Support Centre

China - Federal


Law: There is no single, comprehensive personal data protection law. However, there are provisions related to personal data protection in several pieces of legislation; most notably the Cybersecurity Law 2016 which came into effect in 2017 (official Chinese version available here; unofficial English available here) ('the Cybersecurity Law').

Regulator: There are several authorities which regulate aspects of data protection. In particular, the Ministry of Industry and Information Technology ('MIIT') and the Cyberspace Administration of China ('the CAC').

Summary: China currently takes a patchwork approach to personal data protection, and relevant provisions are contained in several different laws and regulations. The Cybersecurity Law provides certain general requirements and there are also obligations relating to the processing of children's personal data stipulated in the regulations for the protection of children's personal information (only available in Chinese here). There are also numerous non-binding guidelines and standards, which provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification. A proposed personal information protection law that is tabled to be discussed by the National People's Congress could harmonise the approach to the regulation of privacy.

In addition, a Data Security Law of the People's Republic of China (Draft) (only available in Chinese here) and Personal information protection Law (Draft) (only available in Chinese here) have been released by the National People's Congress of China. The Draft Data Security Law introduces data security requirements for data activities conducted within mainland China, while the Draft Personal Information Protection Law clarifies personal information processing rules, data subject rights, and the obligations of personal information processors, among other things. There is currently no specific timeline for when the draft Data Security Law or draft Personal Information Protection Law will be passed.


In China, the law on trade secrets branches the areas of intellectual property and information security, requiring a nuanced approach from companies in order to meet their obligations. Galaad Delval, Data Protection Officer at Chen & Co. Law Firm, discusses this topic and what should be considered herein.

Due to significant changes which are coming to China's data protection legal framework, organisations should carefully study how this new legislation compares to that of other jurisdictions with comprehensive data protection regulations in order to appropriately adapt their processing activities. Dora Luo, Partner at Hunton Andrews Kurth LLP, discusses this with reference to the provisions of the draft Personal Information Protection Law ('the Draft PIPL') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in order to illuminate a way forward.

Chinese law enforcement agencies have been ramping up their efforts in tackling cybersecurity and privacy failures, which is only set to continue with developments such as Big Data, the COVID-19 ('Coronavirus') pandemic, and forthcoming major legislative reforms. Barbara Li, Head of Corporate at Rui Bai Law Firm, discusses these trends and what they mean for organisations.

While the forthcoming Personal Information Protection Law ('PIPL') may in some ways represent China joining the increasing number of countries passing general data protection laws, the PIPL nevertheless contains various idiosyncratic features in how its provisions work and how it interacts with other pieces of Chinese legislation. Galaad Delval, Data Protection Officer at Chen & Co. Law Firm, discusses the PIPL and its background.

The Chinese data protection regime is set for a massive upheaval with the coming introduction of the Personal Information Protection Law ('PIPL'). Dr. Michael Tan, Julian Sun, and Chao Xuan, Partner and Associates respectively at Taylor Wessing, discuss the PIPL and its key provisions, as well as how it compares with the data protection laws of other jurisdictions.

The National People's Congress of the Republic of China ('NPC') released, on 21 October 2020, the draft Personal Information Protection Law ('the Draft Law'). The Draft Law sets out significant new obligations for personal information processors, protections for data subjects, along with high penalties for violations of its provisions. If enacted, the Draft Law would bring personal data protection requirements in China into much closer alignment with international approaches and standards.

China's legal framework for data protection is developing, with the Draft Data Security Law of the People's Republic of China ('the Draft Law') currently going through the legislative process. Dehao Zhang, Senior Associate at Fieldfisher LLP, discusses the Draft Law and its provisions.

The questions of when data transfers may be made from China to third countries, and which data localisation requirements will apply, are undeniably complex and thorny issues, with many separate laws and recommendations addressed to different entities and at different stages in the legislative process. Dehao Zhang, Senior Associate at Fieldfisher, addresses this topic and breaks down how businesses can best understand their obligations under a developing legal framework.

As the global focus on data protection continues to increase, so too do the number of countries introducing comprehensive data protection laws or updating existing legislation to bring it in line with European data protection laws and ensure personal data is protected in the digital era.

This webinar looks at key data protection developments and whistleblowing requirements in China. Our expert speakers discuss the privacy landscape in China before focusing on whistleblowing policy trends and case studies to help businesses operating in China react effectively and prepare for whistleblowing investigations.

China recently released its Technical Specifications for Personal Information Security GB/T 35273-2020 ('the 2020 Specification'), which provides recommended standards for companies in a variety of areas. In part two of this series, Galaad Delval, Data Protection Officer at Chen & Co. Law Firm, discusses the broader relevance of the 2020 Specification and how its provisions may potentially become mandatory.

This webinar looks at electronic digital marketing requirements across APAC and the European Union ('EU'). In particular, our expert speakers examine and compare legislation in Australia, the EU, Singapore, China, Japan, Hong Kong, the United Kingdom, and South Korea. As well as outlining the key requirements in each jurisdiction, this webinar recommends good practices for building a successful, and compliant, global electronic direct marketing campaign.