Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 13 January 2025

  • omnibus – all personal data
  • sector-specific
    Healthcare, financial services, telecommunications, industrials, automotive, credit-reporting and e-commerce
  • constitutional
What are the key data privacy laws and regulations?

Last review date: 13 January 2025

  • The Law on Protection of Rights and Interests of Consumers, the latest amendments of which came into effect on 15 March 2014
  • The Interpretations of the Supreme People's Court and the Supreme Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement Upon Personal Information of Citizens, which came into effect on 6 January 2017
  • The Cybersecurity Law (CSL), which came into effect on 1 July 2017
  • The Provisions on Cyber Protection of Personal Information of Children, which came into effect on 1 October 2019
  • The Methods for Identifying Unlawful Acts of Collection and Use of Personal Information via Mobile Applications, which came into effect on 28 November 2019
  • The Civil Code, which came into effect on 1 January 2021
  • The Criminal Code, the latest amendments of which came into effect on 1 March 2021
  • The Data Security Law (DSL), which came into effect on 1 September 2021
  • The Regulations on Critical Information Infrastructure Security Protection, which came into effect on 1 September 2021
  • The Personal Information Protection Law (PIPL), which came into effect on 1 November 2021
  • The Cybersecurity Review Measures, which came into effect on 15 February 2022
  • The Measures on Security Assessment of Cross-border Data Transfer, which came into effect on 1 September 2022
  • The Announcement on the Implementation of Personal Information Protection Certification together with the Rules for the Implementation of Personal Information Protection Certification, which came into effect on 4 November 2022
  • The Measures for Data Security Management in the Field of Industry and Information Technology (Trial Implementation), which came into effect on 1 January 2023
  • The Measures for the Standard Contract for Cross-border Transfer of Personal Information, which came into effect on 1 June 2023
  • The Regulations on Protection of Minors Online, which came into effect on 1 January 2024
  • The Provisions on Facilitating and Standardizing Cross-Border Data Flow, which came into effect on 22 March 2024
  • The Regulations on the Administration of Network Data Security, which came into effect on 1 January 2025

Other than the above laws, regulations and judicial rules, China has also formulated sector-tailored laws and regulations regarding the protection of personal information of customers in certain regulated industries and sectors (such as healthcare, financial services, telecommunications, industrials, automotive, credit-reporting and e-commerce, as enumerated above). Also, there are a number of published national standards that provide detailed recommendations or guidance to network operators (which broadly include any entity conducting business in China) and personal information processors (which refer to any organization or individual that, in the course of personal information processing activities, independently decides on the processing purposes and methods, i.e., a data controller) for the processing of personal information.

What are the key cybersecurity laws and regulations?

Last review date: 13 January 2025

  • The Cybersecurity Law (CSL), which came into effect on 1 July 2017
  • The Methods for Identifying Unlawful Acts of Collection and Use of Personal Information via Mobile Applications, which came into effect on 28 November 2019
  • The Cryptography Law, which came into effect on 1 January 2020
  • The Data Security Law (DSL), which came into effect on 1 September 2021
  • The Regulations on Critical Information Infrastructure Security Protection, which came into effect on 1 September 2021
  • The Provisions on Administration of Security Vulnerabilities in Network Products, which came into effect on 1 September 2021
  • The Cybersecurity Review Measures, which came into effect on 15 February 2022
  • The Measures for Data Security Management in the Field of Industry and Information Technology (Trial Implementation), which came into effect on 1 January 2023
  • The Regulations on the Administration of Network Data Security, which came into effect on 1 January 2025

Please note that under the PRC's data protection and cybersecurity law regime, many pieces of legislation do not deal exclusively with cybersecurity matters, and data protection laws and regulations are not completely segregated from those dealing with cybersecurity matters. Hence, many laws and regulations govern both data protection and cybersecurity at the same time (e.g., the CSL and the DSL).

What are the key laws and regulations relating to non-personal data?

Last review date: 13 January 2025

  • The Data Security Law (DSL), which came into effect on 1 September 2021
  • The Network Data Security Management Regulations, which came into effect on 1 January 2025

Please note that the legal and regulatory regime over non-personal data in China is still evolving. On the one hand, the laws and regulations currently in force do not deal exclusively with non-personal data but often govern both non-personal data and personal data. On the other hand, the rules in relation to certain non-personal data at the national level are either in the form of high-level policies and principles (e.g., the Opinion on promoting the development and utilization of enterprise data resources issued by the National Data Administration) or in draft form (e.g., the draft regulations concerning the public data resources registration).

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 13 January 2025

Yes

Given that the framework of the PRC data protection and cybersecurity law regime is well established under the CSL, DSL, and PIPL, we do not anticipate any material changes to these key data privacy and cybersecurity laws in the near future. That being said, the implementing rules and regulations of the key data privacy and cybersecurity laws in China are still fast evolving and are quite fluid. A series of implementing regulations and rules, as well as judicial interpretations concerning the CSL, the DSL, and the PIPL are expected to be issued by the competent authorities for further implementation of these key data privacy and cybersecurity laws.

These include:

The draft regulations that have been finalized or the new regulations that have been issued since the last update on 2 January 2024:

  • The Provisions on Facilitating and Standardizing Cross-Border Data Flow ("New CBDT Rules") were issued on 22 March 2024 and took effect on the same date. The New CBDT Rules significantly relaxed the restrictions on cross-border transfers of data outside of China by adjusting the thresholds that trigger the regulatory formalities for cross-border data transfers and introducing various exemptions.
  • Interim Measures for Administration of Data Security of Accounting Firms were issued by the CAC and became effective on 1 October 2024.
  • The Regulations on the Administration of Network Data Security ("Network Data Security Regulations") were finalized and released on 30 August 2024 and became effective on 1 January 2025. The Regulations provide more detailed and comprehensive requirements on data protection.

The following regulations are either in draft form or have yet to become effective since the last update on 2 January 2024:

  • On 3 January 2025, the CAC issued a draft of the Measures for the Certification of Personal Information Protection for Cross-Border Data Transfers for public consultation. The draft measures proposed a comprehensive framework for certifying the security and compliance of the export of personal data out of China.