Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAWS

General · 通用.

76 entries. The economy-wide regime that applies across every sector — PIPL, the Data Security Law, the Cybersecurity Law, and the regulations, departmental rules, standards, and judicial interpretations built on them: personal information, data security and classification, cross-border transfer, and the data-element market.

← All sectors / 全部分区

§ REFERENCE HANDBOOKS

Reference Handbooks .

权威实务手册 · institutional handbooks and joint guides

  • § 01 · CN-SG Joint Guide

    China–Singapore Joint Data Compliance Guide: Practical Handbook — China Chapter

    中国—新加坡联合数据合规指引:实务手册(中国篇)

    A 110-page bilingual practitioner handbook on Chinese data compliance, jointly compiled by the Shenzhen Data Exchange and Singapore's Asian Business Law Institute under the guidance of the Qianhai Authority. The China Chapter is structured around the Guide's two-axis compliance model: subject obligations (organizational structure, policy, classification & grading, partners, risk assessment, incident response) crossed with object types (general / important / personal / public / industry-specific data). Includes the regulator map, cross-border path selection trees, and worked examples. Current as of August 2025. This is the single most accessible authoritative reference DCC has identified for overseas counsel approaching the Chinese data regime.

    Shenzhen Data Exchange · Asian Business Law Institute (Singapore) · Authority of Qianhai · Shenzhen Bureau of Justice Effective 2025-08-01
§ LAWS

Laws .

法律 · National People's Congress

  • § 01 · PIPL

    Personal Information Protection Law of the People's Republic of China

    中华人民共和国个人信息保护法

    PIPL is China's comprehensive personal-information protection regime. It is structured around the concept of the personal information handler — a Chinese-law term that should not be flattened to GDPR's data controller. PIPL governs consent, sensitive personal information, cross-border transfer, and the rights of individuals, with extraterritorial reach to handlers outside China that target domestic natural persons.

    National People's Congress Standing Committee Effective 2021-11-01
  • § 02 · DSL

    Data Security Law of the People's Republic of China

    中华人民共和国数据安全法

    The Data Security Law is the second of China's three foundational data statutes (alongside CSL and PIPL). It governs all data processing activities — not just personal information — and establishes the data classification and grading regime, the 'important data' and 'national core data' categories, security obligations for data handlers, the cross-border transfer restrictions on important data, and the prohibition on providing data to foreign judicial or enforcement bodies without approval.

    National People's Congress Standing Committee Effective 2021-09-01
  • § 03 · CSL · AMENDED

    Cybersecurity Law of the People's Republic of China (2025 Amendment)

    中华人民共和国网络安全法(2025 修正)

    The Cybersecurity Law is the earliest of the three foundational data-protection statutes. It establishes the Multi-Level Protection Scheme (MLPS), the Critical Information Infrastructure regime, network-operator obligations, and the cybersecurity review framework. The current text incorporates the 2025 amendment, which takes effect January 1, 2026.

    National People's Congress Standing Committee Effective 2017-06-01
  • § 04 · Civil Code (PI Chapter)

    Civil Code — Personality Rights Book, Chapter on Privacy and Protection of Personal Information

    中华人民共和国民法典 · 人格权编 · 隐私权和个人信息保护章

    Articles 1032–1039 of the Civil Code's Personality Rights Book establish the civil-law foundation for privacy and personal-information protection in China. The chapter defines the right of privacy, the scope of personal information, principles for handling, statutory defenses, individuals' rights of access and correction, processor obligations, and confidentiality duties of State organs. Civil-law remedies under this chapter operate alongside the public-law PIPL regime — neither displaces the other.

    National People's Congress Effective 2021-01-01
  • § 05 · AUCL

    Anti-Unfair Competition Law of the People's Republic of China

    中华人民共和国反不正当竞争法

    National People's Congress Standing Committee Effective 2025-10-15
  • § 06 · ATFL

    Anti-Telecom and Online Fraud Law of the People's Republic of China

    中华人民共和国反电信网络诈骗法

    National People's Congress Standing Committee
  • § 07 · Minors Protection Law

    Law on the Protection of Minors

    中华人民共和国未成年人保护法

    The umbrella statute for the protection of minors in China. Its 2020 revision added a dedicated 'Network Protection' chapter that anchors the entire minors-online-protection regime: internet-literacy education duties for the state, society, schools, and families (Art. 64); school management of smartphones and smart terminals (Art. 70); mandatory school bullying prevention-and-control systems with reporting duties for serious incidents (Art. 39); and school duties to notify parents and intervene when students show internet addiction (Art. 71). The Regulations on the Protection of Minors in Cyberspace (2024) implement the chapter at administrative-regulation level, and the MOE's Provisions on the Protection of Minors by Schools implement the school-facing duties.

    Standing Committee of the National People's Congress Effective 2021-06-01
§ ADMINISTRATIVE REGULATIONS

Administrative Regulations .

行政法规 · State Council

  • § 01 · CII Regulations

    Security Protection Regulations for Critical Information Infrastructure

    关键信息基础设施安全保护条例

    These Regulations operationalize the Critical Information Infrastructure (CII) regime under CSL Articles 31–39. They define CII identification rules, set out CIIO obligations (specialized security body, annual testing and risk assessment, security review of network products, breach reporting), and establish the inter-agency coordination structure under CAC + Ministry of Public Security.

    State Council Effective 2021-09-01
  • § 02 · Data Twenty Opinions

    Opinions of the CPC Central Committee and the State Council on Building a Basic Data System to Better Play the Role of Data Elements

    中共中央 国务院关于构建数据基础制度更好发挥数据要素作用的意见

    The foundational 20-article policy directive jointly issued by the CPC Central Committee and the State Council laying out China's national data basic system: data property rights structural subdivision (holding right / processing right / operation right), classified-and-graded right confirmation for public/enterprise/personal data, the on-floor + over-the-counter trading framework, the income distribution mechanism for data elements, and a multi-party governance model. This is the policy text that informs subsequent national-level legislation and rules on data assets, public data, and data property rights registration.

    CPC Central Committee and State Council Effective 2022-12-02
  • § 03

    Regulation on Network Data Security Management

    网络数据安全管理条例

    The Network Data Security Management Regulation is the State Council's overarching implementing regulation for the three foundational data-protection statutes (CSL, DSL, PIPL). It consolidates network-data security obligations, important-data identification and classification, cross-border transfer rules, security-incident reporting, and operator obligations for large data handlers and internet platforms. Promulgated as State Council Decree No. 790.

    State Council Effective 2025-01-01
  • § 04

    Regulations on the Protection of Minors in Cyberspace

    未成年人网络保护条例

    Implementing regulation for the protection of minors under PIPL and CSL. Covers age-appropriate content, online education, addiction-prevention regimes for video games and short videos, sensitive personal information of minors (under 14), parental consent mechanisms, and platform obligations for products targeting or accessible to minors.

    State Council Effective 2024-01-01
  • § 05

    Regulations on the Sharing of Government Data

    政务数据共享条例

    The first comprehensive State Council regulation specifically governing the sharing of government data across agencies. Establishes the unified national government-data sharing platform, defines responsibilities of the National Data Administration, sets data quality and security requirements, and addresses personal-information and important-data handling within the government-data context.

    State Council Effective 2025-08-01
  • § 06

    Administrative Measures for Internet Information Services (2024 Revision)

    互联网信息服务管理办法(2024 修订)

    The foundational regulation of Internet Information Services (ICP) in China — the regulatory baseline beneath nearly every later data-protection rule. Establishes the ICP licensing regime (operational vs. non-operational), platform compliance obligations, content management, and the role of telecommunications and cyberspace administrative authorities. The 2024 revision aligns the regulation with CSL, DSL, PIPL, and the post-2022 platform rules.

