Privacy and data protection provisions within the Chinese legal framework are scattered across laws and regulations at different legislative levels. In terms of specialised legislation on cybersecurity and data protection, China has established a comprehensive legal framework that includes several key laws and regulations – ie, the “Three Fundamental Laws”:
These operate together with the “Three Key Regulations”:
The Three Fundamental Laws and the Three Key Regulations form the pillars of China's cybersecurity and data protection legal framework, with each addressing different aspects of data security and privacy.
The CSL was enacted on 1 June 2017 and forms the backbone of cybersecurity and data privacy protection legislation in China. The DSL came into effect on 1 September 2021 and is the fundamental law in the data security sphere, widely covering data security mechanisms, obligations and liabilities at both state administration and data processor level. The PIPL came into effect on 1 November 2021 and embraces the new era of personal information (PI) protection as well as corporate data protection compliance. The Three Key Regulations further detail the cybersecurity and data protection requirements set forth in the Three Fundamental Laws from different perspectives.
In addition to the specialised legislation, China's general legislation may also include provisions on privacy and data protection. Specifically, the Civil Code (民法典) plays a significant role in this regard. The Civil Code’s provisions relating to data privacy protections are basically consistent with the requirements provided in the Three Fundamental Laws, further solidifying the legal foundation for privacy and data protection in China. Data protection regulations on privacy are also scattered in:
Key Regulators
Since data regulation is a topic that impinges upon all industries, there is a wide range of law enforcement departments related to it, many of which have intersecting duties and authorities. There is no centralised regulatory body. Among all these regulators, the most important ones include:
Specifically, according to Article 8 of the CSL and Article 60 of the PIPL, the CAC is in charge of overall planning with regard to data protection and privacy, and co-ordinates the competent authorities. The MIIT, the MPS, the State Administration for Market Regulation (SAMR) and other industry regulators are in charge of law enforcement in the respective industries.
Moreover, it is noteworthy that the National Data Bureau, inaugurated in October 2023, is responsible for overseeing the integration, sharing and development of data resources, co-ordinating the construction of data infrastructure systems, and the planning and construction of digital China, the digital economy and digital society.
How Regulators Operate in Practice
When initiating administrative proceedings and enforcing the Three Fundamental Laws and other relevant laws and regulations, the competent authorities must abide by the Law on Administrative Penalty (行政处罚法). The competent authorities should conduct investigations to ascertain the facts of the alleged violating acts before imposing punishment on anyone (Article 54). The penalised parties should be given opportunities to state their case and defend themselves (Article 7). The penalised party is entitled to a hearing in cases where the administrative punishment involves the suspension of business, rescission of a business permit or licence, or a large penalty (Article 63).
According to Article 7 of the Law on Administrative Penalty, a party that refuses to accept administrative penalties imposed upon it may first apply to the relevant administrative organ for a reconsideration. If the party is still dissatisfied with the reconsideration decision, it is entitled to initiate an action before the people’s courts. Unless otherwise stipulated by applicable laws requiring the exhaustion of administrative reconsideration before seeking judicial review, it may also initiate an action before the people’s courts directly.
Administrative Proceedings
Administrative proceedings initiated by regulators can be triggered in different ways, including:
In addition to the procedures of administrative proceedings described in 1.2 Regulators, public security departments must abide by the special rules provided for them under the Regulations for Internet Security Supervision and Inspection by Public Security Organs (公安机关互联网安全监督检查规定). For example, there must be at least two police officers in the event of an on-site inspection, and such law enforcement officers must keep any personal and private information that becomes known to them during an inspection confidential.
To oversee the administrative proceedings initiated by the CAC, the Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration Departments (“Enforcement Procedures”, 网信部门行政执法程序规定) came into effect on 1 June 2023, and set the rules on jurisdiction, evidence, enforcement, etc. In addition, the Provisions on Administrative Penalty Procedures for Industry and Information Technology Authorities (工业和信息化行政处罚程序规定) came into effect on 1 September 2023, emphasising the transparency of enforcement activities and protection of the penalised/inspected parties' lawful rights and interests.
Calculation of Administrative Fines
The competent authorities will determine the amount of any fine on a case-by-case basis, taking into consideration the severity of the violating acts, the infringement of individuals' legitimate rights and interests, any adverse impact on society, etc. According to Article 34 of the Law on Administrative Penalty, the administrative authorities may, in accordance with law, formulate discretion benchmarks for administrative penalties to regulate the exercise of such discretion. Such discretion benchmarks for administrative penalties shall be made public.
Under the PIPL, the penalties for violations may include an order of rectification, warning, confiscation of illegal earnings, or the suspension or termination of apps or services. For severe violations, the violator may be fined up to CNY50 million or 5% of its turnover of the previous year at the company level, and the person directly in charge will be fined up to CNY1 million. The company’s business licences and permits may also be revoked.
