Privacy and data protection provisions within the Chinese legal framework are scattered across laws and regulations at different legislative levels. In terms of specialised legislation on cybersecurity and data protection, China has established a comprehensive legal framework that includes several key laws and regulations – ie, the “Three Fundamental Laws”:

• the Cybersecurity Law (CSL; 网络安全法);
• the Data Security Law (DSL; 数据安全法); and
• the Personal Information Protection Law (PIPL; 个人信息保护法).

These operate together with the “Three Key Regulations”:

• the Regulations for the Administration of Network Data Security (RANDS; 网络安全数据管理条例);
• the Security Protection Regulations for Critical Information Infrastructure (关键信息基础设施安全保护条例); and
• the Regulations on the Graded Protection for Cybersecurity (Draft for Comments) (网络安全等级保护条例 (征求意见稿)).

The Three Fundamental Laws and the Three Key Regulations form the pillars of China's cybersecurity and data protection legal framework, with each addressing different aspects of data security and privacy.

The CSL was enacted on 1 June 2017 and forms the backbone of cybersecurity and data privacy protection legislation in China. The DSL came into effect on 1 September 2021 and is the fundamental law in the data security sphere, widely covering data security mechanisms, obligations and liabilities at both state administration and data processor level. The PIPL came into effect on 1 November 2021 and embraces the new era of personal information (PI) protection as well as corporate data protection compliance. The Three Key Regulations further detail the cybersecurity and data protection requirements set forth in the Three Fundamental Laws from different perspectives.

In addition to the specialised legislation, China's general legislation may also include provisions on privacy and data protection. Specifically, the Civil Code (民法典) plays a significant role in this regard. The Civil Code’s provisions relating to data privacy protections are basically consistent with the requirements provided in the Three Fundamental Laws, further solidifying the legal foundation for privacy and data protection in China. Data protection regulations on privacy are also scattered in:

• the Criminal Law (刑法);
• the Law on the Protection of Consumer Rights and Interests (Consumer Protection Law; 消费者权益保护法);
• the E-commerce Law (电子商务法);
• Several Issues Concerning the Application of Law in the Trial of Civil Cases Relating to the Use of Facial Recognition Technologies to Process Personal Information (最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定), etc.

Key Regulators

Since data regulation is a topic that impinges upon all industries, there is a wide range of law enforcement departments related to it, many of which have intersecting duties and authorities. There is no centralised regulatory body. Among all these regulators, the most important ones include:

• the Cyberspace Administration of China (CAC);
• the Ministry of Public Security (MPS); and
• the Ministry of Industry and Information Technology (MIIT).

Specifically, according to Article 8 of the CSL and Article 60 of the PIPL, the CAC is in charge of overall planning with regard to data protection and privacy, and co-ordinates the competent authorities. The MIIT, the MPS, the State Administration for Market Regulation (SAMR) and other industry regulators are in charge of law enforcement in the respective industries.

Moreover, it is noteworthy that the National Data Bureau, inaugurated in October 2023, is responsible for overseeing the integration, sharing and development of data resources, co-ordinating the construction of data infrastructure systems, and the planning and construction of digital China, the digital economy and digital society.

How Regulators Operate in Practice

When initiating administrative proceedings and enforcing the Three Fundamental Laws and other relevant laws and regulations, the competent authoritiesmust abide by the Law on Administrative Penalty (行政处罚法). The competent authorities should conduct investigations to ascertain the facts of the alleged violating acts before imposing punishment on anyone (Article 54). The penalised parties should be given opportunities to state their case and defend themselves (Article 7). The penalised party is entitled to a hearing in cases where the administrative punishment involves the suspension of business, rescission of a business permit or licence, or a large penalty (Article 63).

According to Article 7 of the Law on Administrative Penalty, a party that refuses to accept administrative penalties imposed upon it may first apply to the relevant administrative organ for a reconsideration. If the party is still dissatisfied with the reconsideration decision, it is entitled to initiate an action before the people’s courts. Unless otherwise stipulated by applicable laws requiring the exhaustion of administrative reconsideration before seeking judicial review, it may also initiate an action before the people’s courts directly.

Administrative Proceedings

Administrative proceedings initiated by regulators can be triggered in different ways, including:

• reporting – where users may report to the regulators mentioned in 1.2 Regulators and consumer protection organisations, and investigations are launched accordingly;
• regular and irregular inspections – where special projects that last several months are launched to target specific industries or pain points in cyberspace; and
• inquiries into data leakage events, network loopholes or other cybersecurity/data incidents.

In addition to the procedures of administrative proceedings described in 1.2 Regulators, public security departments must abide by the special rules provided for them under the Regulations for Internet Security Supervision and Inspection by Public Security Organs (公安机关互联网安全监督检查规定). For example, there must be at least two police officers in the event of an on-site inspection, and such law enforcement officers must keep any personal and private information that becomes known to them during an inspection confidential.

To oversee the administrative proceedings initiated by the CAC, the Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration Departments (“Enforcement Procedures”, 网信部门行政执法程序规定) came into effect on 1 June 2023, and set the rules on jurisdiction, evidence, enforcement, etc. In addition, the Provisions on Administrative Penalty Procedures for Industry and Information Technology Authorities (工业和信息化行政处罚程序规定) came into effect on 1 September 2023, emphasising the transparency of enforcement activities and protection of the penalised/inspected parties' lawful rights and interests.

Calculation of Administrative Fines

The competent authorities will determine the amount of any fine on a case-by-case basis, taking into consideration the severeness of the violating acts, infringements of legitimate rights and interests on individuals, any adverse impact on society, etc. According to Article 34 of the Law on Administrative Penalty, the administrative authorities may, in accordance with law, formulate discretion benchmarks for administrative penalties to regulate the exercise of such discretion. Such discretion benchmarks for administrative penalties shall be made public.

Under the PIPL, the penalties for violations may include an order of rectification, warning, confiscation of illegal earnings, or the suspension or termination of apps or services. For severe violations, the violator may be fined up to CNY50 million or 5% of its turnover of the previous year at the company level, and the person directly in charge will be fined up to CNY1 million. The company’s business licences and permits may also be revoked.

Depending on the nature and severity of the violation, different sanctions and penalties may be imposed by the CSL. For instance, non-compliance with the provisions related to PI protection under the CSL may result in orders to take rectification measures, warning, confiscation of illegal earnings, fines or a combination of these. The fine imposed should exceed the amount of illegal earnings but may not exceed ten times such earnings; if there are no illegal earnings, the fine may not be more than CNY1 million. The person directly responsible may be subject to a fine ranging from CNY10,000 to CNY100,000. In the case of a severe violation, the competent authority may order the suspension of related business, require the violators to undergo rectification, the shutdown of a website, and the revocation of the business licence of the operator or provider. It is worth noting that the revised draft of the CSL, released in September 2022, has increased the upper limits of the fines to align with those prescribed under the PIPL. For severe violation, the amount of the fine may be up to CNY50 million or 5% of the violator’s turnover in the previous year, and the person directly in charge may be fined up to CNY1 million.

The Enforcement Procedures set forth the following rules.

• A single illegal act shall not be subject to more than two fines. In cases where the act violates multiple legal provisions and should be sanctioned with fines, punishment shall be given in accordance with the provision on the high amount of fines.
• Administrative punishments may not be imposed if the violation was first-time and minor, the harmful consequence was minor, and the illegal act was promptly corrected. Similarly, administrative punishments shall not be imposed if the violation was minor and rectified in a timely manner, and has not resulted in any harmful consequence.

Among the administrative proceedings undertaken in recent years, violations punished by the administrative authorities include but are not limited to:

• failure to satisfy transparency requirements and the minimum necessary principle of PI processing;
• failure to obtain data subjects’ consent before PI collection;
• insufficient security management; and
• failure to detect security loopholes in network services.

The most notable cases in recent years involving such violations include the following.

• In 2022, the CAC fined leading Chinese ride-hailing company DiDi Chuxing approximately CNY8.02 billion, due to its significant violation of the CSL, the DSL and the PIPL in aspects including illegal and excessive collection of users' and drivers' PI, failure to clearly explain the PI processing activities to individuals, etc.
• In September 2023, the CAC imposed an administrative fine of CNY50 million on China National Knowledge Infrastructure (CNKI), a well-known Chinese online platform, for its alleged unauthorised and excessive PI collection, lack of a public privacy policy and options for account cancellation, and failure to retain PI for the shortest necessary period of time.
• In June 2024, the National Financial Regulatory Administration announced that Bank of Communications was fined CNY1.6 million for data breaches such as security and operation management loopholes, insufficient disaster recovery management, etc.

Recent Developments in AI Regulation and Implications for Data Protection

China has taken agile legislative action to effectively address the regulatory, legal and ethical challenges posed by AI technology by building and implementing a comprehensive AI regulatory framework in recent years. The Interim Measures for the Administration of Generative Artificial Intelligence Services (“AIGC Measures”; 生成式人工智能服务管理暂行办法) came into effect on 15 August 2023 and expressly outline the regulatory framework for AI-generated content (AIGC) technology, encompassing various stages such as model training, application deployment and model optimisation, and multiple subjects like AIGC developers, service providers and users. AIGC service providers shall conduct an AIGC filing according to the AIGC Measures, as well as an algorithm filing according to the Administrative Provisions on Algorithm Recommendation for Internet Information Services (“Algorithm Provisions”; 互联网信息服务算法推荐管理规定), and the competent authorities will review such AIGC services from a cybersecurity and PI protection perspective, among others.

