General · 通用.
76 entries. The economy-wide regime that applies across every sector — PIPL, the Data Security Law, the Cybersecurity Law, and the regulations, departmental rules, standards, and judicial interpretations built on them: personal information, data security and classification, cross-border transfer, and the data-element market.
Reference Handbooks .
权威实务手册 · institutional handbooks and joint guides
- § 01 · CN-SG Joint Guide
China–Singapore Joint Data Compliance Guide: Practical Handbook — China Chapter
中国—新加坡联合数据合规指引:实务手册(中国篇)
A 110-page bilingual practitioner handbook on Chinese data compliance, jointly compiled by the Shenzhen Data Exchange and Singapore's Asian Business Law Institute under the guidance of the Qianhai Authority. The China Chapter is structured around the Guide's two-axis compliance model: subject obligations (organizational structure, policy, classification & grading, partners, risk assessment, incident response) crossed with object types (general / important / personal / public / industry-specific data). Includes the regulator map, cross-border path selection trees, and worked examples. Current as of August 2025. This is the single most accessible authoritative reference DCC has identified for overseas counsel approaching the Chinese data regime.
Laws .
法律 · National People's Congress
- § 01 · PIPL
Personal Information Protection Law of the People's Republic of China
中华人民共和国个人信息保护法
PIPL is China's comprehensive personal-information protection regime. It is structured around the concept of the personal information handler — a Chinese-law term that should not be flattened to GDPR's data controller. PIPL governs consent, sensitive personal information, cross-border transfer, and the rights of individuals, with extraterritorial reach to handlers outside China that target domestic natural persons.
- § 02 · DSL
Data Security Law of the People's Republic of China
中华人民共和国数据安全法
The Data Security Law is the second of China's three foundational data statutes (alongside CSL and PIPL). It governs all data processing activities — not just personal information — and establishes the data classification and grading regime, the 'important data' and 'national core data' categories, security obligations for data handlers, the cross-border transfer restrictions on important data, and the prohibition on providing data to foreign judicial or enforcement bodies without approval.
- § 03 · CSL · AMENDED
Cybersecurity Law of the People's Republic of China (2025 Amendment)
中华人民共和国网络安全法(2025 修正)
The Cybersecurity Law is the earliest of the three foundational data-protection statutes. It establishes the Multi-Level Protection Scheme (MLPS), the Critical Information Infrastructure regime, network-operator obligations, and the cybersecurity review framework. The current text incorporates the 2025 amendment, which takes effect January 1, 2026.
- § 04 · Civil Code (PI Chapter)
Civil Code — Personality Rights Book, Chapter on Privacy and Protection of Personal Information
中华人民共和国民法典 · 人格权编 · 隐私权和个人信息保护章
Articles 1032–1039 of the Civil Code's Personality Rights Book establish the civil-law foundation for privacy and personal-information protection in China. The chapter defines the right of privacy, the scope of personal information, principles for handling, statutory defenses, individuals' rights of access and correction, processor obligations, and confidentiality duties of State organs. Civil-law remedies under this chapter operate alongside the public-law PIPL regime — neither displaces the other.
- § 05 · AUCL
Anti-Unfair Competition Law of the People's Republic of China
中华人民共和国反不正当竞争法
- § 06 · ATFL
Anti-Telecom and Online Fraud Law of the People's Republic of China
中华人民共和国反电信网络诈骗法
- § 07 · Minors Protection Law
Law on the Protection of Minors
中华人民共和国未成年人保护法
The umbrella statute for the protection of minors in China. Its 2020 revision added a dedicated 'Network Protection' chapter that anchors the entire minors-online-protection regime: internet-literacy education duties for the state, society, schools, and families (Art. 64); school management of smartphones and smart terminals (Art. 70); mandatory school bullying prevention-and-control systems with reporting duties for serious incidents (Art. 39); and school duties to notify parents and intervene when students show internet addiction (Art. 71). The Regulations on the Protection of Minors in Cyberspace (2024) implement the chapter at administrative-regulation level, and the MOE's Provisions on the Protection of Minors by Schools implement the school-facing duties.
Administrative Regulations .
行政法规 · State Council
- § 01 · CII Regulations
Security Protection Regulations for Critical Information Infrastructure
关键信息基础设施安全保护条例
These Regulations operationalize the Critical Information Infrastructure (CII) regime under CSL Articles 31–39. They define CII identification rules, set out CIIO obligations (specialized security body, annual testing and risk assessment, security review of network products, breach reporting), and establish the inter-agency coordination structure under CAC + Ministry of Public Security.
- § 02 · Data Twenty Opinions
Opinions of the CPC Central Committee and the State Council on Building a Basic Data System to Better Play the Role of Data Elements
中共中央 国务院关于构建数据基础制度更好发挥数据要素作用的意见
The foundational 20-article policy directive jointly issued by the CPC Central Committee and the State Council laying out China's national data basic system: data property rights structural subdivision (holding right / processing right / operation right), classified-and-graded right confirmation for public/enterprise/personal data, the on-floor + over-the-counter trading framework, the income distribution mechanism for data elements, and a multi-party governance model. This is the policy text that informs subsequent national-level legislation and rules on data assets, public data, and data property rights registration.
- § 03
Regulation on Network Data Security Management
网络数据安全管理条例
The Network Data Security Management Regulation is the State Council's overarching implementing regulation for the three foundational data-protection statutes (CSL, DSL, PIPL). It consolidates network-data security obligations, important-data identification and classification, cross-border transfer rules, security-incident reporting, and operator obligations for large data handlers and internet platforms. Promulgated as State Council Decree No. 790.
- § 04
Regulations on the Protection of Minors in Cyberspace
未成年人网络保护条例
Implementing regulation for the protection of minors under PIPL and CSL. Covers age-appropriate content, online education, addiction-prevention regimes for video games and short videos, sensitive personal information of minors (under 14), parental consent mechanisms, and platform obligations for products targeting or accessible to minors.
- § 05
Regulations on the Sharing of Government Data
政务数据共享条例
The first comprehensive State Council regulation specifically governing the sharing of government data across agencies. Establishes the unified national government-data sharing platform, defines responsibilities of the National Data Administration, sets data quality and security requirements, and addresses personal-information and important-data handling within the government-data context.
- § 06
Administrative Measures for Internet Information Services (2024 Revision)
互联网信息服务管理办法(2024 修订)
The foundational regulation of Internet Information Services (ICP) in China — the regulatory baseline beneath nearly every later data-protection rule. Establishes the ICP licensing regime (operational vs. non-operational), platform compliance obligations, content management, and the role of telecommunications and cyberspace administrative authorities. The 2024 revision aligns the regulation with CSL, DSL, PIPL, and the post-2022 platform rules.
- § 07 · PVISR
Administrative Regulation for Public Security Video Image Information Systems
公共安全视频图像信息系统管理条例
The State Council's overarching regulation for public security video image information systems (公共安全视频系统) in public places. Distinguishes three operator types: government-led, public-private partnership, and private-led, and applies graduated obligations depending on the operator type. Implements PIPL Article 26 for video-image capture in public places, including filing obligations, mandatory signage, retention, and security duties. Read with the 2025 FRT Measures (Decree No. 19) for facial-recognition deployments.
