Big Data Analysis, AI, Algorithms, etc


The PI Specification recommends limited direct-user profiling. Direct-user profiling is when the PI of a specific natural person is directly used to create a unique model of that natural person’s characteristics. PI controllers engaging in direct profiling activities are required by the PI Specification to disclose the existence and the purposes of the direct profiling.


There are no laws or regulations directly regulating microtargeting in China. The effect of microtargeting is very similar to personalised recommendation (please refer to Automated decision-making immediately below).

Automated decision-making

According to Article 24 of the PIPL, an automated decision should be transparent and fair. The PI subject is entitled to request explanation and to refuse the decision if the automated decision has a significant impact on its rights and interests. In addition, when automated decision-making is used for commercial advertising or pushing notices, an option to receive a non-personalised message or a method to refuse such messages shall be given to the PI subject.

Online monitoring or tracking

Under the CSL and PIPL regime, tracking technologies such as cookies are not prohibited; cookies are usually regarded as PI, the collection of which shall comply with PI requirements.

Big data analysis

In the event of big data analysis, it is inevitable that data collected from various resources would be aggregated and used for a purpose that is normally different from the one that the data was originally collected for. Pursuant to the PI Specification, such data merging shall be subject to the purpose that the data is collected for. In other words, the use of the aggregated or merged data in big data analysis shall be consistent with the purpose that has been consented to by the data subject prior to the use of the same. Furthermore, big data analysis shall not be used to discriminate against customers (please refer to Algorithms (explanations, logic, code) below).

Artificial intelligence

So far, there has been no law or regulation systematically regulating data and privacy protection when artificial intelligence (AI) is involved. Yet, there are regulations focusing on the specific application of AI technology. For example, as stipulated by the Administrative Provisions on Deep Synthesis in Internet-based Information Services, audio and video that are generated by deep learning or other new technologies shall be identified in a noticeable way. The National New Generation AI Governance Professional Committee issued the New Generation AI Ethics Code (新一代人工智能伦理规范) on 25 September 2021. According to the work plan for building the framework of national standards on AI that was published by the Standardisation Committee of China, CAC, MIIT and other ministries in July 2020, a primary system of national standards on artificial intelligence will be completed by 2023.

Algorithms (explanations, logic, code)

Algorithm recommendation technologies have become the focus of the regulatory department. According to the Administrative Provisions on Algorithm Recommendation for Internet Information Services, “application of algorithm recommendation technologies” refers to the use of algorithmic technologies such as generation and synthesis, personalised push, sorting and selection, retrieval and filtering, scheduling decision-making, etc, to provide information to users. Algorithm recommendation service providers with public opinion attributes or social mobilisation ability shall go through the filing procedures.

In addition to algorithm recommendation technologies, misuse and monopoly of data and algorithms has also drawn the attention of government authorities. In February 2021, the Anti-monopoly Commission of the State Council published the Anti-monopoly Guide for the Platform Economy Sector (国务院反垄断委员会关于平台经济领域的反垄断指南) to address platform operators’ malpractice in eliminating or restricting market competition, such as using data and algorithms to form monopoly agreements or to provide differentiated treatment, etc.

Injury or Harm

In the event of an infringement of their privacy or legitimate rights, PI subjects may resort to the legal remedies provided by the Civil Code and the PIPL. In addition, injury or harm related to privacy and data rights could also lead to criminal liabilities where there is a serious circumstance of illegal sale or provision of PI.

A serious circumstance will have occurred where there is an illegal sale or provision of:

  • 50 pieces or more of location information, communication information or property information;
  • 500 pieces or more of accommodation information, health information or other information that may have an impact on citizens’ health or property security; or
  • 5,000 pieces or more of other PI (Article 5 of the Supreme People’s Court and the Supreme People’s Procuratorate Interpretations).

Data that is subject to special regulations under the Chinese legal framework includes, without limitation, sensitive PI, important data, national core data and business data from certain industry sectors.

The definition of sensitive PI is discussed in 1.6 System Characteristics. Financial data, health data, communications data, voice telephony and text messaging, the content of electronic communications and a person’s sexual orientation are categorised as sensitive PI. More stringent restrictions and higher protection standards are applicable to sensitive PI.

The PI of children under 14 years old is also sensitive PI and is subject to special protection under the Provisions on the Cyber Protection of Children’s PI. Student data is not necessarily personal sensitive data. It depends on which specific data type it is.

Employment-related data will not be deemed as sensitive PI merely because it is employment related. But if it falls into the category of sensitive PI because, for example, it contains the identity card number or bank account number of an employee, relevant regulations on sensitive PI would apply.

Specific identity and political or philosophical beliefs are deemed to be sensitive PI under the PIPL regime.

Internet, Streaming and Video Issues

Browsing data, viewing data, cookies, beacons and location data are all regarded as sensitive PI. Tracking technology is not prohibited under Chinese law. Yet, if PI is collected and used for behavioural or targeted advertising which has not been agreed to by the data subjects (and no other legal basis exists), that collection and use of PI would be deemed illegal. There have been some discussions regarding privacy and data protection with major internet platforms such as WeChat or TikTok. Yet, there has been no significant law enforcement activity or administrative punishment imposed on those companies, as there has been on Google or Facebook.

According to the CSL and the Administrative Measures on Internet-based Information Services (互联网信息服务管理办法), the network service provider will be liable for any erroneous, illegal or prohibited information published on a website or other medium it provides, whether intentionally or negligently. If the provider immediately takes action to stop the wrongdoing or blocks access to such inaccurate information after receipt of notice from the affected party, its liability might be limited. Besides, the Opinions on Further Compacting the Responsibility of the Information Content Management Subject of the Website Platform (关于进一步压实网站平台信息内容管理主体责任的意见) was published in September 2021 by CAC.

Please refer to 2.3 Online Marketing for discussion of behavioural or targeted advertising.

