The mainland of the People’s Republic of China (“PRC”) has implemented data protection legislation that applies across sectors in mainland China. Companies doing business in or with China should be familiar with all relevant privacy and data security laws or regulations, including those listed below.

NOTE: Access to some of the government websites referred to herein from outside mainland China may be blocked due to the application of Chinese cross-border data transfer regulations or other reasons.

National Data Protection Authority - Other Government Agencies

Cyberspace Administration of China (CAC)
State Administration for Market Regulation (SAMR)
Ministry of Industry and Information Technology (MIIT)
National Information Security Standardization Technical Committee
Ministry of Public Security
State Data Administration (new authority set up in 2023; website not announced)
State Administration for Financial Supervision
People’s Bank of China
China Cybersecurity Review, Certification, and Market Regulation Big Data Center

Privacy Law and Regulations

National-Federal Laws and Regulations
Personal Information Protection Law
Cyber Security Law
Data Security Law
Civil Code
Article 253 of Criminal Law and related Amendment IX and Interpretations on Several Issues Concerning the Application of Laws in Hearing Criminal Cases of Citizens’ Personal Information Infringement

Available in Chinese: Criminal Law, Amendment IX, and Interpretations

Consumer Rights and Interests Protection Law
E-Commerce Law
Sectoral/Regional Privacy Laws and Regulations
Implementing Regulations of Personal Information Protection Law, Cyber Security Law, and Data Security Law
Cybersecurity Review Measures
Regulations on the Security Protection of Critical Information Infrastructure
Regulations for the Online Protection of Children’s Personal Information
Regulations on the Protection of Minors Online
Provisions on Facilitating and Regulating Cross-Border Data Flows
Data Export Security Assessment Measures
Guide to Applications for Data Export Security Assessment (Second Edition)
Measures on the Standard Contract for the Export of Personal Information
Guide to Filing of the Standard Contract for the Export of Personal Information (Second Edition)
Implementing Rules for Personal Information Protection Certification
Implementation Guidelines on the Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macau Greater Bay Area (Mainland, Hong Kong)
Filing Guidelines on the Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (Applicable to the Hong Kong Special Administrative Region)
Filing Guidelines on the Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (Applicable to the nine cities in Guangdong Province)
Implementation Guidelines on the Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macau Greater Bay Area (Mainland, Macau)
Filing Guidelines on the Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macau) (Applicable to the nine cities in Guangdong Province)
Interim Administrative Measures for Generative AI Services
Administrative Regulations on the Security of Network Data
Specifications for Security Certification of the Cross-Border Handling of Personal Information, Version 2.0 (recommended in effect)
GB/T 35273-2020 Information Security Technology – Personal Information Security Specification (recommended in effect)
GB/T 42574 Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing (recommended in effect)
GB/T 43697-2024 Data Security Technology – Rules for Data Classification and Grading (recommended in effect)
TC260-PG-20244A Guidelines for Identification of Sensitive Personal Information (recommended in effect)
Mobile Applications
Methods for Identifying Unlawful Acts of Collection and Use of Personal Information via App
Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications
Administrative Provisions for Information Services of Mobile Internet Applications
Finance
PBOC Implementing Measures for Protecting Financial Consumers’ Rights and Interests
Administrative Measures for Protecting Consumers’ Rights and Interests by Banking and Insurance Institutions
PBOC Measures for the Administration of Online Payment Business of Non-Bank Payment Institutions
PBOC Notice to Enhance Protection Work of Personal Financial Information by Banking Financial Institutions
Healthcare
Administrative Measures on Standards, Security and Services for National Healthcare and Medical Big Data (Trial)
Administrative Measures on Management of Population Health Information (Trial)
Administrative Regulations for Medical Records by Medical Institutions
Administrative Regulations on Human Genetic Resources
Automobile
Several Provisions on Management of Automobile Data Security (for Trial Implementation)
Postal Service
Administrative Measures on Real Name Collection and Delivery of Postal and Courier Items
Anti-Spam Laws and Regulations
Advertising Law
Implementing Regulations to Consumer Rights and Interests Protection Law
Ministry of Industry and Information Technology Administrative Provisions on Short Message
Measures for the Administration of Internet Email Services