Data Protection & Privacy 2026

Last Updated March 10, 2026

China

Law and Practice

Author
Zhong Lun Law Firm is one of the largest full-service law firms in China, with over 400 partners and more than 2,200 professionals, and offices in Beijing, Shanghai, Shenzhen and other major cities in China and around the world. The firm’s cybersecurity and data protection team is an industry leader in China, with a wealth of experience in fields such as cybersecurity, data security and personal information protection. The partners are frequently invited to participate, as legal experts, in the legislative process relating to cybersecurity and data protection legislation. Actively practising in the technology and telecommunications industries in the past two decades, and providing professional legal services to a large number of multinational clients that embrace the challenges of digitalisation, Zhong Lun has accumulated profound experience and developed a unique system of project compliance processes to assist in solving domestic and cross-border data protection issues.

Privacy and data protection provisions within the Chinese legal framework are scattered across laws and regulations at different legislative levels. In terms of specialised legislation on cybersecurity and data protection, China has established a comprehensive legal framework that includes several key laws and regulations – ie, the “Three Fundamental Laws”:

  • the Cybersecurity Law (CSL; 网络安全法);
  • the Data Security Law (DSL; 数据安全法); and
  • the Personal Information Protection Law (PIPL; 个人信息保护法).

These operate together with the “Four Key Regulations”:

  • the Regulations for the Administration of Network Data Security (RANDS; 网络安全数据管理条例);
  • the Security Protection Regulations for Critical Information Infrastructure (关键信息基础设施安全保护条例);
  • the Regulations on the Protection of Minors Online (未成年人网络保护条例); and
  • the Regulations on the Graded Protection for Cybersecurity (Draft for Comments) (网络安全等级保护条例 (征求意见稿)).

The Three Fundamental Laws and the Four Key Regulations form the pillars of China’s cybersecurity and data protection legal framework, with each addressing different aspects of data security and privacy.

The CSL was enacted on 1 June 2017 and forms the backbone of cybersecurity and data privacy protection legislation in China. It underwent its first revision in 2025, which took effect on 1 January 2026, achieving co-ordinated integration with the DSL and the PIPL. The DSL came into effect on 1 September 2021 and is the fundamental law in the data security sphere, widely covering data security mechanisms, obligations and liabilities at both state administration and data handler level. The PIPL came into effect on 1 November 2021 and embraces the new era of personal information (PI) protection as well as corporate data protection compliance. The Four Key Regulations further detail the cybersecurity and data protection requirements set forth in the Three Fundamental Laws from different perspectives.

In addition to the specialised legislation, China’s general legislation may also include provisions on privacy and data protection. Specifically, the Civil Code (民法典) plays a significant role in this regard. The Civil Code’s provisions relating to data privacy protections are basically consistent with the requirements provided in the Three Fundamental Laws, further solidifying the legal foundation for privacy and data protection in China. Data protection regulations on privacy are also scattered in:

  • the Criminal Law (刑法);
  • the Law on the Protection of Consumer Rights and Interests (Consumer Protection Law; 消费者权益保护法);
  • the E-commerce Law (电子商务法); and
  • the Provisions of the Supreme People’s Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Relating to the Use of Facial Recognition Technologies to Process Personal Information (最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定), etc.

Extraterritorial Reach

The PIPL has an extraterritorial effect on overseas PI processing activities, when the processing is for the purpose of providing products or services to, or analysing individuals within, China. The extraterritorial application of the DSL will be triggered where data processing activities conducted outside the territory of China harm its national security, public interests, or the lawful rights and interests of its citizens or organisations. The newly amended CSL expands its extraterritorial application, stipulating that overseas organisations and individuals engaged in activities endangering China’s cybersecurity shall be held legally accountable, and, where serious consequences are caused, measures such as freezing assets or other necessary sanctions may be imposed.

Interplay With Other Laws Governing Non-Personal Data, Cyber and AI

The interplay between PI protection laws and other laws governing non-personal data, cyber and AI in China is complex but complementary. The DSL establishes uniform baseline security management requirements for all types of data, including both personal and non-personal data. The CSL serves as the fundamental law for cyberspace governance and is designed to protect network operation security, network information security, and PI involved in network operations. With regard to AI-related laws, on one hand, the essential data protection laws (including the Three Fundamental Laws and the Four Key Regulations) are applicable to all data processing activities under AI-related scenarios. On the other hand, the AI-related laws specify and complement the data protection requirements in the context of AI.

Together, the PI protection laws and other laws governing non-personal data, cyber and AI provide a comprehensive approach to ensure cybersecurity and promote data and privacy protection. The above legal frameworks collectively address different aspects of data handling in China. However, they share unified objectives of enhancing cyber and data security and ensuring accountability in the digital age.

General Principles and Requirements

The core principles for processing PI established by the PIPL include the following:

  • legality, legitimacy, necessity and good faith;
  • purpose limitation and data minimisation;
  • transparency;
  • data accuracy; and
  • accountability.

Under these principles, the PIPL sets forth a series of specific compliance requirements, including obligations to notify data subjects, obtain appropriate legal bases, implement PI security safeguards and incident response measures, as well as to fulfil specific obligations regarding cross-border data transfer (CBDT).

Data Subjects’ Rights

The PIPL provides PI subjects with the right, in relation to their data, to know, decide, restrict, refuse, access, copy, make portable, rectify, delete, and withdraw their consent. In addition, PI subjects are also provided with related rights on automated decision-making.

The right to data portability states that where PI subjects request to transfer their PI to another designated PI handler, such request shall be fulfilled by PI handlers when prescribed conditions are met.

Main Compliance Requirements for Organisations

To ensure compliance with the requirements of the PIPL, organisations should implement, at a minimum, the following compliance measures.

  • Conduct data mapping due diligence of PI processing activities; identify whether the obligation to inform data subjects has been fulfilled and appropriate legal bases have been obtained. Identify CBDT scenarios and evaluate whether the corresponding obligations have been fulfilled.
  • Carry out classified and graded management of PI.
  • Establish internal management policies and operational procedures.
  • Implement appropriate technical security measures.
  • Formulate and implement an emergency response plan. Take remedial action and make the necessary reports in the event of a PI breach.
  • Designate a PI protection officer where the legal threshold for doing so is met.
  • Conduct PI compliance audits.
  • Perform a PI Protection Impact Assessment (PIPIA) prior to engaging in specific processing activities.

Under the PIPL, PI that is likely to result in damage to the personal dignity of any natural person or damage to their personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the PI of minors under the age of 14, is defined as sensitive PI.

Compared to general PI, sensitive PI is subject to more stringent protection requirements. It may be processed only for a specific purpose, where sufficiently necessary, and after strict protection measures have been taken.

According to Article 28 of the PIPL and the GB/T 45574-2025 Security Requirements for Sensitive Personal Information Processing (GB/T 45574-2025 敏感个人信息处理安全要求), the following constitute sensitive PI:

  • health data;
  • data about political/religious orientation;
  • data on criminal convictions; and
  • PI of minors under the age of 14.