    State Council Effective 2025-01-20
  • § 07 · PVISR

    Administrative Regulation for Public Security Video Image Information Systems

    公共安全视频图像信息系统管理条例

    The State Council's overarching regulation for public security video image information systems (公共安全视频系统) in public places. Distinguishes three operator types: government-led, public-private partnership, and private-led, and applies graduated obligations depending on the operator type. Implements PIPL Article 26 for video-image capture in public places, including filing obligations, mandatory signage, retention, and security duties. Read with the 2025 FRT Measures (Decree No. 19) for facial-recognition deployments.

    State Council Effective 2025-04-01
  • § 08 · Shenzhen Data Regulations

    Shenzhen Special Economic Zone Data Regulations

    深圳经济特区数据条例

    China's first comprehensive local data law, adopted by the Standing Committee of the Shenzhen Municipal People's Congress on 29 June 2021 and effective 1 January 2022. The Regulations pioneered express recognition of 'data rights and interests' (数据权益) — conferring personality-rights interests on individuals over their personal data and property-rights interests on lawful data processors over their data products — and introduced China's most detailed consent-and-notice regime for personal data at the time, including an explicit prohibition on big-data price discrimination against existing users (大数据杀熟). It established a public data sharing-as-default framework, a data factor market chapter with fair-competition rules, and comprehensive data security obligations including mandatory cross-border transfer security assessments. As the first sub-national regulation to span personal data, public data, the data factor market, and data security in a single instrument, Shenzhen's Regulations served as an influential drafting model ahead of PIPL (2021) and the Data Security Law (2021) and remain directly applicable to businesses operating in Shenzhen; overseas counsel should note that penalties for unlawful data trading can reach RMB 1 million, and anticompetitive data-market conduct can attract fines of up to 5% of prior-year revenue or RMB 50 million.

    Standing Committee of the Shenzhen Municipal People's Congress Effective 2022-01-01
§ DEPARTMENTAL RULES

Departmental Rules .

部门规章 · CAC, MIIT, MPS and others

  • § 01

    Measures for the Security Assessment of Data Export

    数据出境安全评估办法

    The first of CAC's three cross-border transfer pathways. Required for CIIOs transferring any personal information or important data abroad, and for non-CIIO handlers above certain thresholds. Establishes the application procedure, evaluation factors, validity period, and self-assessment requirements. Read together with the 2024 Cross-border Data Flow Provisions, which relaxed thresholds.

    Cyberspace Administration of China (CAC) Effective 2022-09-01
  • § 02

    Provisions on Promoting and Regulating Cross-border Data Flows

    促进和规范数据跨境流动规定

    The 2024 Cross-border Data Flow Provisions are CAC's relaxation package on outbound data transfer. They introduce thresholds and exemptions for the security assessment, standard contract, and certification pathways, plus a free trade zone (FTZ) negative-list mechanism. For overseas counsel, this is the regulation that practically determines whether a routine cross-border transfer needs to clear formal CAC review or not.

    Cyberspace Administration of China (CAC) Effective 2024-03-22
  • § 03

    Data Property Rights Registration Work Guide (Trial)

    数据产权登记工作指引(试行)

    NDA's first national framework for the registration of Data Property Rights — the rights to hold, use, and operate data established under the Data 20 Articles policy. Issued by the NDA Comprehensive Department on July 1, 2026 as the Trial Work Guide, it sets out registration institutions, the registration procedure (application, acceptance, review, public announcement, objection handling, evidence preservation, certificate issuance), the ownership-clarity rules that determine who can register which right over which data, the five registration types (initial, transfer, change, renewal, deregistration), and liability for institutions and applicants. Compared with the April 2026 consultation draft, the final text tightens security/public-interest gates, adds a definition of derived data, shifts the national platform terminology to a service system, strengthens provincial management and institution-exit rules, narrows public-data registration from mandatory to conditional/voluntary wording, and moves certificate validity from issuance to evidence-preservation completion.

    National Data Administration (NDA), Comprehensive Department
  • § 04 · SCC Measures

    Measures on the Standard Contract for the Outbound Transfer of Personal Information

    个人信息出境标准合同办法

    The second of CAC's three cross-border transfer pathways: signing a CAC-prescribed Standard Contract with the overseas recipient and filing it with the provincial CAC. Used by handlers below the Security Assessment thresholds. The Measures establish eligibility criteria, the filing procedure, ongoing obligations after filing, and the CAC's right to invalidate the contract on the recipient side. The Standard Contract template itself is annexed.

    Cyberspace Administration of China (CAC) Effective 2023-06-01
  • § 05 · Network Data Risk Assessment Measures

    Measures for Network Data Security Risk Assessment

    网络数据安全风险评估办法

    The first dedicated, cross-sector implementing rule for the annual network-data risk-assessment obligation created by the Network Data Security Management Regulation (State Council Decree No. 790). Jointly issued by the CAC, MIIT and the Ministry of Public Security as Order No. 24, it requires every important-data handler to conduct a risk assessment each year — and again whenever a material change in the security status of important data may adversely affect security — to retain the report for at least three years, and to submit it to the competent authority within 20 working days; general-data handlers are encouraged to assess at least once every three years. It builds the regime for third-party assessment institutions: voluntary certification, a ban on sub-entrustment, a no-more-than-three-consecutive-years rotation rule, and confidentiality and deletion duties. Regulators may compel a certified-institution assessment after a high-risk finding or a breach involving important data or large-scale personal information, and may order an important-data handler to stop processing important data where activities endanger national security or the public interest. Adopted June 1, 2026; promulgated June 18, 2026; effective August 20, 2026.

    Cyberspace Administration of China; Ministry of Industry and Information Technology; Ministry of Public Security Effective 2026-08-20
  • § 06

    Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information (First Edition)

    个人信息出境标准合同备案指南(第一版)

    CAC's procedural guide accompanying the SCC Measures. Specifies the filing materials required, where to file (provincial CAC), online filing system mechanics, materials acceptance and review timeline, and standardized templates for the power of attorney, the letter of commitment, the Standard Contract itself, and the Personal Information Protection Impact Assessment Report. Read together with the SCC Measures for the operational filing path.

    Cyberspace Administration of China (CAC) Effective 2023-05-30
  • § 07 · Data Terms Batch 1

    Explanation of Common Terms in the Field of Data (First Batch)

    数据领域常用名词解释(第一批)

    The first installment of official terminology explanations issued by the National Data Administration. Establishes authoritative Chinese government definitions for 40 foundational data-field concepts including data, primary data, data resources, data elements, data products and services, data assets, data handling, data handler, commissioned data handler, data circulation, data transaction, data governance, data security, public data, digital industrialization, industrial digitalization, metadata, structured/semi-structured/unstructured data, privacy-protective computation (secure multi-party computing, federated learning, trusted execution environment, cryptographic computing), and blockchain.

    National Data Administration Effective 2024-12-30
  • § 08 · Data Terms Batch 2

    Explanation of Common Terms in the Field of Data (Second Batch)

    数据领域常用名词解释(第二批)

    The second installment of official terminology explanations issued by the National Data Administration, continuing the consensus-building effort that began with the First Batch in December 2024. The 20 terms in this batch focus on data property rights vocabulary (Data Property Rights, Data Property Rights Registration, Right to Hold Data, Right to Use Data, Right to Operate Data, derived data, enterprise data); data trading institutions and market structure (data trading institution, on-exchange data trading, off-exchange data trading, data trading matching, data third-party professional service institution); the data industry and data labeling sub-industry; trusted data space and data use control; data infrastructure; and computing-power scheduling and pooling. DCC translation, cross-checked against the glossary for consistency with the public-data property-rights registration documents.