Depending on the nature and severity of the violation, different sanctions and penalties may be imposed under the CSL. For instance, non-compliance with the provisions related to PI protection under the CSL may result in orders to take rectification measures, warnings, confiscation of illegal earnings, fines or a combination of these. The fine imposed should exceed the amount of illegal earnings but may not exceed ten times such earnings; if there are no illegal earnings, the fine may not be more than CNY1 million. The person directly responsible may be subject to a fine ranging from CNY10,000 to CNY100,000. In the case of a severe violation, the competent authority may order the suspension of related business, require the violators to undergo rectification, order the shutdown of a website, and revoke the business licence of the operator or provider. It is worth noting that the revised draft of the CSL, released in September 2022, has increased the upper limits of the fines to align with those prescribed under the PIPL. For severe violations, the amount of the fine may be up to CNY50 million or 5% of the violator’s turnover in the previous year, and the person directly in charge may be fined up to CNY1 million.
The Enforcement Procedures set forth the following rules.
Among the administrative proceedings undertaken in recent years, violations punished by the administrative authorities include but are not limited to:
The most notable cases in recent years involving such violations include the following.
Recent Developments in AI Regulation and Implications for Data Protection
China has taken agile legislative action to effectively address the regulatory, legal and ethical challenges posed by AI technology by building and implementing a comprehensive AI regulatory framework in recent years. The Interim Measures for the Administration of Generative Artificial Intelligence Services (“AIGC Measures”; 生成式人工智能服务管理暂行办法) came into effect on 15 August 2023 and expressly outline the regulatory framework for AI-generated content (AIGC) technology, encompassing various stages such as model training, application deployment and model optimisation, and multiple subjects like AIGC developers, service providers and users. AIGC service providers shall conduct an AIGC filing according to the AIGC Measures, as well as an algorithm filing according to the Administrative Provisions on Algorithm Recommendation for Internet Information Services (“Algorithm Provisions”; 互联网信息服务算法推荐管理规定), and the competent authorities will review such AIGC services from a cybersecurity and PI protection perspective, among others.
The Measures for Review of Scientific and Technological Ethics (Trial) (科技伦理审查办法(试行)), which came into effect on 1 December 2023, demonstrate China’s significant attention to technology development as well as ethical reviews of AI. Regarding the specific application of AI technology, as stipulated by the Administrative Provisions on Deep Synthesis in Internet-Based Information Services (互联网信息服务深度合成管理规定), contents generated by deep learning or other new technologies must be identified in a noticeable way and shall be reviewed technically or manually to avoid infringements of the rights and interests of data subjects.
In 2024, China continued to formulate relevant standards and technical documents for AIGC governance. In September 2024, the National Information Security Standardisation Technical Committee (TC260) issued the Artificial Intelligence Security Governance Framework (人工智能安全治理框架), which is designed to promote consensus and co-ordination among governments, international organisations, enterprises and other stakeholders regarding AI governance. The development of AI governance in China is further demonstrated by:
Safeguards Provided for Data Protection
With regard to data protection in the context of the use of AI systems, all phases related to AIGC services need to comply with the corresponding legal requirements for data protection.
For instance, regarding the phase of model training, AIGC developers and AIGC service providers are legally required to use data with lawful sources, to formulate clear data annotation rules and to take effective measures to ensure the authenticity, accuracy, objectivity and diversity of the training data and properly fulfil the data protection obligations (Articles 7 and 8 of AIGC Measures).
Regarding the phase of application operation, certain data protection risks concerning the reliability and robustness of the services, as well as issues related to the transparency, necessity, etc, of data processing, may arise out of content generation, data analysis and processing, and AIGC service provision. On that basis, AIGC service providers shall assume responsibility for protecting the collected data and the information input by users, as well as performing their legal obligations as PI handlers. These obligations include:
Relevant technical measures shall also be taken to enhance the safety, stability and sustainability of services and to ensure normal use by users (Articles 9, 11 and 13 of AIGC Measures).
How AI Regulation Affects Data Protection in China
AI regulation and data protection are closely intertwined in China, where both are governed by legal frameworks designed to balance technological innovation with privacy and data protection. The data compliance issues associated with the entire lifecycle of AIGC, including but not limited to key stages such as model training, service provision and model optimisation, are complex and typically involve multiple parties, such as AIGC developers, service providers and service users, which poses significant challenges for privacy and data protection.
In key data protection regulations in China, specific provisions have been formulated to address AI development while simultaneously ensuring a balance between innovation and data protection, and safeguarding privacy associated with AIGC technologies. For instance, the RANDS provide that, insofar as the training data and the processing activities thereof are concerned, network data handlers providing AIGC services shall fulfil relevant security management obligations (Article 19 of the RANDS). Moreover, the increasingly rapid development of AI technology also drives competent authorities to further incorporate AI regulation into the legal framework of data protection. The Action Plan for the Construction of Information Standards (2024–2027) (信息化标准建设行动计划(2024–2027年)) was released on 24 May 2024 and has expressly made AIGC-related technical standards a key focus for future legislation.