- § 08 · Shenzhen Data Regulations
Shenzhen Special Economic Zone Data Regulations
深圳经济特区数据条例
China's first comprehensive local data law, adopted by the Standing Committee of the Shenzhen Municipal People's Congress on 29 June 2021 and effective 1 January 2022. The Regulations pioneered express recognition of 'data rights and interests' (数据权益) — conferring personality-rights interests on individuals over their personal data and property-rights interests on lawful data processors over their data products — and introduced China's most detailed consent-and-notice regime for personal data at the time, including an explicit prohibition on big-data price discrimination against existing users (大数据杀熟). It established a public data sharing-as-default framework, a data factor market chapter with fair-competition rules, and comprehensive data security obligations including mandatory cross-border transfer security assessments. As the first sub-national regulation to span personal data, public data, the data factor market, and data security in a single instrument, Shenzhen's Regulations served as an influential drafting model ahead of PIPL (2021) and the Data Security Law (2021) and remain directly applicable to businesses operating in Shenzhen; overseas counsel should note that penalties for unlawful data trading can reach RMB 1 million, and anticompetitive data-market conduct can attract fines of up to 5% of prior-year revenue or RMB 50 million.
Departmental Rules .
部门规章 · CAC, MIIT, MPS and others
- § 01
Measures for the Security Assessment of Data Export
数据出境安全评估办法
The first of CAC's three cross-border transfer pathways. Required for CIIOs transferring any personal information or important data abroad, and for non-CIIO handlers above certain thresholds. Establishes the application procedure, evaluation factors, validity period, and self-assessment requirements. Read together with the 2024 Cross-border Data Flow Provisions, which relaxed thresholds.
- § 02
Provisions on Promoting and Regulating Cross-border Data Flows
促进和规范数据跨境流动规定
The 2024 Cross-border Data Flow Provisions are CAC's relaxation package on outbound data transfer. They introduce thresholds and exemptions for the security assessment, standard contract, and certification pathways, plus a free trade zone (FTZ) negative-list mechanism. For overseas counsel, this is the regulation that practically determines whether a routine cross-border transfer needs to clear formal CAC review or not.
- § 03
Data Property Rights Registration Work Guide (Trial)
数据产权登记工作指引(试行)
NDA's first national framework for the registration of Data Property Rights — the rights to hold, use, and operate data established under the Data 20 Articles policy. Issued by the NDA Comprehensive Department on July 1, 2026 as the Trial Work Guide, it sets out registration institutions, the registration procedure (application, acceptance, review, public announcement, objection handling, evidence preservation, certificate issuance), the ownership-clarity rules that determine who can register which right over which data, the five registration types (initial, transfer, change, renewal, deregistration), and liability for institutions and applicants. Compared with the April 2026 consultation draft, the final text tightens security/public-interest gates, adds a definition of derived data, shifts the national platform terminology to a service system, strengthens provincial management and institution-exit rules, narrows public-data registration from mandatory to conditional/voluntary wording, and moves certificate validity from issuance to evidence-preservation completion.
- § 04 · SCC Measures
Measures on the Standard Contract for the Outbound Transfer of Personal Information
个人信息出境标准合同办法
The second of CAC's three cross-border transfer pathways: signing a CAC-prescribed Standard Contract with the overseas recipient and filing it with the provincial CAC. Used by handlers below the Security Assessment thresholds. The Measures establish eligibility criteria, the filing procedure, ongoing obligations after filing, and the CAC's right to invalidate the contract on the recipient side. The Standard Contract template itself is annexed.
- § 05 · Network Data Risk Assessment Measures
Measures for Network Data Security Risk Assessment
网络数据安全风险评估办法
The first dedicated, cross-sector implementing rule for the annual network-data risk-assessment obligation created by the Network Data Security Management Regulation (State Council Decree No. 790). Jointly issued by the CAC, MIIT and the Ministry of Public Security as Order No. 24, it requires every important-data handler to conduct a risk assessment each year — and again whenever a material change in the security status of important data may adversely affect security — to retain the report for at least three years, and to submit it to the competent authority within 20 working days; general-data handlers are encouraged to assess at least once every three years. It builds the regime for third-party assessment institutions: voluntary certification, a ban on sub-entrustment, a no-more-than-three-consecutive-years rotation rule, and confidentiality and deletion duties. Regulators may compel a certified-institution assessment after a high-risk finding or a breach involving important data or large-scale personal information, and may order an important-data handler to stop processing important data where activities endanger national security or the public interest. Adopted June 1, 2026; promulgated June 18, 2026; effective August 20, 2026.
- § 06
Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information (First Edition)
个人信息出境标准合同备案指南(第一版)
CAC's procedural guide accompanying the SCC Measures. Specifies the filing materials required, where to file (provincial CAC), online filing system mechanics, materials acceptance and review timeline, and standardized templates for the power of attorney, the letter of commitment, the Standard Contract itself, and the Personal Information Protection Impact Assessment Report. Read together with the SCC Measures for the operational filing path.
- § 07 · Data Terms Batch 1
Explanation of Common Terms in the Field of Data (First Batch)
数据领域常用名词解释(第一批)
The first installment of official terminology explanations issued by the National Data Administration. Establishes authoritative Chinese government definitions for 40 foundational data-field concepts including data, primary data, data resources, data elements, data products and services, data assets, data handling, data handler, commissioned data handler, data circulation, data transaction, data governance, data security, public data, digital industrialization, industrial digitalization, metadata, structured/semi-structured/unstructured data, privacy-protective computation (secure multi-party computing, federated learning, trusted execution environment, cryptographic computing), and blockchain.
- § 08 · Data Terms Batch 2
Explanation of Common Terms in the Field of Data (Second Batch)
数据领域常用名词解释(第二批)
The second installment of official terminology explanations issued by the National Data Administration, continuing the consensus-building effort that began with the First Batch in December 2024. The 20 terms in this batch focus on data property rights vocabulary (Data Property Rights, Data Property Rights Registration, Right to Hold Data, Right to Use Data, Right to Operate Data, derived data, enterprise data); data trading institutions and market structure (data trading institution, on-exchange data trading, off-exchange data trading, data trading matching, data third-party professional service institution); the data industry and data labeling sub-industry; trusted data space and data use control; data infrastructure; and computing-power scheduling and pooling. DCC translation, cross-checked against the glossary for consistency with the public-data property-rights registration documents.
- § 09
Measures for the Certification of the Cross-border Provision of Personal Information
个人信息出境认证办法
The third of CAC's three cross-border transfer pathways — PI Protection Certification — finally given its own dedicated rules effective January 1, 2026. Joint issuance with SAMR (which administers the certification body accreditation regime). Establishes who can be certified, eligibility thresholds, what certification covers, and the relationship to the Security Assessment and Standard Contract pathways.
