{"id":139480,"date":"2026-04-22T09:25:42","date_gmt":"2026-04-22T09:25:42","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=139480"},"modified":"2026-04-27T14:18:38","modified_gmt":"2026-04-27T14:18:38","slug":"china-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/china-data-protection-cybersecurity\/","title":{"rendered":"China: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-139480","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-china"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Zhong Lun Law Firm LLP<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/Zhong-Lun-logo.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Zhong Lun Law Firm LLP<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/Zhong-Lun-logo.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in China<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data protection, privacy and 
cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cybersecurity Law of the People&#8217;s Republic of China (CSL), adopted on November 7, 2016 and effective from June 1, 2017, is the backbone of China\u2019s cybersecurity and data privacy protection legislation. Its first revision was adopted on October 28, 2025 and took effect on January 1, 2026. The Data Security Law of the People&#8217;s Republic of China (DSL), enacted on June 10, 2021 and effective from September 1, 2021, establishes the fundamental framework for data security governance, including data security mechanisms, protection obligations, and liabilities at both the state and data handler levels. The Personal Information Protection Law of the People&#8217;s Republic of China (PIPL), enacted on August 20, 2021 and effective from November 1, 2021, constitutes the core legislation governing personal information (PI) protection and corporate data protection compliance. Collectively, the CSL, DSL, and PIPL form the foundation of China\u2019s data regulatory framework. In addition, the Anti-Telecom and Online Fraud Law of the People&#8217;s Republic of China, effective from December 1, 2022, specifically targets the illegal use of PI in telecom and online fraud.<\/p>\n<p>In addition to these foundational laws, China\u2019s cybersecurity and data protection regime is further supported by a wide range of supplementary regulations, implementing measures, and standards. 
Key regulations and rules include, but are not limited to, the following:<\/p>\n<p><strong>Comprehensive Administrative Regulations<\/strong><\/p>\n<ul>\n<li>Regulations on the Administration of Network Data Security<\/li>\n<li>Security Protection Regulations for Critical Information Infrastructure<\/li>\n<li>Regulations on the Graded Protection for Cybersecurity (Draft for Comments)<\/li>\n<li>Administrative Regulation for Public Security Video Image Information Systems<\/li>\n<\/ul>\n<p><strong>Special Rules for Cross Border Data Transfer (CBDT)<\/strong><\/p>\n<ul>\n<li>Measures for Security Assessment of Data Outbound Transfer<\/li>\n<li>Measures for the Standard Contract for Outbound Transfer of Personal Information<\/li>\n<li>Measures for Certification of Personal Information Protection for Outbound Transfer of Personal Information<\/li>\n<li>Regulations on Promoting and Regulating Cross-Border Data Flow<\/li>\n<\/ul>\n<p><strong>Cybersecurity &amp; Data Security Management and Risk Response<\/strong><\/p>\n<ul>\n<li>Cybersecurity Review Measures<\/li>\n<li>Measures for Network Data Security Risk Assessment (Draft for Comments)<\/li>\n<li>National Administrative Measures for Cybersecurity Incident Reporting<\/li>\n<\/ul>\n<p><strong>Artificial Intelligence Governance Norms<\/strong><\/p>\n<ul>\n<li>Interim Measures for the Management of Generative Artificial Intelligence Services<\/li>\n<li>Measures for the Management of Deep Synthesis Internet Information Services<\/li>\n<li>Interim Administrative Measures for the Management of Anthropomorphic Interactive AI Services (Draft for Comments)<\/li>\n<li>Administrative Service Measures for the Management of Artificial Intelligence Science and Technology Ethics (for Trial Implementation, Draft for Comments)<\/li>\n<\/ul>\n<p><strong>Large-scale Platform Supervision &amp; Algorithm Governance<\/strong><\/p>\n<ul>\n<li>Provisions on Personal Information Protection of Large-scale Online Platforms (Draft for 
Comments)<\/li>\n<li>Provisions on the Establishment of Personal Information Protection Supervision Committees by Large-scale Online Platforms (Draft for Comments)<\/li>\n<li>Administrative Provisions on Algorithm Recommendation for Internet Information Services<\/li>\n<li>Guiding Opinions on Strengthening the Comprehensive Governance of Internet Information Service Algorithms<\/li>\n<li>Anti-monopoly Guidelines of the Anti-monopoly Commission of the State Council on Platform Economy<\/li>\n<\/ul>\n<p><strong>Special Regulatory Systems for Minor Protection<\/strong><\/p>\n<ul>\n<li>Regulations on the Protection of Minors Online<\/li>\n<li>Measures for the Identification of Online Platform Service Providers with a Huge Number of Minor Users and Significant Impact on Minors<\/li>\n<li>Classification Measures for Online Information That May Harm the Physical and Mental Health of Minors<\/li>\n<\/ul>\n<p><strong>Other Key Implementing Rules &amp; Certification Norms<\/strong><\/p>\n<ul>\n<li>National Administrative Measures for Public Service of Network Identity Authentication<\/li>\n<li>Administrative Measures for the Compliance Audit of Personal Information Protection<\/li>\n<\/ul>\n<p><strong>Industry-Specific Data Security Norms<\/strong><\/p>\n<p>The competent authorities in various industries will also issue their own sector-specific rules based on the overarching framework, for example:<\/p>\n<ul>\n<li>Administrative Measures for Data Security in the Business Field of the People&#8217;s Bank of China<\/li>\n<li>Administrative Measures for Data Security of Banking and Insurance Institutions<\/li>\n<li>Administrative Measures on Data Security in the Field of Industry and Information Technology (for Trial Implementation)<\/li>\n<\/ul>\n<p>This layered legislative framework and its supporting norms establish a nationwide supervisory mechanism binding on network operators, data handlers, enterprises, public institutions, and relevant social organizations. 
The regulatory scope covers nearly all online business activities, PI, important data, core business data, AI-generated content, and minor-related online information. Enforcement is carried out by multiple competent authorities, including the Cyberspace Administration of China (CAC), public security organs, industry and information technology departments, financial regulatory authorities, and market supervision departments, through both routine supervision and coordinated law enforcement. Non-compliance may give rise to a full range of legal consequences, including civil liability, administrative penalties such as fines, orders for rectification, and suspension of business, and, in serious cases, criminal liability.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Recent years have witnessed accelerated and significant legislative developments shaping China\u2019s unified legal and regulatory framework for cybersecurity, personal privacy, and data protection, with an increasing emphasis on refined institutional arrangements and operable compliance obligations.<\/p>\n<p>To enhance the foundational governance system, China completed the first official amendment to the CSL. 
Adopted on October 28, 2025, and effective from January 1, 2026, the revised CSL strengthens legal liability provisions, clarifies the supervision of emerging technologies such as artificial intelligence, and achieves systematic alignment with the PIPL and the DSL, thereby consolidating the three-pillar regulatory framework. With respect to PI protection compliance, the Administrative Measures for the Compliance Audit of Personal Information Protection, effective from May 1, 2025, standardize compliance audit activities of PI handlers and strengthen the protection of PI rights and interests.<\/p>\n<p>Other key dimensions are as follows.<\/p>\n<p><strong>Precise Identification and Targeted Regulation of Large-scale Online Platforms<\/strong><\/p>\n<p>Specialized identification and regulatory rules for specific categories of large-scale online platforms have been formally introduced. For example, in February 2026, eight departments, including CAC, jointly issued the Measures for the Identification of Online Platform Service Providers with a Huge Number of Minor Users and Significant Impact on Minors, which took effect on April 1, 2026. These Measures establish specific user thresholds and comprehensive impact assessment criteria. At the same time, regulatory rules applicable to general large-scale online platforms\u2014defining identification criteria and imposing specific obligations, such as the establishment of independent PI protection supervision bodies\u2014including the Provisions on Personal Information Protection of Large-scale Online Platforms, are expected to be further refined. 
This indicates that platform regulation is entering a stage of categorization, grading, and more precise supervision.<\/p>\n<p><strong>Refinement and Implementation of Supporting Legislation for Important Data Security Management<\/strong><\/p>\n<p>Building upon the important data protection regime under the DSL, supporting regulations across sectors have been introduced intensively. These include the Measures for the Security Management of Data in the Energy Industry (Trial), issued by the National Energy Administration and effective from July 1, 2026, the Implementation Plan for Enhancing Data Security Capabilities in the Industrial Sector (2024\u20132026), issued by the Ministry of Industry and Information Technology (MIIT), and the Measures for the Security Management of Data in the Business Areas of the People&#8217;s Bank of China. In addition, sector-specific guidelines for CBDT have been issued in industries such as finance and automotive, including the Compliance Guidelines for Promoting and Regulating Cross-border Data Flow in the Financial Industry (April 2025) and the Guidance for the Security of Cross-border Transfer of Automotive Data (2026 Edition). These instruments aim to establish a full-process governance framework covering the identification, protection, risk assessment, and outbound transfer management of important data.<\/p>\n<p><strong>Institutionalization of Cybersecurity Incident Reporting<\/strong><\/p>\n<p>The National Administrative Measures for Cybersecurity Incident Reporting were officially issued on September 15, 2025, and took effect on November 1, 2025. These Measures establish a nationally unified framework for cybersecurity incident reporting, clarifying classification standards, reporting entities, procedures, time limits, including the requirement that incidents involving critical information infrastructure be reported within one hour, and multi-channel reporting mechanisms. 
This marks the entry of cybersecurity emergency response and incident reporting into a stage of standardization and mandatory compliance.<\/p>\n<p><strong>Continuous Issuance and Iteration of AI-specific Technical and Normative Rules<\/strong><\/p>\n<p>A series of supporting normative documents have been intensively issued or opened for public comment. For example, CAC solicited public comments on the Interim Administrative Measures for the Management of Anthropomorphic Interactive AI Services (Draft for Comments), and MIIT and other departments sought opinions on the Administrative Service Measures for the Management of Artificial Intelligence Science and Technology Ethics (for Trial Implementation, Draft for Comments). Together with already effective regulations such as the Interim Measures for the Management of Generative Artificial Intelligence Services and the Measures for the Management of Deep Synthesis Internet Information Services, these instruments collectively form a full-lifecycle regulatory system governing generative and synthetic AI applications.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In China, clear and prominent enforcement trends and regulatory priorities have emerged in the areas of privacy protection, data security, and cybersecurity supervision, primarily reflected in the following key dimensions.<\/p>\n<p><strong>First, intensified supervision and enforcement in CBDT<\/strong><\/p>\n<p>With the comprehensive implementation and normalization of supporting rules for CBDT, including security 
assessment, standard contracts, and PI protection certification, regulatory certainty has increased. Authorities such as CAC continue to carry out targeted inspections of corporate outbound data activities, with formal penalties and judicial cases emerging in practice. In addition to administrative rectification orders and penalties imposed by regulators, civil tort litigation relating to the illegal outbound transfer of PI has also emerged in judicial practice, forming a dual governance structure combining administrative enforcement and civil liability.<\/p>\n<p><strong>Second, advancement of special rectification and filing supervision in AI and algorithm governance<\/strong><\/p>\n<p>Filing management for generative AI services and algorithm recommendation services has become routine. Regulatory authorities conduct dynamic spot checks and ledger management throughout the service lifecycle. Pursuant to regulations such as the Measures for the Management of Deep Synthesis Internet Information Services and the Interim Measures for the Management of Generative Artificial Intelligence Services, together with mandatory labeling requirements, local regulators have imposed formal administrative penalties for violations including failure to file, non-compliant content labeling, and improper algorithmic applications. This marks the entry of the AI regulatory framework into a stage of substantive enforcement.<\/p>\n<p><strong>Third, refinement of supporting mechanisms for cybersecurity incident reporting<\/strong><\/p>\n<p>National-level provisions concerning the classification, triggering conditions, time limits, and hierarchical reporting obligations for cybersecurity incidents are being continuously optimized. 