Interplay Between AI-Related Laws and Data Protection-Related Laws
On one hand, the essential data protection laws (including the Three Fundamental Laws and the Three Key Regulations) are applicable to all data processing activities under AI-related scenarios. AIGC developers and service providers should also comply with such essential data protection laws when carrying out data processing activities. For instance, both the PIPL and the DSL require data minimisation and purpose limitation (in Article 6 of the PIPL and Article 32 of the DSL, respectively), which directly affects how AI models are trained. AI systems that process PI must ensure that users can exercise their rights as set out under the PIPL, such as the right to withdraw consent or request data deletion (Articles 15 and 47 of the PIPL). AI systems must incorporate robust security measures to prevent breaches of PI as set out in Article 27 of the DSL and Article 51 of the PIPL; as a result, AIGC service providers shall build these features into their platforms to comply with such data protection requirements. If AIGC services involve cross-border data transmission, the legal requirements on cross-border data transfer (CBDT) shall also be followed.
On the other hand, in some cases, the AI-related laws specify and complement the data protection requirements in the context of AI. For instance, Article 7 of the AIGC Measures provides that AIGC service providers shall ensure the lawfulness of the training model and data sources when processing training data, and data subjects’ consent shall be obtained if any PI is involved. In addition, echoing the relevant requirements in the PIPL, Article 11 of the AIGC Measures also specifies that users’ PI shall be collected based on the minimum necessary principle, and any illegal use, storage or provision is not allowed. Moreover, AIGC service providers shall promptly address and respond to users’ requests to exercise their PI-related rights to access, copy, correct, supplement, delete, etc.
In China, AI regulation and data protection laws, including the PIPL and the AIGC Measures, are designed to complement each other, thereby fostering innovation of AI systems and maintaining respect for individuals' rights. The PIPL focuses on PI protection, whereas AI-related laws such as the AIGC Measures aim to regulate AI systems in a manner that ensures safety, accountability and ethical considerations. Together, they create a comprehensive regulatory structure that guides the responsible development and deployment of AI while safeguarding privacy and data protection rights.
In China, the majority of PI protection litigation cases are public interest litigation. In 2023, procuratorial organs in China handled more than 6,300 public interest lawsuits on PI protection. China also allows individuals to initiate private litigation, and the legal bases for an individual to initiate private litigation mainly include the Civil Code, the Consumer Protection Law, the CSL and the PIPL.
The number of privacy litigation cases brought by individuals has increased rapidly in recent years. According to announcements by the Beijing Internet Court, it received a total of 113 cases related to PI protection disputes between October 2023 and October 2024. In contrast, merely 58 such cases were handled by the same court in the past five years leading up to 2023. This increase highlights a rapid growth trend in PI protection dispute cases.
One of the most noteworthy cases reflecting the impact of international developments on domestic litigation is the first case related to CBDT issues announced by Guangzhou Internet Court (further discussed in 2.2 Recent Case Law). Along with international economic and business developments, CBDT issues have become the focus of data subject attention, and a rise in privacy litigation involving CBDT is expected in the coming year.
One privacy litigation case worth noting involved an individual customer suing a European hotel group for infringement of their PI rights and interests due to CBDT.
In this case, regarding disclosure and transparency requirements, the Guangzhou Internet Court found that the scope of recipients and the geographical regions were not clearly stated in the privacy notice, and that data subjects were not explicitly informed where their PI would be transmitted or how it would be processed, which fails to comply with Articles 7 and 17 of the PIPL. Regarding the legal basis for such CBDT, the court affirmed that intragroup sharing of customers’ PI via the hotel’s central booking system to the overseas booked hotel and the global headquarters is legitimate and necessary for hotel management.
However, the court rejected the legitimacy of transferring the customer’s PI to intragroup marketing departments and external business partners for the purpose of “marketing”, as this is not “necessary for performing the contract”, and thus the hotel group is still legally required to obtain the customers’ separate consent to such CBDT in accordance with the laws. Since the hotel failed to obtain the customer's separate consent, the court held that the hotel's data processing activities lacked an adequate legal basis and were thus illegal, and ruled that the hotel should bear the corresponding infringement liability, which includes compensation for damages, the deletion of the relevant PI and an apology to the individual.
Article 70 of the PIPL establishes the mechanism of public interest litigation for PI infringement. Where any PI handler processes PI in violation of the PIPL, which infringes upon the rights and interests of a large number of individuals, a lawsuit may be brought to a people's court in accordance with the law by:
In the past few years, the number of public interest litigation cases regarding PI protection has increased year by year. For example, prosecutors handled over 2,000 cases in 2021 and this number surged to more than 6,300 cases in 2023. This upward trend reflects the growing frequency of legal actions concerning PI protection initiated by prosecutors and shows the great importance attached to PI protection.
Objectives of Data Regulation
In China, regulations addressing the use of IoT services and the rights and obligations of data holders and data processing services are primarily shaped by a combination of data protection laws, regulations and industry-specific guidelines – ie, the Three Fundamental Laws and certain industrial measures and/or standards, such as:
Through the above regulations, China aims to protect the security and privacy of data collected through IoT devices, which may include PI, important data (ie, data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc, the specific scope of which is stated in the catalogues of important data formulated by the national, regional and other relevant departments) and other sensitive information that may be generated, stored or transmitted via IoT devices.
China also promotes the secure use and free flow of such data involved in IoT services, promotes the availability and accessibility of data, and enhances the activity of the data-driven economy, as set out under the Opinions on Building a Basic Data System to Better Play the Role of Data Elements (“Opinions”; 关于构建数据基础制度更好发挥数据要素作用的意见).