- § 10
Cybersecurity Review Measures
网络安全审查办法
The 2021 update to the cybersecurity review regime, expanded after the Didi enforcement action. Applies to (i) CIIO procurement of network products/services that may affect national security, and (ii) network platforms holding personal information of more than one million users when seeking an overseas listing. Sets the procedure, factors considered, and outcomes (no-action, conditional approval, prohibition).
- § 11
Administrative Measures for Personal Information Protection Compliance Audits
个人信息保护合规审计管理办法
These Measures implement the compliance-audit obligation in PIPL Article 54. Self-audit is required at least every two years for handlers of more than 10 million people's personal information; CAC-directed audits by a third-party specialized agency are triggered by significant risk, large-scale infringement, or major security incidents. The Measures are accompanied by a 27-section Guidelines annex that lays out exactly what auditors should examine — effectively a regulator-issued checklist for personal-information compliance.
- § 12 · Incident Reporting Measures
Measures for the Administration of National Cybersecurity Incident Reporting
国家网络安全事件报告管理办法
Issued by the CAC on September 11, 2025 and effective November 1, 2025, these Measures establish a unified national workflow for cybersecurity incident reporting, triggered whenever an incident is graded 'relatively significant' or above under the annexed Classification Guidelines (which track GB/T 20986-2023). Reporting clocks are calibrated by operator type: critical information infrastructure (CII) operators must report within one hour, central and state organs within two hours, and all other network operators within four hours, with tighter escalation windows for major and especially major incidents. Each report must cover eight specified elements — including, for ransomware, the ransom amount and payment deadline — and a comprehensive 30-day summary report is required after incident handling concludes; the 12387 hotline serves as the central intake. Article 11 creates an explicit safe harbour for operators that prepared adequately, responded under their emergency plan, and reported in good time, while Article 10 subjects late, false, or concealed reporting that causes serious harm to heavier penalties for both the entity and responsible individuals — a combination that overseas counsel should factor into incident-response playbooks for any China-nexus operation.
- § 13 · Children's PI Provisions
Provisions on the Online Protection of Children's Personal Information
儿童个人信息网络保护规定
China's first dedicated rule for children's personal information online, issued by the CAC in 2019 and effective October 1, 2019. It fixes 14 as the age of childhood, requires verifiable guardian consent before a network operator collects, stores, uses, transfers, or discloses a child's personal information, and imposes a guardian-facing notice-and-refusal regime, data-minimization and storage-limitation duties, encrypted storage, minimum-authorization access controls, entrustment and transfer safeguards, deletion and correction rights, and breach notification to guardians. It predates PIPL but is read together with PIPL Article 28 (which treats the personal information of minors under 14 as sensitive personal information) and the Regulations on the Protection of Minors in Cyberspace.
- § 14 · App PI Identification Method
Method for Identifying the Unlawful Collection and Use of Personal Information by Apps
App违法违规收集使用个人信息行为认定方法
Issued jointly in November 2019 by the CAC Secretariat, MIIT, MPS, and SAMR under Document No. 国信办秘字〔2019〕191号, this instrument provides the operational six-category test that regulators use to determine whether an app's collection and use of personal information is unlawful or excessive: (1) failure to publicly disclose collection and use rules; (2) failure to clearly state the purpose, method, and scope of collection; (3) collection without user consent; (4) collection beyond what is necessary for the service; (5) sharing personal information with third parties without consent; and (6) failure to provide deletion or correction functions or complaint channels. The method underpins the national App special-governance campaign and is the direct basis for app-store removal orders issued by regulators. Overseas counsel advising Chinese-market apps or cross-border data-sharing arrangements must treat compliance with each of the six categories as a threshold checklist, as a single identified violation can trigger mandatory rectification and removal.
- § 15 · Necessary PI Scope Provisions
Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications
常见类型移动互联网应用程序必要个人信息范围规定
These Provisions, issued jointly by the CAC, MIIT, MPS, and SAMR in March 2021 and effective May 1, 2021, define 'necessary personal information' as the minimum data indispensable for an app's basic functional service to operate — and expressly prohibit operators from refusing basic service to users who decline to provide non-necessary personal information. The Provisions enumerate 39 common mobile app categories (including map navigation, ride-hailing, instant messaging, online shopping, mobile banking, and more), specifying the precise personal information each category may require; 12 of the 39 categories — including browsers, input methods, news apps, and short-video apps — require no personal information at all for basic use. Overseas counsel advise on these Provisions when auditing the data-collection practices of apps distributed in China, assessing whether consent gates or account-wall practices are lawful, and preparing for MIIT or CAC enforcement inspections targeting excessive or non-necessary data collection.
- § 16 · Platform Rules Measures
Measures for the Supervision and Administration of Online Trading Platform Rules
网络交易平台规则监督管理办法
Departmental rule (SAMR/CAC Order No. 116) governing how online trading platform operators formulate, amend and enforce their platform rules (service agreements, in-platform management rules, dispute-handling rules, personal-information protection rules, IP rules, etc.). It requires conspicuous publication, comment solicitation, advance notice before changes take effect, retention of historical versions, and an appeals channel including human review where decisions are made solely by AI. Separate chapters address information/network/data security (including minors' protection and personal-information allocation between platforms and in-platform operators), protection of in-platform operators against unreasonable restrictions and fees, and consumer protection against discriminatory pricing and unilateral membership changes. Effective February 1, 2026.
- § 17 · CII Commercial Cryptography Provisions
Provisions on the Administration of the Use of Commercial Cryptography in Critical Information Infrastructure
关键信息基础设施商用密码使用管理规定
Departmental rule (State Cryptography Administration / CAC / Ministry of Public Security Order No. 5) requiring operators of critical information infrastructure (CII) to use commercial cryptography to protect their CII, and to plan, build and operate commercial-cryptography assurance systems concurrently with the CII itself. It mandates commercial-cryptography application security assessments at the planning, construction and operation stages (at least annually once in operation), requires the use of certified commercial-cryptography products and State-vetted algorithms, sets staffing and funding requirements (key administrators, cipher operators, security auditors), imposes annual reporting duties, and provides penalties of up to RMB 1,000,000. Effective August 1, 2025.
- § 18 · PI Certification Rules
Implementation Rules for Personal Information Protection Certification
个人信息保护认证实施规则
The Implementation Rules for Personal Information Protection Certification, issued as the annex to SAMR and CAC Joint Announcement No. 37 of 2022 on November 18, 2022, operationalize the certification pathway that PIPL Article 38(2) authorizes for cross-border transfers of personal information and that simultaneously governs domestic personal information protection certification. The Rules establish a three-stage certification model — technical verification, on-site audit, and post-certification supervision — grounded in GB/T 35273 (Personal Information Security Specification) for all personal information handlers, with the additional requirement that handlers engaged in cross-border processing activities comply with TC260-PG-20222A (Security Certification Specification for Cross-border Personal Information Processing Activities). Certification certificates are valid for three years, subject to ongoing supervisory audits, and may be suspended or revoked for non-compliance; certified handlers may display the corresponding certification mark (with a distinct cross-border variant). The Rules were subsequently supplemented by the Measures for the Certification of the Cross-border Provision of Personal Information (effective January 1, 2026), which specifically governs the cross-border certification route; overseas counsel advising on cross-border transfers should read the two instruments together, as the Implementation Rules set the foundational procedural framework that the 2026 Measures build upon.