The processing of such data requires the separate consent of the individual. In addition to the general notification items stipulated by the PIPL, the individual must also be informed of the necessity of processing the sensitive PI and its impact on their rights and interests. For processing the PI of minors under the age of 14, the consent of the minor’s parents or other guardians must be obtained, and dedicated PI processing rules shall be formulated.

Regarding other special categories of PI, such as personal financial data and genetic data, their processing is governed by separate legislation or sector-specific laws and regulations.

Under the PIPL, “anonymisation” refers to the processing of PI in a manner that makes it impossible to identify certain natural persons and so that it cannot be recovered. Once data meets this standard, it is no longer considered PI, and its subsequent use generally does not require obtaining individual consent. However, achieving this status is contingent upon the company having fully fulfilled its obligation to inform and obtain the corresponding legal basis when processing the original data. In other words, the subsequent anonymisation process must be founded upon the lawful collection of the original data.

Furthermore, the Measures for Review of Scientific and Technological Ethics (Trial) (“Ethics Review Measures”, 科技伦理审查办法(试行)) stipulate that scientific and technological activities involving human participants, including those utilising human biological samples or PI, shall undergo a review of scientific and technological ethics. Entities engaged in scientific and technological activities in fields such as life sciences, where the research content involves areas sensitive to scientific and technological ethics, shall establish a review committee for scientific and technological ethics.

Privacy Requirements for Use of Personal Data

AI-generated content (AIGC) developers and service providers should comply with essential data protection laws when carrying out PI processing activities. For instance, both the PIPL and the DSL require data minimisation and purpose limitation, which directly affects how AI models are trained. AI systems that process PI must ensure that users can exercise their rights as set out under the PIPL. AI systems must incorporate robust security measures to prevent breaches of PI and AIGC service providers shall build these features into their platforms to comply with such data protection requirements. Furthermore, Article 7 of the Interim Measures for the Administration of Generative Artificial Intelligence Services (“AIGC Measures”; 生成式人工智能服务管理暂行办法) provides that AIGC service providers shall ensure the lawfulness of the training model and data sources when processing training data, and data subjects’ consent shall be obtained if any PI is involved.

Automated Decision-Making Using AI

Article 24 of the PIPL sets forth restrictions on the use of PI for automated decision-making. When utilising PI for automated decision-making through AI, the transparency of the decision-making process and the fairness and impartiality of the outcomes shall be ensured. Unreasonable differential treatment against individuals in terms of transaction conditions such as pricing is prohibited. When a decision significantly affecting an individual’s rights and interests is made through automated decision-making, the individual is entitled to request an explanation and has the right to refuse the decision being made solely through automated decision-making.

Risk-Based Regime

China implements inclusive, prudent, categorised and tiered regulation over AIGC services, constituting a risk-based regime. There is no provision explicitly prohibiting the use of AI in specific high-risk application scenarios. However, AI shall not be used to generate illegal information or to engage in illegal activities. For instance, it is prohibited to use AI to generate content that infringes upon the lawful rights and interests of others or endangers national security, etc. Furthermore, AIGC technology shall not be utilised to engage in monopolistic or unfair competition practices.

How AI Regulation Affects Data Protection in China

Where PI processing is involved in AI scenarios, the essential data protection laws shall be complied with. Simultaneously, specialised regulations governing AI, such as the AIGC Measures, impose further specific requirements regarding the PI processing in AIGC services. Specific provisions have been formulated in key data protection regulations to address AI development while simultaneously ensuring a balance between innovation and data protection. For instance, the newly amended CSL specifically incorporates framework provisions on AI safety and development, emphasising that China will improve ethical norms for AI and strengthen risk monitoring, assessment and security oversight.

The transparency requirements under the PIPL, which mandate the full fulfilment of notification obligations, are also applicable to AIGC services when processing PI. The AIGC Measures also require AIGC service providers to enhance the transparency of their services, as well as the accuracy and reliability of the generated content.

The RANDS provide that, in so far as the training data and processing activities thereof are concerned, the network data handlers providing AIGC services shall fulfil relevant security management obligations, which demonstrates the emphasis placed on data governance.

The Ethics Review Measures stipulate that entities engaged in AIGC activities, where the research content involves areas sensitive to scientific and technological ethics, shall establish an ethics review committee, conduct reviews of scientific and technological ethics for the AIGC activities and implement follow-up supervision over the AIGC activities.

According to Article 57 of the PIPL, in the event of a PI leak, alteration or loss, or where such an incident is likely to have occurred, the PI handler shall immediately take remedial measures and notify the competent authority and the affected individuals. The notification shall include:

  • the categories of PI involved, the causes of the incident and the potential harm that may result;
  • the remedial measures that have been taken and the measures individuals can adopt to mitigate the harm; and
  • the contact details of the PI handler.

The Measures for the Administration of National Cybersecurity Incident Reporting (国家网络安全事件报告管理办法) further specify the thresholds, procedures and timelines for such reporting. For a “relatively major” incident – for instance, one involving the PI leakage of more than one million individuals – a report shall be submitted to the cyberspace administration authority within four hours. If the network operator is a Critical Information Infrastructure Operator (CIIO), the report shall be submitted within one hour.

Upon being informed of the incident, the competent authority may initiate an investigation in accordance with the law. Mass data privacy litigation is also possible – refer to 2.3 Collective Redress Mechanisms for more details.

Key Regulators and Their Core Competence

Since data regulation is a topic that impinges upon all industries, there is a wide range of law enforcement departments related to it, many of which have intersecting duties and authorities. There is no centralised regulatory body. Among all these regulators, the most important ones include:

  • the Cyberspace Administration of China (CAC);
  • the Ministry of Public Security (MPS); and
  • the Ministry of Industry and Information Technology (MIIT).

The CAC is in charge of overall planning with regard to data protection and privacy, and co-ordinates the competent authorities. The MIIT, the MPS, the State Administration for Market Regulation (SAMR) and other industry regulators are in charge of law enforcement in the respective industries.

Typical Investigative Workflow

Investigations initiated by regulators can be triggered in different ways, including:

  • reporting – where users may report to the regulators and consumer protection organisations, and investigations are launched accordingly;
  • regular and irregular inspections – where special projects that last several months are launched to target specific industries or pain points in cyberspace; and
  • inquiries into data leakage events, network loopholes or other cybersecurity/data incidents.

While conducting investigations, special rules shall be followed by the regulators. For instance, the Measures for Supervision and Inspection of Cyberspace Security by Public Security Organs (Draft for Comments) (公安机关网络空间安全监督检查办法(征求意见稿)) prescribes the procedures for law enforcement inspections conducted by public security organs. The Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration Departments (网信部门行政执法程序规定) set the rules to oversee the investigations initiated by the CAC. The MIIT must conduct its enforcement activities in accordance with the List of Administrative Law Enforcement Matters of the Ministry of Industry and Information Technology (2025 Edition) (工业和信息化部行政执法事项清单(2025年版)).

Domestic and Cross-Border Co-Ordination Mechanism

The CAC is in charge of overall planning with regard to data protection and privacy, and co-ordinates the competent authorities. A collaborative mechanism has been established among various departments for information sharing and case transfer. For instance, if the CAC or the industrial authority discovers any clues indicating criminal offences, they will transfer the case to the public security organs. There is no Chinese equivalent to GDPR “lead supervisory authority” mutual-recognition.

Binding Force of Guidance

In China, regulatory documents in various forms possess a hierarchical binding effect, collectively shaping the compliance framework for enterprises. Documents issued in the form of departmental rules carry legal enforceability. Violations of such rules may directly result in administrative penalties. Guidance documents – such as policy interpretations, FAQs, and typical case studies issued by authorities – do not in themselves create direct binding legal force. However, they articulate the official interpretation and prevailing enforcement priorities of the regulators, serving as critical reference materials for corporate compliance.

Investigations and Enforcement Actions

When initiating administrative proceedings and enforcing the laws, the competent authorities must abide by the Law on Administrative Penalty (行政处罚法). The competent authorities should conduct investigations to ascertain the facts of the alleged violating acts before imposing punishment on anyone (Article 54). For triggers of investigations, refer to 1.7 Regulators.

Regulators shall promptly notify the parties concerned of the facts of the violation and facilitate their submission of statements and defences (Article 41). Generally, the regulator shall make the administrative penalty decision within 90 days from the date of case filing (Article 60). Prior to rendering an administrative penalty decision, the regulator shall inform the parties of the proposed penalty and its legal basis (Article 44).

The penalised parties are entitled to a hearing in cases where the administrative penalty involves the suspension of business, rescission of a business permit or licence, or a large penalty (Article 63). If a party is dissatisfied with an administrative penalty, it has the right to apply for administrative reconsideration or file an administrative lawsuit (Article 7).

Sanctions and Remedies

The Three Fundamental Laws uniformly stipulate that any violation of the laws which causes damage to others shall bear civil liability. Where a crime is constituted, criminal liability shall be imposed.

For administrative penalties, under the PIPL, the penalties for violations may include:

  • an order of rectification;
  • warning;
  • confiscation of illegal earnings; or
  • the suspension or termination of apps or services.

For severe violations, the violator may be fined up to CNY50 million or 5% of its turnover of the previous year at the company level, and the person directly in charge will be fined up to CNY1 million. The company’s business licences and permits may also be revoked.

Depending on the nature and severity of the violation, different sanctions and penalties may be imposed by the CSL. Authorities may:

  • order rectification;
  • issue warnings;
  • impose fines on both the enterprise and the directly liable person(s); and
  • (where the circumstances are serious) suspend the offending business line, order suspension-for-rectification, or revoke the relevant business permit or the company’s business licence.

The amended CSL materially raises the ceiling for administrative fines to CNY10 million, thereby aligning it with the upper limit already provided in the DSL.

The authorities will determine the amount of any fine on a case-by-case basis, taking into consideration the severity of the violating acts, the infringement of individuals’ legitimate rights and interests, any adverse impact on society, etc. The administrative authorities may, in accordance with law, formulate discretion benchmarks for administrative penalties to regulate the exercise of such discretion. Such discretion benchmarks shall be made public.

Under Article 33 of the Law on Administrative Penalty, no administrative penalty shall be imposed under the following circumstances:

  • where the illegal act is of a minor nature, has been timely rectified, and has caused no harmful consequences;
  • where the act constitutes a first-time violation, the harmful consequences are minor, and it has been timely rectified; or
  • where the party concerned provides sufficient evidence to prove the absence of subjective fault.

Significant data enforcement actions and trends in the past 24 months include the following.

  • In 2024, the MPS launched the “Clean Network” (净网) operation, investigating and resolving over 7,000 cases involving PI infringement.
  • In March 2025, the CAC, MIIT, MPS and SAMR jointly issued an announcement on the launch of the 2025 Special Campaign Series for Personal Information Protection.
  • In 2025, the MPS initiated the “Protecting Networks 2025” (护网2025) special operation, focusing on penalising failures to fulfil obligations related to cybersecurity, data security and PI protection.
  • From April to July 2025, the CAC carried out the “Clear and Bright: AI Technology Abuse Rectification” (清朗·AI 技术滥用整治) campaign, shutting down unregistered LLM applications, investigating training data from illegal sources, and cracking down on the use of AI to create illegal content.
  • The MIIT regularly publicly announces and orders the removal of apps that infringe upon users’ rights and interests.

The practical takeaways for organisations are as follows.

  • Conduct regular self-audits and risk assessments, and integrate compliance reviews into the development and launch processes for new products and services.
  • Actively monitor the official notices, typical cases and enforcement trends published by regulatory authorities.
  • Focus on areas subject to frequent regulatory penalties. In accordance with the key compliance issues highlighted in notices from authorities, conduct self-inspections to determine whether the organisation’s apps engage in practices such as unauthorised PI collection, excessive permission requests, etc.

Over the past 24 months, privacy and data-related disputes adjudicated by Chinese courts have exhibited a notable trend characterised by a surge in case numbers and a refinement of adjudication rules. First, there has been a marked increase in the number of data-related cases heard by the courts. According to announcements by the Beijing Internet Court, it received a total of 113 cases related to PI protection disputes between October 2023 and October 2024. In contrast, merely 58 such cases were handled by the same court in the past five years leading up to 2023. Secondly, adjudication rules are becoming more unified and clearer: to address difficulties in judicial practice, the Supreme People’s Court, in August 2025, issued for the first time a series of guiding cases on the judicial protection of data rights and interests, establishing uniform adjudication standards for core issues such as data ownership and PI protection.

Claimant Types and Common Causes of Action

In China, the majority of PI protection litigation cases are public interest litigation brought by procuratorial organs and consumer organisations. China also allows individuals to initiate private litigation, and the legal bases for an individual to initiate private litigation mainly include the Civil Code, the Consumer Protection Law, the CSL and the PIPL. Common causes of action include:

  • collecting, disclosing or providing PI without consent;
  • excessive PI collection;
  • PI leakage; and
  • exercising PI rights, etc.

Typical Remedies and Non-Material Damage

Typical remedies for privacy disputes include:

  • cessation of infringement;
  • apologies; and
  • compensation for damages.

Regarding non-material damage, Article 1183 of the Civil Code stipulates that where an infringement upon an individual’s personal rights and interests causes serious mental damage, the infringed party has the right to claim compensation for mental damages. In typical PI dispute cases published by the courts, compensation for mental damage has been supported in some instances. The prerequisite for supporting such a claim is that the infringement upon PI-related rights has resulted in serious mental distress, which must exceed the tolerance limit of an ordinary person. The amount of compensation should correspond to the severity of the mental distress and is determined flexibly by the courts based on the specific circumstances of each case.

In August 2025, the Supreme People’s Court released guiding cases on the judicial protection of data rights and interests, addressing issues of high public concern such as the determination of data ownership and PI protection, thereby unifying the adjudication standards for similar cases.

