Key Data and Cybersecurity Laws
What are the key data privacy laws and regulations?

Last review date: 25 January 2026

  • The Law on Protection of Rights and Interests of Consumers, the latest amendments of which came into effect on 15 March 2014
  • The Interpretations of the Supreme People's Court and the Supreme Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement Upon Personal Information of Citizens, which came into effect on 6 January 2017
  • The Cybersecurity Law (CSL), which first came into effect on 1 July 2017 and was last amended in October 2025
  • The Provisions on Cyber Protection of Personal Information of Children, which came into effect on 1 October 2019
  • The Methods for Identifying Unlawful Acts of Collection and Use of Personal Information via Mobile Applications, which came into effect on 28 November 2019
  • The Civil Code, which came into effect on 1 January 2021
  • The Criminal Code, the latest amendments of which came into effect on 1 March 2021
  • The Data Security Law (DSL), which came into effect on 1 September 2021
  • The Regulations on Critical Information Infrastructure Security Protection, which came into effect on 1 September 2021
  • The Personal Information Protection Law (PIPL), which came into effect on 1 November 2021
  • The Cybersecurity Review Measures, which came into effect on 15 February 2022
  • The Measures on Security Assessment of Cross-border Data Transfer, which came into effect on 1 September 2022
  • The Announcement on the Implementation of Personal Information Protection Certification together with the Rules for the Implementation of Personal Information Protection Certification, which came into effect on 4 November 2022
  • The Measures for Data Security Management in the Field of Industry and Information Technology (Trial Implementation), which came into effect on 1 January 2023
  • The Measures for the Standard Contract for Cross-border Transfer of Personal Information, which came into effect on 1 June 2023
  • The Regulations on Protection of Minors Online, which came into effect on 1 January 2024
  • The Provisions on Facilitating and Standardizing Cross-Border Data Flow, which came into effect on 22 March 2024
  • The Regulations on the Administration of Network Data Security, which came into effect on 1 January 2025
  • The Measures for the Administration of Compliance Audit of Personal Information Protection, which came into effect on 1 May 2025
  • The Measures for the Administration of Application of Facial Recognition Technologies, which came into effect on 1 June 2025
  • The State Measures for the Administration of Reporting of Cybersecurity Incidents, which came into effect on 1 November 2025
  • The Measures for the Certification of Cross-Border Transfer of Personal Information, which came into effect on 1 January 2026

In addition to the above laws, regulations and judicial rules, China has also formulated (a) sector-tailored laws and regulations regarding the protection of personal information of customers in certain regulated industries and sectors (such as healthcare, financial services, telecommunications, industrials, automotive, credit-reporting and e-commerce, as enumerated above) and (b) sector-specific regulations and rules regarding the protection of core data and important data in critical sectors (such as energy and mining). There are also a number of published national standards that provide detailed recommendations or guidance on the processing of personal information to network operators (which broadly include any entity conducting business in China) and personal information processors (any organization or individual that, in the course of personal information processing activities, independently decides on the processing purposes and methods, i.e., a data controller).

What are the key cybersecurity laws and regulations?

Last review date: 26 January 2026

  • The Cybersecurity Law (CSL), which first came into effect on 1 July 2017 and was last amended in October 2025
  • The Methods for Identifying Unlawful Acts of Collection and Use of Personal Information via Mobile Applications, which came into effect on 28 November 2019
  • The Cryptography Law, which came into effect on 1 January 2020
  • The Data Security Law (DSL), which came into effect on 1 September 2021
  • The Regulations on Critical Information Infrastructure Security Protection, which came into effect on 1 September 2021
  • The Provisions on Administration of Security Vulnerabilities in Network Products, which came into effect on 1 September 2021
  • The Cybersecurity Review Measures, which came into effect on 15 February 2022
  • The Measures for Data Security Management in the Field of Industry and Information Technology (Trial Implementation), which came into effect on 1 January 2023
  • The Regulations on the Administration of Network Data Security, which came into effect on 1 January 2025
  • The State Measures for the Administration of Reporting of Cybersecurity Incidents, which came into effect on 1 November 2025

Please note that under the PRC's data protection and cybersecurity law regime, many pieces of legislation do not always deal exclusively and specifically with cybersecurity matters, and data protection laws and regulations are not completely segregated from those dealing with cybersecurity matters. Hence, many laws and regulations govern both data protection and cybersecurity at the same time (e.g., the CSL and the DSL).

What are the key laws and regulations relating to non-personal data?

Last review date: 26 January 2026

  • The Cybersecurity Law (CSL), which first came into effect on 1 July 2017 and was last amended in October 2025
  • The Data Security Law (DSL), which came into effect on 1 September 2021
  • The Network Data Security Management Regulations, which came into effect on 1 January 2025

Please note that the legal and regulatory regime over non-personal data in China is still evolving. On the one hand, the laws and regulations currently in force do not deal exclusively and specifically with non-personal data but often govern both non-personal data and personal data. On the other hand, the national-level rules on certain non-personal data are either in the form of high-level policies and principles (e.g., the Opinion on promoting the development and utilization of enterprise data resources issued by the National Data Administration) or in draft form (e.g., the draft regulations concerning the public data resources registration).