Data protection

1. Local data protection laws and scope

The Cybersecurity Law of the People's Republic of China (PRC) is a high-level legislation setting out the basic regulatory framework for both data protection and cybersecurity matters.

The PRC Data Security Law provides more detailed administrative mechanisms and requirements regarding data security, expanding on the basic data protection framework laid out in the Cybersecurity Law. This law focuses specifically on the governance of non-personal data.

The PRC Personal Information Protection Law (PIPL) is the first comprehensive law that governs the processing of personal information in the PRC, building on the personal information protection framework established in the PRC Cybersecurity Law. This law focuses specifically on protecting personal information.

The Regulation on Network Data Security Management is the first administrative-level legal instrument in China that sets out detailed implementing rules for the PRC Cybersecurity Law, the PRC Data Security Law and the PIPL.

The Measures on Security Assessment of Cross-border Data Transfer regulate the cross-border transfer of data that is subject to security assessment by the Cyberspace Administration of China.

The Provisions on Facilitating and Regulating Cross-border Data Flow provide adjustments to the implementation of the cross-border data transfer regulations to promote free flow of data.

The Measures on the Standard Contract for Outbound Transfer of Personal Information regulate the cross-border transfer of personal information by entering into the standard contract formulated by the Cyberspace Administration of China.

The Implementation Rules on Personal Information Protection Certification provide a framework and general rules on the voluntary certification for personal information protection for both domestic processing and cross-border personal information transfers.

The Measures for Personal Information Protection Compliance Audits provide systematic and operational guidelines for conducting personal information compliance audits.

Some sector regulators may also issue specific data protection rules applicable to the respective sectors. For instance, the Ministry of Industry and Information Technology issued the Administrative Measures on Data Security in the Field of Industry and Information Technology.

2. Data protection authority

  • Cyberspace Administration of China (CAC)
  • Ministry of Industry and Information Technology (MIIT)
  • Ministry of Public Security (MPS)
  • Sector regulators

3. Anticipated changes to local laws

Draft Provisions on Measures for Personal Information Protection Certification for Cross-Border Transfer of Personal Information: the CAC has issued these draft provisions, which aim to regulate personal information protection certification for cross-border transfer of personal information. These provisions are still in draft form.

4. Sanctions & non-compliance

Administrative sanctions:
  • rectification orders and warnings
  • administrative fines
  • confiscation of illegal income
  • suspension of business operations
  • shutting down the website
  • suspending or terminating the application
  • revocation of relevant sectoral licences or business licences
  • prohibition of directly responsible executives and other directly responsible personnel from serving as directors, supervisors, senior management, and personal information protection officers of relevant enterprises within a specified period
Criminal sanctions:
  • criminal detention
  • imprisonment up to seven years
  • criminal fines
Others:
  • negative impact on social credit scores

5. Registration / notification / authorisation

Registration: offshore entities falling under the PIPL's extraterritorial scope shall submit the names of the relevant individuals or entities responsible for personal information processing to the authorities. This applies if offshore handlers process the personal information of individuals located in China in order to offer products or services to China, or to analyse or assess their behaviour.

Notification: a personal information handler shall notify the regulator and/or the data subjects in the case of a data breach.

Authorisation: there is no specific authorisation requirement.

6. Main obligations and processing requirements

Non-personal Data

  • Data Security Law: mandates general data security requirements, including:
    • Conduct data classification: Categorise and classify data based on its level of importance and potential impact.
    • Establish a comprehensive data security management mechanism: Implement security measures throughout the data processing lifecycle, carry out data security training, and adopt corresponding technical measures.
    • Enhanced protection for "important data" and "core data": Implement the following measures for processing important data, while the processing of core data is subject to even stricter measures (not specified in the Data Security Law):
      • Appoint a data protection officer or management body.
      • Conduct regular risk assessments.
      • Comply with data localisation requirements (passing the security assessment before exportation).

Personal Information

  • PIPL: imposes the following general requirements for personal information processing activities:
    • Lawful basis: Process personal information only with a lawful basis under the PIPL.
    • Transparency: Fully inform individuals about how their personal information is collected and used.
    • Data subject rights: Respond to requests from individuals regarding their personal information rights.
    • Data breach reporting: Notify the regulator and affected individuals in case of a data breach.
    • Data security: Implement internal data management mechanisms and technical measures to protect personal information.
    • Data retention and deletion: Retain data for the minimum necessary time and appropriately delete it afterward.
    • Protection impact assessment: Conduct protection impact assessments for certain high-risk processing activities.
    • Specific consent: Obtain specific consent from individuals for specific processing activities.
    • Channel options for cross-border transfer: Undergo one of three channel options for exporting personal information, unless applicable exemptions apply (please refer to the section “Transfers out of country”):
      • apply for and pass the security assessment by the CAC;
      • obtain certification from an approved institution; or
      • enter into a data transfer agreement based on the standard contract formulated by the CAC.