In one case where an individual sued an app for excessively collecting users’ PI, the app required the submission of user profile information such as educational stage and English proficiency level, without providing options such as “skip” or “refuse”, nor offering alternative login methods for users who disagreed with providing such information. The court held that user profile information did not constitute necessary PI for the app to provide its basic functional services. Therefore, the legal basis of “necessary for contract conclusion or performance” was not applicable, and consent should have been obtained. The app’s design forced users to check the “agree” box for using the app. Such “consent” was given involuntarily and thus did not constitute valid consent.

Article 70 of the PIPL establishes the mechanism of public interest litigation for PI infringement. Where any PI handler illegally processes PI, which infringes upon the rights and interests of a large number of individuals, a lawsuit may be brought to the court by:

  • the People’s Procuratorate;
  • the consumer organisations specified by law; and
  • the organisations determined by the CAC.

In the past few years, the number of public interest litigation cases regarding PI protection has increased year by year. From July 2015 to September 2025, prosecutors have handled nearly 25,000 cases specifically focused on PI protection. This upward trend reflects the growing frequency of legal actions concerning PI protection initiated by prosecutors and shows the great importance attached to PI protection.

The core admissibility criterion is that the illegal PI processing must infringe upon the rights and interests of a large number of individuals, thereby harming the public interest. As stipulated in the Draft Procuratorial Public Interest Litigation Law (检察公益诉讼法(草案)) released on 28 October 2025, the admissibility of such litigation is also contingent upon preliminary evidence indicating the commission of an unlawful act.

Concerning indicative timelines, after a procuratorate places a case on file, it must decide whether to initiate civil public interest litigation within one year. For cases that are major, complex or difficult, this period may be extended. Subsequent litigation stages, including trial and appeal, are generally subject to the time limits prescribed by the Civil Procedure Law (民事诉讼法).

In terms of relief, a court may order the defendant to cease the infringement and assume liabilities such as:

  • eliminating the adverse effects;
  • restoring reputation;
  • making an apology; and
  • providing compensation.

Furthermore, under the court’s auspices, the procuratorate may reach a mediation agreement or a settlement with the defendant regarding the enforcement of the judgment.

With regard to non-personal data protection, China has established a fundamental legal framework centred on the DSL. Furthermore, the Three Fundamental Laws operate synergistically to cover the entire life cycle of data processing. The RANDS, which apply to all network data processing, mark a co-ordinated regulatory framework that unifies privacy, data security and non-personal data governance under shared obligations.

Regarding cross-sector data access and sharing frameworks for IoT, cloud computing or other data processing services, China has not enacted unified legislation for their regulation. Instead, such frameworks are predominantly governed by a combination of data protection laws, sectoral regulations and industry-specific guidelines – ie, the Three Fundamental Laws, as well as certain industrial measures and/or standards such as:

  • the Measures on Safety Evaluation for Cloud Computing Services (云计算服务安全评估办法); and
  • GB/T 37025-2018 Information Security Technology – Security Technical Requirements of Data Transmission for IoT (GB/T 37025-2018 信息安全技术 物联网数据传输安全技术要求), etc.

China also promotes the secure use and free flow of such data, promotes the availability and accessibility of data and enhances the activity of the data-driven economy, as set out under the Opinions on Building a Basic Data System to Better Play the Role of Data Elements (“Opinions”; 关于构建数据基础制度更好发挥数据要素作用的意见).

Under China’s legal framework, all entities processing data – whether as IoT service providers (similar to data holders) or as parties that obtain and process data through transactions, licensing or other means (similar to data users) – are subject to statutory obligations for data processing. The PIPL and the DSL delineate distinct rights and responsibilities for different roles, notably data handlers (comparable to data controllers under the GDPR) and entrusted parties of data processing (comparable to data processors under the GDPR). In addition, the Opinions establish protections for data originators from the perspective of data ownership.

The frameworks encompass both personal and non-personal data. The DSL adopts a broad definition of data, which includes any information recorded in electronic or non-electronic form. Consequently, non-personal data, such as industrial data, also falls within the scope of protection under the DSL. The protection of PI is primarily governed by the PIPL.

Currently, China has not enacted a single, standalone law equivalent to the Data Act. Instead, it has adopted a model that combines comprehensive legislation with supporting policies. Foundational laws establish the framework for safeguarding data sovereignty and security, while policies like the Opinions are progressively advancing the marketisation of data. This approach aims to strike a prudent balance between promoting data sharing and innovation on one hand, and addressing security concerns on the other.

The interaction between the above data regulation frameworks and privacy rules, as well as the IP protection of non-personal data, is not realised through a single statutory provision, but accomplished through a layered, multi-dimensional and dynamically evolving comprehensive legal system. The core logic resides in the foundational legal framework constituted by the Three Fundamental Laws, which establish red lines and principled obligations for all data processing activities.

Specifically concerning PI processing, data generated by IoT or cloud computing services, once constituting PI, must fully comply with PI processing obligations stipulated under the PIPL. This includes ensuring a legal basis as defined by the PIPL, such as obtaining user consent. Concurrently, regulations pertaining to IoT or cloud computing require service providers to implement technical measures – such as encryption and access control. These requirements constitute the operational implementation of the overarching legal principles of “confidentiality” and “security”.

Non-personal data generated by the IoT or processed via cloud computing – such as industrial data – is regulated by the DSL and CSL in terms of its storage, transmission and cross-border security. While raw IoT data, such as sensor readings, generally does not constitute intellectual property (IP) in itself, once such data undergoes original compilation or in-depth analysis, it may give rise to a data product eligible for copyright protection or protectable as a trade secret, thus falling within the scope of IP law.

The processing of PI within contexts such as the IoT and cloud computing is likewise subject to the Three Fundamental Laws, encompassing the stipulated rights and obligations as well as the necessary action items for organisations. For details, refer to 1.2 Rights and Obligations.

For non-personal data, the DSL seeks to safeguard the rights of data owners by imposing obligations on data processing. Organisations are required to establish a data management system and implement technical measures to ensure data security. In terms of data circulation, China encourages the compliant and efficient use of data, while establishing security boundaries for data sharing and trading. For instance, data intermediary service providers are obligated to verify the legality of data sources and the identities of the parties involved in data transactions.

Pursuant to the DSL, China has established a co-ordinated working mechanism for data security, applicable to data including non-personal data. Local authorities and various government departments are responsible for the data collected and generated within their respective regions and sectors, as well as for the security of such data. The CAC takes the lead in co-ordinating network data security efforts and related regulatory work. The MPS and other relevant authorities undertake data security regulatory responsibilities within their respective statutory remits. Sector-specific authorities, such as the MIIT and those overseeing transportation and finance, assume data security regulatory duties for their respective industries.

Moreover, the National Data Bureau, inaugurated in October 2023, is responsible for overseeing the integration, sharing and development of data resources, co-ordinating the construction of data infrastructure systems, and the planning and construction of digital China, the digital economy and digital society.

Co-Ordination With Privacy and Competition Authorities

The regulation of PI and non-personal data is integrated through a shared enforcement framework. The CAC leads the enforcement of the PIPL but its mandate extends into network data issues, which may involve non-personal data regulation. Sectoral authorities also assume regulatory duties over both PI and non-personal data within their respective industries.