- § 19 · PI Certification Announcement
Announcement on the Implementation of Personal Information Protection Certification
关于实施个人信息保护认证的公告
The November 2022 joint announcement by SAMR and CAC (Announcement No. 37 of 2022) formally launched the Personal Information Protection Certification scheme, designating approved certification bodies to conduct certification activities in accordance with the Implementation Rules for Personal Information Protection Certification and, for cross-border processing activities, the TC260 standard TC260-PG-20222A. Participation is voluntary: the announcement encourages personal information handlers to obtain certification as a means of demonstrating and improving their personal information protection capabilities. The announcement is short — one operative paragraph — and works in tandem with the accompanying Implementation Rules (attached to the announcement) and the subsequently issued Measures for the Certification of the Cross-border Provision of Personal Information (2026). For overseas counsel, the scheme provides a third compliance pathway alongside the Security Assessment and the Standard Contract for cross-border transfers of personal information.
- § 20 · Telecom & Internet User PI Provisions
Provisions on Protecting the Personal Information of Telecommunications and Internet Users
电信和互联网用户个人信息保护规定
Issued by the Ministry of Industry and Information Technology (MIIT) in July 2013 and effective 1 September 2013, these Provisions are the principal sector-specific rule governing the collection and use of users' personal information by telecommunications business operators and internet information service providers operating in China. They establish consent and notice requirements before collection, data-minimisation and purpose-limitation duties, strict confidentiality obligations, mandatory security safeguards (including access controls, breach reporting, annual self-audits, and staff training), and a two-tier penalty regime enforced by MIIT and its provincial communications-administration bureaus. Predating the Personal Information Protection Law (PIPL) by eight years, the Provisions remain in force as a sectoral antecedent and continue to bind telecom and ISP licensees directly through the licence-review process; overseas counsel advising clients who hold or apply for Chinese ICP or telecom value-added service licences must treat these Provisions as the operative data-protection floor alongside PIPL.
- § 21 · Children in Distress PI Measures
Working Measures for the Protection of the Personal Information of Children in Distress
困境儿童个人信息保护工作办法
Working measures (Min Fa [2024] No. 67) jointly issued by the Ministry of Civil Affairs and seventeen other central authorities and mass organizations to regulate the use and protection of the personal information of children in distress. Following the principle of 'whoever is in charge / whoever processes is responsible', the measures assign protection duties across the civil-affairs, education, health, judicial, publicity, cyberspace, culture-and-tourism and broadcasting systems, as well as trade unions, the Communist Youth League, women's federations and disabled persons' federations. They require consent of parents or guardians for processing the information of children under 14 (and consent of the child plus notice to guardians for those 14 and over), prohibit labeling, traffic-chasing and using such information for fundraising or live-stream commerce, and grant children and their guardians a right to inquire about and object to processing. Effective November 18, 2024.
- § 22 · Mobile App Information Services Provisions
Provisions on the Administration of Mobile Internet Application Information Services (2022 Revision)
移动互联网应用程序信息服务管理规定(2022 修订)
The 2022 revision of the CAC's flagship app-governance rule, effective 1 August 2022, imposes dual-track obligations on app providers and app distribution platforms (including app stores, mini-program platforms, and browser plug-in platforms). App providers must verify users' real identity information via mobile-phone number, identity-document number, or unified social credit code before enabling publication or messaging features, and must comply with personal information minimization requirements — including a prohibition on denying core service functionality solely because a user declines to supply non-essential personal information. App distribution platforms must register with provincial-level CAC offices within 30 days of going live, implement multi-factor real identity verification of every app provider seeking to list on the platform, and conduct substantive pre-listing and ongoing review of apps for legal compliance, data security risks, and illegal or excessive collection and use of personal information. Overseas counsel advise on these provisions because they set the compliance baseline that any foreign app operator — whether publishing directly or distributing through Chinese app stores — must satisfy before reaching Chinese users.
- § 23 · School Protection Provisions
Provisions on the Protection of Minors by Schools
未成年人学校保护规定
MOE Order No. 50, the school-facing implementing rule under the Law on the Protection of Minors. For the online-protection regime its load-bearing provision is Article 21: teachers and staff who discover students fabricating facts to defame others, spreading rumors or false information, or maliciously disseminating others' private information through networks or other means must stop it promptly — the hook that turns online defamation and privacy-spreading incidents among students into a school management duty, with civil supplementary liability under Civil Code Article 1201 if the school fails to act.
- § 24 · Data Export Declaration Guide (v3)
Guidelines for the Declaration of Data Export Security Assessment (Third Edition)
数据出境安全评估申报指南(第三版)
The CAC's third-edition procedural guide — issued and effective 27 June 2025 — sets out in detail who must file a Data Export Security Assessment declaration, the step-by-step filing process through the online declaration system (sjcj.cac.gov.cn), the eight categories of required materials (including the self-assessment report and the legally binding contract with the overseas recipient), and the newly introduced procedure for applying to extend an approved assessment's validity period. It supersedes the first and second editions, streamlines the documentary requirements, and clarifies the conditions (capped volume increases of no more than 20 % over the prior three-year approval period) and timeline (60 working days before expiry) for extension applications. Overseas counsel advising on cross-border data transactions need this guide to prepare compliant declaration packages and to structure the legal agreement with the overseas recipient so that it satisfies the mandatory contractual checklist in the self-assessment report template.
- § 25 · Data Security Certification Announcement
Announcement of the State Administration for Market Regulation and the Cyberspace Administration of China on Carrying Out Data Security Management Certification
国家市场监督管理总局、国家互联网信息办公室关于开展数据安全管理认证工作的公告
Announcement (SAMR/CAC Announcement No. 18 of 2022) launching a voluntary data security management certification scheme that encourages network operators to certify their network-data processing activities (collection, storage, use, processing, transmission, provision, disclosure, etc.) and strengthen network data security protection. The attached Data Security Management Certification Implementation Rules, based on the Regulations on Certification and Accreditation and the standard GB/T 41479 (Information security technology—Security requirements for network data processing), set out a certification mode of 'technical verification + on-site audit + post-certification supervision', the certification procedure, a three-year certificate validity period, and rules on certificates, certification marks and the responsibilities of certification bodies. Effective June 5, 2022.
