China - Federal | DataGuidance

China - Federal

Summary

Law: Personal Information Protection Law ('PIPL') (Enforcement date of 1 November 2021)

Regulator: The Cyberspace Administration of China ('the CAC').

Summary: On 20 August 2021 China approved the PIPL, the first comprehensive data protection legislation in the region. The Law entered into effect on 1 November 2021 and established personal information processing rules, data subject rights, and obligations for personal information processors, among other things. In addition to the PIPL, the NPC has also approved, on 10 June 2021, the Data Security Law, which entered into effect on 1 September 2021. The Data Security Law regulates data processing activities associated with personal and non-personal data.

There are also provisions related to personal data protection in several other pieces of legislation; most notably the Cybersecurity Law 2016 which came into effect in 2017 (official Chinese version available here; unofficial English available here) ('the Cybersecurity Law') which provides certain general requirements, and the regulations for the protection of children's personal information (only available in Chinese here) which contains obligations relating to the processing of children's personal data stipulated. In addition, there are numerous non-binding guidelines and standards, which provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification.

Browse more content in China - Federal

All Guidance Notes

All News

All Insights

News

15 September 2023

China: CAC publishes opinions on reporting internet information

14 September 2023

China: TC260 requests comments on draft standard on security requirements for data transaction services

14 September 2023

China: Standard on biometric facial recognition testing method published

14 September 2023

China: CBIRC issues notice on data services of currency brokers

07 September 2023

China: CAC fines CNKI RMB 50M for PIPL and CSL violations

29 August 2023

China: TC260 requests comments on draft standard on processing of important data

23 August 2023

China: TC260 requests comments on draft Standard on Security Risk Assessments

23 August 2023

China: TC260 requests comments on draft Standard on Automated Decision-Making

15 August 2023

China: Interim Measures on Generative AI enter into force

15 August 2023

China: State Council publishes opinion on increasing foreign investments, examines data flows

14 August 2023

China: TC260 announces publication of four cybersecurity standards

09 August 2023

China: TC260 requests comments on practice guidelines for content identification method for generative AI

Insights

September 2023

China: Compliance audit of personal data protection

In many aspects, the Personal Information Protection Law (PIPL), which became effective on November 1, 2021, looks very similar to the EU's General Data Protection Regulations (GDPR). However, many of these similarities remain as high-level principles under the PIPL, while more detailed content has been rolled out step by step. Earlier this year, the Cyberspace Administration of China (CAC), established export security assessment procedures and Standard Contractual Clauses (SCCs) for data exports. Now, the CAC is shifting its focus to compliance audits. On August 3, 2023, the CAC presented the draft Administrative Measures for Compliance Audit of Personal Information Protection (Draft Audit Measures) soliciting public comments. For Data Protection Officers (DPOs) and compliance officers, this topic will become another important task to include in their planning for implementation in 2024.

In this Insight article, Julian Sun, from Taylor Wessing, delves into the key provisions of the Draft Audit Measures and sheds light on the evolving compliance audit framework, highlighting its importance, nuances, and potential impacts for companies operating in China.

July 2023

China: Draft administrative measures for generative AI - key takeaways

On April 11, 2023, the Cyberspace Administration of China (CAC) released draft Administrative Measures for Generative Artificial Intelligence (Draft Measures) on April 11, 2023. The Draft Measures, which comprise 21 articles, aim to promote a healthy development and standardized application of generative artificial intelligence (AI) technology, while allowing room for research and development in this area.

Kevin Duan, Partner at Han Kun Law Offices, analyzes the regulatory issues and potential challenges that the Draft Measures may pose in practice.

July 2023

China: Personal information protection in health and pharmaceutical industries - part two

The requirements for personal information protection in the health and pharmaceutical industries are complex. Danjun Wu, Partner at Guantao Law Firm, provides a two-part overview: part one introduces the basic requirements for personal information protection to be met by medical institutions and pharmaceutical companies, and part two introduces the specific protection obligations to be fulfilled by medical institutions and pharmaceutical companies in the key contexts of processing personal information.

June 2023

China: Personal information protection in health and pharmaceutical industries - part one

June 2023

China: Automotive data protection - key compliance requirements and challenges

Since 2021, in the wake of the Provisional Regulations on Data Security Management of the Automotive (the Automotive Data Regulations), and under the purview of China’s data protection legislation landmark legislations - the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), data protection and cybersecurity concerns have become increasingly prominent in the automotive industry. The strengthened rules in processing automotive data impose challenges for automotive companies, especially in the process of human-machine interaction, e.g., the function of 360° panoramic camera, interior remote monitoring, remote intelligent parking, etc. In this article, Sherry Gong and Tong Zhu, from Hogan Lovells, look at the key compliance requirements and challenges for automotive companies to consider when navigating data protection in China.