Please refer to 2.1 Omnibus Laws and General Requirements for discussion of data subject rights, the right to be forgotten, data access and portability, the right of rectification or correction and rights to object to sale of data.

The Advertising Law (广告法) is the fundamental law that regulates advertising. The Interim Measures for Administration of Internet Advertising (互联网广告管理暂行办法) apply to online marketing. The sender shall obtain from the recipients their consent to, or request for, advertising and the sender shall also disclose their true identity, contact details and the opt-out method for advertisements distributed via electronic means.

Since online marketing, particularly behavioural and targeted advertising, is normally based on analysis of PI collected from the users, regulations on PI collection and use shall be observed. To begin with, PI shall not be collected or used for behavioural advertising if the PI subjects have not agreed to this. Pursuant to Article 24 of the PIPL, if business marketing or push-based information delivery is conducted towards an individual by means of automated decision-making, an option not targeting the personal characteristics of the individual, or an easy way to refuse to receive this, shall be provided to the individual. In addition, according to the PI Specification, it is recommended to use indirect user profiling which is generated from PI that is not from particular persons instead of direct user profiling for online marketing. Also, where a personalised display is used for online marketing, an option to turn the function off and to delete or anonymise the PI used for such a personalised display should be provided to the users.

Special Laws

Currently, there is no special law or regulation regulating workplace privacy. It is governed by the Employment Law (劳动法), the Employment Contract Law (劳动合同法), the CSL, the PIPL, and relevant laws and regulations governing PI. The PI of an employee is subject to the same PI protection regime as that of any other regular person.

Workplace Communications

Even though employees’ PI is protected in the same way as regular PI, it is a fact that the employment relationship between employees and employers has its own features. It is commonly understood that employers shall duly notify their employees that activities in the workplace, during working hours, and conducted with working facilities, are supervised and monitored by the employers. Employment contracts or the employee handbook usually contain clauses in this regard. Normally, the voluntary provision of PI by the employees under the employment contract would be deemed as giving authorisation to the employers to collect and use their information in accordance with the purpose of employee management.


In China, labour unions do not play the same role as those in the western world. Where there is infringement of an employees’ PI rights, instead of appealing to a labour union, the employees may report this to the competent authorities in charge of cybersecurity and PI protection.


Normally, corporations would adopt internal supervisory and reporting mechanisms, including whistle-blower hotlines and anonymous reporting channels. It is always an option to report malfeasance to the competent government authorities. There is no unified standard rule. It varies between corporations and industries.


E-discovery shall follow relevant litigation and arbitration rules. Access to employees’ PI for the purpose of e-discovery would be deemed as used in direct relation to a court trial, and thus no consent is required for the collection and use of such information. Yet, there might be situations where it is not necessarily directly related to court trials. Thus, it is advisable to plan ahead by establishing an archive system and incorporating clauses on access to an employee’s PI for the purposes of e-discovery and other reasons into the employment contract or employee handbook.

Other Issues

Network operators are required to implement technical measures and other necessary measures to guarantee the security of the collected PI and prevent it from leakage, damage or loss. This may include the use of digital loss-prevention technologies. There is no law or regulation prohibiting employers from blocking websites to secure the productivity of their employees and it is advisable to publish such measures in the employment contract, employee handbook or relevant company policies.

Legal Standards for Regulators

The CSL, the DSL, the PIPL and the Consumer Protection Law are the four most fundamental standards used by law enforcement to regulate and punish violations of privacy or data protection laws. The PI Specification is heavily relied on as well. For data processing activities that may endanger national security, the Cybersecurity Review Measures (amended) will also be referred to. For law enforcement against violations by mobile applications, the Standards for Determining Unlawful Collection of Person Information by Apps (App 违法违规收集使用个人信息行为认定方法) were released in November 2019. These Standards are summaries of specific violations observed in business practice and will be used as tools for app operators to conduct self-inspection as well as for law enforcement departments to determine unlawful acts.

Potential Enforcement Penalties

Depending on the violation, different sanctions and penalties may be imposed by the CSL. For instance, non-compliance with the PI-protection-related provisions in the CSL may result in orders to take rectification measures, warning, confiscation of illegal earnings, fines, or a combination thereof. The fine should be more than the illegal earnings but less than ten times of the same. In the event that there is no illegal earning, the fine shall not be more than CNY1 million. The directly responsible person may face a fine ranging from CNY10,000–100,000. In the case of a severe violation, the competent authority may order suspension of related business, winding up for rectification, shutdown of website, and the revocation of the business licence of the operator or provider.

What is worth noting is that the Draft Revised CSL has increased the amount of the fine which may be imposed upon the violator. For severe violation, the amount of the fine may range from CNY1 million to CNY50 million or not more than 5% of the turnover of the previous year of the violator. The person directly in charge may be fined ranging from CNY100,000 to CNY1 million.

Where there is a severe violation that could lead to criminal prosecution, the prosecution standards are stipulated by the Supreme People’s Court and the Supreme People’s Procuratorate Interpretations (see the discussion in 2.1 Omnibus Laws and General Requirements).

Under the PIPL, the penalties for violations are much higher than that under the CSL (see the discussion in 1.6 System Characteristics).

Leading Enforcement Cases

Among the law enforcement activities pursued in 2022, violations punished by the administrative authorities include failure to file for a cybersecurity review before listing abroad, failure to obtain data subjects’ consent before PI collection, failure to implement a cybersecurity or PI protection system, and failure to detect a security vulnerability in network services. For example, the CAC fined the Chinese ride-hailing company DiDi Chuxing USD1.2 billion, for it had violated the CSL, the DSL and the PIPL significantly.

Private Litigation

In general, most cases or proceedings take the form of administrative investigation and punishment initiated and imposed by government authorities. Legal bases for an individual to initiate private litigation include the Civil Code, the Consumer Protection Law, the CSL and the PIPL.

One civil case worth noting involved an individual suing one of China’s famous e-commerce platforms, Vipshop. The individual plaintiff sued Vipshop for failure to exercise his right to access and copy. In this case, the court ruled out that exercising the right to access is not conditioned on real-name authentication so long as there is a reasonable way to authenticate the individual. In addition, the court decided that the disclosure shall include the information the platform confirms to collect in its privacy notice and the information shared with any third party. As to the PIPL’s “in time” requirement imposed on the platform to fulfil its obligation, the court set the date to 30 days. As the case is the first case on the right to access, it is expected that there will be more cases on individuals exercising their information rights in the coming year.

Since the Civil Code came into effect on 1 January 2021, there have been many public interest lawsuits initiated. It is expected that there will be more private litigation on PI protection in the coming year.

For the purpose of criminal prosecution, the people’s courts, the people’s procuratorates and public security bureaus are empowered by the Criminal Procedure Law (刑事诉讼法) to collect or obtain evidence from the entities and individuals concerned. Relevant parties are obliged to co-operate and provide truthful evidence (Article 54). Evidence involving any state secret, trade secret or private PI shall be kept confidential (Article 152). Collection of evidence by judges, prosecutors and investigators from public security bureaus shall follow legal procedure. When a search is to be conducted, a search warrant must be presented to the person to be searched (Article 138). A search warrant could be issued by the People’s Procuratorate and public security bureaus. Any staff members of the authorities performing PI protection duties who neglect their duty, abuse their authority or commit malpractice for personal gain, without those actions constituting a crime, shall be subject to disciplinary action pursuant to the laws (Article 68 of the PIPL).

The Constitution Law (宪法) provides for the fundamental protection of privacy. The state respects and protects human rights (Article 33). The personal dignity of citizens of the People’s Republic of China is inviolable (Article 38). The freedom and privacy of correspondence of citizens of the People’s Republic of China are protected by law (Article 40). According to Article 77 of the National Security Law (国家安全法), citizens and organisations are under the general obligation to provide support and assistance for work relating to national security.

According to the Counterespionage Law (反间谍法), a national security authority may, as needed for counterespionage work, legally inspect the electronic communication tools and instruments and other equipment or facility of a relevant organisation or individual. If the national security authority discovers any circumstances compromising national security during inspection, it shall order the organisation or individual to make rectification; and may take seizure or impoundment measures if the organisation or individual in question refuses to make rectification or still fails to satisfy the relevant requirements after rectification (Article 13).

The power of the national security authorities is not unrestricted. According to Article 37 of the Counterespionage Law, where any staff member of a national security authority divulges any state secret, trade secret or piece of private individual information, in violation of the relevant provisions, which constitutes a crime, the staff member will be subject to criminal liability in accordance with the law. In addition, according to Article 35 of the DSL, where a public security organ or state security organ needs to retrieve data for the purpose of safeguarding national security or investigating crimes, it shall go through strict approval formalities in accordance with relevant provisions. The procedural requirement and protection provided by the Criminal Procedure Law, as mentioned in 3.1 Laws and Standards for Access to Data for Serious Crimes, is also applicable here.

Organisations in China cannot invoke foreign government access requests as a legitimate basis to collect and transfer personal data. On the contrary, according to Article 36 of the DSL, organisations shall not provide any foreign judicial or law enforcement body with any data stored within the territory of China without the approval of the competent authority.

Industry leaders, such as Huawei and ZTE, were accused of being manipulated by the Chinese government and secretly providing personal data to the government. There are some media voices alleging that the Counterespionage Law authorises the government to take or confiscate any property that might endanger national security. Yet, as discussed in 3.2 Laws and Standards for Access to Data for National Security Purposes, the laws and regulations do not allow the government to access personal data under any circumstances. Only for specific purposes such as criminal investigation, investigation of activities compromising national security and counterespionage work shall the government conduct investigations that may involve access to personal data. During the course of investigations, authorities must abide by strict procedures prescribed under relevant legislation. Besides, infringement of individual privacy by government authorities is regulated by both the Counterespionage Law and the Criminal Procedure Law. The PIPL also stipulates restrictions on the personal data processing activities of government authorities.

According to the CSL, PI collected by critical information infrastructure operators (CIIOs) during their operation in China shall be stored within Chinese territory. Where there is a need to transfer such information overseas, a security assessment shall be conducted. The PIPL expands the obligation to CIIOs and entities that process PI to a certain extent. A security assessment shall be passed before PI can be transferred overseas. So far, data import from overseas to China has not been the focus of the administration.

The PIPL provides for three routes for cross-border data transfer compliance: (i) security assessment organised by the authority, (ii) certification by the approved agencies, and (iii) standard contracts signed with the receiving party. According to the Outbound Measures, the security assessment mainly includes the following matters.

  • Legality, legitimacy and necessity of the purpose, scope and method of transmitting the data abroad.
  • The impact of the policies and regulations on data security protection, and the network security environment of the country or region where the overseas recipient is located, on the security of the outbound data; and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People’s Republic of China and the mandatory national standards.
  • The quantity, scope, type and sensitivity of the outbound data, and the risks of leakage, tampering, loss, damage, transfer, or of illegal acquisition or illegal use of such data when leaving the country or thereafter.
  • Whether the data security and the rights and interests of the PI can be adequately and effectively protected.
  • Whether the legal documents to be concluded by the data handler and the overseas recipient have fully agreed on the responsibilities and obligations of data security protection.
  • Compliance with Chinese laws, administrative regulations and departmental rules.
  • Other matters that the CAC considers necessary to be assessed.

The certification mechanism mentioned in the PIPL is finalised by the Certification Specification. As to the standard contractual clauses, the Draft Chinese SCCs has been published for comments, the official version of which is highly likely to be released in 2023.

As to derogations, unlike the GDPR, the PIPL does not have leeway for situations that do not meet the three routes. However, Article 38 allows the provision of PI according to international treaties or agreements concluded or acceded to by China.

Cross-border transfer of PI and important data is regulated under the Three Fundamental Laws. CIIOs are required by the CSL to conduct security assessment prior to the cross-border transfer of PI and important data (please refer to the discussion in 5.7 Other Significant Issues on the definition of important data). For non-CIIOs to transfer PI, please refer to 4.2 Mechanisms or Derogations that Apply to International Data Transfers.

With respect to important data, data handlers are required by the DSL to abide by regulations or measures issued by a certain authority, which refers to the Outbound Measures.

The first and foremost data localisation requirement is that national secrets are not allowed to be transferred overseas. Secondly, PI and important data collected by CIIOs in the course of their operations in China are required to be stored domestically and a security assessment is required for cross-border data transfer. For data handlers that are not CIIOs, but process PI that reaches a certain volume threshold or collect important data, a security assessment is also required. Additionally, there are localisation requirements for special business data, including, without limitation, (i) credit investigation data, (ii) personal financial information, (iii) map data, (iv) essential tech equipment required for online publication services, (v) data and information related to car hailing services, (vi) health information of the population and (vii) insurance data and fiscal data.

In principle, such data shall be stored within the Chinese territory (excluding Hong Kong, Macau and Taiwan regions) and may not be freely transferred overseas. Where it is necessary to transfer such data overseas, special requirements on each type of information shall be applied.

There is no law or regulation requiring technical details, such as software code or algorithms, to be shared with the government. The cybersecurity examination on the online products and services relevant to national security does not aim at acquiring technical details (Article 35 of the CSL). The purpose of this examination is to evaluate whether there will be a risk of massive data leakage, loss or cross-border movement; interruption of services or a risk of a CIIO being controlled by foreign entities. The purpose of the examination is not to acquire code or algorithms from market participants, sharing technical details should be a voluntary decision on the part of the relevant entities.

According to Article 36 of the DSL, organisations shall not provide any foreign judicial or law enforcement body with any data stored within the territory of China without the approval of the competent authority. With respect to internal investigations, the restrictions on data collection and cross-border data transfer mentioned above shall apply.

In addition to Article 36 of the DSL discussed in 4.6 Limitations and Considerations, the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and Other Measures of the People’s Republic of China (the Rules) was released by the Ministry of Commerce of the People’s Republic of China (MOFCOM) on 9 January 2021, with immediate effect. According to Article 36 of the DSL, companies or individuals shall not provide data stored within the territory of China to foreign judicial or law enforcement agencies as requested, unless approved by competent authorities. The Rules are considered to be China’s blocking statute and have set up a relatively comprehensive anti-economic sanctions system to deal with long-arm jurisdictions of certain countries and regions.

Big Data

When it comes to emerging digital and technology issues, it is hard to ignore the fact that the inherent biases of algorithms may lead to the infringement of individual rights and discrimination. Until the technologies are mature, and the error rates manageable, network operators and data handlers will continue to take a cautious attitude towards the application of such technologies.

For a discussion of big data analytics, automated decision-making, profiling and artificial intelligence (including machine learning), please refer to 2.1 Omnibus Laws and General Requirements.

Network operators in the business of the internet of things (IoT) and big data analytics shall pay special attention to implementing the MLPS. According to the national standards constituting MLPS 2.0, IoT and big data applications are expressly included in the protected objects of the MLPS. Specific security requirements can be found in the corresponding national standards. Network operators of IoT and big data applications are advised to commence the grading and classification at their earliest convenience.

Automated Decision-Making

For the purpose of automated decision-making, a vast amount of data will be collected and aggregated. Taking autonomous vehicles as an example, the vehicles would be continuously collecting all location data of the users which would be used to, among other things, generate direct user profiles. The MIIT issued some regulations regarding intelligent connected vehicles and provided requirements for collecting and processing data. The CSL, the PIPL, the PI Specification, and relevant national standards would apply to the collection and processing of PI, including automated decision-making, as well as the protection of data security.

Biometric Data

The application of biometric data, including facial recognition, is increasing. Biometric data is highly sensitive personal data. It is unique to each individual and it is impossible to change one’s biometric data. Processing of biometric data shall be conducted with much higher and more stringent standards. Requirements for collecting and processing sensitive PI are found under Section 2, Chapter 2 of the PIPL. Additionally, the GB/T 40660-2021 Information Security Technology – Basic Requirements of Biometric Data (GB/T 40660-2021 信息安全技术-生物特征识别信息保护基本要求) also provides guidance for the processing of such data.

Other Areas

Geolocation data is sensitive PI, the collection and processing of which shall be in accordance with the applicable rules as discussed in 2.2 Sectoral and Special Issues.

Drones, which are being used for recreational purposes as well as for law enforcement, are getting smaller and cheaper while the images a drone can get are clearer and more accurate than ever. So far, only general rules on privacy and data protection are applicable to the use of drones.

Disinformation, deepfakes, and other illegal content such as inflammatory speech or erroneous content on the internet are regulated by the ecological governance of internet information content (please see discussion under 2.2 Sectoral and Special Issues). Should an individual suffer from online harm, they can resort to the Civil Code and other applicable regulations and claim damages against the wrongdoer and or platform operator (if applicable).

“Dark patterns” or online manipulation is regulated under Consumer Protection Law and the PIPL. According to Article 8 of the Consumer Protection Law, consumers shall be entitled to autonomous selection of goods or services and have the right to make comparison, identification and selection. Besides, pursuant to Article 5 of the PIPL, it is forbidden to process PI through deception, fraud and coercion.

Fiduciary duties for privacy or data protection have not been expressly defined under the current legal framework. Similar obligations might be the duties of the data protection officers (please see discussion under 2.1 Omnibus Laws and General Requirements).

To address the problems and concerns brought about by emerging technologies, TC260 is actively conducting research and has released industry study reports and, most importantly, recommended national standards to guide the application of various cutting-edge technologies. For example, TC260 published the Practice Guide to Cybersecurity Standards – Guidelines on the Code of Ethics for Artificial Intelligence (网络安全标准实践指南—人工智能伦理道德规范指引) in January 2021 to address ethics topics regarding artificial intelligence. Besides, The National New Generation AI Governance Professional Committee issued the New Generation AI Ethics Code (新一代人工智能伦理规范) in September 2021.

