Law: Personal Information Protection Law ('PIPL') (Enforcement date of 1 November 2021)
Regulator: The Cyberspace Administration of China ('the CAC').
Summary: On 20 August 2021 China approved the PIPL, the first comprehensive data protection legislation in the region. The Law entered into effect on 1 November 2021 and established personal information processing rules, data subject rights, and obligations for personal information processors, among other things. In addition to the PIPL, the NPC has also approved, on 10 June 2021, the Data Security Law, which entered into effect on 1 September 2021. The Data Security Law regulates data processing activities associated with personal and non-personal data.
There are also provisions related to personal data protection in several other pieces of legislation; most notably the Cybersecurity Law 2016 which came into effect in 2017 (official Chinese version available here; unofficial English available here) ('the Cybersecurity Law') which provides certain general requirements, and the regulations for the protection of children's personal information (only available in Chinese here) which contains obligations relating to the processing of children's personal data stipulated. In addition, there are numerous non-binding guidelines and standards, which provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification.