Data Protection & Privacy 2024

Last Updated February 13, 2024


Law and Practice


Zhong Lun Law Firm is one of the largest full-service law firms in China, with over 420 partners, over 2,500 professionals, and with offices in Beijing, Shanghai, Shenzhen and other major cities in China and around the world. The firm’s cybersecurity and data protection team was a pioneer in specialising in this field. The partners of Zhong Lun have been invited on many occasions to participate, as legal experts, in the legislative process relating to cybersecurity and data protection legislation. Actively practising in the technology and telecommunications industries in the past two decades, and providing professional legal services to a large number of multinational clients that embrace the challenges of digitalisation, Zhong Lun has accumulated profound experience and developed a unique system of project compliance processes to assist in solving domestic and cross-border data protection issues. Zhong Lun’s clients in this field include Microsoft, ZTE, Daimler, SAP, China Life, CITIC and Cisco.

Privacy and data protection provisions within the Chinese legal framework are scattered across laws and regulations at different legislative levels. Data subjects’ rights to privacy and data protection are protected by the Civil Code (民法典), the Criminal Law (刑法), the Law on the Protection of Consumer Rights and Interests (Consumer Protection Law; 消费者权益保护法), the E-commerce Law (电子商务法), Several Issues Concerning the Application of Law in the Trial of Civil Cases Relating to the Use of Facial Recognition Technologies to Process Personal Information (最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定), and most importantly, the “Three Fundamental Laws”: the Cybersecurity Law (CSL; 网络安全法), the Data Security Law (DSL; 数据安全法) and the Personal Information Protection Law (PIPL; 个人信息保护法). The Three Fundamental Laws have established the foundations of cybersecurity and data protection in China, which are supplemented by:

  • implementing regulations, measures and rules promulgated by the Cyberspace Administration of China (CAC);
  • implementing rules issued by relevant ministries, including the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS); and
  • national standards issued by the National Information Security Standardisation Technical Committee (TC260).

Since data protection is a topic that impinges upon all industries, there is a wide range of law enforcement departments related to it, many of which have intersecting duties and authorities. There is no centralised regulatory body. Among all these regulators, the three most important ones are the CAC, the MPS and the MIIT.

According to Article 8 of the CSL and Article 60 of the PIPL, the CAC is in charge of overall planning with regard to data protection and privacy, and co-ordinates the competent authorities. The MIIT, the MPS, the State Administration for Market Regulation (SAMR) and industry regulators are in charge of law enforcement in the respective industries. Moreover, it is noteworthy that the National Data Bureau, inaugurated in October 2023, is responsible for overseeing the integration, sharing and development of data resources, co-ordinating the construction of data infrastructure systems, and co-ordinating the planning and construction of digital China, the digital economy and digital society.

With regard to artificial intelligence, relevant regulators include the CAC (key regulator for AI security and data compliance), the MIIT (focusing on industry development), the Ministry of Science and Technology (focusing on technological ethics), as well as other sectoral regulators such as the MPS, press and publication administration, etc.

Network operators and data handlers are obliged to co-operate with cyberspace administrators and any other regulators in their inspections and supervisions (Article 49 of the CSL and Article 63 of the PIPL). Law enforcement activities are triggered in different ways, including:

  • reporting – where users may report to the above-mentioned regulators and consumer protection organisations and investigations are launched accordingly;
  • regular and irregular inspections – where special projects that last several months are launched to target specific industries or pain points in cyberspace; and
  • inquiries into data leakage events.

The Law on Administrative Penalty

The competent authorities, when imposing administrative punishment and enforcing the Three Fundamental Laws and other relevant laws and regulations (including for AI), must abide by the Law on Administrative Penalty. The competent authorities should conduct investigations to ascertain the facts of the alleged violating acts before imposing punishment on anyone (Article 36). The penalised parties should be given opportunities to state their case and defend themselves (Article 6). The penalised party is entitled to a hearing in cases where the administrative punishment involves suspension of business, rescission of a business permit or licence, or a large penalty (Article 42).

According to Article 6 of the Law on Administrative Penalty, where the penalised party refuses to accept the administrative punishment, they may first apply to the relevant administrative organ for reconsideration and, if they refuse to accept the reconsideration decision, they may initiate an action before the people’s courts. Unless required by any relevant laws to exhaust administrative reconsideration before seeking judicial review, they may also initiate an action before the people’s courts directly.

Other Applicable Rules

Additionally, public security departments must abide by the special rules provided for them under the Regulations for Internet Security Supervision and Inspection by Public Security Organs. For example, there must be at least two police officers in the event of an on-site inspection, and such law enforcement officers must keep confidential any personal and private information that becomes known to them during an inspection.

To oversee the administrative action initiated by the CAC, the Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration Departments, setting the rules on jurisdiction, evidence, enforcement, etc, came into effect in June 2023. In addition, the Provisions on Administrative Penalty Procedures for Industry and Information Technology Authorities, emphasising the transparency of enforcement activities and protection of the penalised/inspected parties’ lawful rights and interests, became effective in September 2023.

China, one of the 15 member countries, signed the Regional Comprehensive Economic Partnership (RCEP) on 15 November 2020; the agreement came into effect on 1 January 2022. An emphasis on personal information (PI) protection is made under the chapters on trade in services (financial services, Annex 8A) and electronic commerce (Chapter 12). In principle, the orderly cross-border transfer of information for the purpose of conducting business must be protected by the member countries. In the interim, RCEP member countries are allowed to regulate cross-border data transfer to safeguard public interest and national security.

The National Computer Virus Emergency Response Centre (CVERC; 国家计算机病毒应急处理中心) is a public institution in charge of tackling computer viruses. During the special project “Clearing the Network 2023”, the CVERC conducted security checks on the internet and detected multiple apps that violated privacy protection regulations. Such apps are required to be removed from app stores.

The China Consumers Association is a social organisation established in accordance with Article 36 of the Consumer Protection Law to supervise the provision of goods and services for the purpose of protecting consumers’ legitimate rights.

With regard to AI security governance, on 12 October 2023 the Special Committee on Artificial Intelligence Security Governance of the Cyberspace Security Association of China was established in Beijing, with the aim of organising industry and academia in the AI field to carry out technological innovation, industrial collaboration and industry self-regulation.

Privacy and data protection provisions in China share the same goals as those of various other jurisdictions, which are to safeguard the rights of PI subjects and to punish acts of infringement. Compared with the CSL, there are far more similarities between the PIPL and the GDPR.

Similarities Between the PIPL and the GDPR

Similar to the GDPR, the PIPL has an extraterritorial effect on overseas PI processing activities, when the processing is for the purpose of providing products or services to, or analysing individuals within, China.

Also similar to the GDPR, the PIPL provides for several legal bases including:

  • the data subject’s consent;
  • execution and performance of a contract, to which the data subject is a party;
  • implementation of human resources management in accordance with the labour rules and regulations formulated according to law and the collective contract signed according to law;
  • performance of legal duties or obligations;
  • dealing with a public health emergency or protecting a natural person’s life, health or asset security in an emergency;
  • conducting reasonable news reporting and oversight of public opinion for the protection of public interest; and
  • others, as required by laws and administrative regulations.

Another major similarity between the PIPL and the GDPR is the restriction on cross-border transfer of PI. Under the PIPL, where a PI handler intends to transfer PI collected within China to a recipient outside China due to business necessity, it has to meet certain conditions prescribed by the PIPL. Among these conditions, the certification and standard contractual clauses mechanisms closely resemble those under the GDPR. Other similarities include the principles for processing PI, PI subject rights, obligations of PI handlers, restrictions on automated decisions, and restrictions on processing activities by government authorities.

Differences Between the PIPL and the GDPR

A noticeable difference is between the definition of sensitive PI under the PIPL and the definition of special categories of personal data under the GDPR, where the former covers a much wider range. Sensitive PI under the PIPL refers, broadly, to PI that may give rise to discriminatory treatment, or cause harm to personal or property security, once it is leaked or unlawfully provided, while the types of special categories of personal data are listed exhaustively under the GDPR. The requirements for processing sensitive PI under the PIPL follow the same framework as that for PI where separate consent is required, while under the GDPR, the default rule is not to process special categories of personal data except in certain circumstances.

“Separate consent” is a new requirement introduced by the PIPL, which is not yet clearly defined and might raise the requirement on the type of consent needed.

Other notable differences between the PIPL and the GDPR include: the PIPL has no lawful basis of legitimate interest; the PIPL has a post-mortem right for PI; the PIPL restricts personnel violating the PIPL from holding the position of high-level management or data protection officer (DPO); and there is no centralised regulatory body under the Chinese privacy protection regime. In China, the three most important regulators are the CAC, the MPS and the MIIT (see 1.2 Regulators).

Key Developments in Legislation in the Past 12 Months

  • The Regulations on the Protection of Minors Online (未成年人网络保护条例) were promulgated on 16 October 2023 and took effect on 1 January 2024.
  • The Measures for the Standard Contracts for Outbound Transfer of Personal Information (“Chinese SCCs”; 个人信息出境标准合同办法) were promulgated on 22 February 2023 and took effect on 1 June 2023.
  • The Implementation Guidelines on the Standard Contract for Cross-Boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (粤港澳大湾区(内地、香港)个人信息跨境流动标准合同实施指引) were announced and were immediately effective on 10 December 2023.
  • The Interim Measures for the Administration of Generative Artificial Intelligence Services (“AIGC Measures”; 生成式人工智能服务管理暂行办法) took effect on 15 August 2023.
  • The Circular on Releasing the Measures for Review of Scientific and Technological Ethics (Trial) (科技伦理审查办法(试行)) took effect on 1 December 2023.
  • The Regulations on the Administration of Commercial Cryptography (商用密码管理条例) were amended and took effect on 1 July 2023.
  • The Counterespionage Law (反间谍法) was amended and took effect on 1 July 2023.
  • The Notice of the Ministry of Industry and Information Technology on the Record-Filing of Mobile Internet Applications (工业和信息化部关于开展移动互联网应用程序备案工作的通知) was announced and was immediately effective on 4 August 2023.
  • The Interim Provisions on Accounting Treatment Related to Enterprise Data Resources (企业数据资源相关会计处理暂行规定) were promulgated on 1 August 2023 and took effect on 1 January 2024.
  • The Provisions on Facilitating and Regulating Cross-border Data Flows (“CBDT Provisions”; 促进和规范数据跨境流动规定) were announced and were immediately effective on 22 March 2024.

Major Regulatory and Enforcement Activities in the Past 12 Months That Have Attracted Public Attention

  • The CAC conducted cybersecurity reviews on several enterprises. It fined a well-known Chinese online platform CNY50 million on 1 September 2023 for its violations of the CSL and the PIPL, and issued a decision on 21 May 2023 that the products sold in China by a multinational chip manufacturer failed the cybersecurity review and, as a result, Critical Information Infrastructure Operators (CIIOs) are prohibited from purchasing such products.
  • The CAC publicly issued three batches of domestic deep synthesis service algorithm filing information respectively in June 2023, September 2023 and January 2024, including algorithms from technology companies such as Baidu, Alibaba, Tencent, etc.
  • The CAC launched a special project “Brightening the Network 2023” (清朗 2023) targeting network environment regulations.
  • The MIIT and CAC publicly criticised apps that infringe customers’ rights and interests, and required the removal of such apps from app stores.

In the next 12 months, it is expected that the following will take place.

  • The Draft Revised CSL will most likely be finalised in 2024.
  • The Regulations on the Administration of Network Data Security (Draft) (网络数据安全管理条例(征求意见稿)) are likely to be finalised in 2024.
  • The Draft Administrative Measures for the Reporting of Cybersecurity Incidents (网络安全事件报告管理办法(征求意见稿)) were published for comments on 8 December 2023 and are likely to be finalised in 2024.
  • The Draft Measures for the Compliance Audit of Personal Information Protection (个人信息保护合规审计管理办法(征求意见稿)) were published for comments on 3 August 2023 and are likely to be finalised in 2024.
  • The certification of PI protection is likely to be more widely implemented in 2024.
  • The identification guideline on important data is likely to be released.
  • The number of litigation cases on PI protection will increase.
  • The scale and volume of data asset trading is expected to increase.

The Three Fundamental Laws form the basis of China’s legal framework on data protection and privacy. In addition, the following regulations and national standards are crucial to understanding that framework:

  • the Provisions on the Cyber Protection of Children’s PI;
  • the Measures for Cybersecurity Review;
  • the Security Protection Regulations for Critical Information Infrastructure;
  • the Measures for the Security Assessment of Data Cross-Border Transfer (“Outbound Measures”);
  • the Chinese SCCs;
  • the CBDT Provisions;
  • the Administrative Provisions on Algorithm Recommendation for Internet Information Services (“Algorithm Provisions”);
  • the Interpretations of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ PI (“Supreme People’s Court and the Supreme People’s Procuratorate Interpretations”);
  • the Technical Specification for Certification of Cross-Border Transfers of Personal Information V2.0 (“Certification Specification”); and
  • the PI Specification.

The following draft measures and national standards are important indicators of future legislation:

  • the Regulations on the Administration of Network Data Security (Draft); and
  • the GB/T Information Security Technology – Important Data Identification Guidelines (Draft).

The CSL applies to network operators which cover virtually all companies involved in any kind of internet-based services. The PIPL applies to PI handlers, which refers to the person or entity that is in the position to decide the purpose and means of PI processing. The DSL applies to handlers conducting data-processing activities in mainland China. For most entities that process PI, the Three Fundamental Laws would apply.

Data Protection Officers (DPOs)

The CSL requires network operators to appoint personnel responsible for cybersecurity. When the amount of PI processed by an entity reaches a certain level, the entity must, according to the PIPL, appoint an officer in charge of PI protection. According to the PI Specification, if there are more than 200 personnel in an organisation and its main business involves processing PI, or if the organisation handles the PI of more than one million people (or the sensitive PI of more than 100,000 people), it should establish a department with designated full-time staff in charge of PI security.

The person in charge of PI protection is responsible for the overall planning and implementation of the internal PI protection system, stipulating and keeping the PI policy and process up to date, and organising internal training, etc.


Under the CSL, consent from the data subjects is required prior to the collection and processing of PI. According to the PIPL, there are other legal bases where no consent is needed (see 1.6 System Characteristics).

Privacy by Design or Default

Currently, there is no specific provision imposing any requirements of privacy by design/default, although they are helpful for fulfilling the obligations imposed by the CSL and the PIPL. A similar approach is indicated in the PI Specification, where PI controllers are recommended to comply with national standards and to consider PI protection requirements when information systems are designed, developed, tested and released.

Privacy Impact Analysis

According to the PIPL, a risk assessment should be conducted before the following PI processing activities take place:

  • processing of sensitive PI;
  • use of PI for automated decisions;
  • entrusted processing, sharing and public disclosure of PI;
  • cross-border transfer of PI; and
  • other processing activities that may have a significant impact on individuals.

GB/T 39335-2020 Information Security Technology – Guidelines for Personal Information Security Impact Assessment would serve as guidelines for conducting such a risk assessment. For cross-border transfer of PI, the Outbound Measures would also provide a reference for risk assessment.

Internal or External Privacy Policies

The CSL requires network operators to keep user information in strict confidence and to establish and improve the system for user information protection (Article 40). Network operators must adopt technical measures and other necessary measures to guarantee the security of the collected PI and protect the same from leakage, damage or loss (Article 42). In addition, the PIPL requires a management system that offers matching protection levels to data of different categories and of different levels of importance (Article 51).

External privacy policies that face PI subjects often serve as an approach for network operators to notify PI subjects as required under Article 41 of the CSL and Article 17 of the PIPL. The internal policies must be consistent with such external policies. What is promised to the users must be implemented by the internal management measures and technical measures. The PI Specification also recommends that a PI controller adopts a privacy policy, as well as internal management and technical measures, to safeguard PI.

Data Subject Rights

Article 43 of the CSL entitles individuals to require a network operator to delete their PI if they find that any operator collects or uses such information in violation of the laws, administrative regulations or the agreement by and between that operator and them. PI subjects are also entitled to require any network operator to make corrections if they find errors in the information collected and stored by an operator. Operators must take measures to delete the information or correct the error.

The PIPL provides PI subjects with the right, in relation to their data, to know, decide, restrict, object to its processing, access, copy, make portable, rectify, delete, withdraw their consent and cancel their account. In addition, PI subjects are also provided with related rights on automated decision-making (Article 24).

The right to data portability states that where PI subjects request to transfer their PI to another designated PI handler, such request will be fulfilled by PI handlers when the conditions stipulated by the CAC are met.

As for the right to withdrawal, the withdrawal of consent does not affect the lawfulness of processing based on that consent before its withdrawal. The right to withdraw does not apply to PI processing activities based on a legal basis other than consent.


According to Article 42 of the CSL, there will be no disclosure of PI without the consent of the PI subject, unless such information has been processed to prevent that specific person from being identified, and that information from being restored. Such methods to process information include anonymisation and de-identification of PI, which are stipulated under the PI Specification. A similar regulation can be found under Article 4 of the PIPL.

Specifically, anonymisation refers to the process whereby PI is technologically processed to make PI subjects unidentifiable, and such PI cannot be restored to its previous state once processed. Once anonymised, the information is no longer considered as PI.

On the other hand, de-identification refers to the process whereby PI is technologically processed to make it impossible to identify PI subjects without the aid of additional information. In other words, it is still possible to identify an individual with the help of de-identified information and other information. Thus, de-identified information is still considered as PI.
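To make the distinction between de-identification and anonymisation concrete, the following is an added Python example; it is not code from this guide, from the PI Specification or from Zhong Lun. It treats the HMAC key as the “additional information” that makes de-identified data re-linkable (and therefore still PI), and it treats generalisation plus suppression, with no key or mapping retained, as anonymisation. The sample records are constructed fictitious data, and the k-anonymity count at the end is a check added for illustration, not a requirement stated on the page.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: fictitious people, not real data.
SAMPLE_RECORDS = [
    {"name": "Zhang San", "id_card": "110101199001011234", "phone": "13800000001",
     "age": 34, "city": "Beijing", "diagnosis": "flu"},
    {"name": "Li Si", "id_card": "110101198701015678", "phone": "13800000002",
     "age": 37, "city": "Beijing", "diagnosis": "asthma"},
    {"name": "Wang Wu", "id_card": "310101197201019012", "phone": "13800000003",
     "age": 52, "city": "Shanghai", "diagnosis": "flu"},
    {"name": "Zhao Liu", "id_card": "310101196601013456", "phone": "13800000004",
     "age": 58, "city": "Shanghai", "diagnosis": "diabetes"},
]

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = ("name", "id_card", "phone")
# Fields that identify a person only in combination (quasi-identifiers).
QUASI_IDENTIFIERS = ("age_band", "city")


def pseudonym(id_card: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) for an identifier.

    Without the key the pseudonym cannot be linked back to the ID number;
    with the key (the "additional information") it can.
    """
    return hmac.new(key, id_card.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def de_identify(records, key: bytes):
    """De-identification: strip direct identifiers, keep a keyed pseudonym.

    The result is still PI in the sense of the PI Specification, because the
    holder of the key can re-identify each row (see re_identify below).
    """
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pseudonym(rec["id_card"], key)
        out.append(row)
    return out


def re_identify(pseudo: str, known_people, key: bytes):
    """Re-link a pseudonym to a name, given the key and a list of known ID numbers."""
    for person in known_people:
        if hmac.compare_digest(pseudonym(person["id_card"], key), pseudo):
            return person["name"]
    return None


def age_band(age: int) -> str:
    """Generalise an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def anonymise(records):
    """Anonymisation: drop direct identifiers entirely and generalise the rest.

    No key or mapping table is kept, so the original state cannot be restored;
    per the PI Specification the output is no longer considered PI.
    """
    return [
        {"age_band": age_band(rec["age"]), "city": rec["city"], "diagnosis": rec["diagnosis"]}
        for rec in records
    ]


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest number of rows sharing one quasi-identifier combination.

    A value of 1 means at least one row is unique on those fields and could be
    singled out; this is an added sanity check, not a rule from the guide.
    """
    groups = Counter(tuple(row[q] for q in quasi) for row in rows)
    return min(groups.values()) if groups else 0


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-separately"  # placeholder key for the demo
    pseudo_rows = de_identify(SAMPLE_RECORDS, key)
    print("de-identified:", pseudo_rows[0])
    print("re-linked with key:", re_identify(pseudo_rows[0]["pseudonym"], SAMPLE_RECORDS, key))
    anon_rows = anonymise(SAMPLE_RECORDS)
    print("anonymised:", anon_rows[0])
    print("k-anonymity of anonymised rows:", k_anonymity(anon_rows))
```

The de-identified rows can be handed to an analytics team without names, but the team that holds the key can still single out Zhang San, which is why the data stays inside the PI regime and the key must be stored and access-controlled separately. The anonymised rows keep only age band, city and diagnosis; every combination appears at least twice in the sample, and nothing retained allows the rows to be restored to their previous state.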

Big Data Analysis, AI, Algorithms, etc


Profiling

The PI Specification recommends limiting direct user profiling. Direct user profiling is when the PI of a specific natural person is directly used to create a unique model of that natural person’s characteristics. PI controllers engaging in direct profiling activities are required by the PI Specification to disclose the existence and purposes of the direct profiling.


Microtargeting

There are no laws or regulations directly regulating microtargeting in China. The effect of microtargeting is very similar to personalised recommendation (see “Automated decision-making” immediately below).

Automated decision-making

According to Article 24 of the PIPL, an automated decision should be transparent and fair. The PI subject is entitled to request an explanation and to refuse the decision if the automated decision has a significant impact on its rights and interests. In addition, when automated decision-making is used for commercial advertising or pushing notices, an option to receive a non-personalised message or a method to refuse such messages must be given to the PI subject.

Online monitoring or tracking

Under the CSL and PIPL regime, tracking technologies such as cookies are not prohibited; cookies are usually regarded as PI, the collection of which must comply with PI requirements.

Big data analysis

In big data analysis, it is inevitable that data collected from various sources will be aggregated and used for a purpose that is normally different from the one for which the data was originally collected. Pursuant to the PI Specification, such data merging remains subject to the purpose for which the data was collected. In other words, the use of the aggregated or merged data in big data analysis must be consistent with the purpose consented to by the data subject prior to such use. Furthermore, big data analysis may not be used to discriminate against customers.

Artificial intelligence

In 2023, the regulatory framework on AI was systematically built and implemented in China. The AIGC Measures expressly outline the regulatory framework for AI-generated content (AIGC) technology, encompassing various stages such as model training, application deployment, model optimisation and multiple subjects like AIGC developers, service providers, and users. In addition, the Measures for Review of Scientific and Technological Ethics (Trial) demonstrate China’s significant attention to technology development as well as ethical reviews of AI.

In addition to the above provisions, regarding the specific application of AI technology, as stipulated by the Administrative Provisions on Deep Synthesis in Internet-Based Information Services, contents generated by deep learning or other new technologies must be identified in a noticeable way.

Algorithms (explanations, logic, code)

Algorithm recommendation technologies have become the focus of the regulatory department. According to the Algorithm Provisions, “application of algorithm recommendation technologies” refers to the use of algorithmic technologies such as generation and synthesis, personalised push, sorting and selection, retrieval and filtering, scheduling decision-making, etc, to provide information to users. Algorithm recommendation service providers with public opinion attributes or social mobilisation ability must, within ten working days from the date of providing services, go through the filing procedures. In the past 12 months, the CAC has announced three batches of domestic deep-synthesis service algorithm filing information, including algorithms from technology companies such as Baidu, Alibaba, Tencent, etc.

Injury or Harm

In the event of an infringement of their privacy or legitimate rights, PI subjects may resort to the legal remedies provided by the Civil Code and the PIPL. In addition, injury or harm related to privacy and data rights could also lead to criminal liabilities where there is a serious circumstance of illegal sale or provision of PI.

A serious circumstance is deemed to have occurred where there is an illegal sale or provision of:

  • 50 pieces or more of location information, communication information or property information;
  • 500 pieces or more of accommodation information, health information or other information that may have an impact on citizens’ health or property security; or
  • 5,000 pieces or more of other PI (Article 5 of the Supreme People’s Court and the Supreme People’s Procuratorate Interpretations).

Data that is subject to special regulations under the Chinese legal framework includes, without limitation, sensitive PI, important data, national core data and business data from certain industry sectors.

The definition of sensitive PI is discussed in 1.6 System Characteristics. Financial data, health data, communications data, voice telephony and text messaging, the content of electronic communications and a person’s sexual orientation are categorised as sensitive PI. More stringent restrictions and higher protection standards are applicable to sensitive PI.

The PI of children under 14 years old is also sensitive PI and is subject to special protection under the Provisions on the Cyber Protection of Children’s PI. Student data is not necessarily sensitive PI. It depends on which specific data type it is.

Employment-related data will not be deemed as sensitive PI merely because it is employment related. But if it falls into the category of sensitive PI because, for example, it contains the identity card number or bank account number of an employee, relevant regulations on sensitive PI would apply.

Specific identity and political or philosophical beliefs are deemed to be sensitive PI under the PIPL regime.

With regard to AI data, AIGC service providers are legally required to take effective measures to ensure the authenticity, accuracy, objectivity, and diversity of the training data while conducting data training, and properly fulfil the data protection obligations. Moreover, AIGC service providers and users are legally required not to infringe on the privacy rights and PI rights of others. AIGC service providers must also perform their legal obligations as PI handlers, including but not limited to obtaining the necessary consent, processing individual requests to exercise their rights, etc.

Internet, Streaming and Video Issues

Browsing data, viewing data, cookies, beacons and location data are all regarded as sensitive PI. Tracking technology is not prohibited under Chinese law. However, if PI is collected and used for behavioural or targeted advertising which has not been agreed to by the data subjects (and no other legal basis exists), that collection and use of PI would be deemed illegal. There have been some discussions regarding privacy and data protection with major internet platforms such as WeChat and TikTok, but there has been no significant law enforcement activity or administrative punishment imposed on those companies, as there has been on Google and Facebook.

According to the CSL and the Administrative Measures on Internet-Based Information Services, the network service provider will be liable for any erroneous, illegal or prohibited information published on a website or other medium it provides, whether intentionally or negligently. If the provider immediately takes action to stop the wrongdoing or blocks access to such inaccurate information after receipt of notice from the affected party, its liability might be limited.

See 2.3 Online Marketing for discussion of behavioural or targeted advertising.

See 2.1 Omnibus Laws and General Requirements for a discussion of data subject rights, the right to be forgotten, data access and portability, the right of rectification or correction, rights to object to the sale of data and rights for automated decision-making.

The Advertising Law is the fundamental law that regulates advertising. The Measures for Administration of Internet Advertising apply to online marketing. The sender must obtain from the recipients their consent to, or request for, advertising and the sender must also disclose their true identity, contact details and the opt-out method for advertisements distributed via electronic means.

Since online marketing, particularly behavioural and targeted advertising, is normally based on the analysis of PI collected from users, regulations on PI collection and use must be observed. To begin with, PI may not be collected or used for behavioural advertising if the PI subjects have not agreed to this. Pursuant to Article 24 of the PIPL, if business marketing or push-based information delivery is conducted towards an individual by means of automated decision-making, an option not targeting the personal characteristics of the individual, or an easy way to refuse to receive this, must be provided to the individual. In addition, according to the PI Specification, the use of indirect user profiling which is generated from PI that is not from particular persons is recommended for online marketing, rather than direct user profiling. Also, where a personalised display is used for online marketing, an option to turn the function off and to delete or anonymise the PI used for such a personalised display should be provided to the users.

Special Laws

Currently, there is no special law or regulation regulating workplace privacy. This is governed by the Employment Law, the Employment Contract Law, the CSL, the PIPL, and relevant laws and regulations governing PI. The PI of an employee is subject to the same PI protection regime as that of any other regular person.

AI Issues and Requirements

At present, there is no specific regulation of China’s AI-related laws for workplace privacy. However, the application of AI technology in the workplace should adhere to the general legal requirements for AI, which include taking effective measures to prevent discrimination based on belief, gender, age, health, etc, and infringement of individuals’ privacy and other PI-related rights.

Workplace Communications

Although employees’ PI is protected in the same way as regular PI, it is a fact that the employment relationship between employees and employers has its own features. It is commonly understood that employers must duly notify their employees that activities in the workplace, during working hours, and conducted with working facilities, are supervised and monitored by the employers. Employment contracts or the employee handbook usually contain clauses in this regard. Normally, the voluntary provision of PI by employees under the employment contract would be deemed as giving authorisation to their employers to collect and use their information in accordance with the purpose of employee management.


In China, labour unions do not play the same role as those in Western countries. Where there is infringement of an employee's PI rights, instead of appealing to a labour union, the employee may report this to the competent authorities in charge of cybersecurity and PI protection.


Corporations usually adopt internal supervisory and reporting mechanisms, including whistle-blower hotlines and anonymous reporting channels. It is always an option, however, to report malfeasance to the competent government authorities. There is no unified standard rule and reporting mechanisms vary between corporations and industries.


E-discovery follows relevant litigation and arbitration rules. Access to employees’ PI for the purpose of e-discovery would be deemed as use in direct relation to a court trial, and thus no consent is required for the collection and use of such information. However, there might be situations where e-discovery is not necessarily directly related to court trials. Thus, it is advisable to plan ahead by establishing an archive system and incorporating clauses on access to an employee’s PI for the purposes of e-discovery and other reasons into the employment contract or employee handbook.

Other Issues

Network operators are required to implement technical measures and other necessary measures to guarantee the security of the collected PI and protect it from leakage, damage or loss. This may include the use of digital loss-prevention technologies. There is no law or regulation prohibiting employers from blocking websites to secure the productivity of their employees and it is advisable to publish such measures in the employment contract, employee handbook or relevant company policies.

Legal Standards for Regulators

The CSL, the DSL, the PIPL and the Consumer Protection Law are the four most fundamental standards used by law enforcement to regulate and punish violations of privacy or data protection laws. The PI Specification is heavily relied on as well. For data-processing activities that may endanger national security, the Cybersecurity Review Measures will also be referred to. For enforcement of AIGC violations, the CSL, the DSL, the PIPL, the Scientific and Technological Progress Law, etc, will be referred to. The Standards for Determining Unlawful Collection of Personal Information by Apps set the rules for law enforcement against violations by mobile applications.

Potential Enforcement Penalties

Under the PIPL, the penalties for violations may include an order of rectification, a warning, confiscation of illegal earnings, and suspension or termination of apps or services. For severe violations, the violator may be fined up to CNY50 million or 5% of its turnover of the previous year at the company level, and the person directly in charge will be fined up to CNY1 million; company business licences and permits may also be revoked.

Depending on the violation, different sanctions and penalties may be imposed under the CSL. For instance, non-compliance with the PI-protection-related provisions in the CSL may result in orders to take rectification measures, a warning, confiscation of illegal earnings, fines, or a combination of these. The fine should be more than the illegal earnings, but less than ten times that amount. In the event that there are no illegal earnings, the fine may not be more than CNY1 million. The directly responsible person may face a fine ranging from CNY10,000 to CNY100,000. In the case of a severe violation, the competent authority may order suspension of related business, winding up for rectification, shutdown of a website, and the revocation of the business licence of the operator or provider.

It is worth noting that the Draft Revised CSL has increased the amount of fines to the same level as the PIPL. For severe violation, the amount of the fine may be up to CNY50 million or 5% of the violator’s turnover in the previous year. The person directly in charge may be fined up to CNY1 million.

Where there is a severe violation that could lead to criminal prosecution, the prosecution standards are stipulated by the Supreme People’s Court and the Supreme People’s Procuratorate Interpretations (see the discussion in 2.1 Omnibus Laws and General Requirements).

Leading Enforcement Cases

Among the law enforcement activities pursued in 2023, violations punished by the administrative authorities include failure to obtain data subjects’ consent before PI collection, failure to implement a cybersecurity or PI protection system, and failure to detect a security vulnerability in network services. In the past 12 months, the CAC has conducted cybersecurity reviews on several enterprises to protect national data security, public interests, and the rights and interests of PI subjects.

Private Litigation

In general, most cases or proceedings take the form of administrative investigation and punishment initiated and imposed by government authorities. The legal bases for an individual to initiate private litigation mainly include the Civil Code, the Consumer Protection Law, the CSL and the PIPL.

There have been many public interest lawsuits initiated from the Civil Code. It is expected that there will be more private litigation on PI protection in the coming year.

With regard to the field of AI, one civil case worth noting involved an individual suing an app after discovering that his voice had been AI-enabled and was being sold on the app. The individual filed a lawsuit against the company that operated the app, claiming that it had infringed on his right of voice. This case is still under further trial. Another notable civil case in the Beijing Internet Court in November 2023, heard on a case-by-case basis, resulted in a judgment that the images generated by the AI model in question possess originality and that the copyright thereof shall be enjoyed by the AIGC user. This is the first case in China to affirm the copyright of AI-generated images. It is expected that there will be more AI-related litigation in 2024.

For the purpose of criminal prosecution, the people’s courts, the people’s procuratorates and public security bureaus are empowered by the Criminal Procedure Law to collect or obtain evidence from the entities and individuals concerned. Relevant parties are obliged to co-operate and provide truthful evidence (Article 54). Evidence involving any state secret, trade secret or private PI must be kept confidential (Article 152). Collection of evidence by judges, prosecutors and investigators from public security bureaus must follow legal procedure. When a search is to be conducted, a search warrant must be presented to the person to be searched (Article 138). A search warrant could be issued by the people’s procuratorates and public security bureaus. Any staff members of the authorities performing PI protection duties who neglect their duty, abuse their authority or commit malpractice for personal gain, without those actions constituting a crime, will be subject to disciplinary action pursuant to the laws (Article 68 of the PIPL).

The Constitution Law provides for the fundamental protection of privacy. The state respects and protects human rights (Article 33). The personal dignity of citizens of the People’s Republic of China is inviolable (Article 38). The freedom and privacy of correspondence of citizens of the People’s Republic of China are protected by law (Article 40). According to Article 77 of the National Security Law, citizens and organisations are under a general obligation to provide support and assistance for work relating to national security.

Pursuant to the newly revised Counterespionage Law, activities such as cyberattack, intrusion, interference, control or destruction, among others, against a state organ, state secret involved entity or critical information infrastructure (CII), etc, committed by an espionage organisation or its agent or by any other person as instigated or funded by the aforesaid organisation or individual, or any domestic institution, organisation or individual in collusion with the aforesaid organisation or individual, are defined as espionage (Article 4). A national security authority may, as needed for counterespionage work, legally inspect the electronic equipment, facilities, relevant apps and tools of a relevant organisation or individual. If the national security authority discovers any circumstances compromising national security during inspection, it will order the organisation or individual to make rectification; and may take seizure or impoundment measures if the organisation or individual in question refuses to rectify the situation or still fails to satisfy the relevant requirements after rectification (Article 25).

China is not a signatory to the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities (14 December 2022). However, the power of the national security authorities is not unrestricted. According to Article 37 of the Counterespionage Law, where any staff member of a national security authority divulges any state secret, trade secret or piece of private individual information, in violation of the relevant provisions, which constitutes a crime, the staff member will be subject to criminal liability in accordance with the law. In addition, according to Article 35 of the DSL, where a public security organ or state security organ needs to retrieve data for the purpose of safeguarding national security or investigating crimes, it will go through strict approval formalities in accordance with relevant provisions. The procedural requirement and protection provided by the Criminal Procedure Law, as mentioned in 3.1 Laws and Standards for Access to Data for Serious Crimes, is also applicable here.

Organisations in China cannot invoke foreign government access requests as a legitimate basis to collect and transfer PI. On the contrary, according to Article 36 of the DSL, organisations may not provide any foreign judicial or law enforcement body with any data stored within the territory of China without the approval of the competent authority.

Industry leaders, such as Huawei and ZTE, were accused of being manipulated by the Chinese government and secretly providing PI to the government. Some media voices also allege that the Counterespionage Law authorises the government to take or confiscate any property that might endanger national security. Yet, as discussed in 3.2 Laws and Standards for Access to Data for National Security Purposes, the laws and regulations only allow the government to access PI under special circumstances. Only for specific purposes such as criminal investigation, investigation of activities compromising national security and counterespionage work may the government conduct investigations that involve access to PI. During the course of investigations, the authorities must abide by strict procedures prescribed under relevant legislation. In addition, infringement of individual privacy by government authorities is regulated by both the Counterespionage Law and the Criminal Procedure Law. The PIPL also stipulates restrictions on the PI processing activities of government authorities for law enforcement or national security purposes.

According to the CSL, PI collected by CIIOs during their operations in China must be stored within Chinese territory. Where there is a need to transfer such information overseas, a security assessment will be conducted. The PIPL expands the obligation to a certain extent to CIIOs and entities that process PI. A security assessment must be passed before PI can be transferred overseas. So far, the importing of data from overseas to China has not been the focus of the administration.

The PIPL provides three routes for cross-border data transfer compliance: (i) a security assessment organised by the authority; (ii) certification by the approved agencies; and (iii) standard contracts signed with the receiving party.

According to the Outbound Measures, the security assessment mainly covers the legality, legitimacy and necessity of the purpose, scope and method of transmitting the data abroad, impact analysis of the policies and regulations on data security and the network security environment of the country or region where the overseas recipient is located, data protection level of the overseas recipient, quantity, scope, type and sensitivity of the data, risk of leakage, tampering, loss, damage, etc, protection of data security and the rights and interests of PI subjects, legal documents between the data handler and the overseas recipient, etc.

The certification mechanism mentioned in the PIPL is finalised by the Certification Specification.

As to the standard contractual clauses, the Chinese SCCs came into effect on 1 June 2023.

As to derogations, Article 38 of the PIPL allows the provision of PI according to international treaties or agreements concluded or acceded to by China. Further, the CBDT Provisions provide for the following scenarios that are exempt from the cross-border data transfer application procedures:

  • Cross-border data transfer that does not contain PI or important data.
  • Where data handlers transfer PI collected and generated overseas after being processed domestically without involving domestic PI or important data in the process.
  • For the establishment or performance of contracts to which individuals are parties.
  • In implementing cross-border HR management based on legally formulated labour rules and collective contracts.
  • In emergency situations to protect the life, health and property safety of natural persons.
  • Where a non-CIIO data handler has provided PI of fewer than 100,000 individuals (excluding sensitive PI) overseas since 1 January of the same year.

The cross-border transfer of PI and important data is regulated under the Three Fundamental Laws. CIIOs are required by the CSL to conduct a security assessment prior to the cross-border transfer of PI and important data (see the discussion in 5.7 Other Significant Issues on the definition of important data). For non-CIIOs transferring PI, refer to 4.2 Mechanisms or Derogations That Apply to International Data Transfers.

With respect to important data, data handlers are required by the DSL to abide by the regulations or measures issued by a certain authority, which refers to the Outbound Measures.

The first and foremost data localisation requirement is that national secrets are not allowed to be transferred overseas. Secondly, PI and important data collected by CIIOs in the course of their operations in China are required to be stored domestically and a security assessment is required for cross-border data transfer. For data handlers that are not CIIOs, but who process PI that reaches a certain volume threshold or collect important data, a security assessment is also required. Additionally, there are localisation requirements for special business data, including, without limitation:

  • credit investigation data;
  • personal financial information;
  • map data;
  • essential tech equipment required for online publication services;
  • data and information related to car hailing services;
  • health information of the population; and
  • insurance data and fiscal data.

In principle, such data must be stored within Chinese territory (excluding the Hong Kong, Macau and Taiwan regions) and may not be freely transferred overseas. Where it is necessary to transfer such data overseas, special requirements for each type of information will be applied.

There is no law or regulation requiring technical details, such as software code or encryption, to be shared with the government. For algorithms, the algorithm recommendation service providers are required to provide an assessment report of the algorithm mechanism and model during the filing procedures, the purpose of which is to ensure that the algorithm recommendation service providers are not setting up an algorithm model in violation of any laws, regulations or ethics.

Network operators are obliged to provide the necessary technical support and assistance to public security authorities and national security authorities for the purpose of safeguarding national security and investigating crimes according to the law (Article 28 of the CSL). The cybersecurity examination of online products and services that may affect national security is not aimed at acquiring technical details (Article 35 of the CSL); rather, the purpose of this examination is to evaluate whether there is a risk of massive data leakage, loss or cross-border movement; a risk of interruption of services; or a risk of a CIIO being controlled by foreign entities. Sharing technical details should be a voluntary decision on the part of the relevant entities.

According to Article 36 of the DSL, organisations may not provide any foreign judicial or law enforcement body with any data stored within the territory of China without the approval of the competent authority. With respect to internal investigations, the restrictions on data collection and cross-border data transfer mentioned above will apply.

In addition to Article 36 of the DSL, discussed in 4.6 Limitations and Considerations, under which companies or individuals may not provide data stored within the territory of China to foreign judicial or law enforcement agencies as requested unless approved by the competent authorities, the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and Other Measures of the People’s Republic of China (“the Rules”) were released by the Ministry of Commerce of the People’s Republic of China (MOFCOM) on 9 January 2021, with immediate effect. The Rules are considered to be China’s blocking statute and have set up a relatively comprehensive anti-economic-sanctions system to deal with the long-arm jurisdiction of certain countries and regions.

Big Data

When it comes to emerging digital and technology issues, it is hard to ignore the fact that the inherent biases of algorithms may lead to the infringement of individual rights and discrimination. Until the technologies are mature, and the error rates manageable, network operators and data handlers will continue to take a cautious attitude towards the application of such technologies.

For a discussion of big data analytics, automated decision-making, profiling and artificial intelligence (including machine learning), see 2.1 Omnibus Laws and General Requirements.

Network operators in the business of the internet of things (IoT) and big data analytics must pay special attention to implementing the MLPS. According to the national standards constituting the MLPS 2.0, IoT and big data applications are expressly included in the protected objects of the MLPS. Specific security requirements can be found in the corresponding national standards. Network operators of IoT and big data applications are advised to commence the grading and classification at their earliest convenience.

Automated Decision-Making

For the purpose of automated decision-making, a vast amount of data will be collected and aggregated. Taking autonomous vehicles as an example, the vehicles will be continuously collecting all location data of the users, which will be used, among other things, to generate direct user profiles. The MIIT issued some regulations regarding intelligent connected vehicles and provided requirements for collecting and processing data. The CSL, the PIPL, the PI Specification and relevant national standards would apply to the collection and processing of PI, including automated decision-making.

Biometric Data

The application of biometric data, including facial recognition, is increasing. Biometric data is highly sensitive PI. It is unique to each individual and it is impossible to change one’s biometric data. Processing of biometric data must be conducted with much higher and more stringent standards. Requirements for collecting and processing sensitive PI are found under Section 2, Chapter 2 of the PIPL. Additionally, the GB/T 40660-2021 Information Security Technology – Basic Requirements of Biometric Data also provides guidance for the processing of such data.

Other Areas

Geolocation data is sensitive PI, the collection and processing of which must be in accordance with the applicable rules as discussed in 2.2 Sectoral and Special Issues.

Drones, which are being used for recreational purposes as well as for law enforcement, are getting smaller and cheaper while the images a drone can produce are clearer and more accurate than ever. So far, only general rules on privacy and data protection are applicable to the use of drones.

Disinformation, deepfakes, and other illegal content such as inflammatory speech or erroneous content on the internet are regulated by the ecological governance of internet information content (see the discussion under 2.2 Sectoral and Special Issues). Should an individual suffer online harm, they can resort to the Civil Code and other applicable regulations and claim damages against the wrongdoer and/or the platform operator (if applicable).

“Dark patterns” and other online manipulation are regulated under the Consumer Protection Law and the PIPL. According to Article 8 of the Consumer Protection Law, consumers are entitled to autonomous selection of goods or services, and have the right to make comparisons, identification and selection. Pursuant to Article 5 of the PIPL, it is forbidden to process PI through deception, fraud and coercion.

Fiduciary duties for privacy or data protection have not been expressly defined under the current legal framework. Similar obligations might be the duties of the DPOs (see the discussion under 2.1 Omnibus Laws and General Requirements).

To address the problems and concerns brought about by emerging technologies, TC260 is actively conducting research and has released industry study reports and, most importantly, recommended national standards to guide the application of various cutting-edge technologies. For example, TC260 published the Practice Guide to Cybersecurity Standards – Guidelines on the Code of Ethics for Artificial Intelligence in January 2021 to address ethics topics regarding artificial intelligence. The Measures for Review of Scientific and Technological Ethics (Trial) require that relevant organisations whose research content involves sensitive areas of ethics of science and technology should set up an Ethics of Science and Technology (review) Committee to carry out ethical review.

There are plenty of special enforcement projects, such as Clearing the Network 2023 (净网2023), launched by the MPS and implemented by provincial public security departments throughout the year. The CSL and the PIPL have been the major legal basis for investigations and punishment (refer to 2.5 Enforcement and Litigation for more details). There has been no civil case with a large settlement or joint action with respect to privacy and data protection (including AI). However, refer to 2.5 Enforcement and Litigation for discussion of two remarkable civil cases.

Due diligence on privacy and data protection in corporate transactions would normally start with interviews to gain an understanding of the existing situation in terms of cybersecurity protection measures and data processing at the relevant company. A gap analysis would then be conducted to evaluate the deviation between compliance requirements and the actual situation. The last step would be offering compliance suggestions. The focus of the due diligence would usually be on the following aspects:

  • the management systems of the network operation security;
  • information on the network products and services purchased by the company;
  • the collection and processing of data;
  • data storage and internal management;
  • data output; and
  • cross-border data transfer.

According to the disclosure requirements for listed companies, investigations, criminal punishment or major administrative punishment must be disclosed.

Unlike the legislative moves in the EU, there is no national-level single law or regulation to regulate tech companies and digital technology, such as the Digital Markets Act, the Digital Services Act, the Data Act, or the UK Digital Regulatory Co-operation Forum. However, just as the above laws focus on promoting fairness and competition in the digital sector and better protection of individuals’ fundamental rights, there are several provisions with the same aims scattered across laws and regulations at different legislative levels in China.

For the facilitation of fairer competition, the Draft Revised Anti-unfair Competition Law of the People’s Republic of China was published for comments in 2022.

For the governing of large online platforms, Article 58 of the PIPL requires the important internet platform service providers to establish a sound PI protection compliance system and accept supervision from the public. To ensure fair service to individuals, the Anti-monopoly Guidelines of the Anti-monopoly Commission of the State Council on Platform Economy became effective in 2021. In addition, the Cybersecurity Review Measures aim to protect the platforms that process large amounts of PI from endangering national security.

For the protection of individuals from false information, the Administrative Provisions on Deep Synthesis in Internet-Based Information Services and the AIGC Measures already became effective in 2023. In addition, regulations in the financial sector may impose certain obligations.

The terms of important data and CII are unique concepts under the CSL, the PIPL and the DSL regime.

Important Data

According to the Important Data Identification Guidelines (Draft), “important data” refers to the kind of data which, if tampered with, damaged, divulged, or illegally obtained or utilised, may affect national security and the public interest. So far, no regulation on the methods for identifying important data or its scope has been officially published. However, according to the Important Data Identification Guidelines (Draft), important data does not usually include state secrets or PI, but rather statistical data and derived data based on massive amounts of PI. Even though such guidelines have not come into force, there have been indications that the modification of legislation regarding important data, and law enforcement trends in the same area, are to be expected. The cross-border transfer of important data is subject to special procedures, which are discussed in detail in 4.3 Government Notifications and Approvals.

Critical Information Infrastructure (CII)

The CSL, PIPL and DSL provide for a special protection scheme in China on CII and the corresponding protection principles. The Security Protection Regulations for Critical Information Infrastructure came into effect in September 2021. Other regulations and national standards on CII are currently at the stage of soliciting opinions. Information infrastructure in important industries and sectors – such as public communications, information services, energy, transport, water conservancy, finance, public service, e-government and the national defence science and technology industry – might fall within the scope of such regulation. The purpose of offering extra protection for CII is to protect national security, the national economy, people’s livelihoods and the public interest.

Zhong Lun Law Firm

22-31/F, South Tower of CP Centre
20 Jin He East Avenue
Chaoyang District
Beijing 100020

+86 010 5957 2003

+86 010 6568 1022

Trends and Developments


Global Law Office (GLO) dates back to the establishment of the Legal Consultant Office of China Council for the Promotion of International Trade (CCPIT) in 1979. By the approval of the Ministry of Justice of the People’s Republic of China, the firm was renamed “China Global Law Office” in 1984 to emphasise its international perspective and full embrace of the outside world. After over 40 years of persistent effort and development, GLO has become a prominent large comprehensive law firm in the Chinese legal industry. GLO has committed to the mission of “serving domestic and foreign clients with its global vision, global team and global quality” since its inception, allowing the firm to maintain a leading position in the industry in the midst of an ever-changing global economic environment. All the lawyers at GLO are graduates of first-tier domestic and/or international law schools, and most of them hold LLM or higher degrees. Many of GLO’s partners are qualified to practise law internationally, including in the US, UK, Australia, Switzerland, New Zealand and Hong Kong, among others.

Data Practice in 2023: A Year in Review

The year 2023 was pivotal in China’s data practice. China was navigating the global terrain, aligning its data regulatory framework with international benchmarks, embracing the ambitious transformation into “Digital China” by harnessing the potential of data and prioritising the safeguarding of personal information. Meanwhile, the dynamic and ever-changing legislative, regulatory and judicial arms that focus on compliance posed a significant challenge for enterprises as the latter strived to stay abreast of the numerous requirements.

This article looks back at the progression and implementation of China’s regulatory framework of data protection and data usage in 2023, including cross-border data transfers, the influence of data as a production factor, the significance of data elements, the establishment of the China National Data Bureau, the dual-investigation regulatory mechanism in cybersecurity and data security incidents, and the interplay between civil public interest litigation and facial recognition technology within the judicial system. Through this year-end review of 2023, what rationally may happen in 2024 becomes more apparent. (For clarity, the data referred to in this article includes both personal information and non-personal information.)

Regulatory mechanisms for data cross-border transfer


China’s data cross-border transfer regulatory mechanisms (the “Regulatory Mechanisms”) comprise the security assessment, the China standard contractual clause (the “CN SCC”), and the privacy protection certification. The former two of the Regulatory Mechanisms are administered by the Cyberspace Administration of China (CAC). The Regulatory Mechanisms witnessed substantial progress in 2023. Notably, the CAC published the final versions of the CN SCC Rules and the CN SCC on 22 February 2023, which took effect on 30 June 2023.

In adhering to the filing requirements of the CN SCC, the data processor needs to map all scenarios of the outbound transfer of personal information by the Chinese categories of personal information, conduct the Personal Information Impact Assessment (the “PIIA”) following the Chinese requirements for each scenario, and negotiate with each of their foreign recipients to sign a CN SCC. This CN SCC must adopt the official template released by the CAC, and it is permissible for a CN SCC to have other and additional terms in its exhibits, as long as they are not in conflict with the main text of the CN SCC.

The data processor should file the executed CN SCC with the provincial CAC office for records within ten working days from the effective date of the executed CN SCC. To file on record, the data processor should submit both the executed CN SCC and the PIIA corresponding to the CN SCC. A supplement or amendment to a CN SCC on file should be made and filed for the record in the same process, if the purpose, scope, category, sensitivity, methods and storage site of the outbound transfer of the personal information have been changed, or if the overseas recipient has changed the purpose and method to process the personal information transferred to them, or has extended the storage term of the personal information.

On 13 December 2023, the CAC and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong SAR (the “ITIB”) jointly released the GBA SCC. It should be noted that if data processors and overseas recipients are both located in the Guangdong–Hong Kong–Macao Greater Bay Area (the “GBA”), they can comply with the requirements in the newly effective Guidelines for the GBA SCC and sign the GBA SCC. Created as a light-duty version of the CN SCC, the Guidelines for the GBA SCC expand the applicability of the CN SCC filing mechanisms, simplify the requirements of the PIIA, and provide an additional filing channel. The GBA SCC is expected to be more user-friendly to processors in their compliance efforts and obligations. 

Draft provisions

On 28 September 2023, the CAC released the draft Provisions on Regulating and Promoting Cross-Border Data Flows (the “Draft Provisions”), which attempt to provide clarifications and exemptions to the current Regulatory Mechanisms. The contemplated exemptions aim to address concerns about the uncertainty created by the existing provisions and the enforcement of the Regulatory Mechanisms. Although there are questions that remain to be answered, the Draft Provisions represent an effort by the CAC to promote the free flow of data.

Highlights of the Draft Provisions

  • Exemptions from the Regulatory Mechanisms: the transfer of employee data necessary for HR management; the transfer involving the performance of a contract, such as online shopping, hotel/flight bookings and visa applications; and the transfer of the personal information of fewer than 10,000 individuals in a year.
  • Increased threshold for the CAC security assessment: data processors anticipating the transfer of personal information for more than 10,000 but less than one million individuals in a year are no longer obliged to go through the CAC security assessment.
  • Clarification on the identification of important data: important data can only be determined upon individual notice from the competent regulators or the local authorities, and upon the important data catalogue published by the competent regulators or the local authorities.
  • Negative lists within Pilot Free-Trade Zones: the Pilot Free-Trade Zones in China are entitled to formulate their own negative list of data (the “Negative List”) to allow the free cross-border flow of data without the need to go through the current Regulatory Mechanisms.

Implementation of the Regulatory Mechanisms

The year 2023 saw the implementation of the Regulatory Mechanisms. Despite the fact that the grace period for the CAC security assessment concluded on 1 March 2023, only two organisations obtained official approval before that date. One was a collaborative research project between a Chinese hospital and a Dutch medical facility, and the other was a state-owned Chinese airline. Nevertheless, their success still sheds light on others going through similar processes.

With the Regulatory Mechanisms taking their final form after the CN SCC Rules came into effect, enterprises continued to navigate the complex waters of compliance. According to the official news, 39 enterprises in Beijing passed the CAC security assessment and nine enterprises successfully filed for the CN SCC. Although there may still be some lingering questions and uncertainties, the developments suggest that the Regulatory Mechanisms are improving, and the practice by the CAC could be more predictable in the near future.

Data markets and data services trade

Data markets

Recognising the complexity of data characteristics, the Opinions on Building the Fundamental Data Policies to Better Leverage Data as a Production Element (the “Data 20”) were released at the end of 2022, calling for the creation of a multi-level market trading system encompassing national, regional and industrial data trading exchanges. In 2023, data markets experienced a surge of development. Although curb (off-exchange) trading remains predominant, exchange trading is increasing substantially.

By September 2023, there were 60 registered data exchanges nationwide, showcasing the growing interest in the data exchange trading business. The Shanghai, Shenzhen and Guiyang Data Exchanges, respectively, issued rules governing exchange trading. However, issues such as homogenisation of data products and services and lack of vitality persisted, calling for substantive innovation in an adaptive data circulation Regulatory Mechanism.

Data services trade

There are two distinct categories of data products in the data markets: raw data, which is presented in the form of databases; and data services, which consist of reports, recommendations and strategic resolutions. Data services, in particular, convert data into insightful information tailored to specific business needs, thereby empowering enterprises to achieve greater competitive advantage.

In 2023, the Shenzhen Data Exchange implemented an innovative measure to streamline the process of conducting global data services trade. Specifically, the Shenzhen Data Exchange landed the first overseas data service provider, ZY Technologies (HK) Co, to list its product “Xinshuzhi”. This started the process to provide comprehensive information technology products and service solutions for global trading companies and e-commerce platforms.

Data elements and the National Data Bureau

Data elements

In 2023, data elements continued to play a crucial role in the industry transformation and integration of the digital economy with the traditional economy. Initially recognised as one of the five key production factors in 2020, data elements received renewed acknowledgement and emphasis in the Data 20. The latter not only reaffirmed data elements as valuable assets but also proposed the establishment of a fundamental data system encompassing the data property rights mechanism, the data trading and transaction mechanism, and the data revenue allocation mechanism.

The State Council released the Overall Layout Plan for the Construction of Digital China (the “Plan”) in 2023, which reaffirmed the data revenue allocation mechanism and emphasised its importance. Moreover, Data Element X: A Three-Year Action Plan (2024–2026) (the “X Plan”), launched by the National Data Bureau as part of its efforts to provide a strategic vision for unleashing the potential of data elements, specifically outlined 12 application directions for data elements. These are the sectors of industrial manufacturing, modern agriculture, commercial circulation and transport, financial services, technological innovation, cultural tourism, medical health, emergency management, meteorological services, smart cities, and green and low-carbon initiatives.

National Data Bureau

While efforts are underway to promote the marketing and circulation of data elements, there is still a long way to go. To accelerate the process, the Plan proposed the establishment of the National Data Bureau (NDB), which would be hosted in the National Development and Reform Commission (NDRC). Founded on 25 October 2023, the NDB was tasked with advancing fundamental data institutions and co-ordinating the integration, exchange, development and application of data resources. It is hoped that the NDB can navigate the challenges, successfully shaping China’s future landscape of data utilisation in 2024.

Enhanced oversight through dual investigation

In response to rising cyber and data security threats, the Ministry of Public Security (the “Police”) has intensified its focus on online personal information protection in recent years. The year 2023 was no exception; the “dual investigation of one case” approach (the “dual investigation”) became a key strategy of the Police to effectively mitigate cybersecurity threats.

Dual investigation refers to investigating unlawful online activities while simultaneously checking the compliance performance of the data processors who are the victims of said unlawful activities. Specifically, a dual investigation encompasses a thorough examination of whether the affected data processors have implemented the statutorily required security protection measures to safeguard user information and prevent cyber-attacks. Once non-compliance is identified, if the victim data processors refuse to fulfil their statutory obligations, penalties will also be imposed on them.

In 2023, the Police used the dual investigation to understand the root causes of successful cyber-attacks. For instance, the Police may obtain leads from domestic and foreign websites, including those on the dark web, and use them to locate the victim data processors in China. The objective of a dual investigation is to assess the compliance status of the victim data processors in the investigation of cybercrime incidents and to promote compliance with cybersecurity obligations.

The first civil public interest litigation on facial information

Facial recognition technology (FRT) has emerged with unparalleled technological advantages, integrated into diverse aspects of our daily lives. However, the widespread use of FRT has raised challenges for personal information protection, particularly given that facial information is biometric information and classified as sensitive personal information in China. For example, poor FRT with weak security capabilities could simply be tricked with a photo of a face it recognises, increasing the risk of potential misuse of facial information. Concerns regarding facial information protection have surfaced, prompting judicial responses.

Pursuant to China’s Personal Information Protection Law (the “PIPL”), procuratorates may initiate civil public interest litigation for personal information protection if a personal information processor processes personal information in violation of the PIPL and thereby violates the rights and interests of multiple individuals. Moreover, the protection of biometric information has been acknowledged by the Supreme People’s Procuratorate of China (the “SPP”) as a significant area of concern in civil public interest litigation. Prosecutors across the nation initiated more than 160 civil public interest litigation cases concerning the protection of personal information in 2023. Meanwhile, an exclusive discussion of civil public interest litigation for the protection of facial information was included in a Bluebook published by the SPP.

The first civil public interest litigation on facial information in China was selected as one of the model cases of personal information protection in Guangdong Province in 2023. In this case, four defendants had been convicted of infringing on citizens’ personal information by employing AI to generate videos from photos containing facial information and using the videos to deceive facial recognition systems to make illegal profits. The defendants also deleted a large amount of information and many transaction records, making it impossible to verify the victims. Subsequently, the Procuratorate of Yuexiu District, Guangzhou, filed a civil public interest litigation against them in the Guangzhou Internet Court because multiple unspecified individuals’ rights and social interests had been damaged.

It is worth noting that this case introduced an innovative approach for addressing damages and mitigating adverse effects through public service compensation. The defendants were required to actively participate in education programmes, public welfare campaigns, volunteer service, and other activities related to personal information protection, within one year from the effective date of the civil public interest judgment. The effectiveness of these actions would offset public interest damages. Later in 2023, a hearing was conducted to confirm that the defendants’ compensation behaviour was satisfactory, thus relieving them of all public interest damages.

The public service has two purposes: (i) to ensure that defendants comprehend their errors, rectify their behaviour, and redress damages, proposing a path of “restorative justice combined with a system of comprehensive social governance”; and (ii) to raise the public’s awareness in protecting their personal information in this new type of harm to their rights and interests.

Overall, this case not only introduced a standard to determine damages caused by large-scale harm to personal information but also emphasised the significance of safeguarding sensitive personal information like facial information.

Looking Ahead: Data Practice in 2024

The following is expected to happen in 2024.

Alignment of the Chinese Regulatory Mechanisms with the regional protocols

Anticipating the final version of the Draft Provisions, the Lin-gang Special Area of the China (Shanghai) Pilot Free-Trade Zone has taken the lead, announcing plans to release its own catalogue of important data in March 2024. China’s Department of Commerce is making solid preparations to participate in regional economic and trade protocols, including the Regional Comprehensive Economic Partnership (the “RCEP”), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (the “CPTPP”), and the Digital Economy Partnership Agreement (the “DEPA”), not to mention the further development of the “one belt one road” initiative and the expansion of the BRICS. Such an effort will align the Regulatory Mechanisms with regional benchmarks in data protection and free flow. If all goes according to plan, multinational companies in China can expect a streamlined process for data cross-border transfer and more transparent and predictable administrative enforcement of the law.

New developments in data element mechanisms and data transactions

The booming development of data exchanges and data transactions in 2023 calls for more administration-led legislative efforts to clearly define the fundamental data element mechanism and the data rights mechanism. It is hoped that more administrative legislation, like the Interim Provisions on the Accounting Treatment of Enterprise Data Resources, will be released to build the foundation for the further development of data businesses. How the NDB fulfils such expectations will be key to the success of the data boom in 2024.

Measures on compliance audits of personal data protection

On 3 August 2023, the CAC released the draft Administrative Measures for the Compliance Audit of Personal Information Protection (the “Draft Measures”). The Draft Measures offer comprehensive guidelines on critical aspects of personal information compliance audits. Key components include the subjects required to conduct personal information audits, definitions of the various types of personal information audits, the recommended frequency of personal information audits, and an Annex outlining the obligations of data processors during personal information audits. While the Draft Measures serve as a valuable supplement to the existing provisions of personal data protection laws, they leave pending questions that will need to be addressed in the final version. It is hoped that 2024 will reveal balanced answers on the personal information compliance audit.

Final Words

As the data practice odyssey continues into 2024, there appear to be some positive changes in the regulatory mania, and businesses have a glimmer of hope that a new era, balancing innovation, compliance and globalisation in the pursuit of the dream of “Digital China”, may lie ahead. 

Global Law Office

36th Floor, Shanghai One ICC
No 999 Middle Huaihai Road
Xuhui District
Shanghai 200031

+86 21 2310 8288

+86 21 2310 8299