Scope of Data Regulation
The main scope of regulations on IoT services, data holders and data processing services is as follows.
The interplay between data regulation and data protection requirements in China is complex but complementary. On one hand, data protection laws such as the Three Fundamental Laws govern the legality, legitimacy and necessity of data processing, as well as the protection of the rights and interests of data subjects involved in IoT services. On the other hand, the broader data regulation framework – including the industry-specific regulations and guidelines – aims to oversee specific industries and types of data usage, ensuring that data protection principles are applied in various contexts, particularly in critical sectors such as IoT. Together, they provide a comprehensive approach to ensuring cybersecurity and promoting data and privacy protection.
The above legal frameworks collectively address different aspects of data handling in China. However, they share unified objectives of safeguarding data privacy, enhancing security and ensuring accountability in the digital age. The Three Fundamental Laws serve as the primary regulation governing data protection, while other industry-specific laws built on the foundation of the Three Fundamental Laws ensure that data is handled responsibly, transparently and in compliance with privacy rights in IoT scenarios. Data holders (which may include IoT service providers and data processors) and data processing service providers in China must navigate the aforementioned multiple frameworks to ensure the protection of user privacy and compliance with stringent data security requirements.
IoT service providers and data processing service providers in China must navigate a complex regulatory framework to ensure compliance with data protection and cybersecurity requirements. The main obligations arising from the applicable laws and regulations regarding the use of IoT services and data processing services are as follows.
Key regulators of IoT services and data processing services include the CAC, the MIIT and the MPS. The CAC is in charge of the overall planning of data protection and privacy, and the co-ordination of the competent authorities. The MIIT is the industry authority for IoT services and is responsible for the development of industry regulations and enforcement in the field of IoT. As IoT services involve network operations, the MPS, as the enforcement authority of CSL, is responsible for managing and enforcing the relevant requirements under the CSL.
In some cases, other departments (eg, the SAMR) may become responsible for enforcing the data regulation under certain circumstances, such as anti-unfair competition in IoT service provision.
Under the CSL and PIPL regimes, the use of cookies is usually regarded as the collection of PI, which must comply with PI protection-related requirements. According to Article 5 of the PIPL, the collection and use of PI must follow the principles of legality, legitimacy and necessity, which means that the use of cookies for user information collection must comply with these principles. Individuals must be truly, accurately and completely informed about the use of cookies in a prominent manner and in clear and understandable language, and the explicit consent of users must be obtained in accordance with Articles 13 and 17 of the PIPL. The use of cookies should also follow other general principles of data minimisation and data security protection. Furthermore, if cookies are collected and used for behavioural or targeted advertising that has not been agreed to by the data subjects (and no other legal basis exists), that collection and use of cookies would be deemed illegal.
The Advertising Law (广告法) is the fundamental law that regulates advertising. The Measures for Administration of Internet Advertising (互联网广告管理办法) apply to online marketing. The sender must obtain consent to, or a request for, advertising from the recipients, and the sender must also disclose their true identity, contact details and the opt-out method for advertisements distributed via electronic means.
In addition, since online marketing, particularly behavioural and personalised advertising, is normally based on the analysis of PI collected from users, regulations on PI collection and use must be observed. To begin with, PI may not be collected or used for personalised advertising if the PI subjects have not agreed to this. Pursuant to Article 24 of the PIPL, if business marketing or push-based information delivery is conducted towards an individual by means of automated decision-making, an option not targeting the personal characteristics of the individual, or an easy way to refuse to receive this, must be provided to the individual. In addition, according to the Information security technology – Personal information security specification (GB/T 35273–2020 信息安全技术 个人信息安全规范), the use of indirect user profiling generated from PI that is not from particular persons is recommended for online marketing, rather than direct user profiling. Also, where a personalised display is used for online marketing, an option to turn the function off and to delete or anonymise the PI used for such a personalised display should be provided to the users.
Currently, there is no special data privacy law or regulation regulating the employment relationship. The PI of an employee is subject to the same PI protection regime as that of any other individual. Employee PI protection is governed by the Employment Law (劳动法), the Employment Contract Law (劳动合同法), the CSL, the PIPL and other relevant laws and regulations governing PI. These laws have the following implications for the employment relationship.
Employee Data Protection
Under the PIPL, employers must ensure that they collect, store and process employee PI in compliance with the legal requirements – eg, employees must be informed about how their PI will be collected, processed or shared. An employer must have at least one legal basis for processing employees' PI. These legal bases may include obtaining employees' consent or processing such PI as necessary for human resources (HR) management under labour rules and collective agreements lawfully entered into, etc. If the processing of employees' PI is specified in the employer's lawfully established labour rules or in a legally executed labour contract, and can be defined as being necessary for HR management, then it is generally considered that the employer does not need to obtain the employee's consent for such PI processing. However, if the processing of such PI cannot be adequately justified as being necessary for HR management, the employer should still obtain the employee's consent (including separate consent if applicable) as required by the PIPL.