There are lots of special enforcement projects, such as “Clearing the Network 2022” (净网2022), launched by the MPS and implemented by provincial public security departments across the country throughout the year. This is a comprehensive investigation into violations in internet-related industries. The CSL and the PIPL has been the major legal basis for investigations and punishment. Please refer to 2.5 Enforcement and Litigation for more details. There has been no civil case with a large settlement or joint action with respect to privacy and data protection. Please refer to 2.5 Enforcement and Litigation for discussion of a remarkable civil case.

Due diligence on privacy and data protection in corporate transactions would normally start with interviews to gain an understanding of the existing situation in terms of cybersecurity protection measures and data processing at the relevant company. Then a gap analysis would be conducted to evaluate the deviation between compliance requirements and the actual situation. The last step would be offering compliance suggestions. The focus of the due diligence would usually be on the following aspects:

  • management systems of the network operation security;
  • information on the network products and services purchased by the company;
  • collection and processing of data;
  • data storage and internal management;
  • data output; and
  • cross-border data transfer.

According to the disclosure requirements for listed companies, investigations, criminal punishment or major administrative punishment must be disclosed.

Unlike the legislation moves in the EU, there is no national level single law or regulation to regulate the tech companies and digital technology, such as the Digital Markets Act, the Digital Services Act, or the Data Act. However, as the above laws focus on promoting fairness and competition in the digital sector and better protection of individuals’ fundamental rights, there are several provisions scattered in laws or regulations of different legislative levels in China.

For the facilitation of fairer competition, the Draft Revised Anti-unfair Competition Law of the People’s Republic of China was published for comments in 2022.

For the governing of large online platforms, Article 58 of the PIPL requires the important internet platform service provider to establish a sound PI protection compliance system and accept supervision from the public. To ensure fair service to the individuals, the Anti-monopoly Guidelines of the Anti-monopoly Commission of the State Council on Platform Economy became effective in 2021. In addition, the Cybersecurity Review Measures was amended and effective in 2022 to ensure the platforms that process large amounts of PI from endangering national security.

For the protection of individuals from false information, the Anti-telecom and Online Fraud Law, the Administrative Provisions on Algorithm Recommendation for Internet Information Services, and the Administrative Provisions on Deep Synthesis in Internet-based Information Services were promulgated in 2022 and have already become effective. Also, regulations in the financial sector may impose certain obligations.

The terms of important data and critical information infrastructure are unique concepts under the CSL, the PIPL and the DSL regime.

Important Data

According to the Important Data Identification Guidelines (Draft), important data refers to the kind of data that, if tampered, damaged, divulged, or illegally obtained or utilised, may affect national security and public interest. So far, no regulation on implementing methods of important data identification and their scope have been officially published. Yet, according to the Important Data Identification Guidelines (Draft), important data shall usually not include state secrets or PI, but statistical data and derived data based on massive amounts of PI may belong to important data. Even though such guidelines have not entered into force, there have been indications that modification of legislation regarding important data, and the law enforcement trends in the same area, are to be expected. Cross-border transfer of important data is subject to special procedures which are discussed in detail in 4.3 Government Notifications and Approvals.

Critical Information Structure (CII)

The CSL, the PIPL and the DSL provide for a special protection scheme in China on CII and the corresponding protection principles. The Security Protection Regulations for Critical Information Infrastructure came into effect in September 2021. Other regulations and national standards on CII are also at the stage of soliciting opinions. Information infrastructure – in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service, e-government and the national defence science and technology industry – might fall within the scope of such regulation. The purpose of offering extra protection for critical information infrastructure is to protect national security, the national economy, people’s livelihoods and the public interest.

Zhong Lun Law Firm

22-31/F, South Tower of CP Center
20 Jin He East Avenue
Chaoyang District
Beijing 100020

+86 010 5957 2003

+86 010 6568 1022
Author Business Card

Trends and Developments


Global Law Office (GLO) dates back to the establishment of the Legal Consultant Office of China Council for the Promotion of International Trade (CCPIT) in 1979. By the approval of Ministry of Justice of the People’s Republic of China, the firm was renamed as China Global Law Office in 1984 to take an international perspective on its business, fully embracing the outside world. After over 40 years of persistent efforts and development, it has become one of the prominent large comprehensive law firms in China. GLO has been committed to the mission of serving domestic and foreign clients with globalised vision, globalised team and globalised quality since its inception, allowing it to consistently maintain a leading position in the industry in the midst of an ever-changing global economic environment. All GLO lawyers are graduates from first-tier domestic and/or international law schools, most of whom hold LLM or higher degrees. Many partners are qualified to practise in the USA, UK, Australia, Switzerland, New Zealand and Hong Kong, among others.


Compliance, as a long-term theme in the data world, received higher visibility in data practice in China in 2022. However, in the same year, data trading and utilisation, as another long-term theme, also slowly moved to the spotlight. It is expected that data trading and utilisation will attract more attention in 2023, although compliance efforts will continue. 


In 2021, China introduced the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) and completed a puzzle on China’s cyber and data security regulatory framework. In 2022, Chinese regulators were zealously fleshing out the data regulatory details by drafting implementation rules under the newly established data security regulatory framework and creating landmark cases to show off the iron hand in enforcement of the framework. It is expected, and it is the hope of many private businesses, that the passion on compliance will be stabilised in 2023.

Trading and utilisation

While the Chinese regulators are busy with compliance enhancement, the decision-makers of the Chinese government are preparing for different things. Foreseeing the end of the strict control of everything, decision-makers are thinking of rebooting the economy, advancing competition in the global battlefields, and winning the heart and faith of the market. It is hoped that digital economy and data rights are given the opportunity to fulfil the goals in those areas, and thus governmental policies favouring data trading and pervasive use are unleashed. It is expected that the attention to data trading and utilisation will continue rising in 2023. 