The Measures for Review of Scientific and Technological Ethics (Trial) (科技伦理审查办法(试行)), which came into effect on 1 December 2023, demonstrate China’s significant attention to technology development as well as ethical reviews of AI. Regarding the specific application of AI technology, as stipulated by the Administrative Provisions on Deep Synthesis in Internet-Based Information Services (互联网信息服务深度合成管理规定), contents generated by deep learning or other new technologies must be identified in a noticeable way and shall be reviewed technically or manually to avoid infringements of the rights and interests of data subjects.

In 2024, China continued to formulate relevant standards and technical documents for AIGC governance. In September 2024, the National Information Security Standardisation Technical Committee (TC260) issued the Artificial Intelligence Security Governance Framework (人工智能安全治理框架), which is designed to promote consensus and co-ordination among governments, international organisations, enterprises and other stakeholders regarding AI governance. The development of AI governance in China is further demonstrated by:

• the Basic Security Requirements for Generative Artificial Intelligence Service (TC260-003 生成式人工智能服务安全基本要求), released in February 2024;
• the Notice of the CAC on Seeking Public Comments on the Measures for Labelling Artificial Intelligence Generated Synthetic Contents (Draft for Comment) (人工智能生成合成内容标识办法(征求意见稿)), released in September 2024; and
• the Guidelines for Emergency Response to Generative Artificial Intelligence Service Security Incidents (Draft for Comment) (生成式人工智能服务安全应急响应指南(征求意见稿)), released in December 2024.

Safeguards Provided for Data Protection

With regard to data protection in the context of the use of AI systems, all phases related to AIGC services need to comply with the corresponding legal requirements for data protection.

For instance, regarding the phase of model training, AIGC developers and AIGC service providers are legally required to use data with lawful sources, to formulate clear data annotation rules and to take effective measures to ensure the authenticity, accuracy, objectivity and diversity of the training data and properly fulfil the data protection obligations (Articles 7 and 8 of AIGC Measures).

Regarding the phase of application operating, certain data protection risks concerning the reliability and robustness of the services, as well as issues related to transparency, necessity, etc, of data processing, may arise out of content generation, data analysis and processing, and AIGC service provision. Based on that, AIGC service providers shall assume responsibility for protecting the collected data and the information input by users, as well as performing their legal obligations as PI handlers. These obligations include:

• collecting only necessary PI;
• addressing individuals’ requests to exercise their rights; and
• preventing the unlawful retention or disclosure of users' input data and usage records to third parties.

Relevant technical measures shall also be taken to enhance the safety, stability and sustainability of services and ensure the normal use of users (Articles 9, 11 and 13 of AIGC Measures).

How AI Regulation Affects Data Protection in China

AI regulation and data protection are closely intertwined in China, where both are governed by legal frameworks designed to balance technological innovation with privacy and data protection. The data compliance issues associated with the entire lifecycle of AIGC, including but not limited to key stages such as model training, service provision and model optimisation, are complex and typically involve multiple parties, such as AIGC developers, service providers and service users, which poses significant challenges for privacy and data protection.

In key data protection regulations in China, specific provisions have been formulated to address AI development while simultaneously ensuring a balance between innovation and data protection, and safeguarding privacy associated with AIGC technologies. For instance, the RANDS provide that, insofar as the training data and processing activities thereof are concerned, the network data handlers providing AIGC services shall fulfil relevant security management obligations (Article 19 of the RANDS). Moreover, the increasingly rapid development of AI technology also drives competent authorities to further incorporate AI regulation into the legal framework of data protection. Action Plan for the Construction of Information Standards (2024–2027) (信息化标准建设行动计划(2024–2027年)) was released on 24 May 2024 and has expressly made AIGC related technical standards a key focus for future legislation.

Interplay Between AI-Related Laws and Data Protection-Related Laws

On one hand, the essential data protection laws (including the Three Fundamental Laws and the Three Key Regulations) are applicable to all data processing activities under AI-related scenarios. AIGC developers and service providers should also comply with such essential data protection laws when carrying out data processing activities. For instance, both the PIPL and the DSL require data minimisation and purpose limitation (in Article 6 of the PIPL and Article 32 of the DSL, respectively), which directly affects how AI models are trained. AI systems that process PI must ensure that users can exercise their rights as set out under the PIPL, such as the right to withdraw consent or request data deletion (Articles 15 and 47 of the PIPL). AI systems must incorporate robust security measures to prevent breaches of PI as set out in Article 27 of the DSL and Article 51 of the PIPL; as a result, AIGC service providers shall build these features into their platforms to comply with such data protection requirements. If AIGC services involve cross-border data transmission, the legal requirements on cross-border data transfer (CBDT) shall also be followed.