China’s competition authorities, primarily the SAMR, also collaborate with non-personal data regulators. In early 2025, the SAMR, jointly with the National Data Bureau, the CAC and three other departments, issued the Implementation Plan for Improving the Security Governance of Data Circulation to Better Promote the Marketization and Value Realization of Data as a Factor of Production (“Implementation Plan”; 关于完善数据流通安全治理 更好促进数据要素市场化价值化的实施方案). It explicitly stipulates the punishment of monopolistic and unfair competition practices involving the use of data, thereby providing guidance for subsequent enforcement by the SAMR. In daily operations, these authorities have established mechanisms for information sharing, case notification and co-ordinated law enforcement. For instance, non-personal data regulators may transfer leads to the SAMR if they discover indications of unfair competition involving data during routine oversight. Conversely, when investigating cases of data-related unfair competition, the SAMR may require the CAC to provide professional input on data regulation.

Enforcement Trends

The joint formulation and issuance of core policies by multiple authorities has become a regular practice. A case in point is the Implementation Plan, which aims to promote the utilisation of data. Various sectoral authorities have intensively introduced detailed data rules specific to their respective industries. For example, both the People’s Bank of China and the MIIT have issued or drafted relevant sector-specific regulations, thereby making the oversight more scenario-specific and practical.

The use of online tracking technologies is usually regarded as PI collection, which must comply with PI protection-related requirements. According to the PIPL, the collection and use of PI must follow the principles of legality, legitimacy and necessity, which means that the use of online tracking technologies for user information collection must comply with these principles. Individuals must be truly, accurately and completely informed in a prominent manner and in clear and understandable language, and consent must be obtained. The “opt-out” model is generally not permitted under the core principles of the PIPL.

The Advertising Law (广告法) is the fundamental law that regulates advertising. The Measures for Administration of Internet Advertising (互联网广告管理办法) apply to online marketing. The sender must obtain consent to, or a request for, advertising from the recipients, and the sender must also disclose their true identity, contact details and the opt-out method for advertisements distributed via electronic means.

Restrictions on Profiling

Pursuant to Article 24 of the PIPL, if business marketing or push-based information delivery is conducted towards an individual by means of automated decision-making, an option not targeting the personal characteristics of the individual, or an easy way to refuse to receive this, must be provided to the individual. In addition, according to the Information security technology – Personal information security specification (GB/T 35273–2020 信息安全技术 个人信息安全规范), the use of indirect user profiling generated from PI that is not from particular persons is recommended for online marketing, rather than direct user profiling.

Restrictions on Use of Sensitive or Children’s Data for Marketing Purposes

The collection and use of sensitive PI for marketing purposes is subject to strict limitations under the PIPL. For any marketing activity involving sensitive PI, separate consent must be obtained, and individuals shall be informed of the necessity of processing sensitive PI and the impact on their rights.

Regarding children’s data, which is classified as sensitive PI under the PIPL, enhanced protections are established. When processing the PI of minors under the age of 14, the consent of their parents or other guardians must be obtained. The Regulations on the Protection of Minors in Cyberspace (未成年人网络保护条例) stipulate that commercial marketing shall not be conducted towards minors through automated decision-making methods. Consequently, the use of children’s data for marketing purposes may only proceed under these strictly limited conditions.

Consent Requirements

Since online marketing, particularly personalised advertising, is normally based on the analysis of PI collected from users, regulations on PI collection and use must be observed. PI may not be collected or used for personalised advertising if the PI subjects have not agreed to this.

The PI processing requirements stipulated in the Three Fundamental Laws are also applicable to the employment context. As an exception, where the processing of employee PI is necessary for human resources (HR) management purposes, consent or applying the CBDT mechanisms (refer to 5.1 Restrictions on International Data Transfers for details) may no longer be required. However, it is essential to ensure that any such processing is conducted in accordance with lawfully established labour rules or legally executed collective contracts. Additionally, the HR necessity of the data processing must be clearly substantiated.

Employee Monitoring

The monitoring of employees, such as through time-tracking systems, must comply with principles of necessity and legitimacy. Employers should inform employees of the monitoring purpose, scope and methods. Processing must be justified as necessary for HR management (eg, performance assessment) under lawful labour rules; otherwise, consent must be obtained.

Remote Work

For remote work, employers must establish clear policies regarding the use of company-provided or personal devices. Employees should be informed about data collection related to remote activities (eg, work hour logs), and the data processing must adhere to the “necessity” test under labour rules.

Use of IT Systems

Employers using IT systems (eg, email, internal platforms) to process employee data must define the purpose and scope in labour rules or labour contracts. Processing for HR management (eg, payroll, attendance) typically does not require consent. However, for systems involving non-essential data for HR management, consent may be needed.

Bring Your Own Device Policies

BYOD policies require balancing security needs with employee privacy. Employers must clarify employee PI collection scope in the BYOD scenario and implement security measures for the collected data accordingly. Consent may be needed if processing extends beyond HR necessities.

Background Checks

Background checks must be lawful, necessary and transparent. Employers should obtain prior consent and limit checks to job-relevant information. Excessive data collection, such as unrelated health details, is not allowed. Results must be kept confidential and securely stored, with retention periods aligned with HR purposes.

Job Application

For job applications, employers must inform candidates of the data processing purposes, such as recruitment evaluation. Consent is typically required, and separate consent may be needed as stipulated in the PIPL. Data of unsuccessful applicants should be deleted after the necessary retention period expires, in accordance with the data minimisation principle.

All forms of data processing activities occurring in M&A and asset deals shall be governed by the DSL and the PIPL. The requirements and obligations set forth under the DSL and the PIPL shall be complied with accordingly.

Due Diligence Phase

Acquiring parties must adhere to the principle of data minimisation and necessity. Access to and review of the target company’s PI should be limited to what is strictly essential for the due diligence. Robust confidentiality agreements must govern all parties to prevent unauthorised use or disclosure of PI.

Notification Upon Change of Control

With regard to any transfer of PI due to a change of control, Article 22 of the PIPL specifies an additional disclosure requirement: the relevant individuals shall be informed of the name and contact information of the PI recipient. The individual’s consent is not required.

Post-Closing Integration

The PI recipient (the acquirer) must ensure its subsequent processing complies with the original purpose and method as understood by the individuals. In the event of any changes to the original purpose and method of data processing, consent shall be re-obtained.

According to China’s regulatory framework, the CBDT of data encompasses both PI and non-personal data, the latter primarily referring to “important data” – the data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc.

A “transfer” or “outbound transfer” is broadly construed as a data handler transferring data, collected and generated during its operations within China, to locations outside China. It also includes situations where the data collected and generated is stored within China, but can be queried, accessed, downloaded or exported remotely from overseas. It should be noted that if activities involving the PI processing of individuals within China are conducted outside China, with the purpose of providing products or services to such individuals or analysing or evaluating their behaviour, this also constitutes CBDT.