Why are we looking back at the beginning of the new year? 

Data Cross-Border Transfer

For clarity, the data referred to in this article includes personal information and data of non-personal information. 

In general, data processors in China can freely transfer data out of China, unless there is a specific legal requirement providing otherwise. Before 2022, the “otherwise” legal requirements mainly included separate consent for personal information under PIPL, the absolute localisation requirement on core data and the administrative approval on important data under DSL, restrictions imposed by industry-specific regulations on specified types of industrial data on a project basis (eg, human genetic data or geographic location information) and data subject to export control law and regulations.

In 2022, the Cyberspace Administration of China (CAC) took its efforts substantiating three mechanisms under the PIPL and DSL, which would be in addition to the additional legal requirements mentioned above. Those three mechanisms are the CAC security assessment, the China standard contractual clause (CN SCC) and the privacy protection certification. However, it is worth mentioning that the CAC security assessment is not a governmental process for personal information outbound transfer, but also the outbound transfer of important data.

CAC’s security assessment

On 7 July 2022, CAC released the Rules on Data Outbound Transfer Security Assessment (“Data Security Assessment Rules”). The Data Security Assessment Rules intend to consolidate the administrative approvals on outbound transfer of important data under DSL and of personal information under PIPL, into one process. They establish the threshold for the security assessment, and data processors meeting such a threshold must pass the security assessment in order to continue the outbound transfer of the data.  Considering that this is a new mechanism that both the CAC and the data processors need to be familiar with, the Data Security Assessment Rules thoughtfully offer a six-month grace period from their effectiveness to allow the data processors to file for the process. The six-month grace period ends on 1 March 2023. As of 31 January 2023, according to CAC, its local offices in Beijing and Shanghai had only received 83 applications. Not until 28 January 2023 did CAC’s Beijing office announce the first approval of data outbound transfer since the effect of the Data Security Assessment Rules.  Although no one is speaking about it, based upon the data above, it seems that a de facto extension of the grace period is inevitable. However, since there is no official word of the extension, everyone is rushing to file.

After the Data Security Assessment Rules, to facilitate the security assessment preparation efforts, CAC and its local offices further released the Guidelines for Data Outbound Security Assessment Declaration (First Edition) and its local adapted versions, and they also published telephone hotlines. 

Notwithstanding the above efforts, there is still a catch in the threshold definition, which is that there is neither an explicit list nor a mechanism to determine the important data or the CIIO. The first application that has passed the security assessment was filed by a Beijing hospital which outbound transfers certain important data to a university in Holland. Because the healthcare authority has not released its list or guidance to determine the important data, rumours say that the important data determination in this application is made on a specific case-analysis basis. Although the CAC and its local offices have released more than two rounds of Q&As for the security assessment preparation, there seem always more inquiries on details. 

To make the security assessment a smooth and hassle-free process, (i) an easy way to allow data processors to determine important data, (ii) more transparency of the assessment standards, and (iii) more guidance covering application details in various industries and the business scenarios need to become reality. CAC is said to be aware of the above wish-list of the data processors; it is currently working on solutions while working on an astonishing volume of security assessment applications rushing its way. We all hope that this could become a reality in 2023.

CN SCC and the privacy protection certification

Personal information processors can opt to use the CN SCC. When they are not subject to the above security assessment for the outbound transfer of personal information, using the CN SCC will make it easier to pass the scrutiny to file for record of its personal information outbound transfer with CAC. When they are subject to the above security assessment, using the CN SCC will also make the assessment simple. 2022 only saw a draft of the CN SCC draft and its filing rules. Based upon the current draft, although using the CN SCC may save efforts for the personal information processor in the China domestic governmental process, it will require more of their efforts to persuade the sophisticated foreign personal information recipients to accept the CN SCC. It is expected that CN SCC and its filing rules will get finalised, and we all hope that the final version can be one that will save everyone’s energy. 

It is very interesting that two versions of the Practical Guidelines – Technical Specification for Certification of Cross-Border Transfers of Personal Information (the Privacy Protection Certification Guidance) have been released by China’s National Information Security Standardisation Technical Committee (NISSTC) within six months. As an official guideline, the Privacy Protection Certification should be well thought out before being released. With V2.0 with patches to V1.0 within only six months, it is unclear whether there will soon be V3.0 or V4.0 in 2023. In addition to the frequent changes, another important factor in the implementation of the privacy protection certification is that no competent certification institution had been appointed as of 31 January 2023. Rumours say that the China Cybersecurity Review Technology and Certification Centre (CCRC) is close to being appointed, but appointing only one certification institution apparently may cause doubts when there are other similarly competent and government background competitors around. It is also expected, in 2023, to see a list of certification institutions and how the privacy protection certification will be implemented.

V2.0 of the Privacy Protection Certification Guidance is applicable for certifying outbound transfer of personal information within or beyond a corporate group, but obtaining the certification will not waive the security assessment when being triggered and the CN SCC filing. The privacy protection certification is a voluntary process for personal information outbound transferers. It is better to wait and see the real value of such a process, and compare the convenience in the consequence and the inconvenience in the certification process which is ongoing during the term of the certification.

Cybersecurity Review Against Didi is Closed

In 2022, Cybersecurity Review, a process originally created in 2020, got an update in law in February and closed its first enforcement case in July. 

In the update to the Rules on Cybersecurity Review, CAC requires that network operators which process more than one million individuals’ personal information must pass the cybersecurity review before they can go for IPO in the securities exchanges in foreign countries. It is worthwhile mentioning that Hong Kong SAR, although being deemed as “foreign” from a foreign investment regulation perspective, is not deemed as foreign for IPOs by CAC for the purpose of cybersecurity review. Therefore, PRC companies having IPOs in HKSE will not need to go through the full process of the cybersecurity review.

After more than one year of investigation, the first cybersecurity review case was closed in 2022. It ended up that CAC imposed a USD1.2 billion fine on Didi, and CNY1 million fine on each of the two executives responsible for the violation. According to the summary report published by CAC, Didi was found to have violated several data protection and cybersecurity requirements, including unnecessary collection of users’ personal information since June 2015, and improper processing of sensitive personal information. CAC’s conclusion is that Didi’s non-compliant processing of data has posed a serious threat to national security. Didi’s case served as an important achievement in CAC’s cybersecurity and data protection law enforcement showing off the muscle against violations and deterring violations by other data processors in China. It showcased significant implications of the cybersecurity review for the internet and hi-tech companies in their foreign IPO plans.

Important Data Determination Mechanism

Important data determination has been progressing slowly since its debut in 2017 under CSL. In 2021, DSL provided a general principle that the industrial regulatory authorities and the governments should bear the responsibility to determine the important data in their industries and their regions. Without specific guidance, the industrial regulators and local governments are at a pause. 

Slowly, in January 2022, the NISSTC released adraft Guidelines for the Identification of Important Data which offer high-level guidance and considerations for purposes of important data determination. In December 2022, the Ministry of Industry and Information Technology (MIIT) released the Provisional Rules on Data Security in the Field of Industry and Information Technology (the “Provisional Rules”) which define five core factors for determining important data in the industries that are subject to the MIIT regulation; eg, telecoms, electronic, and industrial manufacture. The Provisional Rules identify the approaches to determine the important data in the above industries, but the final list will be subject to the local government, the provincial MIIT office and the businesses in those industries. In addition, some provincial offices of the CAC (such as Jiangsu province and Hainan Province) also provide, as references in their working guidelines, clues to determine what constitutes important data, but such references are only applicable to the Data Security Assessment purpose and are not authoritative at all. A fair statement to summarise the position in 2022 on important data determination is that there has not been any break-through yet. We hope that there will be substantial progress we can share in 2023.

Bold Move on Algorithms and Deepfake

Popularity of ChatGPT proves how algorithms can increase the productivity of data and how critical a role an algorithm can play in data exploitation. It requires both imagination and courage to regulate algorithms if anyone wants to ensure the regulation will not improperly interrupt the development of the technology which is still in its early stage. For this reason, the authorities in many countries hesitate in rolling out their regulations on algorithms. 2022 saw two bold attempts in China to regulate algorithms, which focused on content or presentation respectively, in respect of content recommendation and deepfake. 

Content recommendation

The Provisions on the Administration of Algorithm Based Recommendation for Internet Information Services (the “Algorithm Recommendation Rules”), which came into effect on 1 March 2022, are the first legislation in China to regulate algorithm-based recommendation businesses. The Algorithm Recommendation Rules were enacted mainly to prohibit anyone from using the algorithm-based recommendation to disseminate illegal or improper information. They also impose regulatory measures against legal issues frequently associated with algorithm-based recommendation businesses, such as information cocoons, big data discrimination and infringement of data subject’s privacy. The service providers using algorithm-based recommendations are required to protect the rights and interests of their users, including the right to know and the right to decide. They are also required to file for record with CAC and publicly announce the basic information of the algorithms used if the algorithms they use have the nature of opinion and social advocacy. As of 31 January 2023, a total of 223 algorithms had been filed by 101 internet companies in China, including by internet giants such as Alibaba, Tencent and Baidu.

To inspect the implementation of the Algorithm Recommendation Rules, CAC further launched a special enforcement campaign on algorithm compliance in April 2022, targeting large-scale websites and platforms for inspection. 


In November 2022, the CAC, the MIIT and the Ministry of Public Security (the “Police”) jointly issued new rules on the Administration of Deepfake Used in Internet Information Services (the “Deepfake Rules”), which came into effect on 10 January 2023. The Deepfake Rules reflect the Chinese authorities’ concern primarily on traceability in content regulation and also on potential abuse of the technology in harming individual rights and interests (because the technology can make people appear to say and do things they do not). 

Because deepfake is only a use case of the algorithm, most of the requirements under the Algorithm Recommendation Rules also apply to deepfake use in internet information services. The Deepfake Rules highlight the regulatory requirements unique to the technology. The Deepfake Rules hold the internet information service providers and their technical vendors accountable and impose heavy content surveillance burdens. For example, where deepfake service providers or their technical vendors provide the function to edit facial or vocal information or other biological information, in addition to running the security assessment of the function, they should further inform their service users to obtain the separate consents of the data subjects whose facial or vocal information is edited. 

It is expected that in 2023, regulatory measures on algorithms and deepfake technologies used by internet information service providers will go deep, and regulators will conduct regular enforcement patrol on content generated by algorithms and the information service providers using such technologies.

Data 20

After more than three-years’ strong compliance enforcement, release of the Opinions on Building the Fundamental Data Policies to Better Leverage Data as a Production Element (the “Data 20”) eventually gives the heavy-data use players on the market some breath. Data 20 mainly (i) seeks to create a brand-new legal concept of data property rights that promotes compliant exploitation and trading of data, (ii) calls for a compliant and efficient data trading and transaction mechanism that accommodates transaction on exchange and curb exchange, (iii) requests effective and fair data revenue allocation among all the parties participating in the data value creation, and (iv) maintains secure, tolerant and elastic data governance. Although it was released at the year-end, it evokes the most positive reaction and most vibrant discussion in the market. Data 20 is the first government policy that presents the most open attitude with the clear direction to allow data use and trading, which almost disappeared during the heavy compliance initiative in the pandemic period. 

In business practice, as of November 2022, 48 data exchanges had been established in different regions in China, according to a latest report published by a research institution affiliated with the MIIT. Four cities; ie, Beijing, Shanghai, Guangzhou and Shenzhen, show the strongest enthusiasm in this wave. Taking Shanghai as an example, the Shanghai Data Exchange researched and implemented a new concept, Data Merchant (that is, data product/service providers and data agencies) in its data exchange business. The Shanghai Data Exchange has signed up with more than 500 Data Merchants, as of January 2023. Data Merchants are not only providers of data-related products, but also third-party service providers which provide, among others, compliance consulting, quality assessment, asset evolution, business brokerage and technical support. They become an ecosystem to promote data exchange and data transactions. 