- § 26 · GBA (Mainland-Macao) SCC Guidelines
Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao)
粤港澳大湾区(内地、澳门)个人信息跨境流动标准合同实施指引
Jointly issued on 10 September 2024 by the CAC, the Economic and Technological Development Bureau of the Macao SAR, and the Personal Data Protection Bureau of the Macao SAR, these Implementation Guidelines establish a bilateral facilitation arrangement that allows eligible personal information handlers registered or located in the nine Guangdong cities of the Greater Bay Area or the Macao SAR to transfer personal information between those two jurisdictions by executing a prescribed Standard Contract and filing it with the applicable local authority within 10 working days, without needing to pass a CAC security assessment — even where data volumes exceed the national thresholds that would otherwise trigger that assessment. The arrangement operates under the Cooperation Memorandum on Promoting Cross-Border Data Flows in the Guangdong-Hong Kong-Macao Greater Bay Area signed between the CAC and the Economic and Finance Bureau of the Macao SAR. The Guidelines exclude personal information classified as important data and require handlers to complete a Personal Information Protection Impact Assessment (PIPIA) before each cross-border provision. For overseas counsel, the arrangement is significant because it creates a distinct GBA intra-Bay-Area pathway that sits alongside — and in some respects relaxes — the three national cross-border transfer routes under PIPL and the Provisions on Promoting and Regulating Cross-border Data Flows.
- § 27 · GBA (Mainland-Hong Kong) SCC Guidelines
Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)
粤港澳大湾区(内地、香港)个人信息跨境流动标准合同实施指引
The 2023 GBA Mainland-Hong Kong facilitation arrangement jointly issued by the CAC and Hong Kong's Innovation, Technology and Industry Bureau on 10 December 2023, implementing the bilateral Memorandum of Cooperation on Promoting Cross-Border Data Flows in the Greater Bay Area. It establishes a simplified standard-contract pathway enabling personal information handlers and recipients registered or located in the nine mainland GBA cities (Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing) or in Hong Kong SAR to transfer personal information cross-border without triggering the full national-level security assessment regime, subject to a mandatory Personal Information Protection Impact Assessment and filing with the Guangdong CAC or the Hong Kong Office of the Government Chief Information Officer within ten working days of contract entry into force. Personal information that has been notified or publicly released as important data is excluded. This arrangement was the model for the subsequent September 2024 GBA Mainland-Macao version and matters to overseas counsel because it creates a distinct, lighter-touch bilateral track for intra-GBA flows that operates alongside — and does not replace — PIPL's three national-level pathways.
- § 28 · PIPO Reporting Announcement
Announcement on Carrying Out the Reporting of Personal Information Protection Officer Information
关于开展个人信息保护负责人信息报送工作的公告
The July 2025 CAC announcement operationalises the person-in-charge-of-personal-information-protection (PIPO) designation and filing requirement under PIPL Article 52 and Article 12 of the Administrative Measures for Personal Information Protection Compliance Audits: any personal information handler that processes the personal information of one million or more individuals must report the identity and contact details of its designated person in charge of personal information protection to the municipal-level CAC office where it is registered. Personal information handlers that had already crossed the one-million threshold before 18 July 2025 were given until 29 August 2025 to complete the initial filing; those crossing the threshold after that date must file within 30 business days. Reporting is done exclusively online through the Personal Information Protection Business System (grxxbh.cacdtsc.cn), also reachable from the CAC website's 'National Cyberspace Administration Affairs Hall.' For overseas counsel advising China-facing businesses, this announcement means that any client meeting the PIPL Art. 52 threshold must have a named, reported PIPO on file with the local regulator — failure to do so is an express regulatory violation.
- § 29 · Minors PI Audit Reporting Announcement
Announcement on Submitting Reports on the Compliance Audit of Minors' Personal Information Protection
关于报送未成年人个人信息保护合规审计情况的公告
Issued by the CAC on 29 December 2025, this short announcement operationalizes the annual compliance-audit-and-report obligation that Article 37 of the Regulations on the Protection of Minors in Cyberspace imposes on every personal information handler that processes personal information of minors. It fixes the annual reporting deadline (by 31 January of the following year), designates the local prefecture-level cyberspace administration authority as the recipient, mandates online submission through the CAC's Personal Information Protection Business System, and warns that failure to conduct or report the compliance audit will be dealt with under the applicable laws, regulations, and rules. The announcement bridges the PI Audit Measures (effective May 2025) and the minors-protection regime: any handler—regardless of scale—must audit its minors-PI practices each year. Overseas counsel advising multinationals with Chinese apps or platforms that reach minors should ensure clients have a standing annual audit-and-submission process in place before 31 January.
- § 30 · FISR Measures
Measures for the Security Review of Foreign Investments
外商投资安全审查办法
The Foreign Investment Security Review (FISR) Measures govern review of foreign investment in China that affects or may affect national security. Article 2 covers new projects, M&A of equity or assets, and other forms of domestic investment by foreign investors. Article 4 brings important information technology, internet products and services, and key technologies into the mandatory pre-notification scope. The test for the security review's bite is actual control — defined broadly to include >50% equity, voting-share thresholds, and other circumstances that materially influence operational decisions, personnel, finance, or technology. These Measures were the legal basis for the April 2026 ban on the Meta–Manus acquisition.
- § 31
Interim Measures for the Registration and Administration of Public Data Resources
公共数据资源登记管理暂行办法
The Interim Measures establish a nationally unified registration system for public data resources — data collections produced by Party and government organs and public institutions in the course of performing statutory duties or providing public services. Registration is mandatory for public data resources that fall within authorized-operation scope; voluntary registration is encouraged for other public data resources and for data products and services derived from them. The Measures set the registration procedure (application, acceptance, formal review, public announcement, code issuance), define four registration types (initial, change, correction, deregistration), establish a three-year validity period with renewal, and provide for graded supervision under NDA's overall administration. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists.
- § 32
Implementation Specifications for Authorized Operation of Public Data Resources (Trial)
公共数据资源授权运营实施规范(试行)
Companion rule to the Public Data Registration Interim Measures (also NDRC + NDA, January 2025). The Specifications establish the framework for 'authorized operation' (授权运营) of public data resources — the mechanism by which governments at and above the county level, and national sectoral authorities, can authorize qualified operating institutions to develop and operationalize public data resources, deliver data products and services to the market, and share in the revenue. Covers implementing institutions, operating institutions, the implementation plan, the agreement, supervision, anti-monopoly and security duties. The Operating-institution authorization period is capped at five years. Effective March 1, 2025, with a five-year validity period. DCC translation; no official English version exists.
- § 33 · Cybersecurity Label Measures
Measures for the Administration of Cybersecurity Labels
网络安全标识管理办法
A joint CAC–MIIT–MPS rule establishing a voluntary product-certification scheme — the 'China Cybersecurity Label' — for internet-connected products, layered into one/two/three-star tiers (basic, enhanced, and leading cybersecurity capability). Coverage is catalogue-managed: products are added in batches, each with its own implementing rules and technical basis, and critical network equipment and dedicated cybersecurity products already regulated under the 2023 security-management framework are carved out. Three-star products must clear penetration testing by a qualified third-party lab, and every label carries a scannable filing code linking to the test report and the manufacturer's compliance declaration. Misuse — forged or misappropriated labels, false advertising, or fabricated test results — triggers filing revocation, public naming, a one-year bar on re-filing, and entry into the national credit-information system. For overseas counsel, this is a market-facing trust mark rather than a mandatory compliance gate, but it interacts with existing MLPS and product-security obligations and is likely to become a de facto procurement or channel-access signal even though participation is nominally voluntary.