To lawfully conduct CBDT, data handlers must select and fulfil a specific compliance pathway based on the nature and the volume of data transferred. There are three main CBDT compliance routes:

  • obtaining the CAC security assessment approval, a mandatory prior approval required from the CAC, applying to –
    1. CIIOs transferring PI or important data abroad; and
    2. non-CIIO data handlers transferring important data, or transferring, since January 1 of the current year, PI of more than 1 million individuals or sensitive PI of more than 10,000 individuals;
  • being certified by the recognised agencies (“Certification”); or
  • concluding the CAC’s prescribed standard contractual clauses (SCCs) with the overseas recipient and filing them with the provincial CAC within 10 working days of their taking effect.

For non-CIIO data handlers whose cumulative transfers since January 1 fall within the range of 100,000 to 1 million individuals’ PI, or fewer than 10,000 individuals’ sensitive PI, and do not involve important data, the Certification and SCCs routes are alternative options – the data handler may choose either one.

Crucially, onward transfers by the overseas recipient are subject to strict regulation and must meet several conditions. These include, but are not limited to:

  • providing comprehensive notice to the individual;
  • obtaining separate consent; and
  • executing a binding agreement with the onward recipient.

This agreement must ensure that the recipient’s PI processing complies with the protection standards stipulated by Chinese laws.

Regarding exceptions, Article 38 of the PIPL allows the provision of PI according to international treaties or agreements concluded or acceded to by China. Furthermore, the Provisions on Promoting and Regulating Cross-Border Data Flows (“CBDT Provisions”; 促进和规范数据跨境流动规定) provide for the following scenarios that are exempt from the CBDT application procedures:

  • CBDT that does not contain PI or important data;
  • where data handlers transfer PI collected and generated overseas after being processed domestically without involving domestic PI or important data in the process;
  • for the establishment or performance of contracts to which individuals are parties;
  • in implementing cross-border HR management based on legally formulated labour rules and collective contracts;
  • in emergency situations to protect the life, health and property safety of natural persons; and
  • where a non-CIIO data handler provides PI of fewer than 100,000 individuals (excluding sensitive PI) to an overseas recipient since January 1 of the same year.

Further, according to Article 6 of the CBDT Provisions, Free Trade Pilot Zones (FTZs) may formulate their own lists of the data to which the CBDT mechanism applies (the “Negative List”). Data handlers within the FTZs are exempted from applying the CBDT mechanism when providing data not included on the Negative List overseas.

For transferring PI and important data abroad, refer to 5.1 Restrictions on International Data Transfers.

In addition, the CBDT of certain specially regulated data (eg, human genetic resources information) is subject to specific regulatory rules provided in certain fields and may require government approval, according to applicable regulatory rules for such CBDT.

In China, the first and foremost data localisation requirement is that national secrets are not allowed to be transferred overseas. Secondly, PI and important data collected by CIIOs in the course of their operations in China are required to be stored domestically, and a security assessment is required for CBDT.

There are also localisation requirements for specially regulated business data, including relating to the following:

  • credit information;
  • personal financial information;
  • map data;
  • essential tech equipment required for online publication services;
  • data and information related to car hailing services;
  • health information of the population; and
  • insurance data and fiscal data.

In principle, such data must be stored within China (excluding the Hong Kong, Macau and Taiwan regions) and may not be freely transferred overseas.

Regarding remote access, accessing data stored in China from overseas typically constitutes a data transfer. Consequently, any such data transfer or remote access will be subject to the specific CBDT requirements applicable to the respective data type.

The Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and Other Measures of the People’s Republic of China (“the Rules”; 阻断外国法律与措施不当域外适用办法), released by the Ministry of Commerce, are considered to be China’s blocking statute and have set up a relatively comprehensive system for countering economic sanctions, to deal with the long-arm jurisdiction of certain countries and regions.

The Rules and the privacy laws work together – often complementarily – to create a comprehensive framework that limits foreign-driven data access or discovery from within China. The Rules address foreign regulatory orders broadly (not limited to PI), while the DSL and PIPL focus on data sovereignty, PI protection and data transfers. According to Article 36 of the DSL, organisations may not provide any foreign judicial or law enforcement body with any data stored within China without the approval of the competent authority.

Key Recent Developments

Measures for the Certification of Cross-Border Provision of Personal Information, which came into force on 1 January 2026, signify the comprehensive implementation of China’s CBDT compliance framework. Serving as the final and integral component of the CBDT mechanisms, these Measures provide companies with a clear and stable compliance pathway through a market-based certification mechanism, thereby refining the overarching CBDT regulatory framework.

In September 2025, the National Cybersecurity Notification Center publicly disclosed an enforcement case in which a multinational enterprise was penalised for illegal CBDT activities. The identified violations included failure to do the following:

  • complete the requisite security assessment for the CBDT;
  • provide adequate notification to its users regarding the transfer;
  • obtain separate consent from users; and
  • implement necessary security technical measures.

Expected Future Developments in 2026

In 2026, the CBDT Certification mechanism will likely become another compliance route for companies. Companies need to prepare for this shift by ensuring their data protection practices align with the certification criteria.

It is anticipated that the formulation and implementation of the Negative List within FTZs will be significantly accelerated in 2026. Practical enforcement at the local level is already underway, with numerous FTZs having released Negative Lists in 2024 and 2025. Driven by central policy guidance and solidified through successful local pilots, 2026 is expected to be a pivotal year during which more FTZs will advance the development and implementation of their respective Negative Lists.

Zhong Lun Law Firm

22-24/F & 27-31/F
South Tower of CP Center
20 Jin He East Avenue
Chaoyang District
Beijing 100020
China

+86 010 5957 2003

+86 010 6568 1022

chenjihong@zhonglun.com
www.zhonglun.com

Trends and Developments

Global Law Office (GLO) dates back to the establishment of the Legal Consultant Office of China Council for the Promotion of International Trade in 1979. After more than 40 years of persistent effort and development, it has become one of the most prominent large comprehensive law firms in the Chinese legal industry. GLO has been committed to the mission of “serving domestic and foreign clients with globalised vision, a globalised team and globalised quality” since its inception, enabling it to maintain a leading position in the industry in an ever-changing global economic environment. All lawyers at GLO are graduates from first-tier domestic and/or international law schools, most of whom hold LLMs or higher degrees. Many partners are qualified to practise law in the US, UK, Australia, Switzerland, New Zealand or Hong Kong, among others.

Data Practice in China in 2025: A Year-End Review

2025 saw noteworthy developments in cross-border data transfer, personal information compliance audit and artificial intelligence (AI), including rules for the certification of cross-border provision of personal information, revision of the Cybersecurity Law, and detailed requirements on AI-generated contents. All these efforts highlight China’s desire to establish a secure and dynamic digital economy that addresses domestic growth needs while keeping an eye on global digital trade.

Note that the term “data processors”, as used in this chapter of the guide and as defined by the Personal Information Protection Law of the PRC (PIPL), is interchangeable with “data controllers” as defined by the GDPR. Data processors, as defined by the GDPR, are referred to as contracted processors in this chapter.

New rules on cybersecurity and data protection

Revision of the Cybersecurity Law

The Cybersecurity Law of the PRC was revised in 2025 and the revision took effect on 1 January 2026. The revised version explicitly specifies that China is willing to support basic theoretical research on AI and the research and development of key technologies such as algorithms, which signals that the Chinese government deems emerging technologies and their development activities to be critical elements of cybersecurity. In addition, the new Cybersecurity Law significantly increased the monetary penalties for violating companies and responsible individuals, up to CNY10 million for severe compliance issues.

