China Data Privacy Laws

In recent years, China has enforced new laws that significantly impact data privacy and security. These laws affect companies in China that utilize user data, ensuring they comply with regulations on handling, storing, using, and transferring personal information. Implementing these laws affects all e-commerce businesses in China and any other business that collects user data online.

China’s Data Privacy Laws: The Personal Information Protection Law and Data Security Law

Data Security Law (DSL)

The DSL categorizes user data collection and storage based on its potential security and economic impact on China. Regulations on the storage or transfer of data depend on its classification level.

Personal Information Protection Law (PIPL)

The PIPL regulates collecting and protecting personal information obtained by organizations operating in China. Personal information is “any information related to identified or identifiable natural persons stored in electronic or any other format.” The scope of the PIPL covers the collection, reorganization, storage, usage, transmission, disclosure, provision, and deletion of personal information.

Reasons for Creating New Regulations on Data Privacy

These laws’ primary goal is to protect individuals’ privacy rights and limit companies’ power over personal data. They set conditions for companies to use, collect, store, secure, and transfer personal data, including obtaining consent before collecting personal information. These regulations aim to regulate cyberspace, monitor company compliance, and address public complaints about data misuse.

Impact on Foreign Companies in China

Foreign businesses in China that process locals’ data must comply with the PIPL and DSL. This includes appointing local representatives to file for compliance. Non-compliance can result in blacklisting, preventing the processing of personal data in China. Notable examples include LinkedIn and Yahoo!, which ceased operations in China due to the challenging legal environment.

Framework of the Data Security Law

  • Core Data: Data concerning national and economic security, citizens, and public interests, given the highest security level and strictest regulation.
  • Important Data: Undefined specifics, with scope identification assigned to relevant national, regional, and sector authorities.

Data Transfer

  • CIIOs: Must ensure data is generated and safeguarded in China, and must conduct security self-assessments before sending data overseas.
  • Non-CIIOs: Forbidden from sending data stored in China to foreign law enforcement or judicial bodies without PRC approval.

Downstream Data

Intermediaries using data for commercial purposes must verify the legality of the data they receive and maintain identification and transaction records for auditing.


Companies must update and improve data security systems, designate responsible teams for data security, and regularly submit risk assessments to authorities.

Framework of the Personal Information Protection Law

Data Localization and Deletion

Data handlers must delete personal data when its purpose has been achieved or it no longer serves the disclosed purpose, the service is no longer available, the retention period lapses, the user withdraws consent, or the data processing violates laws.

Restrictions on Data Transfer

Data handlers must obtain user consent before forwarding personal information to third parties and ensure the recipient enforces data protection security and compliance.

User Consent

Businesses must obtain user consent before collecting data, especially sensitive information. They should disclose the necessity and specific purpose of data collection.


Companies must conduct self-audits to identify potential security risks and ensure regulatory compliance. Algorithms used for data analysis must follow fairness and transparency clauses.

Implications of the Implementation

Companies must assess whether their systems comply with the DSL and PIPL, potentially reorganizing operations based on the level of personal data they handle. Legal advice from local PRC counsel is recommended for companies dealing with data export.

Comparison Between GDPR and Chinese Privacy Laws

The PIPL and GDPR allow individuals to access, correct, delete, or rescind consent for their data. However, the PIPL is enforced by the Cyberspace Administration of China (CAC), whereas GDPR is handled by independent regulators in each country. Non-compliance with PIPL can result in blacklisting, unlike GDPR, which imposes financial penalties.

Potential Market Restrictions

The PIPL regulates marketing activities and automated systems using personal data, requiring national security reviews for international data transfers. Companies must submit contracts detailing the necessity, type, and risks of data transfer abroad.

Adhering to data privacy laws is essential for companies operating in China to avoid issues.