    National Data Administration Effective 2025-03-29
  • § 09

    Measures for the Certification of the Cross-border Provision of Personal Information

    个人信息出境认证办法

    The third of CAC's three cross-border transfer pathways — PI Protection Certification — finally given its own dedicated rules effective January 1, 2026. Joint issuance with SAMR (which administers the certification body accreditation regime). Establishes who can be certified, eligibility thresholds, what certification covers, and the relationship to the Security Assessment and Standard Contract pathways.

    Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR) Effective 2026-01-01
  • § 10

    Cybersecurity Review Measures

    网络安全审查办法

    The 2021 update to the cybersecurity review regime, expanded after the Didi enforcement action. Applies to (i) CIIO procurement of network products/services that may affect national security, and (ii) network platforms holding personal information of more than one million users when seeking an overseas listing. Sets the procedure, factors considered, and outcomes (no-action, conditional approval, prohibition).

    CAC + 12 ministries (NDRC, MIIT, MPS, MSS, MOF, MOFCOM, PBOC, NRTA, CSRC, SSA, SCA) Effective 2022-02-15
  • § 11

    Administrative Measures for Personal Information Protection Compliance Audits

    个人信息保护合规审计管理办法

    These Measures implement the compliance-audit obligation in PIPL Article 54. Self-audit is required at least every two years for handlers of more than 10 million people's personal information; CAC-directed audits by a third-party specialized agency are triggered by significant risk, large-scale infringement, or major security incidents. The Measures are accompanied by a 27-section Guidelines annex that lays out exactly what auditors should examine — effectively a regulator-issued checklist for personal-information compliance.

    Cyberspace Administration of China (CAC) Effective 2025-05-01
  • § 12 · Incident Reporting Measures

    Measures for the Administration of National Cybersecurity Incident Reporting

    国家网络安全事件报告管理办法

    Issued by the CAC on September 11, 2025 and effective November 1, 2025, these Measures establish a unified national workflow for cybersecurity incident reporting, triggered whenever an incident is graded 'relatively significant' or above under the annexed Classification Guidelines (which track GB/T 20986-2023). Reporting clocks are calibrated by operator type: critical information infrastructure (CII) operators must report within one hour, central and state organs within two hours, and all other network operators within four hours, with tighter escalation windows for major and especially major incidents. Each report must cover eight specified elements — including, for ransomware, the ransom amount and payment deadline — and a comprehensive 30-day summary report is required after incident handling concludes; the 12387 hotline serves as the central intake. Article 11 creates an explicit safe harbour for operators that prepared adequately, responded under their emergency plan, and reported in good time, while Article 10 subjects late, false, or concealed reporting that causes serious harm to heavier penalties for both the entity and responsible individuals — a combination that overseas counsel should factor into incident-response playbooks for any China-nexus operation.

    Cyberspace Administration of China (CAC) Effective 2025-11-01
  • § 13 · Children's PI Provisions

    Provisions on the Online Protection of Children's Personal Information

    儿童个人信息网络保护规定

    China's first dedicated rule for children's personal information online, issued by the CAC in 2019 and effective October 1, 2019. It fixes 14 as the age of childhood, requires verifiable guardian consent before a network operator collects, stores, uses, transfers, or discloses a child's personal information, and imposes a guardian-facing notice-and-refusal regime, data-minimization and storage-limitation duties, encrypted storage, minimum-authorization access controls, entrustment and transfer safeguards, deletion and correction rights, and breach notification to guardians. It predates PIPL but is read together with PIPL Article 28 (which treats the personal information of minors under 14 as sensitive personal information) and the Regulations on the Protection of Minors in Cyberspace.

    Cyberspace Administration of China (CAC) Effective 2019-10-01
  • § 14 · App PI Identification Method

    Method for Identifying the Unlawful Collection and Use of Personal Information by Apps

    App违法违规收集使用个人信息行为认定方法

    Issued jointly in November 2019 by the CAC Secretariat, MIIT, MPS, and SAMR under Document No. 国信办秘字〔2019〕191号, this instrument provides the operational six-category test that regulators use to determine whether an app's collection and use of personal information is unlawful or excessive: (1) failure to publicly disclose collection and use rules; (2) failure to clearly state the purpose, method, and scope of collection; (3) collection without user consent; (4) collection beyond what is necessary for the service; (5) sharing personal information with third parties without consent; and (6) failure to provide deletion or correction functions or complaint channels. The method underpins the national App special-governance campaign and is the direct basis for app-store removal orders issued by regulators. Overseas counsel advising Chinese-market apps or cross-border data-sharing arrangements must treat compliance with each of the six categories as a threshold checklist, as a single identified violation can trigger mandatory rectification and removal.

    Secretariat of the Cyberspace Administration of China, General Office of MIIT, General Office of the Ministry of Public Security, and General Office of SAMR Effective 2019-11-28
  • § 15 · Necessary PI Scope Provisions

    Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications

    常见类型移动互联网应用程序必要个人信息范围规定

    These Provisions, issued jointly by the CAC, MIIT, MPS, and SAMR in March 2021 and effective May 1, 2021, define 'necessary personal information' as the minimum data indispensable for an app's basic functional service to operate — and expressly prohibit operators from refusing basic service to users who decline to provide non-necessary personal information. The Provisions enumerate 39 common mobile app categories (including map navigation, ride-hailing, instant messaging, online shopping, mobile banking, and more), specifying the precise personal information each category may require; 12 of the 39 categories — including browsers, input methods, news apps, and short-video apps — require no personal information at all for basic use. Overseas counsel advise on these Provisions when auditing the data-collection practices of apps distributed in China, assessing whether consent gates or account-wall practices are lawful, and preparing for MIIT or CAC enforcement inspections targeting excessive or non-necessary data collection.

    Secretariat of the Cyberspace Administration of China, General Office of MIIT, General Office of the Ministry of Public Security, and General Office of SAMR Effective 2021-05-01
  • § 16 · Platform Rules Measures

    Measures for the Supervision and Administration of Online Trading Platform Rules

    网络交易平台规则监督管理办法

    Departmental rule (SAMR/CAC Order No. 116) governing how online trading platform operators formulate, amend and enforce their platform rules (service agreements, in-platform management rules, dispute-handling rules, personal-information protection rules, IP rules, etc.). It requires conspicuous publication, comment solicitation, advance notice before changes take effect, retention of historical versions, and an appeals channel including human review where decisions are made solely by AI. Separate chapters address information/network/data security (including minors' protection and personal-information allocation between platforms and in-platform operators), protection of in-platform operators against unreasonable restrictions and fees, and consumer protection against discriminatory pricing and unilateral membership changes. Effective February 1, 2026.

    State Administration for Market Regulation; Cyberspace Administration of China Effective 2026-02-01
  • § 17 · CII Commercial Cryptography Provisions

    Provisions on the Administration of the Use of Commercial Cryptography in Critical Information Infrastructure

    关键信息基础设施商用密码使用管理规定

    Departmental rule (State Cryptography Administration / CAC / Ministry of Public Security Order No. 5) requiring operators of critical information infrastructure (CII) to use commercial cryptography to protect their CII, and to plan, build and operate commercial-cryptography assurance systems concurrently with the CII itself. It mandates commercial-cryptography application security assessments at the planning, construction and operation stages (at least annually once in operation), requires the use of certified commercial-cryptography products and State-vetted algorithms, sets staffing and funding requirements (key administrators, cipher operators, security auditors), imposes annual reporting duties, and provides penalties of up to RMB 1,000,000. Effective August 1, 2025.