Measures for the Administration of National Cybersecurity Incident Reporting

The Measures for the Administration of National Cybersecurity Incident Reporting (the “Measures for Incident Reporting”) were released by the Cyberspace Administration of China (CAC) on 11 September 2025 and came into effect on 1 November 2025. This regulatory instrument makes provision regarding when and how network operators shall report to the relevant authority in case of a cybersecurity incident.

Highlights of the Measures for Incident Reporting are as follows:

  • define standards to determine the severity of cybersecurity incidents, including the duration of impact, the number of people that are involved, the amount of data leaked due to such incidents, and the damage caused by such incidents, etc;
  • set a clear severity-based time limit for the network operators to report incidents to the authority;
  • clarify items that should be reported to the authority; and
  • announce the official channel for receipt of security incident reports.

Following the release of the Measures for Incident Reporting, network operators should accordingly update their contingency plans for responding to security incidents in order to ensure compliance with the new regulation.

Determination of sensitive personal information

Sensitive personal information is subject to stricter protection under the law, but the definition and list of sensitive personal information has become a soap drama in practice.

Article 28 of the PIPL defines it as personal information that is likely to result in damage to the personal dignity of any natural person or damage to their personal or property safety once disclosed or illegally used. As this definition is vague, in practice, most data processors will use the list of examples of sensitive personal information in Annex B of the national standard “Information security technology – personal information security specification” (GB/T 35273-2020, the “Information Security Specification”) as a key reference in determining sensitive personal information.

Though the Information Security Specification is only a recommended standard that showcases the recommended best practice, Chinese authorities explicitly use it anyway to determine sensitive personal information for law enforcement purposes. A good example of such a practice is the sensitive personal information defined in the official standard contract template for cross-border personal information transfer.

In 2025, a new national standard related to the determination of sensitive personal information was released, namely Data security technology – Security requirements for processing of sensitive personal information (GB/T 45574-2025, the “Security Requirements for Sensitive Personal Information”). It not only provides a new list of sensitive personal information but also introduces a new test for determining sensitive personal information that is understandable in theory but difficult to implement in practice. Under this test, if several types of non-sensitive personal information can be used in combination to cause an impact on personal dignity, personal safety or property safety, such a combination of non-sensitive personal information should also be considered sensitive personal information.

Therefore, according to the Security Requirements for Sensitive Personal Information, data processors cannot rely solely on a standard list to determine the sensitivity of personal information, but should consider the subsequent use of non-sensitive personal information and the resulting impact in order to determine whether such non-sensitive personal information should be re-classified as sensitive personal information.

Apparently, it is a subjective standard – but it does not explain whose judgement it should be subject to. Determination of sensitive personal information remains a puzzle, and unfortunately a more difficult one to solve.

Personal information protection compliance audit

The Personal Information Protection Compliance Audit is a requirement under the PIPL since 2021. The long-awaited practical rules to fulfil the audit requirement were released in the Administrative Measures on Personal Information Protection Compliance Audit (the “PIPCA Measures”) on 12 February 2025, which came into effect on 1 May 2025. The PIPCA Measures provide (in the annex) that the audit should cover 26 key areas, which virtually covers all compliance aspects regarding personal information processing.

The good news is that the PIPCA Measures only require that data processors processing the personal information of over 10 million individuals must conduct a PIPCA at least every two years, either on their own or through an authorised external professional institution. There is no set time or frequency for other data processors to complete one so far, at least on the letter of the law.

However, in certain areas, time limits may be imposed on data processors. For example, on 29 December 2025, the CAC released the Announcement on the Submission of Compliance Audit Results for the Protection of Personal Information of Minors (the “Announcement”). The Announcement requires all data processors that process personal information of minors under the age of 18 to conduct audits regarding minors’ personal information processing, and the result of the audit should be uploaded to CAC’s official website before 31 January 2026. Such short notice makes compliance with this unexpected requirement a serious challenge for all data processors that process personal information of minors.

Supervision of facial recognition technology

In 2025, facial recognition technology was a focus of the Chinese authorities. The Administrative Measures on the Application Security of Facial Recognition Technology (the “Measures on Facial Recognition Technology”) were jointly released by the CAC and the Ministry of Public Security (MPS) on 13 March 2025 and came into effect on 1 June 2025.

Highlights of the Measures on Facial Recognition Technology are as follows.

  • All data processors should use facial recognition technology only for a specific purpose and only where sufficiently necessary. If there are recognition methods other than facial recognition that achieve the same purpose or meet the same business requirements, facial recognition technology shall not be provided as the only recognition method.
  • Prior to the application of facial recognition technology, data processors shall inform the data subjects of certain information, including the name and the contact information of the data processor, purpose and method of facial information processing and the period for storage of the facial information, etc.
  • If the processing of facial information is based on the consent of data subjects, the data processors should obtain voluntary, explicit and separate consent from the data subjects.
  • Unless otherwise stipulated by laws and administrative regulations or with an individual’s separate consent, data processors should store facial information locally with the facial recognition equipment and should not transmit the facial information through the internet.
  • A data processor should make a filing to the authorities about its facial recognition activities if the amount of facial information processed by it reaches 100,000 people.

After release of the Measures on Facial Recognition Technology, on 28 May 2025, the CAC released an Announcement about Filing of the Application of Facial Recognition Technology. Data processors meeting the filing threshold should make their filings on an officially designated website.

In practice, some data processors may use facial recognition technology for HR operation without a necessity check. For example, some companies adopt facial recognition technology for the purpose of checking on employee attendance without any alternative. Such adoption bears compliance risk under the Measures on Facial Recognition Technology and should be reconsidered. For data processors using applications that store the facial information of more than 100,000 people, it is suggested that their compliance department start preparing for filing materials together with other internal departments such as IT and the relevant business units.

Cross-border data transfers

Certification of cross-border provision of personal information

The Measures on Certification of Cross-Border Provision of Personal Information (the “Measures on the Certification”) were released by the CAC on 14 October 2025 and came into effect on 1 January 2026. They provide rules on certification, the most recently clarified mechanism for cross-border data transfer under Chinese law.

Article 38 of the PIPL provides for three mechanisms for cross-border data transfer:

  • security assessment;
  • standard contract filing; and
  • certification of cross-border provision of personal information.

The rules on the first two mechanisms were released years ago, whereas the rules on the certification of cross-border provision of personal information had long been absent in practice. Adding this mechanism does not appear to make any difference in practice.

Highlights of the Measures on the Certification include the following.

  • The measures clarify the procedures required to qualify as a professional certification institution. The names of qualified institutions will be published through official channels.
  • Data processors that transfer personal information overseas shall complete a personal information protection impact assessment (PIPIA) covering the contents required by the Measures on the Certification.
  • The validity period of a certification is three years and can be extended by filing an application six months prior to the expiry of the validity period.

Following the Measures on the Certification, the CAC had announced only three qualified professional certification institutions as of January 2026.

Official Q&As from CAC on cross-border data transfers

In 2025, the CAC released two lists of Q&As, in April and October respectively, explaining frequently asked questions concerning cross-border data transfers. The practice of cross-border data transfers has stabilised, and the compliance burden regarding cross-border data transfers is decreasing.

The April Q&As list offered a broader policy overview and high-level clarification of the Chinese cross-border data transfer mechanism. It explains that China’s data export regime aims to ensure the secure and free flow of data for business needs, while regulating transfers involving personal information and important data. It also highlights key supporting measures, such as the Free Trade Zone (FTZ) negative list system, which exempts certain data from the standard compliance paths, and specifies that important data is not prohibited from leaving China but requires a security assessment in accordance with the law. The April Q&As list also describes ways for multinational corporations to make their cross-border data transfers more efficient, such as consolidated group filings and the forthcoming personal information protection certification mechanism.

Building on the April Q&As, the October Q&As list further clarifies the business scenarios that can be exempted from the cross-border compliance mechanism. For example, exempted scenarios such as cross-border shopping or exams are not limited to the examples listed in the law, but must meet two core conditions: the transfer must be for concluding or performing a contract to which the individual is a party; and the transfer must follow the principles of being minimal and necessary. The October Q&As list explicitly states that domestic hotel bookings for domestic individuals do not qualify for the exemption. The October Q&As list also addresses specific operational questions, confirming that data processing system upgrades alone do not trigger reassessment.

Increased focus on AI governance

In 2025, Chinese authorities continued to advance AI governance, focusing on the labelling of AI-generated content. This was not the first mention of labelling requirements for AI-generated content. The Administrative Provisions on Deep Synthesis of Internet-based Information Services, released in 2022, already stipulated that, for content that may cause confusion or misidentification by the public, prominent labels shall be added to indicate that the content is AI generated or edited. However, the standard for such labelling was not specified in the 2022 regulation.

On 7 March 2025, the CAC, together with the Ministry of Industry and Information Technology (MIIT), the MPS and the State Administration of Radio and Television (SART), released the Measures on Labelling AI-Generated or Composed Content (the “Measures on Labelling”), which came into effect on 1 September 2025.

Highlights of the Measures on Labelling include the following.

  • The measures divide AI labels into explicit labels and implicit labels, and specify where to add explicit labels for different types of content, including text, voice, pictures, video, virtual scenes, etc. They also specify the content to be included in implicit labels.
  • Different obligations are set for different parties, including AI generation service providers that provide online information content dissemination services, internet application distribution platforms and users who upload AI-generated content.

Apart from the Measures on Labelling above, a compulsory national standard, Cybersecurity technology – Labelling method for content generated by artificial intelligence (GB 45438-2025, the “Labelling Method”), was also released in 2025. It provides more detailed instructions from a technical perspective, with examples for different scenarios. The Labelling Method can be taken as a reference by companies that need to design labels for AI-generated content in practice.

Law enforcement and judicial judgments

More frequent inspections on apps, mini programs and software development kits (SDKs)

The governmental authorities continue to carry out compliance inspections of publicly available apps, mini programs and SDKs to enforce personal information protection laws. If the issues raised are not remediated within the given deadline (usually two weeks to one month), the authorities will have the apps, mini programs and SDKs removed from the app stores.

The most common non-compliance issues include the following:

  • inadequate privacy policies;
  • illegal collection of personal information;
  • excessive device permission requests; and
  • failure to respond to individuals’ requests to uphold their personal information rights.

Judicial cases concerning AI indicate the obligation of service providers

Following the trend in 2024, judicial cases concerning AI continued to rise in China in 2025, especially those involving copyright issues. In 2024, in several cases the AIGC tool provider was found liable for infringing the copyright of certain IP because it had not exercised a “reasonable duty of care”.

In 2025, a similar case in Shanghai ruled that the AIGC tool provider did not incur liability. In this case, the plaintiff was the IP owner. A user of the AIGC tool uploaded around 20 pictures of the copyrighted content to the platform, used the tool’s LoRA training function and generated a LoRA model of the IP, which could produce pictures of the IP content. The plaintiff sued both the user and the AIGC tool provider for copyright infringement. The court ruled that the AIGC tool provider incurred no liability because it had notified users of their own obligations, designed a mechanism to receive complaints, and delisted the related LoRA model after receiving an infringement notice from the plaintiff. The court therefore considered that the AIGC tool provider had taken the necessary measures and was not liable for infringement.

This case demonstrates that an AIGC tool provider may avoid legal liability by establishing the necessary risk control measures. The practice of the AIGC tool provider in this case can be taken as a reference by similar service providers.

The first case on MNCs for non-compliant cross-border transfer of personal information

In September 2025, the Shanghai authorities issued an administrative penalty against the Shanghai affiliate of a famous global luxury brand for three violations:

  • customer personal information was transferred overseas without completing the cross-border mechanism;
  • customers were not fully informed about the cross-border data transfer, and separate consent was not obtained; and
  • technical security measures such as encryption and de-identification were not implemented.

The announcement published by the authorities is short and did not disclose much information. According to public information, in May 2025 multiple media outlets reported that the luxury brand had suffered a data leak, and its customers in China also received text alerts about it. Such a leak may be the reason the authorities started an investigation and discovered the compliance defects regarding cross-border data transfer.

Although the authorities have long reminded businesses to comply with the cross-border mechanism, there were few penalty cases in practice for non-compliance with this statutory requirement. This case shows that the Chinese authorities have started to inspect and penalise multinational businesses that have not complied with the cross-border mechanism. Those who have not yet fulfilled their obligations under the mechanism should rectify the non-compliance as soon as possible.

What to expect in 2026

It is expected that legal developments on data security and personal information protection in 2026 will continue to be shaped by the need to grow the domestic economy, the need to adapt to technological innovation, and the evolving global political environment. The focus will remain on balancing already robust and aggressive data protection with the pressure to grow the domestic economy and take the lead in international technological innovation.

For multinational companies operating businesses in China, it is worthwhile keeping a closer watch on law enforcement developments and trends than on the development of the laws themselves.

Global Law Office

36th Floor, Shanghai One ICC
999 Middle Huaihai Road
Xuhui District
Shanghai 200031
China

+86 21 2310 8288

+86 21 2310 8299

vincentwang@glo.com.cn www.glo.com.cn

Trends and Developments

Authors



Global Law Office (GLO) dates back to the establishment of the Legal Consultant Office of China Council for the Promotion of International Trade in 1979. After more than 40 years of persistent effort and development, it has become one of the most prominent large comprehensive law firms in the Chinese legal industry. GLO has been committed to the mission of “serving domestic and foreign clients with globalised vision, a globalised team and globalised quality” since its inception, enabling it to maintain a leading position in the industry in an ever-changing global economic environment. All lawyers at GLO are graduates from first-tier domestic and/or international law schools, most of whom hold LLMs or higher degrees. Many partners are qualified to practise law in the US, UK, Australia, Switzerland, New Zealand or Hong Kong, among others.