7. Data subject rights

Data subjects have several rights concerning their personal information, including: the right to be informed and to decide; the right to restrict or refuse processing by others; the right to access and copy; the right to data portability; the right to correction and supplementation; the right to deletion; the right to an explanation of the processing rules; the right to de-register an account (if applicable); and the right to withdraw consent.

8. Processing by third parties

If a data handler (i.e., a party that autonomously determines the purpose and methods of personal information processing) engages third parties to process personal information, i.e., entrusted processors, it shall enter into a contract with the third parties specifying the purposes, duration and method of processing, the categories of personal information and the protection measures involved, as well as the rights and obligations of both parties. The data handler shall conduct a protection impact assessment before the entrusted processing and keep a record of the processing. The data handler shall supervise the processing activities carried out by the third parties.

9. Transfers out of country

Non-personal data can be transferred out of the country without restriction, unless it constitutes important data. Important data cannot be transferred out of the country unless it passes the security assessment by the regulator.

To transfer personal information out of China, data handlers shall satisfy the following requirements:

  • Obtain specific consent from the data subject;
  • Conduct a protection impact assessment; and
  • Undergo one of the three channel options:
    • Apply for and pass the security assessment by the CAC;
    • Obtain certification from an approved institution; or
    • Enter into a data transfer agreement based on the standard contract formulated by the CAC.
  • The requirement to use one of the three channel options is exempted in the following scenarios:
    • transfer any personal information overseas for the purpose of executing and performing a contract to which the individual is a party;
    • transfer any personal information of an internal staff member overseas for the purpose of cross-border human resources management under labour rules and collective contract;
    • transfer any personal information overseas in emergency for the purpose of protecting the health, life, and property safety of a natural person; or
    • where a data processor other than a critical information infrastructure operator transfers overseas the personal information of fewer than 100,000 individuals (excluding sensitive personal information) each year on a cumulative basis.

However, data handlers meeting specific criteria, such as being certified as critical information infrastructure operators or processing/exporting personal data surpassing defined volume thresholds, must undergo a security assessment before exporting personal information. These data handlers cannot opt for the other channel options, i.e., certification or standard contracts.

10. Data Protection Officer

According to the Data Security Law, the handler of important data shall designate a person responsible for data security and a management body. Under the PIPL, a data handler that processes personal information in a volume meeting the threshold to be set by the CAC shall appoint a person responsible for personal information protection. Further, according to the Measures for Personal Information Protection Compliance Audits, a personal information handler that processes the personal information of 1 million individuals or more shall appoint a personal information protection officer to be responsible for the handler's personal information protection compliance audits, and shall submit the personal information protection officer's details to the cyberspace authority at the districted-city level where the handler is located.

11. Security

The PIPL requires personal information handlers to take the following measures to protect the security of personal information:

  • Formulate internal management systems and operating procedures;
  • Implement classified management of personal information;
  • Adopt appropriate security technologies such as encryption and de-identification;
  • Reasonably determine the operating permissions for personal information processing, and regularly provide security education and training to relevant personnel;
  • Formulate and organise the implementation of emergency response plans for personal information security incidents;
  • Other measures stipulated by laws and administrative regulations.

12. Breach notification

According to the PIPL, the data handler is required to notify the regulator and the affected individuals about the breach. However, if the remedial measures taken by the data handler can effectively avoid any damage caused by the breach, the data handler may decide not to notify the data subjects.

According to the Regulation on Network Data Security Management, data handlers shall also establish and improve their emergency response plans for network data security incidents. In the event of a network data security incident, they shall immediately activate the plan. If a security incident causes harm, the network data handler shall promptly notify the interested parties of the security incident and associated risks, the consequences of the harm, and the remedial measures taken by means of phone calls, text messages, instant messaging tools, emails, or public announcements. If any laws or administrative regulations stipulate that notification is not required, such provisions shall apply.

13. Direct marketing

According to the PIPL, when providing information or conducting commercial marketing to individuals through automated decision-making, options that do not target their personal characteristics should be simultaneously offered. Alternatively, convenient methods for individuals to refuse should be provided. According to the Advertisement Law, any organization or individual, without the consent or request of the data subjects, shall not send advertisements to their residences, vehicles, etc., nor send advertisements to them through electronic means.