Employers should also follow the data processing principles of lawfulness, legitimacy, necessity and data minimisation. Employers must ensure employees' privacy-related rights, and adhere to other general requirements for PI processing, such as taking appropriate security measures to safeguard PI.
CBDT of Employee PI
Employers that intend to transfer employees’ PI outside of China must adhere to specific restrictions and requirements as set out under the PIPL. This could have significant implications for multinational companies, particularly those with operations both in China and abroad, as it is common practice for such companies to conduct intragroup sharing of employees’ PI.
According to Article 5.2 of the Provisions on Facilitating and Regulating Cross-border Data Flows (“CBDT Provisions”; 促进和规范数据跨境流动规定), where it is necessary to transfer employees' PI abroad for the purpose of conducting cross‑border HR management in accordance with labour rules and regulations formulated, and collective contracts concluded, in accordance with the laws, companies are exempt from submitting applications for security assessment, obtaining certification from the approved agencies or filing standard contractual clauses.
When transferring employee PI abroad, employers still need to obtain a legal basis for such CBDT and to meet the disclosure obligations in accordance with Article 39 of the PIPL. On the other hand, employers are exempted from the CBDT application procedures for outbound transfers of employees’ PI that are necessary for HR management, thereby significantly reducing the compliance burden borne by employers.
Employer Liability and Accountability
The PIPL and related regulations hold employers accountable for how they handle employee PI. If employers illegally mishandle or misuse employee PI, they could face severe penalties, including fines, restrictions on operations or even legal actions by employees. To avoid such risks, employers need to revise their HR policies to ensure data privacy compliance in employee onboarding, performance evaluations and resignation procedures. Employers shall also provide training for HR staff to understand the legal obligations around employee PI handling. Stringent security measures shall be taken to protect employees' PI from breaches, which also impacts the company's internal practices and operations.
Challenges for Employers
The evolving regulatory legal framework of data privacy is shaping the employment relationship by balancing the protection of employees’ PI against the operational needs of employers. Employers are required to adopt more robust data protection measures and to enhance transparency in their management of employees’ PI. This presents new challenges for employers, such as increased costs associated with implementing data protection efforts and introducing legal complexities. Multinational companies with operations in China must navigate the intricate landscape of data protection laws across multiple jurisdictions. Such companies may also encounter difficulties in aligning and harmonising the data privacy practices concerning their global business operations.
All forms of data or PI processing activities occurring in asset deals shall be governed by the DSL and the PIPL. The requirements and obligations set forth under the DSL and the PIPL for data and PI processing shall be complied with accordingly. Specifically, with regard to any transfer of PI due to merger, division, dissolution or declaration of bankruptcy, etc, Article 22 of the PIPL specifies additional disclosure requirements that relevant data subjects shall be informed of the name and contact information of the PI recipient. In the event of any changes to the original purpose and method of data processing by the PI recipient, consents from the concerned data subjects shall be re-obtained.
According to the CSL, PI collected by CIIOs during their operations in China must be stored within Chinese territory. Where there is a need to transfer such information overseas, a security assessment shall be conducted. The PIPL expands the applicable scope of security assessment. A suitable CBDT mechanism shall be implemented before PI can be transferred overseas. So far, the importing of data from overseas to China has not been the focus of the administration.
The PIPL provides three routes for CBDT compliance:
According to the Measures for the Security Assessment of Data Cross-Border Transfer (“Outbound Measures”; 数据出境安全评估办法), the security assessment mainly covers the legality, legitimacy and necessity of the purpose, scope and method of the outbound transfer of data. It also includes:
The certification mechanism mentioned in the PIPL is finalised by the Technical Specification for Certification of Cross-Border Transfers of Personal Information V2.0 (网络安全标准实践指南–个人信息跨境处理活动安全认证规范V2.0). The Measures for Certification of Personal Information Protection for Outbound Transfer of Personal Information (Exposure Draft) (个人信息出境个人信息保护认证办法(征求意见稿)) were released on 3 January 2025, further regulating the certification of mechanisms for the outbound transfer of PI.
As for standard contractual clauses, the Measures for the Standard Contracts for Outbound Transfer of Personal Information (个人信息出境标准合同办法) came into effect on 1 June 2023.
Regarding derogations, Article 38 of the PIPL allows PI to be provided in accordance with international treaties or agreements concluded or acceded to by China. Furthermore, the CBDT Provisions, which came into effect on 22 March 2024, exempt the following scenarios from the CBDT application procedures:
With the goal of stabilising the economy and promoting development, the CBDT Provisions responded to companies’ expectations, substantially facilitating CBDT and alleviating companies’ compliance burden.
The cross-border transfer of PI and important data is regulated under the Three Fundamental Laws. CIIOs are required by the CSL to conduct a security assessment prior to the cross-border transfer of PI and important data. With respect to important data, data handlers are required by the DSL to comply with the measures issued by the competent authority, ie, the Outbound Measures. In addition, the CBDT of certain specially regulated data (eg, human genetic resources information) is subject to sector-specific rules and may require government approval under the rules applicable to such data.
For non-CIIOs transferring PI, refer to 5.1 Restrictions on International Data Transfers.
In China, the first and foremost data localisation requirement is that state secrets may not be transferred overseas. Secondly, PI and important data collected by CIIOs in the course of their operations in China must be stored domestically, and a security assessment is required for CBDT. Data handlers that are not CIIOs but that process PI above a certain volume threshold, or that collect important data, must also undergo a security assessment. There are further localisation requirements for specially regulated business data, including data relating to the following:
In principle, such data must be stored within Chinese territory (excluding the Hong Kong, Macau and Taiwan regions) and may not be freely transferred overseas. Where it is necessary to transfer such data overseas, the special requirements for each type of data apply, such as obtaining approval from the competent authorities.
According to Article 36 of the DSL, organisations and individuals may not provide any foreign judicial or law enforcement body with data stored within the territory of China without the approval of the competent authority. With respect to internal investigations, the restrictions on data collection and CBDT described in 5.1 Restrictions on International Data Transfers apply.
In addition, the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and Other Measures of the People’s Republic of China (“the Rules”; 阻断外国法律与措施不当域外适用办法) were released by the Ministry of Commerce of the People’s Republic of China (MOFCOM) on 9 January 2021, with immediate effect. The Rules are regarded as China’s blocking statute and establish a relatively comprehensive system for countering the long-arm jurisdiction of certain countries and regions.
Legislation regulating CBDT in China has been evolving rapidly in recent years. In particular, to facilitate data flows and promote foreign investment, Article 6 of the CBDT Provisions allows pilot free trade zones, within the framework of the national system for classified and hierarchical protection of data, to formulate at their own discretion lists of data that must go through the CBDT application procedures (“Negative Lists”).
In May 2024, August 2024 and February 2025, the Tianjin, Beijing, Shanghai and Hainan Pilot Free Trade Zones respectively released their Negative Lists together with supporting measures. In these free trade zones, only the CBDT of data listed on the Negative List still requires the CBDT application procedures; transfers of data not on the Negative List are exempt.
In addition to the Negative List, local governments are also exploring other initiatives to facilitate the flow of data. For example, the Implementation Guidelines for Standard Contracts on Cross-Border Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (粤港澳大湾区个人信息跨境流动标准合同实施指引) were issued to facilitate data flow among companies within the Greater Bay Area.
In November 2024, aiming to encourage a more efficient, convenient and collaborative approach for international data flows, the CAC issued the Global Data Cross-Border Flow Co-operation Initiative (全球数据跨境流动合作倡议), advocating for the principles of “openness, inclusiveness, security, co-operation and non-discrimination” towards all international stakeholders.
The above underscores the Chinese government’s objective of stabilising the economy and facilitating international data transfers.
22-31/F, South Tower of CP Centre
20 Jin He East Avenue
Chaoyang District
Beijing 100020
PRC
+86 010 5957 2003
+86 010 6568 1022
chenjihong@zhonglun.com
www.zhonglun.com
Data Practice in China in 2024: A Year-End Review
2024 saw noteworthy developments in cross-border data transfer, data security measures, personal information compliance audit and AI-related litigation, including flexibility in the regulation of cross-border data transfers from China, the practical implementation of rules for personal information protection, and rapid developments in data assets. All these efforts highlight China’s desire to establish a secure and dynamic digital economy that addresses domestic growth needs while keeping an eye on global digital trade, embracing international standards and tackling practical challenges.
Meanwhile, the pervasive application of new technologies like generative artificial intelligence (AI) spurred an increase in litigation on intellectual property right claims and personal information protection, sending cautionary notes to businesses about things they need to prepare for in an ever-changing legal environment.
Cross-border data transfers
Provisions on Facilitating and Regulating Cross-border Data Flows
The Provisions on Facilitating and Regulating Cross-border Data Flows (the “Provisions”) were released by the Cyberspace Administration of China (CAC) on 22 March 2024 and introduced critical updates to China’s regulatory mechanisms for cross-border data transfers (the “Regulatory Mechanisms”). Although the Provisions do not change the local processing preference established by the three channels that make up the Regulatory Mechanisms – ie, the Security Assessment, the China standard contractual clauses (CN SCC) and the cross-border privacy certification – they do ease the regulation of cross-border data transfers by raising the thresholds that trigger the Regulatory Mechanisms.
Highlights of the Provisions include the following.
Following the Provisions, the CAC further updated the implementation guidance for Security Assessments and CN SCC filings. These updates include simplified templates for personal information protection impact assessment reports, which further reduce the compliance burdens.
The Provisions and the implementation guidance substantially reduce the need to go through the Regulatory Mechanisms for cross-border data transfers and the compliance burden in preparing the application package for the Regulatory Mechanisms.
FTZs’ Negative Lists and Whitelists
Local governments and FTZs have been active in facilitating cross-border data flows. In 2024, the Tianjin and Beijing FTZs published their respective Negative Lists for cross-border data transfers, while the Lingang Special Area of the Shanghai FTZ and the Fujian Pingtan FTZ released Whitelists identifying data that is exempt from the Regulatory Mechanisms. Although Negative Lists sit more naturally with a Western style of legal governance, Whitelists may be easier to implement given China’s administrative enforcement style.