- § 34 · Trade Secret Protection Provisions
Provisions on the Protection of Trade Secrets
商业秘密保护规定
SAMR's rewrite of China's 1995 trade-secret enforcement rules — issued as Order No. 126 under the Anti-Unfair Competition Law — folds algorithms, data, and source code squarely into the definition of a protectable technical-information trade secret, and for the first time recognizes tiered access, data masking, and audit-log retention as adequate confidentiality measures for remote-work and cross-border collaboration setups. It also names electronic intrusion and unauthorized transfer of files to personal cloud drives or external storage as 'improper means' of misappropriation, giving SAMR an administrative-enforcement path for conduct that would otherwise only surface as a data-security incident or a cybercrime case. For overseas counsel, it matters less as a data-protection instrument than as the rule that now lets an aggrieved company route an insider data-exfiltration episode through market-regulation enforcement rather than the police or the courts alone.
- § 35 · Minors Harmful-Info Classification Measures
Measures for the Classification of Online Information That May Affect the Physical and Mental Health of Minors
可能影响未成年人身心健康的网络信息分类办法
A short but operationally important CAC-led rule that, for the first time, defines and catalogues a middle tier of online content: material that falls short of outright illegal content but may still harm minors' physical or mental health. It sorts this content into four classes — inducements to imitate unsafe or antisocial behavior, content harmful to values, improper use of a minor's image, and improper disclosure or use of a minor's personal information — and requires platforms to label it prominently and keep it out of high-traffic slots like homepages, push notifications, and trending lists when the audience includes minors. For overseas counsel, Article 6's personal-information category is the one to watch: it reaches conduct such as showing an under-14's schooling or daily life in enough detail to expose identifying information without guardian consent, or content that induces minors to disclose their own or others' personal information, layering content-moderation duties on top of existing PIPL and minors-protection consent obligations.
National Standards .
国家标准 · GB/T, TC260
- § 01 · GB/T 44297—2024
GB/T 44297—2024 Data Items of Video and Image Information for Public Security
GB/T 44297—2024 公共安全视频图像信息数据项
GB/T 44297—2024 is the national recommended standard that specifies the data items used in public-security video image information systems — the underlying field-level schema that camera systems, video platforms, and analysis tools use to describe and exchange video and image data. It applies to data exchange in networked public-security video applications. The standard catalogs more than twenty top-level data-item groups — covering camera information, system/platform information, equipment status, video clips, images, file objects, persons of interest, vehicles of interest, non-motor vehicles, items, scenes, events, regions, motion targets, subscriptions, feature vectors, organized data libraries, and real-time matching against reference lists — plus a set of normative code tables (Appendix D) used to encode the field values. The standard is technical reference material for system integrators and data engineers operating public-security video systems. Cross-reference to the *Administrative Regulation for Public Security Video Image Information Systems* (State Council Decree No. 799) and the *Facial Recognition Technology Application Measures* (CAC + MPS Decree No. 19), which set the legal duties; this standard tells operators what field-level data to capture and exchange in order to meet those duties.
- § 02 · TC260 Sensitive PI Guide
Cybersecurity Standards Practice Guide — Sensitive Personal Information Identification Guide (v1.0, September 2024)
网络安全标准实践指南 — 敏感个人信息识别指南 (v1.0-202409)
TC260's September 2024 practice guide for identifying sensitive personal information under PIPL Article 28. Sets out a four-rule identification framework — damage to personal dignity, to personal safety, to property safety, and aggregation effects — and lists eight common categories of sensitive personal information with illustrative examples in Appendix A. The guide is not a mandatory standard; it is advisory practice guidance issued by the TC260 Secretariat to help organizations operationalize PIPL's sensitive-PI regime. Practical reference for handlers performing the PIPIA required by PIPL Article 55(I) before processing sensitive personal information.
- § 03 · GB/T 43697
Data Security Technology — Rules for Data Classification and Grading (GB/T 43697-2024)
数据安全技术 数据分类分级规则 (GB/T 43697-2024)
GB/T 43697-2024 is the foundational national standard operationalizing the data classification and grading protection system mandated by DSL Article 21. Issued 15 March 2024 and effective 1 October 2024, it sets out the principles, framework, methods and workflow for classifying data by sector/business attribute and grading it into three tiers — core data (核心数据), important data (重要数据) and general data (一般数据) — and provides an important-data identification guide. It is the reference document that sector regulators use to build sector-specific catalogues and that data processors use to classify and grade their own holdings.
- § 04 · GB/T 35273
Information Security Technology — Personal Information Security Specification (GB/T 35273-2020)
信息安全技术 个人信息安全规范 (GB/T 35273-2020)
GB/T 35273-2020 is China's foundational recommended national standard on personal information protection. First issued in 2017 and revised in 2020, it predates PIPL and shaped much of its drafting; it sets out detailed good-practice requirements across the full personal-information lifecycle — collection, storage, use, sharing/transfer/disclosure, deletion — plus security incident handling and organizational governance. Although a recommended (non-mandatory) standard, it has long been the operational benchmark Chinese regulators reference, and it remains the most detailed practical gloss on PIPL's principles.
- § 05 · GB/T 39335
Information Security Technology — Guide for Personal Information Security Impact Assessment (GB/T 39335-2020)
信息安全技术 个人信息安全影响评估指南 (GB/T 39335-2020)
GB/T 39335-2020 is the recommended national standard that operationalizes the personal-information security impact assessment (PIA / 个人信息安全影响评估). It sets out the principles, implementation method, working steps and reporting format for assessing the risks that personal-information processing poses to data subjects' rights and interests. Issued in 2020 and effective 1 June 2021, it is the practical reference China's handlers use to conduct the impact assessment that PIPL Article 55 makes mandatory before high-risk processing activities.
- § 06 · GB/T 41479
Information Security Technology — Security Requirements for Network Data Processing (GB/T 41479-2022)
信息安全技术 网络数据处理安全要求 (GB/T 41479-2022)
GB/T 41479-2022 is the recommended national standard specifying security requirements for the processing of network data — data collected, stored, transmitted, used, provided, disclosed and deleted through networks. It sets lifecycle security requirements for network data processing activities by network operators, organized by processing stage, and serves as a baseline reference for implementing the data-security duties of the Cybersecurity Law and Data Security Law. It applies across general network operations and informs the Network Data Security Management Regulations.
- § 07 · GB/T 42460
Information Security Technology — Guide for Evaluation of Personal Information De-identification Effect (GB/T 42460-2023)
信息安全技术 个人信息去标识化效果评估指南 (GB/T 42460-2023)
GB/T 42460-2023 is the recommended national standard for evaluating whether a personal-information de-identification process has actually worked. It sets out the goals, principles, evaluation framework and methods for judging re-identification risk in de-identified datasets — covering identifiers, the choice of de-identification models, and how to test residual risk. It complements GB/T 37964 (the de-identification guide) by providing the effectiveness-evaluation half, and supports PIPL's treatment of de-identification and anonymization.
- § 08 · GB/T 42574
Information Security Technology — Implementation Guide for Notification and Consent in Personal Information Processing (GB/T 42574-2023)
信息安全技术 个人信息处理中告知和同意的实施指南 (GB/T 42574-2023)
GB/T 42574-2023 is the recommended national standard that operationalizes PIPL's notification (告知) and consent (同意) obligations. It gives handlers practical guidance on what to tell data subjects and how, when and in what form to obtain consent — including separate consent, written consent, consent from minors' guardians, and withdrawal of consent — across web, app and other interfaces. It is the implementation manual for PIPL Articles 14–17 and 23/25/29/39, turning the statute's notice-and-consent rules into concrete design requirements.
- § 09 · GB/T 44588
Data Security Technology — Personal Information Processing Rules for Internet Platforms and Products/Services (GB/T 44588-2024)
数据安全技术 互联网平台及产品服务个人信息处理规则 (GB/T 44588-2024)
GB/T 44588-2024 is a recommended national standard setting personal-information processing rules tailored to internet platforms and their products and services. It addresses how platform operators — and the products, services and third-party providers within their ecosystems — should handle personal information consistently with PIPL, including the heightened 'gatekeeper' obligations PIPL imposes on large platforms. It is one of the 2024 'Data Security Technology' series standards that build sector- and scenario-specific guidance on top of PIPL's general framework.
- § 10 · GB/T 45574
Data Security Technology — Security Requirements for Processing Sensitive Personal Information (GB/T 45574-2025)
数据安全技术 敏感个人信息处理安全要求 (GB/T 45574-2025)
GB/T 45574-2025 is a recommended national standard setting security requirements for processing sensitive personal information (敏感个人信息) as defined by PIPL Article 28. It addresses the heightened safeguards that attach across the lifecycle when handling sensitive PI — separate (and where required written) consent, specific-purpose and strict-necessity limits, intensified impact assessment, and enhanced technical and organizational controls. It complements the TC260 sensitive-PI identification guide by specifying how, once identified, sensitive PI must be protected.
- § 11 · GB/T 45577
Data Security Technology — Data Security Risk Assessment Method (GB/T 45577-2025)
数据安全技术 数据安全风险评估方法 (GB/T 45577-2025)
GB/T 45577-2025 is a recommended national standard specifying a method for assessing data security risk. It provides the principles, framework, process and assessment content for identifying and evaluating risks to data across its lifecycle — covering data assets, threats, vulnerabilities, existing safeguards and potential impact — and for rating overall data-security risk. It is a 2025 'Data Security Technology' series standard supporting the risk-assessment duties of the Data Security Law and the network-data regime.
- § 12 · GB/T 46068
Data Security Technology — Security Certification Requirements for Cross-Border Processing of Personal Information (GB/T 46068-2025)
数据安全技术 个人信息跨境处理活动安全认证要求 (GB/T 46068-2025)
GB/T 46068-2025 is a recommended national standard setting the security requirements for certifying cross-border processing of personal information — the personal-information protection certification route that PIPL Article 38 offers as one lawful basis for transferring personal information abroad. It specifies the requirements that handlers and overseas recipients must meet to be certified, including legally binding agreements, organizational and technical safeguards, and protection of data subjects' rights. It elevates and complements the earlier TC260 certification specification.
- § 13 · GB/T 46071
Data Security Technology — Guide to Social Responsibility for Data Security and Personal Information Protection (GB/T 46071-2025)
数据安全技术 数据安全和个人信息保护社会责任指南 (GB/T 46071-2025)
GB/T 46071-2025 is a recommended national standard offering guidance on social responsibility in data security and personal information protection. It frames data security and PI protection as elements of organizational social responsibility, providing principles and guidance for organizations to take responsibility toward data subjects, society and the public — covering governance, transparency, stakeholder engagement and accountability. It is a 2025 'Data Security Technology' series standard that complements the binding duties of the DSL and PIPL with a responsibility-and-governance framing.
- § 14 · TC260 PI Audit Guide
Cybersecurity Standards Practice Guide — Personal Information Protection Compliance Audit Requirements
网络安全标准实践指南 — 个人信息保护合规审计要求
This TC260 practice guide sets out requirements for conducting the personal-information-protection compliance audit that PIPL Article 54 requires handlers to perform periodically. It provides an audit framework — the matters to examine across a handler's personal-information processing against PIPL obligations — to support both self-audits and audits commissioned to professional bodies under the Administrative Measures for Personal Information Protection Compliance Audits. It is advisory practice guidance, not a mandatory standard.
- § 15 · TC260 FRT Payment Guide
Cybersecurity Standards Practice Guide — Personal Information Security Protection Requirements for Facial-Recognition Payment Scenarios
网络安全标准实践指南 — 人脸识别支付场景个人信息安全保护要求
This TC260 practice guide sets personal-information security protection requirements specific to facial-recognition payment (人脸识别支付) scenarios. It addresses how face data should be collected, verified, transmitted, stored and protected when facial recognition is used to authorize payments, with an emphasis on consent, the availability of non-facial alternatives, anti-spoofing and minimization. It is advisory practice guidance complementing the facial-recognition application rules and PIPL's sensitive-PI regime.
- § 16 · TC260 QR Ordering Guide
Cybersecurity Standards Practice Guide — Personal Information Protection Requirements for QR-Code Ordering
网络安全标准实践指南 — 扫码点餐个人信息保护要求
This TC260 practice guide sets personal-information protection requirements for QR-code ordering (扫码点餐) in restaurants and similar settings — a response to the common practice of forcing customers to follow accounts, register, or hand over excessive personal information just to view a menu or order. It emphasizes minimum necessity, the availability of order-without-registration options, and no forced follows or over-collection. It is advisory practice guidance applying PIPL's minimum-necessity principle and the app necessary-PI rules to this everyday scenario.
- § 17 · TC260 Data Risk Assessment Guide
Cybersecurity Standards Practice Guide — Implementation Guidelines for Network Data Security Risk Assessment
网络安全标准实践指南 — 网络数据安全风险评估实施指引
This TC260 practice guide gives step-by-step implementation guidelines for conducting a network data security risk assessment. It walks organizations through preparing for, executing and reporting an assessment of data-security risks across the data lifecycle — identifying assets, threats, vulnerabilities and impacts and rating overall risk — in support of the assessment duties created by the Network Data Security Management Regulations. It is the practice-oriented companion to the GB/T 45577 risk-assessment method, and is advisory rather than mandatory.
- § 18 · GB/T 46901-2025 (PI Portability)
Data Security Technology — Requirements for Personal Information Transfer Based on Individual Requests (GB/T 46901—2025)
数据安全技术 基于个人请求的个人信息转移要求(GB/T 46901—2025)
The first national standard implementing the personal-information-portability right in PIPL Article 45, effective July 1, 2026. It sets out two transfer models (subject-as-intermediary and processor-as-intermediary), scopes the portable-data boundary to actively-provided information and service-usage records — expressly excluding derived data such as profiling tags and friend graphs, network logs, trade secrets, and anonymized data — and fixes three preconditions: a consent-or-contract-necessity legal basis, no harm to third-party rights, and requests kept within reasonable limits (indicatively no more than twice a year). It prescribes a five-step process (initiation, verification, processing, export, import) with 15-working-day response times, mandatory structured and machine-readable export formats (CSV/JSON/XML), and dedicated rules for minors under 14, third-party data caught up in a transfer, and overseas recipients. Any consumer-facing personal information handler now has a concrete technical and procedural playbook to build against.
Judicial Interpretations .
司法解释 · Supreme People's Court
- § 01 · FRT Judicial Interpretation
Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Involving the Use of Facial Recognition Technology to Process Personal Information
最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定
The Supreme People's Court's interpretation of how civil courts should apply law in cases involving facial recognition. Defines what counts as 'processing facial information', enumerates conduct that infringes personality rights, addresses consent validity (mandatory consent through a service agreement is not valid), and sets out remedies and burden-of-proof allocation. Issued before PIPL took effect but designed to interoperate with PIPL's sensitive-personal-information regime.
- § 02 · PI Criminal Interpretation
Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases of Infringing upon Citizens' Personal Information
最高人民法院、最高人民检察院关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释
The principal judicial interpretation governing the crime of infringing upon citizens' personal information under Article 253a of the Criminal Law. It defines 'citizens' personal information', clarifies what constitutes 'providing' and 'illegally obtaining' such information, and sets quantitative thresholds for 'serious circumstances' and 'particularly serious circumstances' (e.g., 50 items of tracking, communication-content, credit-reporting or property information; 500 items of accommodation, communication-record, health or transaction information; 5,000 items of other personal information). It also addresses corporate liability, sentencing for related network crimes, and the determination of fines.
- § 03 · SPP PI Crime Reply
Reply of the Research Office of the Supreme People's Procuratorate on the Solicitation of Opinions Concerning the Application of Law in the Crime of Infringing upon Citizens' Personal Information
最高人民检察院法律政策研究室关于侵犯公民个人信息罪有关法律适用问题征求意见的复函
A short reply letter (Fa Yan [2018] No. 11) addressing whether 'citizens' personal information' under Article 253a of the Criminal Law is confined to the personal information of Chinese nationals. It concludes that the term covers not only the personal information of Chinese citizens but also that of foreign nationals and stateless persons, reasoning from the wording of the statute, legislative intent (equal protection), and judicial practice (excluding foreigners would let offenders escape punishment and be unworkable in mixed-data cases).
Drafts in Consultation .
征求意见稿
- § 01 · GB/T 35273 (2026 draft) · DRAFT
Data Security Technology — Personal Information Security Specification (2026 Draft for Comment)
数据安全技术 个人信息安全规范(征求意见稿)
The 2026 draft revision of GB/T 35273 — released by TC260 for public comment on June 17, 2026 (project No. 20260700-T-469; drafting lead CESI) to replace GB/T 35273-2020. It retitles the standard 'Data Security Technology — Personal Information Security Specification', expands normative references from one standard to eight, and recasts China's most-cited personal information benchmark from a consent/notice manual into a full-lifecycle governance framework. Headline additions: a Chapter 5 lawful-basis chapter importing PIPL Art. 13's seven bases with hard per-basis boundaries; a sensitive-PI redefinition aligned to PIPL Art. 28 with an aggregation rule; a 'separate consent' definition; a new eighth 'quality assurance' principle; dedicated AI/generative-AI clauses (6.7, 6.1, 8.4, 8.5.4); unified-account (8.6) and terminal/IoT (6.8) collection clauses; a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (person in charge, records, PIPIA, GB/T 46903 compliance audit). Subject-rights response tightens from 30 days to 15 working days. Comment draft, non-binding and non-final; formal release expected after 2027.
- § 02 · App PI Collection and Use Provisions (Draft) · DRAFT
Provisions on the Collection and Use of Personal Information by Internet Applications (Draft for Public Consultation)
互联网应用程序个人信息收集使用规定(征求意见稿)
A 39-article CAC draft, opened for comment on January 10, 2026, that consolidates app-privacy regulation into a single instrument covering four classes of actors for the first time: app operators, SDK operators, distribution platforms (app stores, mini-program and quick-app platforms), and smart-terminal/OS makers. It operationalizes minimum-necessary and notice-and-consent principles into granular, engineering-level rules — permission requests tied to the moment of use, scenario-based consent toggles, mandatory system-level storage-access frameworks in place of blanket storage permissions, on-device-only default storage for biometric identifiers, a 15-business-day account-cancellation deadline, and behavioral-audit duties for embedded SDKs. It also builds out platform-level gatekeeping: distribution platforms and terminal makers must vet operator identity before listing or preinstalling an app, refuse apps lacking a privacy policy or deletion/cancellation function, and post risk warnings on apps that regulators have publicly named for violations. For overseas counsel, this draft would sit alongside (and in several respects supersede in practice) the 2019 App PI Identification Method and the 2021 Necessary PI Scope Provisions, raising the bar on SDK due diligence, permission-timing UX, and cross-entity contractual allocation of responsibility across the app supply chain.
- § 03 · Cybercrime Prevention Law (Draft) · DRAFT
Cybercrime Prevention Law (Draft for Public Consultation)
网络犯罪防治法(征求意见稿)
China's first standalone, comprehensive cybercrime statute, drafted by the Ministry of Public Security with a comment period that closed March 2, 2026. It goes well beyond the Criminal Law's cybercrime provisions to build a full prevention and governance framework: real-name controls over phone cards, bank accounts, and network accounts; a fifteen-item catalogue of prohibited "cybercrime ecosystem" conduct such as technical support, financial support, and personal-information or data misuse; tiered monitoring and reporting duties for ten categories of internet service, including a special obligation for AI service providers to detect and block abuse of their services; and cross-border tools including technical blocking of offshore actors, asset seizure, and entry/exit bans. Overseas counsel should read it closely for Article 2's extraterritorial reach, which extends to any offshore entity serving PRC users whose conduct harms China's national security, public interest, or the lawful rights of PRC citizens or organizations.
- § 04 · Small PI Processor Protection Guide (Draft) · DRAFT
Data Security Technology — Guide for Personal Information Protection by Small Personal Information Processors (Draft for Public Consultation)
数据安全技术 小型个人信息处理者个人信息保护指南(征求意见稿)
A TC260 draft national standard implementing PIPL Article 62's mandate to write simplified personal-information rules for small processors — those handling fewer than 100,000 people's personal information, such as small merchants, sole proprietors, and community-service providers. It systematically scales down compliance expectations: oral or posted-notice consent in place of layered privacy policies, a five-year (rather than annual) compliance-audit cycle, a one-page impact-assessment worksheet (Annex D) instead of a formal PIPIA report, and SMS or phone verification for identity checks on rights requests. It also sets out four cross-border exemption scenarios and an audit exemption for processors already holding personal information protection certification. For overseas counsel, this is the practitioner-level document defining what proportionate PIPL compliance looks like at the smallest end of the market — the small merchants, franchisees, and local service providers that portfolio companies and platform counterparties often deal with in China.