June 2023

International: Comparing China's Standard Contract to the EU's SCCs

As the digital economy continues to expand globally and the legal regimes of data protection vary in different jurisdictions, multinational companies carrying out cross-border data transfer activities face challenges in complying with multi-jurisdictional data protection regulations. In this context, those relatively flexible approaches for cross-border data transfers with less regulatory involvement will become important instruments for multinational companies seeking to navigate the legal landscape.

In this Insight article, Dora Luo (Duoqun), Partner at Hunton Andrews Kurth LLP, examines the similarities and differences between the Standard Contract for Cross-border Transfer of Personal Information (the Standard Contract) under the Personal Information Protection Law (PIPL) and the Standard Contractual Clauses (SCCs) under the General Data Protection Regulation (GDPR), with a particular focus on requirements, steps that must be taken before their use, circumstances that may require revision, and general comments.

June 2023

China: MLPS 2.0 - An introduction to the Baseline Standard

Part one of this series presents an overview of the Information Security Technology - Technical Requirements of Security Design for Cybersecurity Classification Protection (GB/T 25070-2019) ('the Security Design Requirements'), Part two looks at the Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity (GB/T 25058-2019) ('the 2019 Implementation Guide'), and Part three explores the Information Security Technology - Evaluation Requirements for Cybersecurity Classification Protection (GB/T 28448-2019) ('the Evaluation Requirement'). In this Insight article, Jim Fitzsimmons, Principal at Control Risks Group Limited, looks specifically at the GB/T 22239-2019 Information Security Technology – Baseline for Classified Protection of Information System Security (the Baseline Standard).

May 2023

China: Overview of the finalised Standard Contract Measures for Exporting Personal Information

On 24 February 2023, the Cyberspace Administration of China ('CAC') promulgated the finalised Standard Contract Measures for Exporting Personal Information¹ ('the Measures'), along with the Personal Information Export Standard Contract ('the Standard Contract'). The Measures will take effect on 1 June 2023. Most companies which transfer personal information out of China will need to adopt responsive measures in order to comply.

In this Insight article, Richard Qiang, Partner at DaHui Lawyers, provides a summary of the key takeaways from the Measures and the Standard Contract.

May 2023

China: Overview of guidance on building basic data systems - How to keep data development momentum going

On 2 December 2022, the Communist Party of China ('CPC') Central Committee and the State Council jointly released the Opinions on Building Basic Systems for Data to Better Play the Role of Data Factors ('the Opinions'), in order to speed up efforts to build basic systems for data, give full play to China's strengths in massive-scale data and rich application scenarios, and stimulate the potential of data factors. Dr. Annie Xue and Yang Chen, from GEN Law Firm, outline the key takeaways from the Opinions.

April 2023

International: China's Standard Contract for cross-border data transfers - What do you need to know to implement it

On 24 February 2023, the Cyberspace Administration of China ('CAC') released the final form of its key transfer mechanism for data exports - the long-awaited Personal Information Export Standard Contract ('the Standard Contract') and its accompanying Measures on the Standard Contract ('the Measures'), which set out the principles governing the use of the Standard Contract. While the Standard Contract comprises one of three transfer mechanisms under China's data protection law - the Personal Information Protection Law of the People's Republic of China ('PIPL') - the Standard Contract is anticipated to be the most popular approach for international businesses seeking to export personal information out of mainland China.

Alex Roberts, from Linklaters, and Roger Li and Tiantian Ke, from Zhao Sheng Law Firm, look at the key aspects of the Standard Contract and compare them to the EU 2021 Standard Contractual Clauses ('EU SCCs').

April 2023

China: Dissecting the SCC Measures

Great news from the Cyberspace Administration of China ('CAC') - China's Standard Contract Measures for Exporting Personal Information ('the SCC Measures') have been officially adopted by the CAC on 22 February 2023. Since this date, there officially are three approaches for data transfers under the Personal Information Protection Law ('PIPL') of the People's Republic of China ('PRC'). Without a doubt, the Chinese Standard Contractual Clauses ('SCCs') will be a great choice for small and medium-sized organisations to comply with the requirements for data transfers.

Dehao Zhang, Counsel at Fieldfisher China, discusses the SCC Measures, including requirements around Personal Information Protection Impact Assessments ('PIPIAs') and practical considerations for businesses.

March 2023

China: Unpacking requirements for Critical Information Infrastructure Operators

Critical Information Infrastructure Operators ('CIIOs') are extremely important to China's cybersecurity and national security under Chinese laws and regulations. In this Insight article, Dehao Zhang, Counsel at Fieldfisher China, dives into the definition and legal obligations of CIIOs.

China - Federal

Summary

Browse more content in China - Federal

News

Insights

Get the Latest News

Thanks for signing up!

Company

Our Policies

Your Rights

Follow us