On the other hand, in some cases, the AI-related laws specify and complement the data protection requirements in the context of AI. For instance, Article 7 of the AIGC Measures provides that AIGC service providers shall ensure the lawfulness of the training model and data sources when processing training data, and data subjects’ consent shall be obtained if any PI is involved. In addition, echoing the relevant requirements in the PIPL, Article 11 of the AIGC Measures also specifies that users’ PI shall be collected based on the minimum necessary principle, and any illegal use, storage or provision is not allowed. Moreover, AIGC service providers shall timely address and respond to users’ requests to exercise their PI-related rights to access, copy, correct, supplement, delete, etc.

In China, AI regulation and data protection laws, including the PIPL and the AIGC Measures, are designed to complement each other, thereby fostering innovation of AI systems and maintaining respect for individuals' rights. The PIPL focuses on PI protection, whereas AI-related laws such as the AIGC Measures aim to regulate AI systems in a manner that ensures safety, accountability and ethical considerations. Together, they create a comprehensive regulatory structure that guides the responsible development and deployment of AI while safeguarding privacy and data protection rights.

In China, the majority of PI protection litigation cases are public interest litigation. In 2023, procuratorial organs in China handled more than 6,300 public interest lawsuits on PI protection. China also allows individuals to initiate private litigation, and the legal bases for an individual to initiate private litigation mainly include the Civil Code, the Consumer Protection Law, the CSL and the PIPL.

The number of privacy litigation cases brought by individuals has increased rapidly in recent years. According to announcements by the Beijing Internet Court, it received a total of 113 cases related to PI protection disputes between October 2023 and October 2024. In contrast, merely 58 such cases were handled by the same court in the past five years leading up to 2023. This increase highlights a rapid growth trend in PI protection dispute cases.

One of the most noteworthy cases reflecting the impact of international developments on domestic litigation is the first case related to CBDT issues announced by Guangzhou Internet Court (further discussed in 2.2 Recent Case Law). Along with international economic and business developments, CBDT issues have become the focus of data subject attention, and a rise in privacy litigation involving CBDT is expected in the coming year.

One privacy litigation case worth noting involved an individual customer suing a European hotel group for infringement of their PI rights and interests due to CBDT.

In this case, regarding disclosure and transparency requirements, the Guangzhou Internet Court decided that the scope of recipients and the geographical regions are not clearly stated in the privacy notice, and data subjects are not explicitly informed where their PI will be transmitted or how it will be processed, which fails to comply with Articles 7 and 17 of the PIPL. Regarding the legal basis for such CBDT, the court affirmed that intragroup sharing of customers’ PI via the hotel’s central booking system to the overseas booked hotel and the global headquarters is legitimate and necessary for hotel management.

However, the court ruled out the legitimacy of transferring the customer’s PI to intragroup marketing departments and external business partners for the purpose of “marketing”, as it is not “necessary for performing the contract”, and thus the hotel group is still legally required to obtain the customers’ separate consents on such CBDT in accordance with the laws. Since the hotel failed to obtain the customer's separate consent, the court held that the hotel's data processing activities have not obtained adequate legal basis and are thus illegal, and ruled that the hotel should bear the corresponding infringement liability, which includes compensation for damages, the deletion of relevant PI and an apology to the individual.

Article 70 of the PIPL establishes the mechanism of public interest litigation for PI infringement. Where any PI handler processes PI in violation of the PIPL, which infringes upon the rights and interests of a large number of individuals, a lawsuit may be brough to a people's court in accordance with the law by:

• the People's Procuratorate;
• the consumer organisations specified by law; and
• the organisations determined by the CAC.

In the past few years, the number of public interest litigation cases regarding PI protection has increased year by year. For example, prosecutors handled over 2,000 cases in 2021 and this number surged to more than 6,300 cases in 2023. This upward trend reflects the growing frequency of legal actions concerning PI protection initiated by prosecutors and shows the great importance attached to PI protection.

