China - Federal
Law: There is no single, comprehensive personal data protection law. However, there are provisions related to personal data protection in several pieces of legislation; most notably the Cybersecurity Law 2016 which came into effect in 2017 (official Chinese version available here; unofficial English available here) ('the Cybersecurity Law').
Regulator: There are several authorities which regulate aspects of data protection. In particular, the Ministry of Industry and Information Technology ('MIIT') and the Cyberspace Administration of China ('the CAC').
Summary: China currently takes a patchwork approach to personal data protection, and relevant provisions are contained in several different laws and regulations. The Cybersecurity Law provides certain general requirements and there are also obligations relating to the processing of children's personal data stipulated in the regulations for the protection of children's personal information (only available in Chinese here). There are also numerous non-binding guidelines and standards, which provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification. A proposed personal information protection law that is tabled to be discussed by the National People's Congress could harmonise the approach to the regulation of privacy.
In addition, a Data Security Law of the People's Republic of China (Draft) (only available in Chinese here) and Personal information protection Law (Draft) (only available in Chinese here) have been released by the National People's Congress of China. The Draft Data Security Law introduces data security requirements for data activities conducted within mainland China, while the Draft Personal Information Protection Law clarifies personal information processing rules, data subject rights, and the obligations of personal information processors, among other things. There is currently no specific timeline for when the draft Data Security Law or draft Personal Information Protection Law will be passed.