14. Cookies and adtech

There is no designated law governing the specific use of cookies or adtech. The general cybersecurity and data protection requirements apply. Scattered requirements, focusing mainly on notice, are set forth in some national standards such as GB/T 42574-2023 Information security technology – Implementation guidelines for notices and consent in personal information processing.

15. Risk scale

Moderate.

Cybersecurity

1. Local cybersecurity laws and scope

The Cybersecurity Law of the PRC, a high-level piece of legislation, sets out the basic regulatory framework for both cybersecurity and data protection matters. The Cybersecurity Review Measures, which outline the requirements and procedures for cybersecurity reviews, apply to the purchase of network products and services by critical information infrastructure (CII) operators and to online platform operators engaging in data processing activities that affect or have the potential to affect national security. The Security Protection Regulations for Critical Information Infrastructure are specifically designed to safeguard the security of CII. There are also sector-specific regulations and national technical standards, which continuously evolve and adapt to the changing cybersecurity landscape in China.

2. Anticipated changes to local laws

The CAC issued a second set of amendments to the Cybersecurity Law on 28 March 2025, which is currently still in draft status. The amendments aim to revise the existing Cybersecurity Law by adjusting fine ranges and adding penalty provisions, ensuring coordination with newly implemented laws to improve the overall legal responsibility system.

According to the State Council's 2025 Legislative Work Plan, the Regulation on the Graded Protection of Cybersecurity is at the stage of preparatory formulation.

3. Application

The Cybersecurity Law applies to the establishment, operation, maintenance and use of networks. Since "network" is defined broadly under the Cybersecurity Law, potentially capturing systems, websites, applications, etc., the Cybersecurity Law has a wide scope of application.

4. Authority

  • Cyberspace Administration of China (CAC)
  • Ministry of Industry and Information Technology (MIIT)
  • Ministry of Public Security (MPS)
  • Sector regulators

5. Key obligations

Network operators and online service providers shall fulfil security protection obligations appropriate for their assigned cybersecurity protection levels.

These obligations primarily involve:

  • Establishing internal security management systems, operating rules, and assigning responsible personnel.
  • Implementing technical measures to prevent computer viruses, network attacks, and other cybersecurity threats.
  • Monitoring and recording network operational status and security incidents, maintaining network logs for at least six months.
  • Performing data classification, backing up important data, and implementing data encryption and other relevant measures.
  • Developing cybersecurity incident response capabilities, mitigating breaches, and reporting them to the relevant government authorities.

CII operators face additional requirements, such as data localisation and using certified network products. Moreover, upon procuring network products and services, they must assess potential national security risks arising from their operation. If any potential or actual impact on national security is identified, these CII operators must apply for a cybersecurity review by the regulator.

Manufacturers of products classified as critical network equipment or specialised network security products shall comply with the mandatory technical requirements outlined in the applicable national standards. They must also ensure these products have undergone safety certification or safety testing through a qualified organisation.

6. Sanctions & non-compliance

Administrative sanctions:

  • rectification orders and warnings
  • administrative fines
  • confiscation of illegal income
  • suspension of business operations
  • shutting down the website
  • revocation of relevant sectoral licences or business licences
Criminal sanctions:
  • criminal detention
  • imprisonment
  • criminal fines
Others:
  • negative impact on social credit scores

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes: the National Computer Network Emergency Response Technical Team/Coordination Center of China (known as CNCERT/CC) was founded in August 2001. It is a non-governmental, non-profit cybersecurity technical centre, the key coordination team for China's cybersecurity emergency response community, and the national CERT of China.

8. National cybersecurity incident management structure

Based on the National Cybersecurity Incident Emergency Response Plan, the key aspects of the management structure include:

Leadership and Coordination: the CAC provides central leadership and coordination across different agencies. The National Computer Network Emergency Response Technical Team (CNCERT/CC) coordinates the technical response. The National Cybersecurity Incident Response Office under the CAC coordinates cross-regional and cross-agency response.

Incident Classification and Response Levels: cybersecurity incidents are categorised into four severity levels: especially major, major, relatively large and general. Different levels of incident carry different response requirements, and the corresponding emergency response shall be activated based on the incident level.

In addition, on 8 December 2023 the CAC issued the Draft Provisions on the Management of Network Security Incident Reporting, which is still in draft status.

9. Other cybersecurity initiatives

None.