Objectives of Data Regulation

In China, regulations addressing the use of IoT services and the rights and obligations of data holders and data processing services are primarily shaped by a combination of data protection laws, regulations and industry-specific guidelines – ie, the Three Fundamental Laws and certain industrial measures and/or standards, such as:

• the Measures on Safety Evaluation for Cloud Computing Services (云计算服务安全评估办法);
• Information Security Technology – Security Technical Requirements of Data Transmission for IoT (GB/T 37025-2018信息安全技术—物联网数据传输安全技术要求);
• Notice of the Pilot Programme of Vehicle-Road-Cloud Integration Application for Intelligent Connected Vehicles (关于开展智能网联汽车”车路云一体化”应用试点工作的通知);
• Guidelines for the Construction of Network Security and Data Security Standard System for Telematics (车联网网络安全和数据安全标准体系建设指南), etc.

Through the above regulations, China aims to protect the security and privacy of data collected through IoT devices, which may include PI, important data (ie, data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc, the specific scope of which is stated in the catalogues of important data formulated by the national, regional and other relevant departments) and other sensitive information that may be generated, stored or transmitted via IoT devices.

China also promotes the secure use and free flow of such data involved in IoT services, promotes the availability and accessibility of data, and enhances the activity of the data-driven economy, as set out under the Opinions on Building a Basic Data System to Better Play the Role of Data Elements (“Opinions”; 关于构建数据基础制度更好发挥数据要素作用的意见).

Scope of Data Regulation

The main scope of regulations on IoT services, data holders and data processing services is as follows.

• The CSL emphasises the security of network and information infrastructure from the perspective of technology, and applies to any IoT service that operates on a network. It imposes requirements for network operators, which could be either data holders or data processing service providers, to ensure the security of their networks, including IoT devices.
• The PIPL focuses on how the data handlers collect, store, use and process the PI generated by IoT devices, and applies to data holders and data processing service providers who collect and process PI in China.
• The DSL is another key law addressing data security, which covers not only PI but also general data in the course of IoT services provision, especially for “important data” generated or processed by IoT services.
• Other industrial measures and/or standards (the Measures on Safety Evaluation for Cloud Computing Services, Information Security Technology – Security Technical Requirements of Data Transmission for IoT, etc) collectively depict the roadmaps for the pre-assessment and stringent supervision of the technologies, infrastructures and other key aspects of cloud computing service platforms involved in IoT services.

• In terms of facilitating data use, the Opinions unveil orientations and guidelines to promote efficient data circulation. A data ownership affirmation mechanism shall be established, in which the legal rights enjoyed by all participants in the process of data production, circulation and use, including data holders and data processing service providers, shall be defined. As far as corporate data that does not involve PI and public interests is concerned, the relevant parties may legally enjoy the rights and interests to hold, use and obtain profits from such data. Regarding PI, a corresponding authorisation mechanism shall be established to collect, hold, host and use PI according to the scope of individual authorisation, so as to promote the rational use of PI. Data holders, data processing service providers and other relevant stakeholders may legally carry out business co-operation and circulate data, sharing the dividends of the digital economy.

The interplay between data regulation and data protection requirements in China is complex but complementary. On one hand, data protection laws such as the Three Fundamental Laws govern the legality, legitimacy and necessity of data processing, as well as the protection of the rights and interests of data subjects involved in IoT services. On the other hand, broader data regulation framework – including the industry-specific regulations and guidelines – aims to oversee specific industries and types of data usage, ensuring that data protection principles are applied in various contexts, particularly in critical sectors such as IoT. Together, they provide a comprehensive approach to ensure cybersecurity and promote data and privacy protection.

The above legal frameworks collectively address different aspects of data handling in China. However, they share unified objectives of safeguarding data privacy, enhancing security and ensuring accountability in the digital age. The Three Fundamental Laws serve as the primary regulation governing data protection, while other industry-specific laws built on the foundation of the Three Fundamental Laws ensure that data is handled responsibly, transparently and in compliance with privacy rights in IoT scenarios. Data holders (which may include IoT service providers and data processors) and data processing service providers in China must navigate the aforementioned multiple frameworks to ensure the protection of user privacy and compliance with stringent data security requirements.

IoT service providers and data processing service providers in China must navigate a complex regulatory framework to ensure compliance with data protection and cybersecurity requirements. The main obligations arising from the applicable laws and regulations regarding the use of IoT services and data processing services are as follows.

• The CSL sets out that network operators (which may include IoT service providers as well as data processing service providers, which are often involved in IoT operations as cloud service providers) shall ensure the security of networks, comply with cybersecurity obligations in relation to multi-level protection schemes (MLPS), take all necessary remedies and timely report any cybersecurity incidents to relevant authorities (Articles 21, 25 and 42). If the network operator is a Critical Information Infrastructure Operator (CIIO), it must comply with stringent security requirements to protect the infrastructure from cyber-attacks (Article 34).
• Pursuant to the DSL, while carrying out data processing activities related to IoT services and data processing services, a sound data security management system shall be established throughout the whole process, including carrying out data security training and corresponding security measures (Article 27). Moreover, IoT service providers and data processors shall meet the obligations for the protection of important data collected through IoT devices and generated/processed by IoT services, including designating a responsible person, conducting regular risk assessment and reporting to competent authorities, etc (Articles 27 and 30).
• Obligations for IoT service providers as provided by PIPL mainly include complying with the minimum necessary principle (Article 6), satisfying the transparency requirement (Article 17) and obtaining valid legal basis for collection and processing of PI (Article 13). IoT device users should also be informed of their PI-related rights. In the event of any CBDT, the relevant obligations in relation to CBDT as provided in 5.1 Restrictions on International Data Transfers shall also be fulfilled by IoT service providers. Data processing service providers usually act as the entrusted party under the PIPL and thus shall process PI according to the purposes, methods, etc, as stipulated in the agreement with the PI handler. In addition, the entrusted party shall not delegate the PI processing to others without the consent of the PI handler (Article 21).

Key regulators of IoT services and data processing services include the CAC, the MIIT and the MPS. The CAC is in charge of the overall planning of data protection and privacy, and the co-ordination of the competent authorities. The MIIT is the industry authority for IoT services and is responsible for the development of industry regulations and enforcement in the field of IoT. As IoT services involve network operations, the MPS, as the enforcement authority of CSL, is responsible for managing and enforcing the relevant requirements under the CSL.

In some cases, other departments (eg, the SAMR) may become responsible for enforcing the data regulation under certain circumstances, such as anti-unfair competition in IoT service provision.

Under the CSL and PIPL regimes, the use of cookies is usually regarded as the collection of PI, which must comply with PI protection-related requirements. According to Article 5 of the PIPL, the collection and use of PI must follow the principles of legality, legitimacy and necessity, which means that the use of cookies for user information collection must comply with these principles. Individuals must be truly, accurately and completely informed about the use of cookies in a prominent manner and in clear and understandable language, and the explicit consent of users must be obtained in accordance with Articles 13 and 17 of the PIPL. The use of cookies should also follow other general principles of data minimisation and data security protection. Furthermore, if cookies are collected and used for behavioural or targeted advertising that has not been agreed to by the data subjects (and no other legal basis exists), that collection and use of cookies would be deemed illegal.

The Advertising Law (广告法) is the fundamental law that regulates advertising. The Measures for Administration of Internet Advertising (互联网广告管理办法) apply to online marketing. The sender must obtain consent to, or a request for, advertising from the recipients, and the sender must also disclose their true identity, contact details and the opt-out method for advertisements distributed via electronic means.

In addition, since online marketing, particularly behavioural and personalised advertising, is normally based on the analysis of PI collected from users, regulations on PI collection and use must be observed. To begin with, PI may not be collected or used for personalised advertising if the PI subjects have not agreed to this. Pursuant to Article 24 of the PIPL, if business marketing or push-based information delivery is conducted towards an individual by means of automated decision-making, an option not targeting the personal characteristics of the individual, or an easy way to refuse to receive this, must be provided to the individual. In addition, according to the Information security technology – Personal information security specification (GB/T 35273–2020 信息安全技术 个人信息安全规范), the use of indirect user profiling generated from PI that is not from particular persons is recommended for online marketing, rather than direct user profiling. Also, where a personalised display is used for online marketing, an option to turn the function off and to delete or anonymise the PI used for such a personalised display should be provided to the users.

Currently, there is no special data privacy law or regulation regulating the employment relationship. The PI of an employee is subject to the same PI protection regime as that of any other regular person. The employee PI protection is governed by the Employment Law (劳动法), the Employment Contract Law (劳动合同法), the CSL, the PIPL and other relevant laws and regulations governing PI. These laws have the following implications for the employment relationship.

Employee Data Protection

Under the PIPL, employers must ensure that they collect, store and process employee PI in compliance with the legal requirements – eg, employees must be informed about how their PI will be collected, processed or shared. An employer must have at least one legal basis for processing employees' PI. These legal bases may include obtaining employees' consent or processing such PI as necessary for human resources (HR) management under labour rules and collective agreements lawfully entered into, etc. If the processing of employees' PI is specified in the employer's lawfully established labour rules or in a legally executed labour contract, and can be defined as being necessary for HR management, then it is generally considered that the employer does not need to obtain the employee's consent for such PI processing. However, if the processing of such PI cannot be adequately justified as being necessary for HR management, the employer still should obtain the employee's consent (including separate consent if applicable) as required by the PIPL.

