The People’s Republic of China (“PRC”) has implemented data protection legislation that applies across sectors in mainland China. Companies doing business in or with China should be familiar with all relevant privacy and data security laws or regulations, including those listed below.

National Data Protection Authority - Other Government Agencies

Cyberspace Administration of China (CAC)
State Administration for Market Regulation (SAMR)
Ministry of Industry and Information Technology (MIIT)
National Information Security Standardization Technical Committee
Ministry of Public Security
State Data Administration (new authority set up in 2023; website not announced)
State Administration for Financial Supervision
People’s Bank of China

Privacy Law and Regulations

National-Federal Laws and Regulations
Personal Information Protection Law
Cyber Security Law
Data Security Law
Civil Code
Article 253 of Criminal Law and related Amendment IX and Interpretations on Several Issues Concerning the Application of Laws in Hearing Criminal Cases of Citizens’ Personal Information Infringement (Chinese-language texts: Criminal Law, Amendment IX, and Interpretations)
National Security Law
Consumer Rights and Interests Protection Law
E-Commerce Law
Sectoral Privacy Laws and Regulations
Implementing Regulations of Personal Information Protection Law, Cyber Security Law, and Data Security Law
Cybersecurity Review Measures
Regulations on the Security Protection of Critical Information Infrastructure
Regulations for the Online Protection of Children’s Personal Information
Data Export Security Assessment Measures
Guide to Applications for Data Export Security Assessment (First Edition)
Measures on the Standard Contract for the Export of Personal Information
Guide to Filing of the Standard Contract for the Export of Personal Information (First Edition)
Implementing Rules for Personal Information Protection Certification
Interim Administrative Measures for Generative AI Services
Specifications for Security Certification of the Cross-Border Handling of Personal Information, Version 2.0 (recommended in effect)
GB/T 35273-2020 Information Security Technology – Personal Information Security Specification (recommended in effect)
GB/T 42574 Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing (recommended in effect)
Mobile Applications
Methods for Identifying Unlawful Acts of Collection and Use of Personal Information via App
Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications
Administrative Provisions for Information Services of Mobile Internet Applications
Finance
PBOC Implementing Measures for Protecting Financial Consumers’ Rights and Interests
Administrative Measures for Protecting Consumers’ Rights and Interests by Banking and Insurance Institutions
PBOC Measures for the Administration of Online Payment Business of Non-Bank Payment Institutions
PBOC Notice to Enhance Protection Work of Personal Financial Information by Banking Financial Institutions
Healthcare
Administrative Measures on Standards, Security and Services for National Healthcare and Medical Big Data (Trial)
Administrative Measures on Management of Population Health Information (Trial)
Administrative Regulations for Medical Records by Medical Institutions
Administrative Regulations on Human Genetic Resources
Automobile
Several Provisions on Management of Automobile Data Security (for Trial Implementation)
Postal Service
Administrative Measures on Real Name Collection and Delivery of Postal and Courier Items
Anti-Spam Laws and Regulations
Advertising Law
Ministry of Industry and Information Technology Administrative Provisions on Short Message
Measures for the Administration of Internet Email Services