Support Centre

China - Federal


Law: There is no single, comprehensive personal data protection law. However, there are provisions related to personal data protection in several pieces of legislation; most notably the Cybersecurity Law 2016 which came into effect in 2017 (official Chinese version available here; unofficial English available here) ('the Cybersecurity Law').

Regulator: There are several authorities which regulate aspects of data protection. In particular, the Ministry of Industry and Information Technology ('MIIT') and the Cyberspace Administration of China ('the CAC').

Summary: China currently takes a patchwork approach to personal data protection, and relevant provisions are contained in several different laws and regulations. The Cybersecurity Law provides certain general requirements and there are also obligations relating to the processing of children's personal data stipulated in the regulations for the protection of children's personal information (only available in Chinese here). There are also numerous non-binding guidelines and standards, which provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification. A proposed personal information protection law that is tabled to be discussed by the National People's Congress could harmonise the approach to the regulation of privacy.

In addition, a Data Security Law of the People's Republic of China (Draft) (only available in Chinese here) and Personal information protection Law (Draft) (only available in Chinese here) have been released by the National People's Congress of China. The Draft Data Security Law introduces data security requirements for data activities conducted within mainland China, while the Draft Personal Information Protection Law clarifies personal information processing rules, data subject rights, and the obligations of personal information processors, among other things. There is currently no specific timeline for when the draft Data Security Law or draft Personal Information Protection Law will be passed.


On 7 March 2021, State Councillor and Foreign Minister Wang Yi answered questions from media on the new measures to fight COVID-191, including the International Travel Health Certificate ('the Certificate') which displays, among other things, an individual's vaccination status. The Certificate can be displayed via the WeChat mini program in electronic form, as well as in paper form. Chinese citizens get the Certificate through either using WeChat to scan the official QR Code, or by searching for it on the WeChat mini program. Dehao Zhang, Counsel at Fieldfisher, discusses the Certificate from a data protection angle.

The regulation of e-commerce in China is an area of growing complexity that may prove to be a minefield for multinational companies in particular. Dr. Michael Tan and Julian Sun, Partner and Associate respectively at Taylor Wessing, discuss this issue with reference to obligations in both the privacy and competition spheres.

The increasing rate at which jurisidictions are updating their privacy laws may necessitate multinational companies to reconsider their privacy programs and set up local teams within countries such as China. Galaad Delval, independent privacy professional, discusses the various concerns that such organisations should take into account when doing so.

The second draft of the Personal Information Protection Law ('PIPL') has recently been released, with a host of changes that signal some significant new obligations to come for data processors. Dehao Zhang, Counsel at Fieldfisher, discusses this version of the PIPL and its new features.

FinTech is a complex subject for regulators and, in China, the approach taken herein has been evolving rapidly. Samuel Yang, Hongyu Jiang, and Jiaqian Che, Partner, Lawyer, and Legal Intern respectively at AnJie Law Firm, discuss this subject and its nuances.

The Cybersecurity Administration of China ('CAC') announced, on 22 March 2021, that it, along with three other departments, had issued a Regulation on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications ('the Regulation') in accordance with the Cybersecurity Law 2016.

The State Administration for Market Regulation announced, on 7 February 2021, that its anti-monopoly committee had issued anti-monopoly guidelines ('the Anti-Monopoly Guidelines'), which entered into effect on the day of issuance.

In China, the law on trade secrets branches the areas of intellectual property and information security, requiring a nuanced approach from companies in order to meet their obligations. Galaad Delval, Data Protection Officer at Chen & Co. Law Firm, discusses this topic and what should be considered herein.

Due to significant changes which are coming to China's data protection legal framework, organisations should carefully study how this new legislation compares to that of other jurisdictions with comprehensive data protection regulations in order to appropriately adapt their processing activities. Dora Luo, Partner at Hunton Andrews Kurth LLP, discusses this with reference to the provisions of the draft Personal Information Protection Law ('the Draft PIPL') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in order to illuminate a way forward.

Chinese law enforcement agencies have been ramping up their efforts in tackling cybersecurity and privacy failures, which is only set to continue with developments such as Big Data, the COVID-19 ('Coronavirus') pandemic, and forthcoming major legislative reforms. Barbara Li, Head of Corporate at Rui Bai Law Firm, discusses these trends and what they mean for organisations.

While the forthcoming Personal Information Protection Law ('PIPL') may in some ways represent China joining the increasing number of countries passing general data protection laws, the PIPL nevertheless contains various idiosyncratic features in how its provisions work and how it interacts with other pieces of Chinese legislation. Galaad Delval, Data Protection Officer at Chen & Co. Law Firm, discusses the PIPL and its background.

The Chinese data protection regime is set for a massive upheaval with the coming introduction of the Personal Information Protection Law ('PIPL'). Dr. Michael Tan, Julian Sun, and Chao Xuan, Partner and Associates respectively at Taylor Wessing, discuss the PIPL and its key provisions, as well as how it compares with the data protection laws of other jurisdictions.