    State Cryptography Administration; Cyberspace Administration of China Effective 2025-08-01
  • § 18 · PI Certification Rules

    Implementation Rules for Personal Information Protection Certification

    个人信息保护认证实施规则

    The Implementation Rules for Personal Information Protection Certification, issued as the annex to SAMR and CAC Joint Announcement No. 37 of 2022 on November 18, 2022, operationalize the certification pathway that PIPL Article 38(2) authorizes for cross-border transfers of personal information and that simultaneously governs domestic personal information protection certification. The Rules establish a three-stage certification model — technical verification, on-site audit, and post-certification supervision — grounded in GB/T 35273 (Personal Information Security Specification) for all personal information handlers, with the additional requirement that handlers engaged in cross-border processing activities comply with TC260-PG-20222A (Security Certification Specification for Cross-border Personal Information Processing Activities). Certification certificates are valid for three years, subject to ongoing supervisory audits, and may be suspended or revoked for non-compliance; certified handlers may display the corresponding certification mark (with a distinct cross-border variant). The Rules were subsequently supplemented by the Measures for the Certification of the Cross-border Provision of Personal Information (effective January 1, 2026), which specifically governs the cross-border certification route; overseas counsel advising on cross-border transfers should read the two instruments together, as the Implementation Rules set the foundational procedural framework that the 2026 Measures build upon.

    State Administration for Market Regulation (SAMR) and Cyberspace Administration of China (CAC) Effective 2022-11-18
  • § 19 · PI Certification Announcement

    Announcement on the Implementation of Personal Information Protection Certification

    关于实施个人信息保护认证的公告

    The November 2022 joint announcement by SAMR and CAC (Announcement No. 37 of 2022) formally launched the Personal Information Protection Certification scheme, designating approved certification bodies to conduct certification activities in accordance with the Implementation Rules for Personal Information Protection Certification and, for cross-border processing activities, the TC260 standard TC260-PG-20222A. Participation is voluntary: the announcement encourages personal information handlers to obtain certification as a means of demonstrating and improving their personal information protection capabilities. The announcement is short — one operative paragraph — and works in tandem with the accompanying Implementation Rules (attached to the announcement) and the subsequently issued Measures for the Certification of the Cross-border Provision of Personal Information (2026). For overseas counsel, the scheme provides a third compliance pathway alongside the Security Assessment and the Standard Contract for cross-border transfers of personal information.

    State Administration for Market Regulation (SAMR) and Cyberspace Administration of China (CAC) Effective 2022-11-04
  • § 20 · Telecom & Internet User PI Provisions

    Provisions on Protecting the Personal Information of Telecommunications and Internet Users

    电信和互联网用户个人信息保护规定

    Issued by the Ministry of Industry and Information Technology (MIIT) in July 2013 and effective 1 September 2013, these Provisions are the principal sector-specific rule governing the collection and use of users' personal information by telecommunications business operators and internet information service providers operating in China. They establish consent and notice requirements before collection, data-minimisation and purpose-limitation duties, strict confidentiality obligations, mandatory security safeguards (including access controls, breach reporting, annual self-audits, and staff training), and a two-tier penalty regime enforced by MIIT and its provincial communications-administration bureaus. Predating the Personal Information Protection Law (PIPL) by eight years, the Provisions remain in force as a sectoral antecedent and continue to bind telecom and ISP licensees directly through the licence-review process; overseas counsel advising clients who hold or apply for Chinese ICP or telecom value-added service licences must treat these Provisions as the operative data-protection floor alongside PIPL.

    Ministry of Industry and Information Technology (MIIT) Effective 2013-09-01
  • § 21 · Children in Distress PI Measures

    Working Measures for the Protection of the Personal Information of Children in Distress

    困境儿童个人信息保护工作办法

    Working measures (Min Fa [2024] No. 67) jointly issued by the Ministry of Civil Affairs and seventeen other central authorities and mass organizations to regulate the use and protection of the personal information of children in distress. Following the principle of 'whoever is in charge / whoever processes is responsible', the measures assign protection duties across the civil-affairs, education, health, judicial, publicity, cyberspace, culture-and-tourism and broadcasting systems, as well as trade unions, the Communist Youth League, women's federations and disabled persons' federations. They require consent of parents or guardians for processing the information of children under 14 (and consent of the child plus notice to guardians for those 14 and over), prohibit labeling, traffic-chasing and using such information for fundraising or live-stream commerce, and grant children and their guardians a right to inquire about and object to processing. Effective November 18, 2024.

    Ministry of Civil Affairs; Publicity Department of the CPC Central Committee; Commission for Political and Legal Affairs of the CPC Central Committee; Cyberspace Administration of China; Supreme People's Court; Supreme People's Procuratorate; Ministry of Education; Ministry of Public Security; Ministry of Justice; Ministry of Culture and Tourism; National Health Commission; National Radio and Television Administration; Office of the National Working Committee on Children and Women under the State Council; All-China Federation of Trade Unions; Central Committee of the Communist Youth League; All-China Women's Federation; China Disabled Persons' Federation; National Working Committee on Caring for the Next Generation Effective 2024-11-18
  • § 22 · Mobile App Information Services Provisions

    Provisions on the Administration of Mobile Internet Application Information Services (2022 Revision)

    移动互联网应用程序信息服务管理规定(2022 修订)

    The 2022 revision of the CAC's flagship app-governance rule, effective 1 August 2022, imposes dual-track obligations on app providers and app distribution platforms (including app stores, mini-program platforms, and browser plug-in platforms). App providers must verify users' real identity information via mobile-phone number, identity-document number, or unified social credit code before enabling publication or messaging features, and must comply with personal information minimization requirements — including a prohibition on denying core service functionality solely because a user declines to supply non-essential personal information. App distribution platforms must register with provincial-level CAC offices within 30 days of going live, implement multi-factor real identity verification of every app provider seeking to list on the platform, and conduct substantive pre-listing and ongoing review of apps for legal compliance, data security risks, and illegal or excessive collection and use of personal information. Overseas counsel advise on these provisions because they set the compliance baseline that any foreign app operator — whether publishing directly or distributing through Chinese app stores — must satisfy before reaching Chinese users.

    Cyberspace Administration of China (CAC) Effective 2022-08-01
  • § 23 · School Protection Provisions

    Provisions on the Protection of Minors by Schools

    未成年人学校保护规定

    MOE Order No. 50, the school-facing implementing rule under the Law on the Protection of Minors. For the online-protection regime its load-bearing provision is Article 21: teachers and staff who discover students fabricating facts to defame others, spreading rumors or false information, or maliciously disseminating others' private information through networks or other means must stop it promptly — the hook that turns online defamation and privacy-spreading incidents among students into a school management duty, with civil supplementary liability under Civil Code Article 1201 if the school fails to act.

    Ministry of Education (MOE) Effective 2021-09-01
  • § 24 · Data Export Declaration Guide (v3)

    Guidelines for the Declaration of Data Export Security Assessment (Third Edition)

    数据出境安全评估申报指南(第三版)

    The CAC's third-edition procedural guide — issued and effective 27 June 2025 — sets out in detail who must file a Data Export Security Assessment declaration, the step-by-step filing process through the online declaration system (sjcj.cac.gov.cn), the eight categories of required materials (including the self-assessment report and the legally binding contract with the overseas recipient), and the newly introduced procedure for applying to extend an approved assessment's validity period. It supersedes the first and second editions, streamlines the documentary requirements, and clarifies the conditions (capped volume increases of no more than 20 % over the prior three-year approval period) and timeline (60 working days before expiry) for extension applications. Overseas counsel advising on cross-border data transactions need this guide to prepare compliant declaration packages and to structure the legal agreement with the overseas recipient so that it satisfies the mandatory contractual checklist in the self-assessment report template.

    Cyberspace Administration of China (CAC) Effective 2025-06-27
  • § 25 · Data Security Certification Announcement

    Announcement of the State Administration for Market Regulation and the Cyberspace Administration of China on Carrying Out Data Security Management Certification

    国家市场监督管理总局、国家互联网信息办公室关于开展数据安全管理认证工作的公告

    Announcement (SAMR/CAC Announcement No. 18 of 2022) launching a voluntary data security management certification scheme that encourages network operators to certify their network-data processing activities (collection, storage, use, processing, transmission, provision, disclosure, etc.) and strengthen network data security protection. The attached Data Security Management Certification Implementation Rules, based on the Regulations on Certification and Accreditation and the standard GB/T 41479 (Information security technology—Security requirements for network data processing), set out a certification mode of 'technical verification + on-site audit + post-certification supervision', the certification procedure, a three-year certificate validity period, and rules on certificates, certification marks and the responsibilities of certification bodies. Effective June 5, 2022.

    State Administration for Market Regulation; Cyberspace Administration of China Effective 2022-06-05
  • § 26 · GBA (Mainland-Macao) SCC Guidelines

    Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao)

    粤港澳大湾区(内地、澳门)个人信息跨境流动标准合同实施指引

    Jointly issued on 10 September 2024 by the CAC, the Economic and Technological Development Bureau of the Macao SAR, and the Personal Data Protection Bureau of the Macao SAR, these Implementation Guidelines establish a bilateral facilitation arrangement that allows eligible personal information handlers registered or located in the nine Guangdong cities of the Greater Bay Area or the Macao SAR to transfer personal information between those two jurisdictions by executing a prescribed Standard Contract and filing it with the applicable local authority within 10 working days, without needing to pass a CAC security assessment — even where data volumes exceed the national thresholds that would otherwise trigger that assessment. The arrangement operates under the Cooperation Memorandum on Promoting Cross-Border Data Flows in the Guangdong-Hong Kong-Macao Greater Bay Area signed between the CAC and the Economic and Finance Bureau of the Macao SAR. The Guidelines exclude personal information classified as important data and require handlers to complete a Personal Information Protection Impact Assessment (PIPIA) before each cross-border provision. For overseas counsel, the arrangement is significant because it creates a distinct GBA intra-Bay-Area pathway that sits alongside — and in some respects relaxes — the three national cross-border transfer routes under PIPL and the Provisions on Promoting and Regulating Cross-border Data Flows.

    Cyberspace Administration of China and Economic and Technological Development Bureau of the Macao SAR Effective 2024-09-10
  • § 27 · GBA (Mainland-Hong Kong) SCC Guidelines

    Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)

    粤港澳大湾区(内地、香港)个人信息跨境流动标准合同实施指引

    The 2023 GBA Mainland-Hong Kong facilitation arrangement jointly issued by the CAC and Hong Kong's Innovation, Technology and Industry Bureau on 10 December 2023, implementing the bilateral Memorandum of Cooperation on Promoting Cross-Border Data Flows in the Greater Bay Area. It establishes a simplified standard-contract pathway enabling personal information handlers and recipients registered or located in the nine mainland GBA cities (Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing) or in Hong Kong SAR to transfer personal information cross-border without triggering the full national-level security assessment regime, subject to a mandatory Personal Information Protection Impact Assessment and filing with the Guangdong CAC or the Hong Kong Office of the Government Chief Information Officer within ten working days of contract entry into force. Personal information that has been notified or publicly released as important data is excluded. This arrangement was the model for the subsequent September 2024 GBA Mainland-Macao version and matters to overseas counsel because it creates a distinct, lighter-touch bilateral track for intra-GBA flows that operates alongside — and does not replace — PIPL's three national-level pathways.

    Cyberspace Administration of China and Innovation, Technology and Industry Bureau of the Hong Kong SAR Effective 2023-12-10
  • § 28 · PIPO Reporting Announcement

    Announcement on Carrying Out the Reporting of Personal Information Protection Officer Information

    关于开展个人信息保护负责人信息报送工作的公告

    The July 2025 CAC announcement operationalises the person-in-charge-of-personal-information-protection (PIPO) designation and filing requirement under PIPL Article 52 and Article 12 of the Administrative Measures for Personal Information Protection Compliance Audits: any personal information handler that processes the personal information of one million or more individuals must report the identity and contact details of its designated person in charge of personal information protection to the municipal-level CAC office where it is registered. Personal information handlers that had already crossed the one-million threshold before 18 July 2025 were given until 29 August 2025 to complete the initial filing; those crossing the threshold after that date must file within 30 business days. Reporting is done exclusively online through the Personal Information Protection Business System (grxxbh.cacdtsc.cn), also reachable from the CAC website's 'National Cyberspace Administration Affairs Hall.' For overseas counsel advising China-facing businesses, this announcement means that any client meeting the PIPL Art. 52 threshold must have a named, reported PIPO on file with the local regulator — failure to do so is an express regulatory violation.

    Cyberspace Administration of China (CAC) Effective 2025-07-18
  • § 29 · Minors PI Audit Reporting Announcement

    Announcement on Submitting Reports on the Compliance Audit of Minors' Personal Information Protection

    关于报送未成年人个人信息保护合规审计情况的公告

    Issued by the CAC on 29 December 2025, this short announcement operationalizes the annual compliance-audit-and-report obligation that Article 37 of the Regulations on the Protection of Minors in Cyberspace imposes on every personal information handler that processes personal information of minors. It fixes the annual reporting deadline (by 31 January of the following year), designates the local prefecture-level cyberspace administration authority as the recipient, mandates online submission through the CAC's Personal Information Protection Business System, and warns that failure to conduct or report the compliance audit will be dealt with under the applicable laws, regulations, and rules. The announcement bridges the PI Audit Measures (effective May 2025) and the minors-protection regime: any handler—regardless of scale—must audit its minors-PI practices each year. Overseas counsel advising multinationals with Chinese apps or platforms that reach minors should ensure clients have a standing annual audit-and-submission process in place before 31 January.

    Cyberspace Administration of China (CAC) Effective 2025-12-29
  • § 30 · FISR Measures

    Measures for the Security Review of Foreign Investments

    外商投资安全审查办法

    The Foreign Investment Security Review (FISR) Measures govern review of foreign investment in China that affects or may affect national security. Article 2 covers new projects, M&A of equity or assets, and other forms of domestic investment by foreign investors. Article 4 brings important information technology, internet products and services, and key technologies into the mandatory pre-notification scope. The test for the security review's bite is actual control — defined broadly to include >50% equity, voting-share thresholds, and other circumstances that materially influence operational decisions, personnel, finance, or technology. These Measures were the legal basis for the April 2026 ban on the Meta–Manus acquisition.

    National Development and Reform Commission (NDRC) and Ministry of Commerce (MOFCOM) Effective 2021-01-18
  • § 31

    Interim Measures for the Registration and Administration of Public Data Resources

    公共数据资源登记管理暂行办法

    The Interim Measures establish a nationally unified registration system for public data resources — data collections produced by Party and government organs and public institutions in the course of performing statutory duties or providing public services. Registration is mandatory for public data resources that fall within authorized-operation scope; voluntary registration is encouraged for other public data resources and for data products and services derived from them. The Measures set the registration procedure (application, acceptance, formal review, public announcement, code issuance), define four registration types (initial, change, correction, deregistration), establish a three-year validity period with renewal, and provide for graded supervision under NDA's overall administration. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists.