Related specific reporting requirements and platform mechanisms are also being clarified, requiring entities to conduct real-time monitoring, emergency response, and mandatory reporting of cybersecurity risks and incidents, with a view to achieving standardized, full-process supervision.<\/p>\n<p><strong>Fourth, full implementation of routine PI protection compliance audits and oversight inspections<\/strong><\/p>\n<p>Through special governance campaigns, regulators continue to strengthen supervision over PI processing activities across a wide range of scenarios, including apps, mini-programs, SDKs, and smart devices. Key annual special governance actions continue to prioritize the rectification of the use of AI for illegal activities, the combating of online rumors and false information, the strengthening of cybersecurity reviews of key entities, and the investigation of security risks relating to important data, thereby comprehensively enhancing the rigidity and deterrent effect of the overall regulatory framework.<\/p>\n<p>Furthermore, in accordance with regulations such as the Administrative Measures for the Compliance Audit of Personal Information Protection, compliance audits for PI protection are now being carried out, and audits focused specifically on the protection of minors\u2019 PI have already begun to be submitted to regulators.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? 
What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>Cybersecurity Multi-Level Protection Scheme (MLPS) under the CSL<\/strong><\/p>\n<p>The CSL establishes the Cybersecurity Multi-Level Protection Scheme (MLPS), which applies to network operators that build, operate, maintain, or use networks within China. For networks classified at Level 2 or above, network operators are required to complete record-filing procedures with the competent public security authorities. Failure to comply with this requirement may result in administrative penalties or criminal liability.<\/p>\n<p><strong>Algorithm and AI Model Filing<\/strong><\/p>\n<p>Under Article 24 of the Administrative Provisions on Algorithm Recommendation for Internet Information Services, entities that provide algorithm recommendation services with \u201cpublic opinion attributes or social mobilization capabilities\u201d must complete filing procedures with the local CAC.\u00a0 Services confirmed to lack such attributes, or that are not provided to the public, are exempt from this filing requirement.<\/p>\n<p>For generative AI services, under the Interim Measures for the Management of Generative Artificial Intelligence Services, providers offering generative AI services to the public within China must conduct a security assessment and complete algorithm filing procedures if they possess the above attributes. Furthermore, entities that have self-developed or re-developed large models must complete a dedicated large model filing procedure with the national CAC. 
By contrast, entities that use the application programming interfaces (APIs) of already-filed large models to provide generative AI services to the public are required to complete a function-call registration procedure with the relevant authorities.<\/p>\n<p><strong>CBDT Mechanisms<\/strong><\/p>\n<p>Key registration and filing requirements under the PIPL primarily apply to entities engaging in CBDT activities. The PIPL establishes three principal pathways, each with its own scope of application.<\/p>\n<ul>\n<li><strong>Security Assessment (organized by CAC):<\/strong> mandatory for (i) Critical Information Infrastructure Operators (CIIOs) transferring PI or important data, (ii) any other data handler transferring important data, and (iii) PI handlers transferring PI (excluding SPI) of 1 million or more individuals, or transferring sensitive personal information (SPI) of 10,000 or more individuals, counted cumulatively from January 1 of the relevant year.<\/li>\n<li><strong>Standard Contract:<\/strong> applicable to PI handlers that do not meet the thresholds for mandatory security assessment and do not qualify for the exemptions, i.e. non-CIIO PI handlers transferring PI (excluding SPI) of between 100,000 and 1 million individuals, or SPI of fewer than 10,000 individuals, counted cumulatively from January 1 of the relevant year. The executed standard contract must be filed with the provincial-level CAC within 10 working days of taking effect.<\/li>\n<li><strong>Personal Information Protection Certification:<\/strong> a voluntary, market-oriented mechanism conducted by qualified certification bodies, available to the same range of PI handlers as the standard contract.<\/li>\n<li><strong>Exemptions:<\/strong> Pursuant to the Regulations on Promoting and Regulating Cross-Border Data Flow, data export activities that meet specific conditions, such as necessity for contract performance, cross-border human resources management, emergency protection of individuals, or circumstances where the cumulative volume of PI (excluding SPI) exported since January 1 of the relevant year is fewer than 100,000 individuals, are exempt from the security assessment, standard contract, and certification requirements, provided that such activities do not 
involve important data or CIIO data.<\/li>\n<\/ul>\n<p><strong>Important Data Risk Assessment Reports<\/strong><\/p>\n<p>For the protection of important data, Article 30 of the DSL imposes an obligation on data handlers to regularly assess the risks associated with the processing of important data and to submit the relevant reports to the competent authorities. Certain sectors have already established more detailed reporting regimes. For example, the financial and automotive sectors have introduced specialized reporting requirements under their respective regulations.<\/p>\n<p><strong>Other Specific Licensing and Filing Obligations<\/strong><\/p>\n<p>Article 34 of the DSL provides that where laws and administrative regulations require administrative licences for the provision of services relating to data processing, the service provider must obtain the relevant licence or licences in accordance with law. Article 25 of the DSL further aligns with export control laws by providing that data relating to the safeguarding of national security and interests that falls within controlled items is subject to export control laws. Under the List of Technologies Prohibited or Restricted from Export (2025), the export of restricted technologies, including certain AI interface technologies, requires an export licence from MOFCOM.<\/p>\n<p>PI handlers located overseas that process PI of natural persons in China for the purpose of offering products or services or analysing their behaviour are subject to the PIPL. Such overseas entities are required to establish a special agency or appoint a representative within China and register it with the local CAC. 
In addition, under the Administrative Provisions on the Application Security of Facial Recognition Technology (the \u201cFacial Recognition Provisions\u201d), jointly issued by the CAC and the Ministry of Public Security (MPS) on March 13, 2025, with an effective date of June 1, 2025, a PI handler that stores facial information of more than 100,000 individuals is required to file with the local CAC.<\/p>\n<p>Failure to comply with the above registration, filing, and licensing requirements will primarily result in administrative penalties imposed by the relevant regulatory authorities, such as CAC, public security organs, and market regulators. Depending on the violated law and the severity of the circumstances, such penalties may include: orders to rectify or cease violations, warnings and confiscation of illegal gains, monetary fines, and suspension or revocation of permits or licences.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? Does the definition broadly include information about all individuals? 
For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Article 4 of the PIPL, PI is defined as \u201cvarious kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, excluding information that has been anonymized.\u201d According to Article 73 of the PIPL, \u201cAnonymization\u201d refers to processing PI in such a way that a specific natural person cannot be identified and the information cannot be restored. Anonymized information is not regarded as PI.<\/p>\n<p>This definition broadly includes information relating to all identifiable natural persons. It does not exclude information concerning individuals acting in a business, commercial, or professional capacity.<\/p>\n<p>However, Article 72 of the PIPL provides an exclusion. It states that the PIPL does not apply to the processing of PI by natural persons for personal household affairs. Accordingly, purely personal or domestic processing falls outside the scope of the law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction?  
Please include the relevant defined terms for such data (e.g., \u201cspecial categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Certain categories of PI are subject to heightened requirements under China\u2019s data protection framework. The principal category is SPI under the PIPL. SPI, as defined in Article 28 of the PIPL, means PI that, once leaked or illegally used, is likely to cause detriment to the dignity of a natural person or damage to personal or property safety. The non-exhaustive statutory list includes biometric identification, religious beliefs, specific identities, medical health, financial accounts, whereabouts and tracks, as well as the PI of minors under the age of 14.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PIPL sets out a comprehensive set of principles governing PI processing, which apply throughout the entire lifecycle of PI processing activities. In this respect, the PIPL is broadly similar to the GDPR. 
The key principles include:<\/p>\n<table>\n<thead>\n<tr>\n<td width=\"269\"><strong>PIPL<\/strong><\/td>\n<td width=\"283\"><strong>GDPR (Art.5)<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"269\"><strong>Lawfulness, legitimacy, necessity and good faith (Art.5)<\/strong><\/td>\n<td width=\"283\">Lawfulness, fairness and transparency<\/td>\n<\/tr>\n<tr>\n<td width=\"269\"><strong>Purpose limitation (Art.6)<\/strong><\/td>\n<td width=\"283\">Purpose limitation<\/td>\n<\/tr>\n<tr>\n<td width=\"269\"><strong>Data minimization (Art.6)<\/strong><\/td>\n<td width=\"283\">Data minimization<\/td>\n<\/tr>\n<tr>\n<td width=\"269\"><strong>Transparency (Art.7)<\/strong><\/td>\n<td width=\"283\">Lawfulness, fairness and transparency<\/td>\n<\/tr>\n<tr>\n<td width=\"269\"><strong>PI quality (Art.8)<\/strong><\/td>\n<td width=\"283\">Accuracy<\/td>\n<\/tr>\n<tr>\n<td width=\"269\"><strong>Accountability (Art.9)<\/strong><\/td>\n<td width=\"283\">Accountability<\/td>\n<\/tr>\n<tr>\n<td width=\"269\"><strong>Data security (Art.9)<\/strong><\/td>\n<td width=\"283\">Integrity and confidentiality<\/td>\n<\/tr>\n<tr>\n<td width=\"269\"><strong>None [1]<\/strong><\/td>\n<td width=\"283\">Storage limitation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Chart 1. Principles (PIPL v. GDPR)<\/p>\n<p><em>[1] Though the PIPL, as opposed to the GDPR, does not include storage limitation in the principles relating to PI processing, it specifies in its Art.19 that PI shall be kept for the minimum period necessary for achieving the purpose of processing, unless otherwise stipulated by laws and administrative regulations.<\/em><\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? 
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Article 13 of the PIPL, there are seven legal bases for PI processing:<\/p>\n<ul>\n<li>consent;<\/li>\n<li>necessity for the performance of a contract or for human resource management;<\/li>\n<li>necessity for the performance of statutory obligations;<\/li>\n<li>protection of vital interests in public health incidents or emergencies;<\/li>\n<li>acts in the public interest, such as news reporting and public opinion supervision, within a reasonable scope;<\/li>\n<li>processing, within a reasonable scope, of PI that has been publicly disclosed by the individual or otherwise lawfully disclosed; and<\/li>\n<li>other circumstances prescribed by laws and administrative regulations.<\/li>\n<\/ul>\n<p>In general, consent is typically required where the processing is not solely intended for the provision of services or products and no other legal basis applies. For example, consent is normally required for targeted advertising and promotional marketing purposes.<\/p>\n<p>Articles 14 and 15 of the PIPL provide that valid consent must be fully informed, freely given, explicit, and easy to withdraw. Where PI processing is based on consent, individuals have the right to withdraw that consent, and PI handlers must provide a convenient withdrawal channel. The validity of processing activities carried out prior to withdrawal is not affected. Under Article 16 of the PIPL, a PI handler may not refuse to provide products or services on the ground that an individual declines to consent or withdraws consent, unless the processing is necessary for providing those products or services. 
Article 22 of the Regulations on the Administration of Network Data Security further sets out detailed requirements on consent, including that consent must not be requested repeatedly after an individual has explicitly rejected the processing of his or her PI.<\/p>\n<p>The PIPL further requires \u201cseparate consent\u201d for certain processing activities, including the provision of PI to other PI handlers, the provision of PI to an overseas party, the disclosure of PI, and the processing of SPI. The Measures for the Standard Contract for Outbound Transfer of Personal Information further clarifies that the separate-consent requirement for the provision of PI to an overseas party applies only where consent is the legal basis for the underlying PI processing activity, which sheds light on the relationship between separate consent and other legal bases under the PIPL. To satisfy the requirement to obtain separate consent, PI handlers must at least ensure that individuals are permitted to consent to particular processing activities separately, rather than being required to provide bundled consent.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? 
Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As a general rule, the processing of SPI triggers heightened obligations, including:<\/p>\n<ul>\n<li>obtaining separate consent, unless another applicable legal basis exists;<\/li>\n<li>satisfying enhanced informing obligations, including clear notice of the necessity of the processing and its potential impact on individuals\u2019 rights and interests; and<\/li>\n<li>implementing stricter security protection measures.<\/li>\n<\/ul>\n<p>China does not have a list of prohibited categories of PI. However, sector-specific rules may restrict or prohibit the collection, disclosure, or other processing of certain categories of PI. For example, the Regulations on the Administration of Credit Investigation prohibit credit investigation entities from collecting an individual\u2019s religious beliefs, genes, fingerprints, blood types, diseases, or medical history information, except as otherwise provided by law.<\/p>\n<p>For the special rules applicable to minors\u2019 PI, see <strong>Q10<\/strong>. For the special rules applicable to biometric data and facial recognition, see <strong>Q25<\/strong>.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restrictions, or rules regarding the collection, use, disclosure or processing of personal information from or about children or minors? 
If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. China\u2019s data protection laws impose enhanced obligations for the processing of minors\u2019 personal information, and in particular children under 14, whose personal information is expressly classified as sensitive personal information (SPI) under the PIPL. The primary legal basis is the PIPL, supplemented by the Regulations on the Protection of Minors Online and the Provisions on the Cyber Protection of Children\u2019s Personal Information.<\/p>\n<p>In addition to the general rules applicable to personal information processing, PI handlers must comply with the following requirements when processing children\u2019s personal information:<\/p>\n<ul>\n<li>obtaining the separate consent of the minor\u2019s parent or guardian;<\/li>\n<li>establishing and publishing specialized PI processing rules for children;<\/li>\n<li>adhering strictly to the principle of minimum necessity, with processing purposes required to be specific, legitimate, and limited;<\/li>\n<li>ensuring that the use of the relevant PI does not exceed the scope agreed with the parent or guardian;<\/li>\n<li>implementing stricter security measures, including access controls based on the principle of least privilege, encryption, and regular risk assessments;<\/li>\n<li>conducting regular compliance audits regarding the protection of minors\u2019 information; and<\/li>\n<li>complying with additional sector-specific rules in areas such as online services, online gaming, and education.<\/li>\n<\/ul>\n<p>For the general SPI framework, see <strong>Q9<\/strong>. 
Where biometric data or facial recognition information of minors is involved, see <strong>Q25<\/strong>.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. The PIPL and the Regulations on the Administration of Network Data Security do not apply to the processing of PI by a natural person for his or her personal or family affairs. In addition, where laws contain specific provisions on the processing of PI in the context of statistical and archive administration organized and implemented by governments at all levels and their relevant departments, those specific provisions prevail.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. China\u2019s data protection framework requires privacy risk or impact assessments in certain circumstances and also imposes compliance-audit obligations in relation to PI processing activities. 
In addition, the broader CBDT framework requires security assessment in specified outbound transfer scenarios.<\/p>\n<p><strong>PI Protection Impact Assessment<\/strong><\/p>\n<p>Under Article 55 of the PIPL, a PI handler must conduct a PI protection impact assessment (PIA) before processing in the following circumstances:<\/p>\n<ul>\n<li>processing SPI;<\/li>\n<li>use of PI for automated decision-making;<\/li>\n<li>entrusting the processing of PI to an entrusted party, provision of PI to other PI handlers, or public disclosure of PI;<\/li>\n<li>cross-border transfer of PI; or<\/li>\n<li>other PI processing activities that may have a significant impact on the rights and interests of individuals.<\/li>\n<\/ul>\n<p>Under Article 56 of the PIPL, the PIA must address:<\/p>\n<ul>\n<li>whether the purpose and method of the processing activities are lawful, legitimate, and necessary;<\/li>\n<li>the impact on the rights and interests of individuals and the relevant security risks; and<\/li>\n<li>whether the protection measures adopted are lawful, effective, and proportionate to the degree of risk.<\/li>\n<\/ul>\n<p>Where the PIA is triggered by the processing of facial information through facial recognition technology, the assessment must additionally address the risks of breach, tampering, loss, damage, or illegal acquisition, sale, or use of facial information, as well as the possible resulting harm, in accordance with Article 9 of the Facial Recognition Provisions. For the applicable rules relating to facial information, see Q25.<\/p>\n<p>PIA reports and related documentation must be retained for at least three years. In the context of cross-border PI transfers conducted on the basis of the Measures for the Standard Contract for Outbound Transfer of Personal Information, the PIA report must also be filed with the local CAC together with the executed standard contract. 
For the applicable CBDT mechanisms, see Q28.<\/p>\n<p><strong>PI Protection Compliance Audits<\/strong><\/p>\n<p>Article 54 of the PIPL requires PI handlers to conduct regular compliance audits of their PI processing activities. The Administrative Measures for the Compliance Audit of Personal Information Protection, issued by CAC and effective from May 1, 2025, further provide that PI handlers processing the PI of more than 10 million individuals must conduct such audits at least once every two years.<\/p>\n<p>PI handlers may conduct the audit themselves or entrust a professional organization to do so. In certain circumstances, such as where PI processing activities present significant security risks or cause harm to the rights and interests of individuals, regulatory authorities may require the PI handler to entrust a professional organization to conduct the audit. Such audits must be carried out by reference to the audit guidance officially attached to the Administrative Measures for the Compliance Audit of Personal Information Protection.<\/p>\n<p><strong>CAC Security Assessment for CBDT<\/strong><\/p>\n<p>The CSL, the DSL, and the PIPL together establish the broader CBDT regulatory framework in China. PI and important data generated and collected in China by CIIOs during their operations, as well as PI generated and collected by PI handlers in China that reaches the threshold prescribed by CAC, must in principle be stored in China and, where it is genuinely necessary to transfer such data outside China, must pass the CAC security assessment. 
For the applicable CBDT framework, see Q28.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. In China, specific requirements applicable to PI processing are set out not only in laws and administrative regulations, but also in supporting regulatory documents, national standards, and cybersecurity standard guidelines addressing particular types of processing activities. These include, for example, the Regulations on the Protection of Minors Online, the Provisions on the Cyber Protection of Children\u2019s Personal Information, and the Facial Recognition Provisions. In addition, national standards and cybersecurity standard guidelines issued by the National Technical Committee 260 on Cybersecurity of the Standardization Administration of China (TC260) also address particular data processing activities. Examples include the national standard GB\/T 45574-2025, Information Security Technology \u2014 Security Requirements for Processing of Sensitive Personal Information and TC260-PG-20251A, Cybersecurity Standard Guideline \u2014 Requirements for the Security Protection of Personal Information in Facial Recognition Payment Scenarios.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? 
If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Organisations are required, or at least strongly expected, to maintain certain records of their data processing activities and related internal documentation. The CSL requires network operators to maintain records of network operation status and security incidents, with relevant network logs preserved for at least six months. Failure to comply may result in rectification orders, warnings, administrative fines, or even suspension, termination of related business operations, or revocation of related business licences.<\/p>\n<p>The PIPL further requires PI handlers to retain PIA reports and related documentation for at least three years. Article 12 of the Regulations on the Administration of Network Data Security additionally provides that records of processing activities relating to PI and important data that are provided to other PI handlers or entrusted to entrusted parties must be retained for at least three years. For the applicable PIA requirements, see Q12.<\/p>\n<p>In addition, GB\/T 35273-2020, Information Security Technology \u2014 Personal Information Security Specification recommends that PI handlers establish, maintain, and update records of processing activities. 
Such records may include:<\/p>\n<ul>\n<li>the type, volume, and source of the PI involved;<\/li>\n<li>the purpose or purposes and business scenarios of the PI processing activities, including whether they involve entrusting processing to an entrusted party, joint processing, provision of PI to other third parties, or cross-border transfer of PI; and<\/li>\n<li>the information systems, organizations, or personnel related to the processing activities.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically impose data retention limitations? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes.<\/p>\n<p>The core framework is established by the PIPL, with more specific periods prescribed under sectoral regulations. Article 19 of the PIPL provides that the retention period of PI must be the minimum period necessary to achieve the purpose of processing, unless otherwise stipulated by laws or administrative regulations. The Regulations on the Administration of Network Data Security further provides that, where it is difficult to specify a fixed retention period, the PI handler must inform the individual of the method used to determine that retention period.<\/p>\n<p>Article 47 of the PIPL requires PI handlers to delete PI in specified circumstances, including where the purpose of processing has been fulfilled, the retention period has expired, the individual has withdrawn consent, or the processing is unlawful. Where deletion is technically impossible, the PI handler must cease all processing other than storage and necessary security protection.<\/p>\n<p>More specific periods are prescribed under sectoral regulations. 
For example, under the Regulations on the Administration of Credit Investigation, personal negative information must generally be retained for five years from the date of termination of the relevant event.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Unlike the GDPR, the PIPL does not establish a mandatory prior consultation mechanism. Nor do the CSL, the DSL, or related administrative regulations impose a general obligation to consult with data protection regulators in advance.<\/p>\n<p>However, in practice, companies may conduct prior consultations or enquiries with competent authorities in relation to specific compliance matters, such as the application of the cybersecurity review regime or licensing requirements for particular data processing activities. Such consultations are typically undertaken to facilitate compliance and to ensure alignment with regulatory expectations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. 
China\u2019s data protection laws impose differentiated requirements for the appointment of responsible personnel, depending on the scale of PI processing and the type of data involved. The principal legal bases are the PIPL, the DSL, and supporting regulations.<\/p>\n<p><strong>Responsible Person for PI Protection<\/strong><\/p>\n<p>PI handlers that, since January 1 of the relevant year, have processed the PI of more than 1 million individuals are required to appoint a responsible person for PI protection. This role is broadly analogous to a data protection officer under the GDPR. The PI handler must publicly disclose that person\u2019s contact details and submit his or her name and contact information to the relevant competent authorities. In practice, the filing of the responsible person\u2019s information is a common focus in compliance audits and in reporting obligations associated with mechanisms such as standard contract filings and security assessment declarations. Regulators also examine whether the appointed person is effectively discharging his or her duties.<\/p>\n<p><strong>Responsible Person for Data Security<\/strong><\/p>\n<p>Data handlers of important data are required to designate a person or persons responsible for data security, as well as a management body responsible for fulfilling data security protection duties. The Regulations on the Administration of Network Data Security further provides that such person should possess relevant professional knowledge, have management experience, and be a member of the data handler\u2019s management team.<\/p>\n<p><strong>Responsible Person for Automotive Data Security Management<\/strong><\/p>\n<p>Automotive data handlers handling important data must appoint a responsible person for automotive data security management, together with a User Rights Affairs Contact. 
The names and contact details of these appointees must be included in the annual data security management report submitted to the provincial-level CAC.<\/p>\n<p><strong>Representative for Overseas PI Handlers<\/strong><\/p>\n<p>Overseas PI handlers that are subject to the PIPL, such as those offering products or services to individuals in China, must establish a dedicated agency or appoint a representative within China. The designated agency or representative must be registered with the competent provincial-level CAC, and its name and contact information must be provided.<\/p>\n<p>The core responsibilities of these designated persons or roles generally include:<\/p>\n<ul>\n<li>supervising PI or data processing activities and the implementation of protection measures;<\/li>\n<li>organizing and taking responsibility for compliance audits relating to PI protection or data security;<\/li>\n<li>serving as the point of contact for individuals and regulatory authorities, and receiving related complaints and reports; and<\/li>\n<li>in the case of the person responsible for data security, directly reporting the data security situation to the competent authorities.<\/li>\n<\/ul>\n<p>Failure to appoint the required responsible person or persons, or failure to ensure the effective performance of their duties, constitutes non-compliance. The organization may be subject to administrative penalties. In addition, the person directly in charge and other directly responsible personnel, which will typically include the appointed responsible person or persons, may also be subject to administrative fines and, in serious cases, potential criminal liability.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? 
If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Chinese data protection laws impose both general and specific obligations in relation to employee training on data protection and data security. Under Article 27 of the DSL, entities engaging in data processing activities are required to conduct data security education and training to safeguard data security. Article 30 of the Regulations on the Administration of Network Data Security further provides that the management body responsible for network data security must regularly organize education activities on network data security. Failure to comply may result in rectification orders, warnings, administrative fines, suspension or termination of relevant business operations, and even revocation of relevant business licences or permits.<\/p>\n<p>More specifically, Article 51 of the PIPL requires PI handlers to conduct regular education and training for employees in relation to PI security and protection. In addition, Items 19 and 21 of the audit guidance attached to the Administrative Measures for the Compliance Audit of Personal Information Protection recommend that PI handlers establish and implement a security education and training programme tailored to management personnel, technical personnel, operators, and other employees, and also assess the awareness and skills of relevant personnel in relation to PI protection. 
The content, method, target audience, and frequency of such training should be designed to meet the needs of PI protection.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. The PIPL establishes transparency as a core principle and requires PI handlers to provide clear, comprehensive, and timely notice to individuals regarding their PI processing activities. In practice, these requirements are generally implemented through online privacy policies or notices.<\/p>\n<p>Articles 7 and 17 of the PIPL lay down the basic notice requirements. 
Before processing any PI of an individual, the PI handler must provide clear, accurate, and complete information about the processing activities, including:<\/p>\n<ul>\n<li>the name and contact details of the PI handler;<\/li>\n<li>the purpose and method of processing, and the categories of PI processed;<\/li>\n<li>the retention period of PI and the disposal method upon expiry; and<\/li>\n<li>the methods and procedures by which individuals may exercise their rights in relation to their PI.<\/li>\n<\/ul>\n<p>Additional disclosure obligations apply in specific scenarios, including where PI is provided to other PI handlers, where SPI is processed, or where PI is transferred overseas.<\/p>\n<p>Article 21 of the Regulations on the Administration of Network Data Security further requires the rules governing PI processing to be displayed in a centralized and public manner that is easily accessible and placed in a conspicuous position. The content must be clear, specific, and easy to understand. The privacy policy must be delivered to each individual in a noticeable manner, such as by means of a tick box or pop-up window on the account registration page, before any PI is collected, and must remain easily accessible thereafter, for example on a website homepage or in an APP\u2019s user settings section.<\/p>\n<p>When compliance with notice obligations is audited, both the content of the notice and the method of its delivery are examined. 
Key audit points include:<\/p>\n<ul>\n<li>whether all required information is provided truthfully, accurately, and completely;<\/li>\n<li>whether the collected information is listed clearly, for example by category;<\/li>\n<li>whether the stated purposes are directly related to the relevant processing and the methods used are the least intrusive;<\/li>\n<li>whether retention periods and the methods for exercising rights are clearly stated;<\/li>\n<li>whether notice is provided in a conspicuous manner and in clear language before processing;<\/li>\n<li>whether text size, font, and color facilitate reading;<\/li>\n<li>whether effective online and offline delivery methods are used; and<\/li>\n<li>whether individuals are informed of changes to the processing rules.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. China\u2019s data protection laws distinguish between the responsibilities of a PI handler and those of an entrusted party. The PIPL defines a PI handler under Article 73, which is broadly analogous to a controller under the GDPR, as any organization or individual that independently determines the purpose and method of processing in PI processing activities. 
By contrast, entrusted parties are entities that process PI on behalf of a PI handler and strictly in accordance with the PI handler\u2019s instructions.<\/p>\n<p>Under the PIPL, PI handlers bear primary responsibility for the lawfulness of processing and for overall compliance. Article 59 of the PIPL provides that entrusted parties must take necessary measures, in accordance with laws and relevant administrative regulations, to ensure the security of the processed PI and to assist the PI handler in fulfilling its obligations under the PIPL.<\/p>\n<p>Article 21 of the PIPL further requires that where a PI handler entrusts another party with PI processing, the parties must agree on the purpose, duration, and method of the entrusted processing, the type of PI involved, the protection measures to be adopted, and the respective rights and obligations of both parties. The entrusted party must process PI in accordance with that agreement and may not process PI beyond the agreed purpose or method. If the entrustment agreement becomes ineffective, invalid, revoked, or terminated, the entrusted party must return the PI to the PI handler or delete it, and must not retain it. In addition, the entrusted party may not sub-entrust the processing without the prior consent of the PI handler.<\/p>\n<p>The PI handler is also required to conduct a PIA and oversee the entrusted party\u2019s activities to ensure that the entrusted party has the necessary data security capabilities and complies with applicable legal requirements. For the applicable PIA requirements, see Q12.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. 
How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to Article 73 of the PIPL, automated decision-making means the activity of automatically analyzing and evaluating an individual\u2019s behavioral habits, interests and preferences, or their financial, health and credit status, among others, by way of computer programs, and making decisions accordingly.<\/p>\n<p>Under Article 24 of the PIPL, automated decision-making must be transparent and fair. Individuals are entitled to request an explanation and to refuse decisions that have a significant impact on their rights and interests. In addition, where automated decision-making is used for commercial advertising or the pushing of notices, PI handlers must provide a non-personalized option or a convenient means for individuals to refuse such personalization.<\/p>\n<p>Article 42 of the Regulations on the Administration of Network Data Security further provides that, where network platform service providers push notices to individuals through automated decision-making, the option to disable personalized recommendations must be easy to understand, access, and operate. Such providers must also provide users with functions enabling them to refuse pushed information and to delete user tags targeted at their personal characteristics. 
Automated decision-making, including algorithm recommendation technologies, has accordingly become a focus of regulatory scrutiny in China.<\/p>\n<p>The national standard GB\/T 45392-2025, Data Security Technology \u2014 Security Requirements for Automated Decision-Making Based on Personal Information further sets out detailed technical and management requirements, including:<\/p>\n<ul>\n<li>conducting a security impact assessment before deployment;<\/li>\n<li>ensuring the explainability of the decision logic and results;<\/li>\n<li>providing effective channels for human intervention; and<\/li>\n<li>implementing data security measures throughout the automated decision-making lifecycle.<\/li>\n<\/ul>\n<p>Under the CSL and the PIPL framework, tracking technologies such as cookies are not prohibited as such. However, data collected through cookies, such as web browsing records, click records, and favorites, constitutes PI and is therefore subject to China\u2019s data protection laws. In light of the applicable legal requirements and prevailing industry practice, PI handlers should inform individuals of the use of cookies, particularly third-party cookies, for example through cookie policies, obtain prior consent, especially for targeting or advertising cookies, and provide an opt-out mechanism that is as convenient as the mechanism for granting consent.<\/p>\n<p>It is also necessary to take into account the governance of software development kits (SDKs), which are widely used in APP development. Where SDKs are embedded in APPs and involve PI processing, they are likewise subject to China\u2019s data protection regime. MIIT has imposed requirements on SDK operators, including the obligation to provide PI processing rules and to ensure that PI processing activities are carried out lawfully. 
APP operators are in turn responsible for managing the use of SDKs within their APPs, including assessing the PI protection capabilities of SDKs, displaying centrally the names, functions, and PI processing rules of embedded SDKs, and ensuring that this information is updated in a timely manner.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirement or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? Please describe any restrictions on targeted advertising and\/or cross context behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>China has not issued specific or explicit rules governing technologies such as cookies. Nevertheless, the use of cookies, pixels, online tracking technologies, and targeted advertising is comprehensively regulated under the general framework of PI protection laws, primarily the PIPL, supplemented by advertising and consumer protection rules. The regulatory approach focuses on the nature of the data collected and the relevant processing activities, rather than on the specific tracking technology itself.<\/p>\n<p>Behavioral advertising, which is largely based on profiling and targeted analysis of data collected from users, is subject to both PI protection laws and advertising regulations. PI must not be collected or used for behavioral advertising unless individuals have given explicit consent. 
Under Article 24 of the PIPL, where business marketing or information pushes are conducted toward an individual through automated decision-making, the individual must be provided with an option not targeting his or her personal characteristics, or with an easy means to refuse such targeting. For the applicable automated decision-making rules, see Q21.<\/p>\n<p>With reference to GB\/T 35273-2020, Information Security Technology \u2014 Personal Information Security Specification, where targeted profiling is used for behavioral advertising, such profiling should avoid labels involving obscenity, violence, or discrimination based on nationality, ethnicity, or religion. In addition, where PI is provided to business partners or other third parties involved in cross-contextual behavioral advertising, the parties must comply with the PIPL.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate  the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? How is \u201csale\u201d and\/or \u201cdata broker\u201d or (similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Chinese data protection laws strictly prohibit the unlawful sale of PI. Article 46 of the CSL provides that no individual or organization may unlawfully sell or provide PI to others. The unlawful sale of PI may result in confiscation of illegal gains by public security authorities and a concurrent fine of more than one time but less than ten times the illegal gains, or a fine of less than RMB 1 million where there are no illegal gains. 
Such conduct may also constitute a criminal offence.<\/p>\n<p>Article 253-1 of the Criminal Law of the People&#8217;s Republic of China (2023) establishes the crime of infringing citizens\u2019 PI. According to the relevant judicial interpretation, this offence may be constituted, among other circumstances, where:<\/p>\n<ul>\n<li>50 or more items of location information, communication information, or property information are involved;<\/li>\n<li>500 or more items of accommodation information, health information, or other information that may affect citizens\u2019 health or property safety are involved;<\/li>\n<li>5,000 or more items of other PI are involved; or<\/li>\n<li>illegal income exceeds RMB 5,000.<\/li>\n<\/ul>\n<p>A person convicted of the crime of infringing citizens\u2019 PI may be sentenced to imprisonment of up to three years or criminal detention, and may also be fined or solely fined. In especially serious cases, the sentence may be imprisonment of more than three years but not more than seven years, together with a fine.<\/p>\n<p>Although there is no standalone statutory definition of a \u201cdata broker,\u201d activities involving the intermediation or facilitation of data transactions are regulated under the broader frameworks for data security and PI protection, as well as under specific rules applicable to data transaction intermediaries and data circulation service institutions. 
In particular, Article 33 of the DSL requires providers of data transaction intermediary services to verify the identities of both the data provider and the data recipient, require the provider to explain the source of the data, and retain the relevant review and transaction records.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. In China, marketing and electronic communications are specifically regulated under a combination of advertising, telecommunications, and data protection rules. The Advertising Law of the People&#8217;s Republic of China (2021) is the principal law governing advertising activities. Other key applicable instruments include the Measures for the Administration of Internet Advertising, effective from May 1, 2023, and the Provisions on the Administration of Text Message and Voice Call Services (Draft for Comments), released by MIIT in August 2020.<\/p>\n<p>\u201cInternet advertising\u201d refers to commercial advertising that directly or indirectly promotes goods or services through websites, webpages, internet applications, and other internet media, using formats such as text, images, audio, and video. Before sending any advertisement, companies must obtain the recipient\u2019s consent to, or request for, receiving such advertisement. 
They must also disclose their true identity, contact details, and the opt-out method for advertisements sent by electronic means.<\/p>\n<p>Advertisements published or disseminated through the internet must not interfere with users\u2019 normal use of the network. Advertisements presented in the form of pop-up windows must prominently display a close sign and ensure that the window can be closed with one click. In addition, GB\/T 35273-2020, Information Security Technology \u2014 Personal Information Security Specification recommends avoiding the use of direct profiling capable of identifying specific individuals for direct marketing purposes and requires PI handlers to ensure that individuals have the right to refuse receiving commercial advertisements based on their PI.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition. If so, how are the relevant terms defined?  Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements) ?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. China\u2019s data protection laws regulate biometric information, including facial recognition, through the general SPI regime under the PIPL (see <strong>Q9<\/strong>) and more specific rules applicable to facial recognition technology. 
The regulatory focus is on unique biometric identifiers that can, alone or in combination with other information, identify a specific natural person, rather than on biometric measurements that cannot be linked to an identified or identifiable individual.<\/p>\n<p>With respect to facial recognition technology, the judicial interpretation issued by the Supreme People\u2019s Court (SPC), effective from August 2021, clarifies that the processing of facial recognition information must be sufficiently necessary. PI handlers must obtain the individual\u2019s consent to process his or her facial recognition information, unless such processing is necessary for the provision of products or services.<\/p>\n<p>In addition, the Facial Recognition Provisions impose further limitations on the processing of facial information. These include:<\/p>\n<ul>\n<li>not using facial recognition as the sole method of identity verification where alternative non-facial-recognition methods can achieve the same purpose or satisfy the same business needs;<\/li>\n<li>providing other reasonable and convenient alternatives where an individual refuses to verify his or her identity through facial recognition;<\/li>\n<li>storing facial information locally on facial recognition equipment and, unless otherwise provided by laws or administrative regulations or unless separate consent has been obtained, not transmitting it externally over the internet; where separate consent permits transmission, encryption is required;<\/li>\n<li>refraining from installation in private spaces such as hotel rooms, public bathrooms, and changing rooms; and<\/li>\n<li>filing with the provincial-level CAC within 30 working days once the stored facial information of individuals reaches 100,000.<\/li>\n<\/ul>\n<p>In addition, TC260 has issued specific guidance, TC260-PG-20251A, addressing the protection of facial information in facial recognition payment scenarios.
<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d).  If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Beginning in 2023, a systematic regulatory framework for AI was established and implemented. The governance framework extends beyond data protection to encompass content security, ethical review, and technical standards across the entire AI lifecycle.<\/p>\n<p>The Interim Measures for the Management of Generative Artificial Intelligence Services, which came into effect on August 15, 2023, expressly set out the regulatory framework for generative AI, covering stages such as application deployment, model training and optimization, and the respective roles of content producers, service providers, and service users. GB\/T 45654-2025, Cybersecurity Technology \u2014 Basic Security Requirements for Generative Artificial Intelligence Services, specifies comprehensive security requirements for training data, models, and security measures for generative AI services.<\/p>\n<p>Additional rules addressing particular aspects of AI governance have since been successively developed, including but not limited to:<\/p>\n<ul>\n<li><strong>Content labeling requirements:<\/strong> in line with the Interim Measures for the Management of Generative Artificial Intelligence Services and other applicable provisions, CAC and other authorities issued the Measures for Labeling AI-Generated or Composed Content on March 7, 2025, effective from September 1, 2025. 
These Measures clarify the obligations of providers of generation or synthesis services, users, internet application distribution platforms, and internet information content dissemination service providers to ensure effective content security management through labeling. They require both explicit labels to be added to content and implicit labels to be embedded in file metadata. These Measures are also accompanied by the mandatory national standard GB 45438-2025, Cybersecurity Technology \u2014 Labeling Method for Content Generated by Artificial Intelligence, which specifies labeling methods for various forms of AI-generated content, including text, images, and video.<\/li>\n<li><strong>Training data management:<\/strong> national standards such as GB\/T 45652-2025, Cybersecurity Technology \u2014 Security Specification for Generative Artificial Intelligence Pre-training and Fine-tuning Data, and GB\/T 45674-2025, Cybersecurity Technology \u2014 Security Specification for Generative Artificial Intelligence Data Annotation, have been issued to regulate the security of data used for pre-training, fine-tuning, and annotation of AI models.<\/li>\n<\/ul>\n<p>In August 2025, multiple ministries, including MIIT, released the Administrative Service Measures for the Management of Artificial Intelligence Science and Technology Ethics (for Trial Implementation, Draft for Comments) for public consultation. This draft sets out specialized and operational ethical review requirements for AI research and development activities, focusing on fairness, controllability, transparency, traceability, and personnel qualifications. 
Other legislative efforts also continue to advance, including the Interim Administrative Measures for the Management of Anthropomorphic Interactive AI Services (Draft for Comments), which were released for public comment in December 2025.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction?  In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Chinese law imposes explicit data localization requirements on certain entities and categories of data.<\/p>\n<ul>\n<li><strong>CIIOs:<\/strong> pursuant to Article 39 of the CSL, CIIOs are required to store within the territory of the People\u2019s Republic of China the PI and important data collected and generated during their operations.<\/li>\n<li><strong>Large-scale PI handlers:<\/strong> Article 40 of the PIPL provides that PI handlers whose processing of PI reaches the threshold specified by CAC must store within China the PI collected and generated within China.<\/li>\n<li><strong>Important data and core data:<\/strong> the DSL establishes a classified and graded protection system. Although it does not expressly impose localization for all data, it sets out the principle that important data and core data should be stored within China. Specific catalogs of important data are formulated by relevant regions and departments.<\/li>\n<li>Certain regulated industries are also subject to their own stringent data residency requirements. A prominent example is the credit reporting sector. 
For example, Article 24 of the Regulations on the Administration of the Credit Investigation Industry requires that the collation, preservation, and processing of information collected within China by credit reporting agencies be conducted within China.<\/li>\n<\/ul>\n<p>These localization requirements establish local storage as the default rule. The transfer of such data abroad is treated as an exception and is permitted only within a structured regulatory framework. For the applicable CBDT mechanisms, see Q28.<\/p>\n<p>Notably, Article 42 of the PIPL authorizes CAC to place overseas organizations or individuals that infringe the PI rights and interests of Chinese citizens, or endanger national security or the public interest, on a Restricted or Prohibited PI Provision List, and to adopt corresponding restrictive measures. However, as of March 2026, no such official list had been publicly announced. Enforcement remains active, with regulatory authorities focusing on compliance in key sectors and in relation to important categories of data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. 
The cross-border transfer of PI is subject to stringent regulation under China\u2019s cybersecurity and data protection laws.<\/p>\n<p><strong>General Requirements<\/strong><\/p>\n<p>Companies engaging in the cross-border transfer of PI must take necessary measures to ensure that the PI processing activities of overseas recipients meet the PI protection standards prescribed by the PIPL. In practice, this substantive requirement is commonly addressed through contractual arrangements, regular reviews and audits, and technical monitoring. In addition, PI handlers must comply with transparency requirements by providing adequate information concerning the transfer, such as the name and contact details of the overseas recipient, the purpose and method of processing, and the type of PI involved, as required by Article 39 of the PIPL. PI handlers must also conduct a PIA before initiating any cross-border transfer of PI. The separate-consent requirement applies only where the underlying PI was originally processed on the basis of consent, for example in the context of targeted advertising.<\/p>\n<p><strong>CBDT Mechanisms<\/strong><\/p>\n<p>Article 38 of the PIPL requires PI handlers transferring PI overseas to adopt one of three CBDT mechanisms:<\/p>\n<ul>\n<li><strong>CAC security assessment:<\/strong> the Measures for Security Assessment of Data Outbound Transfer, formulated by CAC in accordance with the CSL, the DSL, and the PIPL, took effect on September 1, 2022, and certain provisions were subsequently adjusted by the Regulations on Promoting and Regulating Cross-Border Data Flow. 
The Regulations on Promoting and Regulating Cross-Border Data Flow specify the mandatory triggering circumstances for CAC security assessment, namely:\n<ul>\n<li>where a CIIO provides PI or important data overseas, regardless of volume;<\/li>\n<li>where a non-CIIO data handler provides important data overseas; or<\/li>\n<li>where a non-CIIO PI handler has provided overseas, since January 1 of the current year, PI of more than 1 million individuals, excluding SPI, or SPI of more than 10,000 individuals.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The CAC security assessment ordinarily takes 45 working days, or longer in complicated cases or where the submitted materials require correction or supplementation, and its validity period is three years.<\/p>\n<ul>\n<li><strong>Standard contract:<\/strong> where CAC security assessment is not triggered, Article 38 of the PIPL permits PI handlers to enter into contracts with overseas recipients in accordance with the Measures for the Standard Contract for Outbound Transfer of Personal Information and to file the executed contract, together with the PIA report, with the provincial-level CAC within 10 working days of the contract taking effect. The standard contract was officially issued and became effective on June 1, 2023. It must be concluded strictly in the form published by CAC, although CAC may revise it in light of actual circumstances.<\/li>\n<li><strong>Certification:<\/strong> PI protection certification by designated institutions is another CBDT mechanism under Article 38 of the PIPL. It is available on a voluntary basis where CAC security assessment is not triggered. CAC has clarified that, when applying for certification, PI handlers conducting CBDT activities should refer to TC260-PG-20222A, Security Certification Specifications for Cross-border Personal Information Processing Activities, to determine the applicable certification type. 
The Measures for Certification of Personal Information Protection for Outbound Transfer of Personal Information, effective from January 1, 2026, further refine this process. Where the applicant is an overseas PI handler subject to the PIPL, the certification application must be assisted by, and filed through, the specialized agency or designated representative it has established within China, which will itself be subject to supervision by the competent authorities and the certification body.<\/li>\n<\/ul>\n<p><strong>Exempt Scenarios<\/strong><\/p>\n<p>The Regulations on Promoting and Regulating Cross-Border Data Flow, issued by CAC on March 22, 2024, introduce several scenarios exempt from the CBDT application procedures. These include:<\/p>\n<ul>\n<li>transfers that do not involve PI or important data;<\/li>\n<li>situations where a data handler transfers overseas PI collected and generated outside China after domestic processing, provided that no domestic PI or important data is involved in the processing;<\/li>\n<li>transfers necessary for the conclusion or performance of contracts to which individuals are parties;<\/li>\n<li>transfers necessary for cross-border human resources management based on lawfully formulated labor rules and collective contracts;<\/li>\n<li>transfers necessary in emergency situations to protect the life, health, or property safety of natural persons; and<\/li>\n<li>transfers by a non-CIIO PI handler, since January 1 of the current year, of PI of fewer than 100,000 individuals, excluding SPI, to overseas recipients.<\/li>\n<\/ul>\n<p>In general, the Regulations on Promoting and Regulating Cross-Border Data Flow reflect a policy trend toward stabilizing foreign investment and promoting economic development, and they send a positive signal for multinational companies.<\/p>\n<p><strong>Local Facilitation Measures<\/strong><\/p>\n<p>Article 6 of the Regulations on Promoting and Regulating Cross-Border Data Flow permits pilot free trade zones (FTZs) to formulate their own negative lists identifying categories of 
CBDT within the zone that remain subject to regulation, while transfers of data outside those negative lists are exempt from the security assessment, standard contract, and certification requirements. In this context, FTZs in Shanghai, Beijing, Jiangsu, Chongqing, Fujian, Zhejiang, and other regions have successively introduced negative lists, mainly tailored to particular scenarios within specific industries. Beyond identifying restricted data fields or characteristics, these negative lists have also, in some instances, adjusted the outbound data volume thresholds otherwise generally applicable under the CBDT mechanisms, thereby further facilitating cross-border data flows. Notably, rules established by one FTZ may, under certain conditions or coordination arrangements, be mutually recognized or applied across participating FTZs, thereby enhancing regulatory coherence and operational convenience for multinational businesses.<\/p>\n<p>In addition, with respect to CBDT activities within the Guangdong-Hong Kong-Macao Greater Bay Area, significant efforts have been made to facilitate the use of CBDT mechanisms by eligible handlers. These include the issuance of guidance simplifying the filing of the standard contract and the collaborative development, together with the Office of the Privacy Commissioner for Personal Data of Hong Kong, of common protection requirements for CBDT. Companies should continue to monitor these local facilitation measures in order to identify compliant and operationally efficient pathways for carrying out CBDT activities.<\/p>\n<p><strong>Sector-specific Guidance<\/strong><\/p>\n<p>Regulatory authorities in key industries continue to issue detailed compliance guidance. 
For example, the financial sector has issued the Compliance Guidelines for Promoting and Regulating Cross-border Data Flow in the Financial Industry, while the automotive sector has issued the Guidance for the Security of Cross-border Transfer of Automotive Data (2026 Edition), each providing industry-specific interpretations and implementation pathways for the general CBDT rules.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 44 of the CSL provides that network operators must adopt technical and other necessary measures to safeguard the security of the PI they collect and to prevent leakage, damage, or loss. The DSL further elaborates that entities engaged in data processing activities must establish a data security management system covering the entire lifecycle of data processing and adopt corresponding technical and other necessary measures. Data handlers must also strengthen risk monitoring and, upon discovering any data security vulnerabilities, risks, or incidents, immediately take remedial measures.<\/p>\n<p>Articles 51 to 57 of the PIPL set out comprehensive obligations for PI handlers, requiring companies to establish internal PI protection management systems based on PI security. 
In particular, Article 51 provides that PI handlers must, taking into account the purpose and method of PI processing, the categories of PI, the impact on personal rights and interests, and the potential security risks, adopt the following measures to ensure PI security:<\/p>\n<ul>\n<li>formulating internal management policies and operating procedures;<\/li>\n<li>implementing categorized management of PI;<\/li>\n<li>adopting corresponding technical security measures, such as encryption and de-identification;<\/li>\n<li>reasonably determining access permissions for PI processing activities and conducting regular security education and training for relevant employees;<\/li>\n<li>formulating and organizing the implementation of emergency plans for PI security incidents; and<\/li>\n<li>taking any other measures required by laws and administrative regulations.<\/li>\n<\/ul>\n<p>Article 9 of the Regulations on the Administration of Network Data Security imposes additional security requirements, requiring network data handlers to establish and improve security management systems and adopt technical measures such as encryption, backup, access control, and security authentication. These measures must also address the handling of network data security incidents, the prevention of illegal and criminal activities targeting or using network data, and the assumption of primary responsibility for the security of the network data they process.<\/p>\n<p>With a specific focus on the protection of important data, Article 31 of the Regulations on the Administration of Network Data Security requires important data handlers to conduct risk assessments before providing important data to others, entrusting others to process it, or jointly processing important data. 
Such handlers must also conduct annual risk assessments of their network data processing activities and submit the relevant reports to the competent authorities.<\/p>\n<p>With reference to the Guidance on Application of Cross-border Data Transfer Security Assessment (Second Version), data handlers subject to CAC security assessment must evaluate their data security protection capabilities from both management and technical perspectives. The management capability assessment must cover organizational structure and internal policies, including full-process management, data classification and grading, emergency response, risk assessment, and the protection of PI rights and interests. The technical capability assessment must cover the security measures adopted throughout the entire data processing lifecycle, including data collection, storage, use, processing, transfer, provision, disclosure, and deletion. In practice, where a data handler applying for CAC security assessment does not yet satisfy the above requirements, it must set out an improvement plan in the application materials submitted to CAC. This indicates that such data handlers are expected to fulfill these security obligations in order to demonstrate adequate data security capabilities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Under China\u2019s current laws and regulations, more specific and more stringent security obligations apply to SPI and to PI processed in certain industries. 
The key requirements are reflected at the following levels:<\/p>\n<ul>\n<li><strong>General Strict Protection for SPI: <\/strong>The processing of SPI is subject to a comprehensive set of heightened obligations. These include obtaining separate consent before processing, satisfying enhanced informing obligations, adhering to the principles of specific purpose and sufficient necessity, and implementing strict technical and organizational protection measures, such as encryption and access controls. For the applicable detailed rules, definitional scope, valid conditions for consent, and relevant exceptions, see Q6, Q9, Q10, and Q25.<\/li>\n<li><strong>Sector-specific Data Security Regulations: <\/strong>Within the general legal framework, regulators in key industries have issued more detailed rules imposing sector-specific compliance requirements for the handling of particular categories of data within those sectors, often involving highly sensitive PI. Examples include:\n<ul>\n<li><strong>Automotive data:<\/strong> compliance is required with sector-specific rules such as the Several Provisions on the Security Management of Automotive Data (Trial) and the Guidance for the Security of Cross-border Transfer of Automotive Data (2026 Edition). Principles such as non-collection by default and in-vehicle processing apply, and outbound transfer is subject to management mechanisms such as security assessment, standard contract, or certification.<\/li>\n<li><strong>Financial data:<\/strong> compliance is required with industry rules such as the Personal Financial Information Protection Technical Specification (JR\/T 0171-2020) and the Measures for the Security Management of Data in the Business Areas of the People&#8217;s Bank of China. 
These include strict classification and grading requirements for personal financial information and, in principle, domestic storage requirements.<\/li>\n<li><strong>Human genetic resources and genetic data:<\/strong> compliance is required with strict rules such as the Regulations on the Administration of Human Genetic Resources of the People&#8217;s Republic of China and the relevant implementing rules. A tiered classification management regime applies, together with strict administrative permit or security review requirements for outbound provision.<\/li>\n<li><strong>Health and medical data:<\/strong> compliance is required with sector-specific norms such as the Measures for the Security Management of Data and Personal Information Protection in Medical and Health Institutions (Trial), issued in February 2026. These rules require health and medical big data to be managed as important data or core data, with classification, grading, and full-lifecycle security control, and with storage in China required in principle.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. China\u2019s data protection laws impose specific obligations in the event of security breaches affecting PI. 
Article 57 of the PIPL provides that, where PI has been or may be leaked, tampered with, or lost, PI handlers must immediately take remedial measures. These circumstances are generally treated as PI security incidents. The Measures for the Standard Contract for Outbound Transfer of Personal Information further categorize PI security incidents to include tampering, destruction, leakage, loss, unauthorized use, unauthorized provision, and unauthorized access.<\/p>\n<p>Article 57 of the PIPL further requires that, where PI has been or may be leaked, tampered with, or lost, PI handlers must notify the competent authorities and the affected individuals. The notification must include the following information:<\/p>\n<ul>\n<li>the types of PI involved, or potentially involved, in the leakage, tampering, or loss, together with the reasons for, and possible harm arising from, the leakage, tampering, or loss;<\/li>\n<li>the remedial measures taken by the PI handler and the measures that individuals may take themselves to mitigate harm; and<\/li>\n<li>the contact details of the PI handler.<\/li>\n<\/ul>\n<p>Where the PI handler has taken measures that effectively avoid damage resulting from the leakage, tampering, or loss, it may elect not to notify the affected individuals. However, where the competent authorities consider that damage may still arise, they may require the PI handler to notify the affected individuals.<\/p>\n<p>The reporting of PI breaches is also integrated into the broader national cybersecurity incident response system. The National Administrative Measures for Cybersecurity Incident Reporting establish a severity-based classification regime. A data breach involving PI is classified and reported according to its scale. For example, an incident resulting in the leakage of more than 1 million individuals\u2019 PI is generally classified as a relatively significant cybersecurity incident or above. 
For relatively significant incidents and above, the initial report must generally be made to the relevant industry regulator and the CAC within 24 hours of discovery.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Chapter IV of the PIPL grants individuals a set of specific rights in relation to the processing of their PI. These rights broadly correspond to, but are not identical to, those recognized under the GDPR.<\/p>\n<table width=\"87%\">\n<thead>\n<tr>\n<td width=\"48%\"><strong>PIPL<\/strong><\/td>\n<td width=\"51%\"><strong>GDPR<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"48%\">right to know (Art.44)<\/td>\n<td width=\"51%\">information to be provided<\/td>\n<\/tr>\n<tr>\n<td width=\"48%\">right to decide (Art.44)<\/td>\n<td width=\"51%\">\/<\/td>\n<\/tr>\n<tr>\n<td width=\"48%\">right to restrict (Art.44)<\/td>\n<td width=\"51%\">right to restriction of processing<\/td>\n<\/tr>\n<tr>\n<td width=\"48%\">right to refuse (Art.44)<\/td>\n<td width=\"51%\">right to object<\/td>\n<\/tr>\n<tr>\n<td width=\"48%\">right to access (Art.45)<\/td>\n<td width=\"51%\">right of access<\/td>\n<\/tr>\n<tr>\n<td width=\"48%\">right to copy (Art.45)<\/td>\n<td width=\"51%\">right of access<\/td>\n<\/tr>\n<tr>\n<td width=\"48%\">right to data portability (Art.45)<\/td>\n<td width=\"51%\">right to data portability<\/td>\n<\/tr>\n<tr>\n<td width=\"48%\">right to rectify (Art.46)<\/td>\n<td width=\"51%\">right to 
rectification<\/td>\n<\/tr>\n<tr>\n<td width=\"48%\">right to delete (Art.47)<\/td>\n<td width=\"51%\">right to erasure (\u2018right to be forgotten\u2019)<\/td>\n<\/tr>\n<tr>\n<td width=\"48%\">related rights in automated decision making (Art.24)<\/td>\n<td width=\"51%\">related rights in automated decision making<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Chart 2. Individual privacy rights (PIPL v. GDPR)<\/p>\n<p>Article 49 of the PIPL further provides that, after the death of a natural person, his or her close relatives may exercise rights such as access, copying, rectification, and deletion of the deceased\u2019s PI for the purpose of their own lawful and legitimate interests, unless the deceased had made alternative arrangements before death.<\/p>\n<p>Article 50 of the PIPL requires PI handlers to establish a convenient response mechanism for individuals seeking to exercise their rights. Where a PI handler refuses such a request, it must explain the reasons. The individual may then bring proceedings before a People\u2019s Court in accordance with law.<\/p>\n<p>PI handlers must respond to individuals\u2019 requests to exercise their rights unless otherwise provided by laws or administrative regulations. 
With reference to GB\/T 35273-2020, Information Security Technology \u2014 Personal Information Security Specification, the principal exceptions include circumstances:<\/p>\n<ul>\n<li>connected with the PI handler\u2019s performance of obligations under laws and regulations;<\/li>\n<li>directly related to national security or national defence;<\/li>\n<li>directly related to public security, public health, or major public interests;<\/li>\n<li>directly related to criminal investigations, prosecutions, trials, or the enforcement of court decisions;<\/li>\n<li>necessary to safeguard the life, property, or other significant lawful rights and interests of the individual or others, where obtaining the individual\u2019s consent is difficult;<\/li>\n<li>where the PI has been proactively disclosed to the public by the individual; or<\/li>\n<li>where the PI has been collected from legally and publicly disclosed sources, such as lawful news reports or government information disclosure.<\/li>\n<\/ul>\n<p>Article 25 of the Regulations on the Administration of Network Data Security further sets out the conditions for the exercise of the right to data portability. 
Where an individual\u2019s request to transfer PI satisfies the following conditions, the network data handler must provide channels enabling the PI handler designated by the individual to access or obtain the relevant PI:<\/p>\n<ul>\n<li>the true identity of the requesting person can be verified;<\/li>\n<li>the PI requested for transfer is PI that the individual agreed to provide, or PI collected on the basis of a contract;<\/li>\n<li>the transfer is technically feasible; and<\/li>\n<li>the transfer does not prejudice the legitimate rights and interests of others.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances in which a private right of action applies and\/or a class action may be brought, and whether types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes.<\/p>\n<p><strong>Legal Basis and Applicable Circumstances for Private Actions<\/strong><\/p>\n<p>The Civil Code of the People&#8217;s Republic of China provides the civil-law foundation for the protection of PI through its dedicated chapter on privacy rights and PI protection. The PIPL also provides that, where a PI handler refuses an individual\u2019s request to exercise his or her rights, the individual may bring proceedings before a People\u2019s Court in accordance with law. 