Global co-operation
China presented its Global Cross-Border Data Flow Co-operation Initiative to the global community in November 2024, outlining constructive strategies for cross-border data flows and demonstrating its commitment to balancing development and security. The execution of a Memorandum of Understanding with Germany concerning cross-border data transfers, along with continuing efforts to join regional agreements such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership and the Digital Economy Partnership Agreement, highlights the aim of fostering an open and collaborative international framework for cross-border data flows that serves China’s interests.
New implementation rules on data security and protection
Network Data Security Management Regulations
After the initial release of the original draft for public comments, the Network Data Security Management Regulations (the “Regulations”) were finally released in September 2024, and came into effect on 1 January 2025. The Regulations address important aspects of network data governance, enhancing and complementing the existing data protection framework under the Cybersecurity Law (CSL), the Data Security Law (DSL) and the PIPL.
Key areas in the Regulations that might impact businesses include the following.
Dealing with network security incidents
As cyber threats and data breaches continue to increase in China, the Chinese regulators are tightening the requirements on network security and the corresponding protection mechanisms, particularly the notification and reporting obligations. Businesses are required to take prompt remedial action and to notify the competent regulatory authorities of network security incidents. The Regulations mandate reporting within 24 hours for incidents that pose a risk to national security or the public interest, a shorter timeframe than the 48-hour period for reporting software vulnerabilities under the Regulations on Network Product Security Vulnerabilities Management.
In 2024, the rules on handling network security incidents were made clearer. For example, the Emergency Response Plan for Data Security Incidents in the Industrial and Information Technology Field (Trial), released by the Ministry of Industry and Information Technology (MIIT) and effective from November 2024, provides that data processors are responsible for the prevention and monitoring of, emergency response to, and reporting of data security incidents. Upon identifying an incident, data processors must first categorise its severity into one of the defined levels (extremely serious, serious, significant or general) and notify the relevant regulatory authority. They must then initiate an emergency response by declaring an emergency status, implementing data recovery or tracing measures, and conducting ongoing monitoring and analysis. Finally, a thorough investigation into the cause of the incident, an assessment of its impact, a summary of lessons learned and a comprehensive report are required.
Determination of important data
This was another key development in 2024. Under the current laws, important data is broadly defined as information that pertains to specific fields, groups or regions, or that reaches a certain level of precision and scale; if such data is leaked, tampered with or destroyed, it could directly harm national security, economic stability, social order, public health or safety.
Currently, as clarified under both the Provisions and the Regulations, the determination of important data rests with the relevant principal authorities. Businesses are obliged to identify and report such important data to the relevant principal authorities for final and official determination.
Nationally, regulators of some specific industries, such as the automotive sector, have established their own data security regulations, providing guidance on the identification of important data.
In addition, the recommended national standard, Data Security Technology – Rules for Data Classification and Grading (the “Standard”), came into effect in October 2024 and provided details for important data identification. The Standard suggested that data processors should first refer to the data classification and grading rules, or to the important data catalogues specified by the competent regulatory authorities in their respective industries, and then use the Standard to determine data levels and assess whether they meet the criteria of important data therein.
Moreover, MIIT released the Second Draft Guidelines for Identification of Important Data in the Industrial Field and the most recent Guidelines for Identification of Important Data in the Telecommunications Field. Both guidelines indicate that personal data related to certain groups, or sensitive personal data affecting over 100,000 individuals, may qualify as important data, underscoring the rising concern over the protection of large-scale personal data sets.
Personal Information Protection Compliance Audit (PIPCA)
The PIPL mandates that businesses conduct a PIPCA regularly or when required by regulators, particularly when personal information processing activities pose significant risks or following data security incidents. The 2023 Draft Measures on Personal Information Protection Compliance Audit Management (the “Draft Measures”) and the recommended national standard, Draft Data Security Technology – Personal Information Protection Compliance Audit Requirements (the “Draft Standard”), released in 2024, further supplemented and clarified the details under the current framework of the PIPCA.
The Draft Measures require businesses that process the personal information of more than one million individuals to conduct at least one PIPCA annually, while other data processors must perform such audits at least once every two years. The Draft Measures outline various aspects of Compliance Audits, including their types, applicable scope, frequency, triggering conditions, audit institutions, time frames, procedures and key focus areas. The Draft Standard further complements these measures by specifying key audit content, methodologies, structured audit workflows, etc.
Implementation of the PIPCA is accelerating, with full-scale roll-out on its way. Businesses should be prepared to have a PIPCA plan in place based on the forthcoming official PIPCA rules.
Increased focus on AI governance
In recent years, China has been working to balance the benefits and risks of the growth of AI technologies. To support this, the government has introduced national strategies to promote AI development, alongside laws, regulations and guidelines designed to regulate AI services offered to the public.
Draft Artificial Intelligence Law of the PRC
In 2024, China moved forward with AI laws and policies that are commensurate to the development of AI technologies. On 9 May 2024, the State Council’s Legislative Working Plan announced that the draft Artificial Intelligence Law will be reviewed by the Standing Committee of the National People's Congress. The first comprehensive law on AI in China is on the horizon.