In 2023, to implement Data 20, the government is expected to release policies with more details and administrative regulations defining the data trading, data transaction and data value allocation mechanisms. Data exchanges, data trading and data transactions are all expected to grow substantially. 

Judicial Actions

Waiver of indictment

Waiver of indictment in the area of data compliance refers to the situation where an agreement is entered into between the prosecutor and the company which violates the data protection-related laws and, under the agreement, the violating company commits to correct its current violation and prevent its future violation by establishing a qualified compliance mechanism and policies according to a plan approved by the prosecutor’s office after the prosecutor’s office satisfies itself with the compliance efforts. In May 2022, Putuo District Procuratorate in Shanghai released details of the first case of waiver of indictment in a data-related criminal case where a company illegally used crawlers technology. The procuratorate initiated the compliance procedures upon the company’s application. The company engaged outside legal counsel teams to provide advice and make a plan of compliance, and the company corrected its violation within the time period set by the procuratorate. 

Data protection and liabilities resulting from the violation have become a burden to many small and middle-sized companies. When the violation is not severe and the violating company sincerely recognises its wrongdoing and shows good faith to comply with the law, the waiver of indictment provides such a company and the society a balanced solution for the common benefit. 2022 saw the debut of such a practice, and the procuratorates are expected to look for more opportunities to test the practice and make it more effective. 

Civil lawsuits

In 2022, we were pleased to see that the courts were more active in trial of personal information protection disputes. Many courts shared their sample cases in this area to the public. For example, Hangzhou Internet Court published ten sample cases on personal information protection disputes in 2022, and Guangdong Province Superior Court also published several sample cases. Through the judgments, data processors can understand the court’s position in solving personal information protection disputes and can better organise their personal information protection work to align with the compliance requirements from the CAC and the judicial interpretation from the courts in this area. 

A Glimpse of Data Work in the Auto Industry

Triggered by Didi’s Cybersecurity Review, the Chinese authorities began to pay more attention to the huge amount of data that is processed by smart and connected auto vehicles and possessed by auto manufacturers and service providers. On the basis of the regulatory framework rolled out in 2021, more detailed rules were released and implemented in 2022 as follows.

  • Geographic mapping data – the Department of Natural Resources released the Notice on Promoting the Development of Intelligent Connected Vehicles and Maintaining the Security of Surveying, Mapping and Geoinformation, effective in August 2022. The Notice concluded that the activities of smart and connected vehicle manufacturers and/or their service vendors, which collect and process data through the camera, laser radar and other sensors on the vehicles are surveying and mapping business operation and must be subject to the relevant surveying and mapping regulation under the law.
  • OTA upgrade–MIIT circulated the Notice on the Filing of Online Automobile Software Upgrading, effective in April 2022, requiring the smart and connected automotive companies to complete the filing with MIIT prior to pushing any OTA upgrades to users. 
  • Local laws – Shenzhen promulgatedOrdinance of the Shenzhen Special Economic Zone on Intelligent and Connected Vehicles in 2022 that comprehensively addresses all major issues from road tests, onboarding registration, use and management of connected vehicles within Shenzhen.

The smart and connected auto industry is the first industry to implement cyber and data security regulation. Determination of important data, specific security regulatory requirements in different processes, from manufacture to commercial operation, and joint regulatory work conducted together or separately presents a model of the security work other industries can follow. That is the why we take a specific look at the security work in this industry at the end of this article. We expect that, from 2023, the focus of security work will soon be shifted to the healthcare industry and the industries regulated by the MIIT.

Final Words

Why are we looking back at 2022? Knowing what happened last year, knowing where and what data regulatory work was left, we can foresee what existing work will continue and what new work will start, and what we, as business and professional advisers, can expect in 2023.

Global Law Office

36th Floor, Shanghai One ICC
No. 999 Middle Huaihai Road
Xuhui District
Shanghai 200031

+86 21 2310 8288

+86 21 2310 8299
Author Business Card

Law and Practice


Zhong Lun Law Firm is one of the largest full-service law firms in China, with over 400 partners, over 2,500 professionals, and with offices in Beijing, Shanghai, Shenzhen and other major cities in China and around the world. The firm’s cybersecurity and data protection team was the first to specialise in the field. The partners of Zhong Lun have been invited to participate, as industry experts, in the legislative process relating to cybersecurity and data protection legislation many times. Actively practising in the technology and telecommunications industries in the past two decades, and providing professional legal services to a large number of multinational clients that embrace the challenges of digitalisation, Zhong Lun has accumulated abundant experience and developed a unique system of project compliance processes to assist in solving domestic and cross-border data protection issues. Zhong Lun’s clients in this field include Microsoft, ZTE, Daimler, SAP, China Life, CITIC and Cisco.

Trends and Development


Global Law Office (GLO) dates back to the establishment of the Legal Consultant Office of China Council for the Promotion of International Trade (CCPIT) in 1979. By the approval of Ministry of Justice of the People’s Republic of China, the firm was renamed as China Global Law Office in 1984 to take an international perspective on its business, fully embracing the outside world. After over 40 years of persistent efforts and development, it has become one of the prominent large comprehensive law firms in China. GLO has been committed to the mission of serving domestic and foreign clients with globalised vision, globalised team and globalised quality since its inception, allowing it to consistently maintain a leading position in the industry in the midst of an ever-changing global economic environment. All GLO lawyers are graduates from first-tier domestic and/or international law schools, most of whom hold LLM or higher degrees. Many partners are qualified to practise in the USA, UK, Australia, Switzerland, New Zealand and Hong Kong, among others.

Compare law and practice by selecting locations and topic(s)


Select Topic(s)

loading ...

Please select at least one chapter and one topic to use the compare functionality.