Employers should also follow the data processing principles of lawfulness, legitimacy, necessity and data minimisation. Employers must ensure employees' privacy-related rights, and adhere to other general requirements for PI processing, such as taking appropriate security measures to safeguard PI.

CBDT of Employee PI

Employers that intend to transfer employees’ PI outside of China must adhere to specific restrictions and requirements as set out under the PIPL. This could have significant implications for multinational companies, particularly those with operations both in China and abroad, as it is common practice for such companies to conduct intragroup sharing of employees’ PI.

According to Article 5.2 of the Provisions on Facilitating and Regulating Cross-border Data Flows (“CBDT Provisions”; 促进和规范数据跨境流动规定), where it is necessary to outbound transfer employees' PI for the purpose of conducting cross‑border HR management in accordance with the labour rules and regulations formulated and collective contracts concluded in accordance with the laws, companies are exempt from submitting applications of security assessment, obtaining certification from the approved agencies or filing for standard contractual clauses.

For transferring employee PI abroad, employers still need to obtain legal basis for such CBDT and to meet the disclosure obligations in accordance with Article 39 of the PIPL. On the other hand, employers will be exempted from submitting CBDT application procedures for outbound transfers of employees’ PI that are necessary for HR management, thereby significantly reducing the compliance burden borne by employers.

Employer Liability and Accountability

The PIPL and related regulations hold employers accountable for how they handle employee PI. If employers illegally mishandle or misuse employee PI, they could face severe penalties, including fines, restrictions on operations or even legal actions by employees. To avoid such risks, employers need to revise their HR policies to ensure data privacy compliance in employee onboarding, performance evaluations and resignation procedures. Employers shall also provide training for HR staff to understand the legal obligations around employee PI handling. Stringent security measures shall be taken to protect employees' PI from breaches, which also impacts the company's internal practices and operations.

Challenges for Employers

The evolving regulatory legal framework of data privacy is shaping the employment relationship by balancing the protection of employees’ PI against the operational needs of employers. Employers are required to adopt more robust data protection measures and to enhance transparency in their management of employees’ PI. This presents new challenges for employers, such as increased costs associated with implementing data protection efforts and introducing legal complexities. Multinational companies with operations in China must navigate the intricate landscape of data protection laws across multiple jurisdictions. Such companies may also encounter difficulties in aligning and harmonising the data privacy practices concerning their global business operations.

All forms of data or PI processing activities occurring in asset deals shall be governed by the DSL and the PIPL. The requirements and obligations set forth under the DSL and the PIPL for data and PI processing shall be complied with accordingly. Specifically, with regard to any transfer of PI due to merger, division, dissolution or declaration of bankruptcy, etc, Article 22 of the PIPL specifies additional disclosure requirements that relevant data subjects shall be informed of the name and contact information of the PI recipient. In the event of any changes to the original purpose and method of data processing by the PI recipient, consents from the concerned data subjects shall be re-obtained.

According to the CSL, PI collected by CIIOs during their operations in China must be stored within Chinese territory. Where there is a need to transfer such information overseas, a security assessment shall be conducted. The PIPL expands the applicable scope of security assessment. A suitable CBDT mechanism shall be implemented before PI can be transferred overseas. So far, the importing of data from overseas to China has not been the focus of the administration.

The PIPL provides three routes for CBDT compliance:

• obtaining approval for CAC security assessment;
• being certified by the recognised agencies; or
• concluding standard contractual clauses with the overseas recipient.

According to the Measures for the Security Assessment of Data Cross-Border Transfer (“Outbound Measures”; 数据出境安全评估办法), the security assessment mainly covers the legality, legitimacy and necessity of the purpose, scope and method of the outbound transfer of data. It also includes:

• an impact analysis of the policies and regulations on data security and the network security environment of the country or region where the overseas recipient is located;
• the data protection level of the overseas recipient;
• the quantity, scope, type and sensitivity of the data;
• risk of leakage, tampering, loss, damage, etc;
• protection of data security and the rights and interests of PI subjects; and
• legal documents between the data handler and the overseas recipient, etc.

The certification mechanism mentioned in the PIPL is finalised by the Technical Specification for Certification of Cross-Border Transfers of Personal Information V2.0 (网络安全标准实践指南–个人信息跨境处理活动安全认证规范V2.0). The Measures for Certification of Personal Information Protection for Outbound Transfer of Personal Information (Exposure Draft) (个人信息出境个人信息保护认证办法(征求意见稿)) were released on 3 January 2025, further regulating the certification of mechanisms for the outbound transfer of PI.

As for standard contractual clauses, the Measures for the Standard Contracts for Outbound Transfer of Personal Information (个人信息出境标准合同办法) came into effect on 1 June 2023.