In addition, pursuant to the amendment to the Provisions on the Cause of Action for Civil Cases issued by the SPC, a dispute over PI protection is recognized as an independent cause of action.<\/p>\n<p>Article 69 of the PIPL further provides that, where a PI handler infringes PI rights and causes harm, it shall bear tort liability, including damages, unless it can prove that it is not at fault. This rule lowers the evidential burden for individuals, particularly in relation to non-pecuniary harm such as infringements of privacy and dignity.<\/p>\n<p><strong>PI Protection Public Interest Litigation<\/strong><\/p>\n<p>Article 70 of the PIPL provides that, where a PI handler processes PI in violation of the PIPL and thereby infringes the rights and interests of a large number of individuals, the People\u2019s Procuratorate, consumer organizations prescribed by law, and organizations designated by CAC may bring proceedings before a People\u2019s Court in accordance with law. In August 2021, the Supreme People\u2019s Procuratorate (SPP) issued the Notice on Implementing the Personal Information Protection Law and Promoting the Procuratorial Work of Public-interest Litigation for Personal Information Protection, requiring procuratorial organs to intensify case-handling efforts and promote the implementation of the public-interest litigation provisions of the PIPL.<\/p>\n<p>Generally, the following categories of violations present a materially higher risk of private actions, collective litigation, or public-interest litigation:<\/p>\n<ul>\n<li>unlawful processing of SPI;<\/li>\n<li>large-scale data breach incidents;<\/li>\n<li>infringements arising from automated decision-making; and<\/li>\n<li>misuse of biometric information, including facial recognition information.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals 
entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Individuals may recover monetary damages or compensation where their PI rights and interests are infringed. The amount of damages is determined primarily by reference to the losses suffered by the individual concerned or the benefits obtained by the PI handler. Where the individual\u2019s losses or the PI handler\u2019s gains are difficult to determine, the amount of damages is to be determined in light of the actual circumstances.<\/p>\n<p>In addition, where the infringement of PI rights and interests causes serious injury to an individual\u2019s mental well-being, that individual is entitled to claim compensation for mental distress. Accordingly, compensation is not limited to actual pecuniary or material loss; sufficiently serious non-material harm, such as emotional or psychological injury, may also support a claim.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>1) Administrative regulation. 
Privacy and data protection enforcement has been tightening.<\/strong><\/p>\n<ul>\n<li><strong>Comprehensive supervision of PI protection.<\/strong> Various regulatory authorities, including CAC, public security authorities, communications authorities, and market regulation authorities, have conducted supervisory and enforcement activities from different angles. These activities typically include handling complaints, conducting routine inspections, holding interviews, providing ongoing guidance and supervision for rectification, and imposing administrative penalties. Penalties are commonly imposed for issues such as the unauthorized collection or misuse of PI and inadequate security measures. In addition, regulators frequently launch special enforcement campaigns focused on key issues.<\/li>\n<li><strong>Cybersecurity review.<\/strong> The Cybersecurity Review Office of CAC is responsible for organizing cybersecurity reviews of the purchase of network products or services by CIIOs, as well as data processing activities conducted by network platform operators that affect or may affect national security. Several large network platforms in China have undergone cybersecurity review and have been subjected to severe penalties. In addition, network platform operators holding the PI of more than 1 million users that seek an overseas listing must proactively apply for cybersecurity review, during which the authorities examine the compliance and security of their data processing activities.<\/li>\n<li><strong>APP supervision.<\/strong> With respect to the unlawful collection and use of PI by APPs, CAC, MIIT, and other competent authorities have conducted continuous inspections, focusing on issues including the collection and processing of PI beyond the agreed purposes or without prior valid consent, as well as the failure to provide users with a means to withdraw consent. 
CAC and other authorities have issued implementing measures, including the relevant Rules, which are of significant reference value both for regulatory supervision and for companies\u2019 internal compliance reviews.<\/li>\n<li><strong>Algorithm and AI supervision.<\/strong> The CAC has released several rounds of domestic filing information for deep synthesis service algorithms. Meanwhile, Chinese regulators, including the CAC, have carried out targeted enforcement actions against algorithms and AI \u2014 such as the 2025 special campaign to curb the abuse of AI technologies.<\/li>\n<\/ul>\n<p><strong>2) Private right of action and Public-interest litigation.<\/strong> See Q33.<\/p>\n<p><strong>3) Criminal charges.<\/strong> Criminal Law Amendment (IX) consolidated the Crime of Selling and Illegally Providing Citizens\u2019 Personal Information and the Crime of Illegally Obtaining Citizens\u2019 Personal Information into the Crime of Infringing Citizens\u2019 Personal Information, thereby expanding the scope of criminal subjects and acts infringing PI.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  
Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>China\u2019s data protection laws provide for a broad range of sanctions for violations, including warnings, orders to rectify issued by competent authorities, confiscation of illegal gains, administrative penalties, suspension or termination of relevant business operations, revocation of relevant business permits or licences, and, in serious cases, criminal liability.<\/p>\n<p>Administrative penalties under the PIPL may reach up to RMB 50 million or 5% of the previous year\u2019s turnover for companies, and up to RMB 1 million for the person directly in charge and other directly liable persons. Non-compliance with the DSL, for example failure to comply with CBDT requirements, may result in fines of up to RMB 10 million for companies and up to RMB 1 million for the person directly in charge and other directly liable persons.<\/p>\n<p>Competent authorities and judicial bodies in China have discretion to determine fines on a case-by-case basis, taking into account factors such as the seriousness of the violation, the infringement of individuals\u2019 lawful rights and interests, and adverse social impact. 
The Provisions on Administrative Law Enforcement Procedure of Cyberspace Administration, effective June 1, 2023, set out important procedural rules, including that:<\/p>\n<ul>\n<li>the same unlawful act must not be subject to two or more fines (the one act, one penalty principle); where the act violates multiple legal provisions and fines are applicable under each, the penalty shall be imposed in accordance with the provision carrying the higher fine; and<\/li>\n<li>administrative penalties may be waived where the violation is a first offence, the harmful consequences are minor, and the unlawful conduct is promptly corrected; penalties may also be waived where the violation is minor, corrected in a timely manner, and causes no harmful consequences.<\/li>\n<\/ul>\n<p>More specifically, the Provisions on the Application of Administrative Penalty Discretion Benchmark by Cyberspace Administration Departments, effective August 1, 2025, provide a more detailed framework for calculating fines within statutory ranges. Article 11 states that:<\/p>\n<ul>\n<li>where a fine is subject to a statutory range, it shall be divided into lenient punishment, general punishment, and severe punishment within the corresponding range;<\/li>\n<li>the amount of a lenient fine shall fall within the lowest 30% of the span between the statutory minimum and statutory maximum, or of the relevant multiple interval;<\/li>\n<li>the amount of a general fine shall fall between 30% and 70% of that span or interval; and<\/li>\n<li>the amount of a severe fine shall exceed 70% of that span or interval.<\/li>\n<\/ul>\n<p>When determining the specific penalty amount, factors such as the nature and circumstances of the unlawful act and the local socio-economic development level must be considered comprehensively. 
Based on enforcement practice and decided cases, the percentages referred to above may be adjusted upward or downward by ten percentage points.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to  appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Enforcement decisions are open to challenge in China. A citizen, legal person, or other organization may first apply to the relevant administrative authority for administrative reconsideration. If dissatisfied with the reconsideration decision, that party may then bring proceedings before a People\u2019s Court.<\/p>\n<p>A party may also bring proceedings directly before a People\u2019s Court, unless the relevant law requires administrative reconsideration to be exhausted before judicial review may be sought. Article 44 of the Administrative Procedure Law of the People&#8217;s Republic of China (as amended in 2017) sets out this framework.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability.  For example, are all organizations subject to the requirement or only to certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)?  
Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. The CSL establishes a tiered framework of cybersecurity obligations, imposing baseline risk-management requirements on all network operators and enhanced obligations on CIIOs. In addition, regulators in a range of key sectors have issued more detailed cybersecurity and data security rules that impose stricter or more specific obligations in particular industries.<\/p>\n<p><strong>General Obligations Applicable to All Network Operators<\/strong><\/p>\n<p>The CSL defines network operators broadly to include network owners, managers, and network service providers.<\/p>\n<ul>\n<li>The MLPS remains the cornerstone of China\u2019s cybersecurity compliance framework. In January 2026, the MPS issued two new public-security industry standards focusing on data security within the MLPS framework, namely GA\/T 2380-2026, Basic Requirements for Data Security of Cybersecurity Multi-Level Protection, and GA\/T 2381-2026, Capability Requirements for Data Security Assessment Institutions of Cybersecurity Multi-Level Protection, both effective from June 1, 2026.<\/li>\n<\/ul>\n<p>Under Article 23 of the CSL, network operators must protect network and data security in accordance with the Cybersecurity MLPS, so as to ensure that their networks are protected against interference, disruption, or unauthorized access, and to prevent network data from being disclosed, stolen, or tampered with. 
In particular, network operators must:<\/p>\n<ul>\n<li>formulate internal security management rules and operating procedures, and designate a person responsible for cybersecurity to implement cybersecurity accountability;<\/li>\n<li>adopt technical measures to prevent computer viruses, cyberattacks, network intrusions, and other activities endangering cybersecurity;<\/li>\n<li>adopt technical measures to monitor and record network operation status and cybersecurity incidents, and preserve the relevant network logs for not less than six months;<\/li>\n<li>adopt measures such as classification, backup, and encryption with respect to important data; and<\/li>\n<li>perform any other obligations required by relevant laws and administrative regulations.<\/li>\n<\/ul>\n<p><strong>Enhanced Obligations for CIIOs<\/strong><\/p>\n<p>The CSL imposes additional obligations on CIIOs. Under Article 36, CIIOs must provide regular cybersecurity education, technical training, and skills assessments for relevant personnel, and implement disaster-recovery backup arrangements for important systems and databases. Under Article 40, CIIOs must also conduct at least annual assessments of cybersecurity and potential risks, and submit the results together with improvement measures to the competent authorities.<\/p>\n<p><strong>Network Information Security Management Responsibilities<\/strong><\/p>\n<p>The CSL also imposes network information security management obligations on network operators. Where a network operator discovers that information published or transmitted by users is prohibited by laws or administrative regulations, it must immediately stop transmission and take measures such as deletion to prevent further dissemination. 
Network operators must also establish complaint and reporting mechanisms for network information security and publish the relevant complaint and reporting channels.<\/p>\n<p>Key regulated sectors, including finance, securities and futures, healthcare, automotive, and energy and power, are also subject to their own detailed cybersecurity and data security rules, which often impose stricter or more specific obligations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>Audit Requirements<\/strong><\/p>\n<p>There is currently no law requiring all network operators to conduct a generalized cybersecurity audit. However,<\/p>\n<ul>\n<li>Under the CSL and its implementing framework, China applies the Cybersecurity MLPS as a mandatory compliance regime. For network information systems classified at Level 3 or above, operators must commission qualified assessment institutions to conduct MLPS assessments at least once a year in order to verify whether their security protection measures comply with mandatory national standards. In substance, this functions as a mandatory and periodic security-compliance audit.<\/li>\n<li>The Administrative Measures for the Compliance Audit of Personal Information Protection, effective from May 1, 2025, establish a systematic PI protection compliance audit regime whose audit scope substantially covers core cybersecurity technical and organizational measures. 
According to those Measures and supporting national standards, including GB\/T 46903-2025, Data Security Technology \u2014 Security Requirements for Personal Information Protection Compliance Audits, effective from July 1, 2026, the audit content expressly includes assessing the effectiveness of the security measures adopted by PI handlers. This includes evaluation of the confidentiality, integrity, and availability of PI, the implementation of measures such as encryption and de-identification, and the reasonable allocation of access and operational permissions. PI handlers handling the PI of more than 10 million individuals must conduct such audits at least once every two years, while PI handlers handling minors\u2019 PI must also conduct annual compliance audits and report on the relevant status.<\/li>\n<\/ul>\n<p><strong>Certification Requirements<\/strong><\/p>\n<p>China\u2019s cybersecurity certification system is generally voluntary and encouraged, but in certain contexts it has de facto or expressly mandatory effects. Relevant examples include:<\/p>\n<ul>\n<li><strong>Certification of critical network equipment and specialized cybersecurity products:<\/strong> under Article 25 of the CSL, products included in the national catalog of critical network equipment and specialized cybersecurity products must obtain security certification or pass security testing before they may be sold or supplied. This is a mandatory market-access requirement for those products.<\/li>\n<li><strong>Information security service qualification certification:<\/strong> qualifications issued by the China Cybersecurity Review Technology and Certification Center (CCRC), including qualifications for information security services such as security integration, risk assessment, and cybersecurity audit, are not generally mandated by law. 
In practice, however, they often become prerequisite qualifications in tenders for third-party security services in key sectors such as government, finance, and energy.<\/li>\n<li><strong>Security certification for cross-border processing of PI:<\/strong> as one of the statutory pathways for outbound transfer of PI, certification conducted in accordance with GB\/T 46068-2025, Data Security Technology \u2014 Security Certification Requirements for Cross-border Processing of Personal Information, effective from March 1, 2026, provides an important compliance option for companies transferring PI overseas. For the applicable CBDT mechanisms, see Q28.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. China\u2019s cybersecurity laws impose specific supply-chain and vendor-management requirements, particularly in relation to CIIOs. Under Article 38 of the CSL, when procuring network products and services, CIIOs must enter into agreements with suppliers to clarify their respective security and confidentiality obligations. Where the procurement of network products or services by a CIIO affects or may affect national security, the CIIO must apply for a cybersecurity review. Such a review may also be initiated by the competent authorities.<\/p>\n<p>In addition, Article 25 of the CSL provides that critical network equipment and specialized cybersecurity products sold or supplied within China must pass security certification or security testing conducted by qualified institutions. 
In practice, companies should therefore verify the relevant certifications or test qualifications when procuring such products.<\/p>\n<p>The revised CSL, effective from January 1, 2026, further strengthens the penalty regime for non-compliance. In particular, it extends regulatory scrutiny to the supply-chain source and imposes higher penalties on both organizations and individuals.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. 
The CSL requires network operators to designate a person responsible for cybersecurity in order to ensure the implementation of cybersecurity responsibilities.<\/p>\n<p>With reference to Article 15 of the Security Protection Regulations for Critical Information Infrastructure, the responsibilities of the cybersecurity responsible person generally include, but are not limited to, the following:<\/p>\n<ul>\n<li>formulating internal cybersecurity management rules and operating procedures;<\/li>\n<li>advancing cybersecurity protection, monitoring, and risk assessment work;<\/li>\n<li>developing emergency response plans for security incidents and organizing regular emergency drills;<\/li>\n<li>organizing cybersecurity review and assessment work, and making recommendations regarding rewards and disciplinary measures;<\/li>\n<li>organizing cybersecurity education and training;<\/li>\n<li>carrying out security management in relation to network design, construction, operation, and maintenance; and<\/li>\n<li>reporting security incidents and other important matters as required by law.<\/li>\n<\/ul>\n<p>The laws and regulations cited above do not expressly prescribe additional formalities such as board approval, a mandatory reporting-line structure, or a general notification requirement to regulators solely in respect of the appointment itself. However, the designated person must be able to perform the statutory cybersecurity responsibilities in substance.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents?  
If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. China has established a mandatory cybersecurity incident reporting regime under laws and regulations including the CSL, the National Administrative Measures for Cybersecurity Incident Reporting, and the Regulations on the Administration of Network Data Security. This regime classifies incidents according to the harm and impact caused, and the reporting obligation is not contingent on the occurrence of a personal data breach. At the same time, key sectors such as finance are subject to additional sector-specific requirements.<\/p>\n<p><strong>Definition of a Cybersecurity Incident<\/strong><\/p>\n<p>Pursuant to Article 12 of the National Administrative Measures for Cybersecurity Incident Reporting, effective from November 1, 2025, a cybersecurity incident means an event that causes harm to networks and information systems, or to the data and business applications contained therein, and results in adverse impacts on the state, society, or the economy, due to human factors, cyberattacks, vulnerabilities or hidden dangers in networks, software and hardware defects or failures, force majeure, or similar causes.<\/p>\n<p><strong>Incident Classification and Reporting Requirements<\/strong><\/p>\n<p>The National Administrative Measures for Cybersecurity Incident Reporting divide cybersecurity incidents into four levels: extraordinarily significant, significant, relatively significant, and general. The accompanying Guidelines for Grading Cybersecurity Incidents provide quantitative indicators for classification. 
Under the grading guidelines, relevant factors include system paralysis, business interruption, leakage of core data or important data, economic losses, and broader social impact. The core reporting obligations include:<\/p>\n<ul>\n<li><strong>Immediate initiation of the emergency response plan:<\/strong> upon discovering or becoming aware of a cybersecurity incident involving itself, a network operator must immediately activate its emergency response plan and take corresponding remedial measures.<\/li>\n<li><strong>Graded reporting timelines for relatively significant incidents and above:<\/strong>\n<ul>\n<li><strong>Incidents involving critical information infrastructure:<\/strong> the network operator must report to the protection department and public security authorities at the earliest opportunity and no later than one hour after discovery.<\/li>\n<li><strong>Significant or extraordinarily significant incidents:<\/strong> upon receipt of the report, the protection department must report to CAC and the public security department of the State Council at the earliest opportunity and no later than 30 minutes after receipt.<\/li>\n<li><strong>Other network operators:<\/strong> they must report to the provincial-level CAC in their locality in a timely manner and no later than four hours after discovery.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Report contents:<\/strong> the report must include the basic information of the entity and system involved, the time, location, type, and classification of the incident, the impact and harm caused, the measures taken, the development trend, the preliminary analysis of the cause, traceability clues, and any further measures planned.<\/li>\n<li><strong>Post-incident summary report:<\/strong> once incident handling has been completed, the network operator must submit a summary report through the original reporting channel within 30 days.<\/li>\n<\/ul>\n<p>In addition, Article 11 of the Regulations on the Administration of Network Data Security provides that, where 
a network data security incident harms the legitimate rights and interests of individuals or organizations, the network data handler must promptly notify interested parties of the incident, the associated risks, the harm caused, and the remedial measures taken, using methods such as telephone, text message, instant messaging, email, or public announcement. If laws or administrative regulations permit an exception to notification, that exception applies. If, while responding to a network data security incident, the network data handler uncovers evidence of suspected criminal activity, it must report the matter to the public security or state security authorities as required and cooperate with any subsequent investigation, inquiry, and handling.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances in which a private right of action and\/or a class action may be brought?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Where a cybersecurity violation constitutes only an administrative offence and does not cause actual harm or infringe an individual\u2019s lawful rights and interests, individuals are not entitled to bring a private lawsuit. In such cases, only the competent regulatory authorities may impose administrative penalties in accordance with law.<\/p>\n<p>Conversely, individuals may file a civil action where actual harm or infringement has occurred. 
Additionally, a public-interest litigation mechanism is available for cases involving harm to a large number of individuals. For the applicable private right of action and public-interest litigation framework, see Q33.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cybersecurity laws in China are enforced through multiple mechanisms, with several regulatory bodies sharing enforcement authority.<\/p>\n<p><strong>Administrative Enforcement<\/strong><\/p>\n<ul>\n<li><strong>Cybersecurity supervision:<\/strong> CAC, communications authorities, public security authorities, and other industry regulators exercise supervisory and enforcement powers from different perspectives. Among them, public security authorities are active in supervising and addressing violations by network operators that affect public security or national security under the CSL, such as failures to adopt effective management or technical measures for cybersecurity protection. 
Enforcement actions may be triggered by complaints, routine monitoring and detection of cybersecurity threats, or investigations into cybercrime.<\/li>\n<li><strong>Cybersecurity and internet content supervision:<\/strong> CAC, acting under the CSL, has imposed fines on non-compliant entities, including major domestic online forum operators, social media platforms, and online retail operators, for repeated dissemination of information and content prohibited by law, as well as for failures to perform cybersecurity obligations relating to MLPS, system vulnerabilities, and related matters.<\/li>\n<li><strong>Cybersecurity review:<\/strong> where substantial cybersecurity risks arise in connection with the procurement of network products and services by CIIOs, or in the data processing activities of network platform operators, and such risks affect or may affect national security, CAC may initiate a cybersecurity review, conduct inspections, take enforcement measures, and impose penalties for unlawful conduct.<\/li>\n<\/ul>\n<p><strong>Criminal Charges<\/strong><\/p>\n<p>The Criminal Law of the People&#8217;s Republic of China (2023) provides for several crimes relating to cybersecurity, including:<\/p>\n<ul>\n<li>the Crime of Illegally Invading a Computer Information System (Article 285);<\/li>\n<li>the Crime of Illegally Obtaining Data of a Computer Information System or Illegally Controlling a Computer Information System (Article 285);<\/li>\n<li>the Crime of Sabotaging a Computer Information System (Article 286); and<\/li>\n<li>the Crime of Refusal to Fulfil Information Network Security Administration Obligations (Article 286).<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws.<\/h3>\r\n\t\t\t\t\t\t<button 
id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Broadly speaking, Chapter V of the CSL provides for the establishment of a cybersecurity monitoring and early warning mechanism, under which competent authorities are empowered to monitor cybersecurity risks and adopt responsive measures. For example, Article 58 of the CSL provides that, where a material security risk is discovered or a security incident occurs in a network, the authorities responsible for supervision may summon the legal representative or the responsible person of the relevant network operator for an interview. In addition, the MPS issued the Regulations for Internet Security Supervision and Inspection by Public Security Organs in 2018, which specify the objects, scope, and procedures of cybersecurity inspections. In November 2025, the MPS further released the Measures for Cybersecurity Supervision and Inspection by Public Security Authorities (Draft for Comments).<\/p>\n<p>Under the Regulations on the Administration of Network Data Security, competent authorities are responsible for regularly organizing assessments of network data security risks within their respective industries and sectors. During supervision and inspection, regulators may adopt measures such as requiring the data handler to provide explanations, consulting and copying relevant documents and records, and inspecting the operation of security measures.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  
Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The revised CSL, effective from January 1, 2026, significantly increases the maximum fines for violations and establishes a tiered penalty system based on both the seriousness of the violation and the status of the operator, namely whether the operator is a general network operator or a CIIO:<\/p>\n<ul>\n<li>General network operators failing to fulfil cybersecurity protection obligations, including obligations under Articles 21, 23, and 27 of the CSL, may be ordered to rectify, given a warning, and fined between RMB 10,000 and RMB 50,000.<\/li>\n<li>Where a general network operator refuses to rectify or causes harm to cybersecurity, the operator may be fined between RMB 50,000 and RMB 500,000, and directly responsible personnel may be fined between RMB 10,000 and RMB 100,000.<\/li>\n<li>CIIOs failing to fulfil their specific cybersecurity protection obligations, including obligations under Articles 34, 35, 36, 38, and 40 of the CSL, may be ordered to rectify, given a warning, and fined between RMB 50,000 and RMB 100,000.<\/li>\n<li>Where a CIIO refuses to rectify or causes harm to cybersecurity, it may be fined between RMB 100,000 and RMB 1,000,000, and directly responsible personnel may be fined between RMB 10,000 and RMB 100,000.<\/li>\n<li>Where the above acts cause serious consequences, such as massive data leakage or partial loss of function of critical information infrastructure, the organization may be fined between RMB 500,000 and RMB 2,000,000, and the relevant personnel may be fined between RMB 50,000 and RMB 200,000.<\/li>\n<li>Where the above acts cause particularly serious consequences, such as major loss of function of critical information infrastructure, the organization may be fined between RMB 
2,000,000 and RMB 10,000,000, and the relevant personnel may be fined between RMB 200,000 and RMB 1,000,000.<\/li>\n<li>In addition, where a CIIO uses network products or services that have not passed, or have not undergone, the required security review, the organization may be fined between one and ten times the purchase amount, and directly responsible personnel may be fined between RMB 50,000 and RMB 500,000.<\/li>\n<\/ul>\n<p>More generally, fines are determined by the competent authorities on a case-by-case basis, taking into account factors such as the nature, seriousness, duration, and consequences of the violation, the violator\u2019s attitude toward rectification, and its prior compliance record. For the calculation standards for fines imposed by the CAC, see Q36.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Enforcement decisions are open to challenge in China. 
For the applicable appeal and review mechanisms, including administrative reconsideration and direct judicial review before a People\u2019s Court, see Q37.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n\t\t\t<\/ol>\r\n\r\n<\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/139480","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=139480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}