Registration of generative AI services
Article 17 of the Interim Measures on Generative AI Services requires generative AI services with public opinion attributes or social mobilisation capability to undergo a security assessment and to register with the CAC and its local counterparts, in order to prevent security risks. The registration obligation applies not only to providers of generative AI services but also to companies that integrate third-party generative AI services into their own services. Generative AI services that fail to complete registration before going online may be shut down.
According to the CAC’s announcement of 8 January 2025, 302 generative AI services had been successfully registered with the CAC as of 31 December 2024, and a further 105 services that integrate third-party AI interfaces had also been registered. The registration process for these integrated services is simpler than the standard registration process.
National standards regarding the safety of AI services
In 2024, China issued the national standards for AI service security, showcasing the best compliance practices in generative AI business operation. These standards also serve as references for authorities in interpreting and enforcing related regulations.
Highlights of data assets and use
Data as an asset
On 1 January 2024, the Interim Provisions on Accounting Treatment for Enterprise Data Resources came into effect. These provisions allow data to be recorded as an asset on enterprises’ balance sheets and clearly define the scope of data resources and applicable standards.
As of the end of August 2024, public statistics show that 41 companies listed on stock exchanges in China had included data assets on their balance sheets, totalling approximately CNY1.3 billion and potentially improving their reported financial position. These companies are primarily in the information transmission, software and IT services, and manufacturing sectors. For example, an AI company whose value lies in intellectual property and data resources embedded in its AI models may lack tangible collateral, and can seek to use those data resources as an asset to obtain financing and ease capital constraints.
Despite this, companies still face uncertainties and challenges in listing data as an asset. Key issues include confirming data asset rights, protecting individual data security and privacy, and assessing the fair value of data. Most companies are currently observing early adopters and have not yet acted.
Data exploitation and utilisation
The National Data Bureau was established in late 2023 and took proactive measures in 2024 to facilitate data utilisation and monetisation. On 20 December 2024, the National Data Bureau and other departments issued the Opinions on Promoting the Development and Utilisation of Enterprise Data Resources. The document aims to protect enterprises’ legitimate rights in data collection, development, utilisation and benefit distribution.
On 30 December 2024, the National Development and Reform Commission, the National Data Bureau and other departments issued the Guiding Opinions to Promote the High-Quality Development of the Data Industry. The document highlights key stages of the data lifecycle, including data collection, storage, governance, analysis, trading, exploitation and security. For 2025, it calls for co-ordinated efforts between central ministries and local governments to implement the incentives outlined in the guidelines.
Law enforcement and judicial judgments
Regular inspections on apps, mini programs and software development kits (SDKs)
The governmental authorities continue to carry out compliance inspections on publicly available apps, mini programs and SDKs regarding personal information protection laws. The most common non-compliance issues include inadequate privacy policies, illegal collection of personal information, excessive device permission requests, and failure to respond to individuals’ requests for their personal information rights.
Judicial cases concerning AI are on the rise
In 2024, like the EU and the United States, China experienced a surge of disputes relating to artificial intelligence, marking several “first cases” in China. Most of these cases involve copyright issues. Landmark cases in 2024 include the following.
First case on cross-border transfer of personal information
In September 2024, the Guangzhou Internet Court released a civil case regarding a dispute concerning the cross-border transfer of personal information, which attracted wide attention. A Chinese citizen filed a lawsuit against a famous global hotel group and its Chinese affiliate (“Hotel”), challenging the legality of their cross-border data-sharing practices.
In this case, when the plaintiff joined the Hotel’s membership programme and booked a hotel stay through the Hotel’s app, the plaintiff provided personal information, including their name, contact details, nationality and payment information. Following the reservation, the plaintiff discovered that the personal information had been shared with foreign entities, including marketing partners and affiliates in several countries. The Hotel’s privacy policy, accessible upon registration, included a broad clause allowing cross-border data transfers, but did not specify which entities would receive the information or the purpose for each data transfer.
The Guangzhou Internet Court ultimately ruled in favour of the plaintiff, as follows.
This case serves as an important compliance reminder for multinational companies operating in China or processing Chinese individuals’ personal information, that even privacy policies adhering to international standards such as the GDPR may fall short in meeting PIPL compliance.
What to expect in 2025
Legal developments on data security and protection in 2025 will continue to be shaped by the need for domestic economic growth, technological innovation, and evolving global politics and interaction. The focus will remain on balancing the already robust data protection regime against the pressure to grow the domestic economy and foster technical innovation. In recent years, China has tended to follow EU legislative developments in addressing emerging data protection challenges and managing the risks arising from new technologies.
For multinational companies operating in China, it is worth keeping a close watch on the implementation of the Network Data Security Management Regulations, which give effect to the legal requirements under the three milestone laws, the CSL, the DSL and the PIPL. The development of the PIPCA, and regulations and judicial cases on the use of AI tools, also merit attention in 2025.
36th Floor, Shanghai One ICC
No. 999 Middle Huaihai Road
Xuhui District
Shanghai 200031
China
+86 21 2310 8288
+86 21 2310 8299
vincentwang@glo.com.cn www.glo.com.cn