    National Development and Reform Commission (NDRC) and National Data Administration (NDA) Effective 2025-03-01
  • § 32

    Implementation Specifications for Authorized Operation of Public Data Resources (Trial)

    公共数据资源授权运营实施规范(试行)

    Companion rule to the Public Data Registration Interim Measures (also NDRC + NDA, January 2025). The Specifications establish the framework for 'authorized operation' (授权运营) of public data resources — the mechanism by which governments at and above the county level, and national sectoral authorities, can authorize qualified operating institutions to develop and operationalize public data resources, deliver data products and services to the market, and share in the revenue. Covers implementing institutions, operating institutions, the implementation plan, the agreement, supervision, anti-monopoly and security duties. The Operating-institution authorization period is capped at five years. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists.

    National Development and Reform Commission (NDRC) and National Data Administration (NDA) Effective 2025-03-01
  • § 33 · Cybersecurity Label Measures

    Measures for the Administration of Cybersecurity Labels

    网络安全标识管理办法

    A joint CAC–MIIT–MPS rule establishing a voluntary product-certification scheme — the 'China Cybersecurity Label' — for internet-connected products, layered into one/two/three-star tiers (basic, enhanced, and leading cybersecurity capability). Coverage is catalogue-managed: products are added in batches, each with its own implementing rules and technical basis, and critical network equipment and dedicated cybersecurity products already regulated under the 2023 security-management framework are carved out. Three-star products must clear penetration testing by a qualified third-party lab, and every label carries a scannable filing code linking to the test report and the manufacturer's compliance declaration. Misuse — forged or misappropriated labels, false advertising, or fabricated test results — triggers filing revocation, public naming, a one-year bar on re-filing, and entry into the national credit-information system. For overseas counsel, this is a market-facing trust mark rather than a mandatory compliance gate, but it interacts with existing MLPS and product-security obligations and is likely to become a de facto procurement or channel-access signal even though participation is nominally voluntary.

    Cyberspace Administration of China (CAC), Ministry of Industry and Information Technology (MIIT), and Ministry of Public Security (MPS) Effective 2026-07-01
  • § 34 · Trade Secret Protection Provisions

    Provisions on the Protection of Trade Secrets

    商业秘密保护规定

    SAMR's rewrite of China's 1995 trade-secret enforcement rules — issued as Order No. 126 under the Anti-Unfair Competition Law — folds algorithms, data, and source code squarely into the definition of a protectable technical-information trade secret, and for the first time recognizes tiered access, data masking, and audit-log retention as adequate confidentiality measures for remote-work and cross-border collaboration setups. It also names electronic intrusion and unauthorized transfer of files to personal cloud drives or external storage as 'improper means' of misappropriation, giving SAMR an administrative-enforcement path for conduct that would otherwise only surface as a data-security incident or a cybercrime case. For overseas counsel, it matters less as a data-protection instrument than as the rule that now lets an aggrieved company route an insider data-exfiltration episode through market-regulation enforcement rather than the police or the courts alone.

    State Administration for Market Regulation (SAMR) Effective 2026-06-01
  • § 35 · Minors Harmful-Info Classification Measures

    Measures for the Classification of Online Information That May Affect the Physical and Mental Health of Minors

    可能影响未成年人身心健康的网络信息分类办法

    A short but operationally important CAC-led rule that, for the first time, defines and catalogues a middle tier of online content: material that falls short of outright illegal content but may still harm minors' physical or mental health. It sorts this content into four classes — inducements to imitate unsafe or antisocial behavior, content harmful to values, improper use of a minor's image, and improper disclosure or use of a minor's personal information — and requires platforms to label it prominently and keep it out of high-traffic slots like homepages, push notifications, and trending lists when the audience includes minors. For overseas counsel, Article 6's personal-information category is the one to watch: it reaches conduct such as showing an under-14's schooling or daily life in enough detail to expose identifying information without guardian consent, or content that induces minors to disclose their own or others' personal information, layering content-moderation duties on top of existing PIPL and minors-protection consent obligations.

    Cyberspace Administration of China (CAC) and seven other departments Effective 2026-03-01
§ NATIONAL STANDARDS

National Standards .

国家标准 · GB/T, TC260

  • § 01 · GB/T 44297—2024

    GB/T 44297—2024 Data Items of Video and Image Information for Public Security

    GB/T 44297—2024 公共安全视频图像信息数据项

    GB/T 44297—2024 is the national recommended standard that specifies the data items used in public-security video image information systems — the underlying field-level schema that camera systems, video platforms, and analysis tools use to describe and exchange video and image data. It applies to data exchange in networked public-security video applications. The standard catalogs more than twenty top-level data-item groups — covering camera information, system/platform information, equipment status, video clips, images, file objects, persons of interest, vehicles of interest, non-motor vehicles, items, scenes, events, regions, motion targets, subscriptions, feature vectors, organized data libraries, and real-time matching against reference lists — plus a set of normative code tables (Appendix D) used to encode the field values. The standard is technical reference material for system integrators and data engineers operating public-security video systems. Cross-reference to the *Administrative Regulation for Public Security Video Image Information Systems* (State Council Decree No. 799) and the *Facial Recognition Technology Application Measures* (CAC + MPS Decree No. 19), which set the legal duties; this standard tells operators what field-level data to capture and exchange in order to meet those duties.

    Standardization Administration of China (SAC) and State Administration for Market Regulation (SAMR), proposed by Ministry of Public Security (MPS) Effective 2024-08-23
  • § 02 · TC260 Sensitive PI Guide

    Cybersecurity Standards Practice Guide — Sensitive Personal Information Identification Guide (v1.0, September 2024)

    网络安全标准实践指南 — 敏感个人信息识别指南 (v1.0-202409)

    TC260's September 2024 practice guide for identifying sensitive personal information under PIPL Article 28. Sets out a four-rule identification framework — damage to personal dignity, to personal safety, to property safety, and aggregation effects — and lists eight common categories of sensitive personal information with illustrative examples in Appendix A. The guide is not a mandatory standard; it is advisory practice guidance issued by the TC260 Secretariat to help organizations operationalize PIPL's sensitive-PI regime. Practical reference for handlers performing the PIPIA required by PIPL Article 55(I) before processing sensitive personal information.

    Secretariat of the National Information Security Standardization Technical Committee (TC260) Effective 2024-09-01
  • § 03 · GB/T 43697

    Data Security Technology — Rules for Data Classification and Grading (GB/T 43697-2024)

    数据安全技术 数据分类分级规则 (GB/T 43697-2024)

    GB/T 43697-2024 is the foundational national standard operationalizing the data classification and grading protection system mandated by DSL Article 21. Issued 15 March 2024 and effective 1 October 2024, it sets out the principles, framework, methods and workflow for classifying data by sector/business attribute and grading it into three tiers — core data (核心数据), important data (重要数据) and general data (一般数据) — and provides an important-data identification guide. It is the reference document that sector regulators use to build sector-specific catalogues and that data processors use to classify and grade their own holdings.

    Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) Effective 2024-10-01
  • § 04 · GB/T 35273

    Information Security Technology — Personal Information Security Specification (GB/T 35273-2020)

    信息安全技术 个人信息安全规范 (GB/T 35273-2020)

    GB/T 35273-2020 is China's foundational recommended national standard on personal information protection. First issued in 2017 and revised in 2020, it predates PIPL and shaped much of its drafting; it sets out detailed good-practice requirements across the full personal-information lifecycle — collection, storage, use, sharing/transfer/disclosure, deletion — plus security incident handling and organizational governance. Although a recommended (non-mandatory) standard, it has long been the operational benchmark Chinese regulators reference, and it remains the most detailed practical gloss on PIPL's principles.

    Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) Effective 2020-10-01
  • § 05 · GB/T 39335

    Information Security Technology — Guide for Personal Information Security Impact Assessment (GB/T 39335-2020)

    信息安全技术 个人信息安全影响评估指南 (GB/T 39335-2020)

    GB/T 39335-2020 is the recommended national standard that operationalizes the personal-information security impact assessment (PIA / 个人信息安全影响评估). It sets out the principles, implementation method, working steps and reporting format for assessing the risks that personal-information processing poses to data subjects' rights and interests. Issued in 2020 and effective 1 June 2021, it is the practical reference China's handlers use to conduct the impact assessment that PIPL Article 55 makes mandatory before high-risk processing activities.

    Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) Effective 2021-06-01
  • § 06 · GB/T 41479

    Information Security Technology — Security Requirements for Network Data Processing (GB/T 41479-2022)

    信息安全技术 网络数据处理安全要求 (GB/T 41479-2022)

    GB/T 41479-2022 is the recommended national standard specifying security requirements for the processing of network data — data collected, stored, transmitted, used, provided, disclosed and deleted through networks. It sets lifecycle security requirements for network data processing activities by network operators, organized by processing stage, and serves as a baseline reference for implementing the data-security duties of the Cybersecurity Law and Data Security Law. It applies across general network operations and informs the Network Data Security Management Regulations.

    Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) Effective 2022-11-01
  • § 07 · GB/T 42460

    Information Security Technology — Guide for Evaluation of Personal Information De-identification Effect (GB/T 42460-2023)

    信息安全技术 个人信息去标识化效果评估指南 (GB/T 42460-2023)

    GB/T 42460-2023 is the recommended national standard for evaluating whether a personal-information de-identification process has actually worked. It sets out the goals, principles, evaluation framework and methods for judging re-identification risk in de-identified datasets — covering identifiers, the choice of de-identification models, and how to test residual risk. It complements GB/T 37964 (the de-identification guide) by providing the effectiveness-evaluation half, and supports PIPL's treatment of de-identification and anonymization.

    Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) Effective 2023-12-01
  • § 08 · GB/T 42574

    Information Security Technology — Implementation Guide for Notification and Consent in Personal Information Processing (GB/T 42574-2023)

    信息安全技术 个人信息处理中告知和同意的实施指南 (GB/T 42574-2023)

    GB/T 42574-2023 is the recommended national standard that operationalizes PIPL's notification (告知) and consent (同意) obligations. It gives handlers practical guidance on what to tell data subjects and how, when and in what form to obtain consent — including separate consent, written consent, consent from minors' guardians, and withdrawal of consent — across web, app and other interfaces. It is the implementation manual for PIPL Articles 14–17 and 23/25/29/39, turning the statute's notice-and-consent rules into concrete design requirements.

    Standardization Administration of China; National Information Security Standardization Technical Committee (TC260) Effective 2023-12-01
  • § 09 · GB/T 44588

    Data Security Technology — Personal Information Processing Rules for Internet Platforms and Products/Services (GB/T 44588-2024)

    数据安全技术 互联网平台及产品服务个人信息处理规则 (GB/T 44588-2024)

    GB/T 44588-2024 is a recommended national standard setting personal-information processing rules tailored to internet platforms and their products and services. It addresses how platform operators — and the products, services and third-party providers within their ecosystems — should handle personal information consistently with PIPL, including the heightened 'gatekeeper' obligations PIPL imposes on large platforms. It is one of the 2024 'Data Security Technology' series standards that build sector- and scenario-specific guidance on top of PIPL's general framework.

    Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)
  • § 10 · GB/T 45574

    Data Security Technology — Security Requirements for Processing Sensitive Personal Information (GB/T 45574-2025)

    数据安全技术 敏感个人信息处理安全要求 (GB/T 45574-2025)

    GB/T 45574-2025 is a recommended national standard setting security requirements for processing sensitive personal information (敏感个人信息) as defined by PIPL Article 28. It addresses the heightened safeguards that attach across the lifecycle when handling sensitive PI — separate (and where required written) consent, specific-purpose and strict-necessity limits, intensified impact assessment, and enhanced technical and organizational controls. It complements the TC260 sensitive-PI identification guide by specifying how, once identified, sensitive PI must be protected.

    Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)
  • § 11 · GB/T 45577

    Data Security Technology — Data Security Risk Assessment Method (GB/T 45577-2025)

    数据安全技术 数据安全风险评估方法 (GB/T 45577-2025)

    GB/T 45577-2025 is a recommended national standard specifying a method for assessing data security risk. It provides the principles, framework, process and assessment content for identifying and evaluating risks to data across its lifecycle — covering data assets, threats, vulnerabilities, existing safeguards and potential impact — and for rating overall data-security risk. It is a 2025 'Data Security Technology' series standard supporting the risk-assessment duties of the Data Security Law and the network-data regime.

    Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)
  • § 12 · GB/T 46068

    Data Security Technology — Security Certification Requirements for Cross-Border Processing of Personal Information (GB/T 46068-2025)

    数据安全技术 个人信息跨境处理活动安全认证要求 (GB/T 46068-2025)

    GB/T 46068-2025 is a recommended national standard setting the security requirements for certifying cross-border processing of personal information — the personal-information protection certification route that PIPL Article 38 offers as one lawful basis for transferring personal information abroad. It specifies the requirements that handlers and overseas recipients must meet to be certified, including legally binding agreements, organizational and technical safeguards, and protection of data subjects' rights. It elevates and complements the earlier TC260 certification specification.

    Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)
  • § 13 · GB/T 46071

    Data Security Technology — Guide to Social Responsibility for Data Security and Personal Information Protection (GB/T 46071-2025)

    数据安全技术 数据安全和个人信息保护社会责任指南 (GB/T 46071-2025)

    GB/T 46071-2025 is a recommended national standard offering guidance on social responsibility in data security and personal information protection. It frames data security and PI protection as elements of organizational social responsibility, providing principles and guidance for organizations to take responsibility toward data subjects, society and the public — covering governance, transparency, stakeholder engagement and accountability. It is a 2025 'Data Security Technology' series standard that complements the binding duties of the DSL and PIPL with a responsibility-and-governance framing.

    Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)
  • § 14 · TC260 PI Audit Guide

    Cybersecurity Standards Practice Guide — Personal Information Protection Compliance Audit Requirements

    网络安全标准实践指南 — 个人信息保护合规审计要求

    This TC260 practice guide sets out requirements for conducting the personal-information-protection compliance audit that PIPL Article 54 requires handlers to perform periodically. It provides an audit framework — the matters to examine across a handler's personal-information processing against PIPL obligations — to support both self-audits and audits commissioned to professional bodies under the Administrative Measures for Personal Information Protection Compliance Audits. It is advisory practice guidance, not a mandatory standard.

    National Information Security Standardization Technical Committee (TC260)
  • § 15 · TC260 FRT Payment Guide

    Cybersecurity Standards Practice Guide — Personal Information Security Protection Requirements for Facial-Recognition Payment Scenarios

    网络安全标准实践指南 — 人脸识别支付场景个人信息安全保护要求

    This TC260 practice guide sets personal-information security protection requirements specific to facial-recognition payment (人脸识别支付) scenarios. It addresses how face data should be collected, verified, transmitted, stored and protected when facial recognition is used to authorize payments, with an emphasis on consent, the availability of non-facial alternatives, anti-spoofing and minimization. It is advisory practice guidance complementing the facial-recognition application rules and PIPL's sensitive-PI regime.

    National Information Security Standardization Technical Committee (TC260)
  • § 16 · TC260 QR Ordering Guide

    Cybersecurity Standards Practice Guide — Personal Information Protection Requirements for QR-Code Ordering

    网络安全标准实践指南 — 扫码点餐个人信息保护要求

    This TC260 practice guide sets personal-information protection requirements for QR-code ordering (扫码点餐) in restaurants and similar settings — a response to the common practice of forcing customers to follow accounts, register, or hand over excessive personal information just to view a menu or order. It emphasizes minimum necessity, the availability of order-without-registration options, and no forced follows or over-collection. It is advisory practice guidance applying PIPL's minimum-necessity principle and the app necessary-PI rules to this everyday scenario.

    National Information Security Standardization Technical Committee (TC260)
  • § 17 · TC260 Data Risk Assessment Guide

    Cybersecurity Standards Practice Guide — Implementation Guidelines for Network Data Security Risk Assessment

    网络安全标准实践指南 — 网络数据安全风险评估实施指引

    This TC260 practice guide gives step-by-step implementation guidelines for conducting a network data security risk assessment. It walks organizations through preparing for, executing and reporting an assessment of data-security risks across the data lifecycle — identifying assets, threats, vulnerabilities and impacts and rating overall risk — in support of the assessment duties created by the Network Data Security Management Regulations. It is the practice-oriented companion to the GB/T 45577 risk-assessment method, and is advisory rather than mandatory.

    National Information Security Standardization Technical Committee (TC260)
  • § 18 · GB/T 46901-2025 (PI Portability)

    Data Security Technology — Requirements for Personal Information Transfer Based on Individual Requests (GB/T 46901—2025)

    数据安全技术 基于个人请求的个人信息转移要求(GB/T 46901—2025)

    The first national standard implementing the personal-information-portability right in PIPL Article 45, effective July 1, 2026. It sets out two transfer models (subject-as-intermediary and processor-as-intermediary), scopes the portable-data boundary to actively-provided information and service-usage records — expressly excluding derived data such as profiling tags and friend graphs, network logs, trade secrets, and anonymized data — and fixes three preconditions: a consent-or-contract-necessity legal basis, no harm to third-party rights, and requests kept within reasonable limits (indicatively no more than twice a year). It prescribes a five-step process (initiation, verification, processing, export, import) with 15-working-day response times, mandatory structured and machine-readable export formats (CSV/JSON/XML), and dedicated rules for minors under 14, third-party data caught up in a transfer, and overseas recipients. Any consumer-facing personal information handler now has a concrete technical and procedural playbook to build against.

    State Administration for Market Regulation (SAMR) and Standardization Administration of China (SAC) Effective 2026-07-01
§ JUDICIAL INTERPRETATIONS

Judicial Interpretations .

司法解释 · Supreme People's Court

§ DRAFTS IN CONSULTATION

Drafts in Consultation .

征求意见稿

  • § 01 · GB/T 35273 (2026 draft) · DRAFT

    Data Security Technology — Personal Information Security Specification (2026 Draft for Comment)

    数据安全技术 个人信息安全规范(征求意见稿)

    The 2026 draft revision of GB/T 35273 — released by TC260 for public comment on June 17, 2026 (project No. 20260700-T-469; drafting lead CESI) to replace GB/T 35273-2020. It retitles the standard 'Data Security Technology — Personal Information Security Specification', expands normative references from one standard to eight, and recasts China's most-cited personal information benchmark from a consent/notice manual into a full-lifecycle governance framework. Headline additions: a Chapter 5 lawful-basis chapter importing PIPL Art. 13's seven bases with hard per-basis boundaries; a sensitive-PI redefinition aligned to PIPL Art. 28 with an aggregation rule; a 'separate consent' definition; a new eighth 'quality assurance' principle; dedicated AI/generative-AI clauses (6.7, 6.1, 8.4, 8.5.4); unified-account (8.6) and terminal/IoT (6.8) collection clauses; a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (person in charge, records, PIPIA, GB/T 46903 compliance audit). Subject-rights response tightens from 30 days to 15 working days. Comment draft, non-binding and non-final; formal release expected after 2027.

    National Cybersecurity Standardization Technical Committee (TC260); drafting lead: China Electronics Standardization Institute (CESI)
  • § 02 · App PI Collection and Use Provisions (Draft) · DRAFT

    Provisions on the Collection and Use of Personal Information by Internet Applications (Draft for Public Consultation)

    互联网应用程序个人信息收集使用规定(征求意见稿)

    A 39-article CAC draft, opened for comment on January 10, 2026, that consolidates app-privacy regulation into a single instrument covering four classes of actors for the first time: app operators, SDK operators, distribution platforms (app stores, mini-program and quick-app platforms), and smart-terminal/OS makers. It operationalizes minimum-necessary and notice-and-consent principles into granular, engineering-level rules — permission requests tied to the moment of use, scenario-based consent toggles, mandatory system-level storage-access frameworks in place of blanket storage permissions, on-device-only default storage for biometric identifiers, a 15-business-day account-cancellation deadline, and behavioral-audit duties for embedded SDKs. It also builds out platform-level gatekeeping: distribution platforms and terminal makers must vet operator identity before listing or preinstalling an app, refuse apps lacking a privacy policy or deletion/cancellation function, and post risk warnings on apps that regulators have publicly named for violations. For overseas counsel, this draft would sit alongside (and in several respects supersede in practice) the 2019 App PI Identification Method and the 2021 Necessary PI Scope Provisions, raising the bar on SDK due diligence, permission-timing UX, and cross-entity contractual allocation of responsibility across the app supply chain.

    Cyberspace Administration of China (CAC)
  • § 03 · Cybercrime Prevention Law (Draft) · DRAFT

    Cybercrime Prevention Law (Draft for Public Consultation)

    网络犯罪防治法(征求意见稿)

    China's first standalone, comprehensive cybercrime statute, drafted by the Ministry of Public Security with a comment period that closed March 2, 2026. It goes well beyond the Criminal Law's cybercrime provisions to build a full prevention and governance framework: real-name controls over phone cards, bank accounts, and network accounts; a fifteen-item catalogue of prohibited "cybercrime ecosystem" conduct such as technical support, financial support, and personal-information or data misuse; tiered monitoring and reporting duties for ten categories of internet service, including a special obligation for AI service providers to detect and block abuse of their services; and cross-border tools including technical blocking of offshore actors, asset seizure, and entry/exit bans. Overseas counsel should read it closely for Article 2's extraterritorial reach, which extends to any offshore entity serving PRC users whose conduct harms China's national security, public interest, or the lawful rights of PRC citizens or organizations.

    Ministry of Public Security (drafting); for eventual enactment by the NPC Standing Committee
  • § 04 · Small PI Processor Protection Guide (Draft) · DRAFT

    Data Security Technology — Guide for Personal Information Protection by Small Personal Information Processors (Draft for Public Consultation)

    数据安全技术 小型个人信息处理者个人信息保护指南(征求意见稿)

    A TC260 draft national standard implementing PIPL Article 62's mandate to write simplified personal-information rules for small processors — those handling fewer than 100,000 people's personal information, such as small merchants, sole proprietors, and community-service providers. It systematically scales down compliance expectations: oral or posted-notice consent in place of layered privacy policies, a five-year (rather than annual) compliance-audit cycle, a one-page impact-assessment worksheet (Annex D) instead of a formal PIPIA report, and SMS or phone verification for identity checks on rights requests. It also sets out four cross-border exemption scenarios and an audit exemption for processors already holding personal information protection certification. For overseas counsel, this is the practitioner-level document defining what proportionate PIPL compliance looks like at the smallest end of the market — the small merchants, franchisees, and local service providers that portfolio companies and platform counterparties often deal with in China.

    National Information Security Standardization Technical Committee (TC260)
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →