Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 13 January 2025

There is no omnibus data protection authority in China. Instead, multiple authorities are currently vested with the power to implement and enforce compliance with data protection and security laws, which include:

  • Cyberspace Administration of China (and its provincial offices)
  • National Data Administration (and its local offices/bureaus)
  • Ministry of Public Security and the local Public Security Bureaus
  • Ministry of Industry and Information Technology (MIIT) (and its local offices)
  • State Administration for Market Regulations (and its local offices)
  • For specially regulated sectors, data privacy and security matters are also under the supervision of sector-specific regulators.

How active is each of the regulator(s)?

Last review date: 13 January 2025

  • Cyberspace Administration of China (and its provincial offices)
  • Ministry of Public Security and the local Public Security Bureaus
  • Ministry of Industry and Information Technology (MIIT) (and its local offices)

All of the above authorities are very active.

  • National Data Administration (and its local offices/bureaus)
  • State Administration for Market Regulations (and its local offices)

Not very active.

For specially regulated sectors, data privacy and security matters are also under the supervision of sector-specific regulators.

Some are moderately active and others are very active.

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 13 January 2025

In 2024, CAC, as the leading regulator, has been actively focusing on:

  • Combating illegal online content and activities (including online infringement of the legitimate rights and interests of minors; Internet trolls; and spreading of online rumors related to public policy, emergencies, and social and livelihood areas)
  • Together with MIIT and several other authorities, continuing to regulate recommendation algorithms and deep synthesis in online information services and the provision of generative artificial intelligence by requiring the provision of these functions and services to be subject to registration requirements
  • Together with MIIT, continuing their efforts to inspect mobile applications, publishing those found in violation of the relevant data protection laws and ordering the relevant operators to rectify their non-compliance from time to time
  • Continuing its cybersecurity review and imposing sanctions on companies that committed serious violations of CSL and the PIPL.

The Ministry of Public Security continued its efforts to crack down on illegal acts jeopardizing national security and public interests (e.g., cyber violence, cyber gray industry), and serious cybersecurity breaches due to the failure to comply with cybersecurity obligations.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 13 January 2025

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

  • Staying the same

Class actions/group actions under data or cyber regulation are:

  • Not available in the jurisdiction

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 13 January 2025

There are:

Administrative remedies / civil penalties applied by regulators and law enforcement

If the processing of personal information violates the requirements of the PIPL, personal information protection authorities may issue an order for rectification, issue warnings and confiscate any unlawful income. Those refusing to rectify will be liable to a fine of up to RMB 1,000,000 (approx. USD 145,204.00). The person in charge and other personnel who bear direct responsibility will be liable to a fine of between RMB 10,000 (approx. USD 1,452.00) and RMB 100,000 (approx. USD 14,520.00).

For cases of a serious nature, personal information protection authorities may issue an order for rectification, confiscate any unlawful income, and impose a fine of up to RMB 50,000,000 (approx. USD 7,260.00) or 5% of the company's annual turnover for the previous year. The personal information protection authorities may also order the suspension of the business or operation for rectification and notify the authorities in charge of the cancellation of business permits or licenses. The person in charge and other personnel who bear direct responsibility will be liable to a fine of between RMB 100,000 (approx. USD 14,520.00) and RMB 1,000,000.00 (approx. USD 145,204.00), and may be barred from serving as a director, supervisor, senior officer or personal information protection officer in corporations for a certain period of time.

Criminal penalties from regulators and law enforcement

The penalties are fixed-term imprisonment of not more than three years or criminal detention, together with or instead of a fine. Where the violation is very serious, the person will be sentenced to fixed-term imprisonment of not less than three years but not more than seven years, together with a fine. Where the violator is an entity, the entity will be sentenced to a fine, while its directly responsible person will be subject to imprisonment as described above.

A range of factors, including the degree of harm caused by the crime, the amount of illegal gains derived from the crime, the criminal record of the defendant, and the defendant's attitude toward the admission of guilt and repentance, are considered when determining the amount of the penalty. In general, the amount of the penalty will be not less than one time and not more than five times the illegal gains (if any).

Private remedies

Tort liabilities which may include:

  • Cessation of infringement
  • Compensation for losses
  • Apology, and
  • Elimination of adverse impacts and restoration of reputation

Other

  • Notably, it is proposed that an operator's infringement of key data privacy and security requirements will also be recorded in its credit files which will be publicly accessible.

If data subjects have private remedies, what form can these remedies take?

Last review date: 1 January 2024

  • Individual personal actions
  • Representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)