Regarding derogations, Article 38 of the PIPL allows the provision of PI according to international treaties or agreements concluded or acceded to by China. Furthermore, the CBDT Provisions that came into effective on 22 March 2024 provide for the following scenarios that are exempt from the CBDT application procedures:

• CBDT that does not contain PI or important data;
• where data handlers transfer PI collected and generated overseas after being processed domestically without involving domestic PI or important data in the process;
• for the establishment or performance of contracts to which individuals are parties;
• in implementing cross-border HR management based on legally formulated labour rules and collective contracts;
• in emergency situations to protect the life, health and property safety of natural persons; and
• where a non-CIIO data handler provides PI of fewer than 100,000 individuals (excluding sensitive PI) to an overseas recipient since January 1 of the same year.

With the goal of stabilising the economy and promoting development, the CBDT Provisions responded to companies’ expectations and have substantially facilitated CBDT and alleviated companies’ compliance burden.

The cross-border transfer of PI and important data is regulated under the Three Fundamental Laws. CIIOs are required by the CSL to conduct a security assessment prior to the cross-border transfer of PI and important data. With respect to important data, data handlers are required by the DSL to abide by the regulations or measures issued by a certain authority, which refers to the Outbound Measures. In addition, the CBDT of certain specially regulated data (eg, human genetic resources information) is subject to specific regulatory rules provided in certain fields and may require government approval, according to applicable regulatory rules for the CBDT of such data.

For non-CIIOs transferring PI, refer to 5.1 Restrictions on International Data Transfers.

In China, the first and foremost data localisation requirement is that national secrets are not allowed to be transferred overseas. Secondly, PI and important data collected by CIIOs in the course of their operations in China are required to be stored domestically, and a security assessment is required for CBDT. Data handlers who are not CIIOs but process PI reaching a certain volume threshold or who collect important data are required to undergo a security assessment. There are also localisation requirements for specially regulated business data, including relating to the following:

• credit information;
• personal financial information;
• map data;
• essential tech equipment required for online publication services;
• data and information related to car hailing services;
• health information of the population; and
• insurance data and fiscal data.

In principle, such data must be stored within the Chinese territory (excluding the Hong Kong, Macau and Taiwan regions) and may not be freely transferred overseas. Where it is necessary to transfer such data overseas, special requirements for each type of information shall apply, such as obtaining approval from the competent authorities.

According to Article 36 of the DSL, organisations may not provide any foreign judicial or law enforcement body with any data stored within the territory of China without the approval of the competent authority. With respect to internal investigations, the restrictions on data collection and CBDT as mentioned in 5.1 Restrictions on International Data Transfers shall apply.

In addition, the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and Other Measures of the People’s Republic of China (“the Rules”; 阻断外国法律与措施不当域外适用办法) were released by the Ministry of Commerce of the People’s Republic of China (MOFCOM) on 9 January 2021, with immediate effect. According to Article 36 of the DSL, companies or individuals may not provide data stored within the territory of China to foreign judicial or law enforcement agencies as requested, unless approved by the competent authorities. The Rules are considered to be China’s blocking statute and have set up a relatively comprehensive anti-economic sanctions system to deal with the long-arm jurisdictions of certain countries and regions.

Legislation regulating CBDT in China has been actively evolving in recent years. Specifically, for the purposes of facilitating data flow and promoting foreign investments, and pursuant to Article 6 of the CBDT Provisions, under the framework of the national system for classified and hierarchical protection of data, pilot free trade zones may, at their own discretion, formulate lists of data that need to be included in the scope of CBDT application procedures (“Negative List”).

In May and August 2024, and February 2025, Tianjin, Beijing Shanghai and Hainan Pilot Free Trade Zones respectively released their Negative List as well as relevant supporting measures. In these free trade zones, only the CBDT of data listed on the Negative List conducted by companies still requires CBDT application procedures, and CBDT application procedures can be exempted for transferring data not listed on the Negative List.

In addition to the Negative List, local governments are also exploring other initiatives to facilitate the flow of data. For example, the Implementation Guidelines for Standard Contracts on Cross-Border Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (粤港澳大湾区个人信息跨境流动标准合同实施指引) were issued to facilitate data flow among companies within the Greater Bay Area.

In November 2024, aiming to encourage a more efficient, convenient and collaborative approach for international data flows, the CAC issued the Global Data Cross-Border Flow Co-operation Initiative (全球数据跨境流动合作倡议), advocating for the principles of “openness, inclusiveness, security, co-operation and non-discrimination” towards all international stakeholders.

The above underscores the Chinese government's objectives to stabilise the economy and enhance the facilitation of international data transfers.