
Data Privacy

China - AnJie Broad Law Firm
Answer...

The most important cross-sector legislation is the Personal Information Protection Law 2021, which sets forth comprehensive requirements for personal information (PI) protection. Other notable laws relevant to the governance of PI include:

  • the Cybersecurity Law 2016, which contains requirements concerning:
    • PI protection;
    • network operator responsibilities;
    • network products and services;
    • critical information infrastructure protection;
    • data localisation;
    • cross-border data transfer restrictions; and
    • government security assessments;
  • the Provisions on the Online Protection of Personal Information of Children 2019;
  • the Civil Code 2020;
  • the Law on the Protection of Minors 2020;
  • the Data Security Law 2021, which notably:
    • creates the concept of important data;
    • restricts important data exports; and
    • requires data to be protected based on classification;
  • the Regulations on Security Protection of Critical Information Infrastructure 2021;
  • the Anti-Monopoly Law 2022;
  • the Measures for the Security Assessment of Outbound Data Transfers 2022;
  • the Regulations on the Protection of Minors Online 2023;
  • the Criminal Law 2023;
  • the Measures for the Standard Contract for Outbound Transfer of Personal Information 2023;
  • the Regulations for Standardising and Promoting Cross-Border Data Flow 2024;
  • the Regulations on Network Data Security Management 2025; and
  • the Administrative Measures for Personal Information Compliance Audits 2025, effective 1 May 2025.

China - AnJie Broad Law Firm
Answer...

Many laws and regulations contain detailed requirements for specific sectors or certain data types, including:

  • the Regulations for Medical Institutions on Medical Records Management 2013;
  • the Administrative Measures for Credit Reporting Business 2021;
  • the Provisions of the Supreme People’s Court on Several Issues concerning the Application of Law in the Trial of Civil Cases Relating to the Use of Face Recognition Technology to Process Personal Information 2021;
  • the Administrative Provisions on Algorithmic Recommendation in Internet-Based Information Services 2021;
  • the Several Provisions on Vehicle Data Security Management 2021 (Trial);
  • the Interim Rules for Internet Diagnosis and Treatment Supervision 2022;
  • the Interim Measures for Scientific and Ethical Review 2023;
  • the Interim Measures for the Management of Generative Artificial Intelligence Services 2023; and
  • the Measures for Data Security Management of Banking and Insurance Institutions 2024.

The above list is not exhaustive.

China - AnJie Broad Law Firm
Answer...

China has not yet concluded any international data protection frameworks or agreements on PI protection.

China - AnJie Broad Law Firm
Answer...

China’s PI protection laws are enforced by the Cyberspace Administration of China (CAC) and sector-specific regulators, such as:

  • the Civil Aviation Administration of China;
  • the Ministry of Civil Affairs;
  • the Ministry of Health;
  • the Ministry of Industry and Information Technology (MIIT), whose jurisdiction includes the technology and telecommunications sectors, making it a particularly important PI protection regulator;
  • the Ministry of Public Security;
  • the National Financial Regulator Administration;
  • the State Administration for Market Regulation, whose jurisdiction includes consumer protection issues; and
  • the Supreme People’s Procuratorate.

The powers of the CAC include:

  • questioning anyone to investigate PI processing activities in any circumstances;
  • accessing and copying documents (eg, contracts, records, data mapping) related to PI processing activities;
  • conducting on-site inspections to check for illegal data processing activities;
  • checking equipment or items used for PI processing; and
  • seizing evidence of illegal PI processing activity.

All parties concerned must cooperate and cannot obstruct or refuse to assist the CAC in its duties.

The powers of other regulators to regulate PI processing within their areas of competence are similar to those of the CAC. However, the Ministry of Public Security and the Supreme People’s Procuratorate have additional powers in relation to investigating and prosecuting criminal acts involving PI.

China - AnJie Broad Law Firm
Answer...

Apart from laws and regulations, China also has recommended national standards (GB/T), technical guidance documents (GB/Z) and regulatory guidelines in place to support the governance of PI. These standards and guidelines are not mandatory but serve as highly respected resources that help businesses enhance their PI protection.

Key national standards include the following:

  • Personal Information Security Specification (GB/T 35273-2020): This standard is used by regulators for:
    • PI classification; and
    • the identification of sensitive PI.
    Some of its suggested practices are now quite commonly observed.
  • Data Classification and Grading (GB/T 43697-2024): This provides guidelines for data handlers to comply with their obligations under the 2021 Data Security Law.

China also has mandatory national and industry standards. However, none have general application to PI protection.

China - AnJie Broad Law Firm
Answer...

Article 3 of the 2021 Personal Information Protection Law states:

This Law shall apply to any activity of processing of personal information of a natural person that is carried out within the territory of the People’s Republic of China.

This Law shall also apply to any activity of processing of personal information of any natural person located within the territory of the People’s Republic of China that is carried out outside the territory of the People’s Republic of China under any of the following circumstances:

  1. Where the purpose of the activity is to provide a product or service to that natural person located within China;
  2. Where the purpose of the activity is to analyse or assess the behaviour of that natural person located within China; or
  3. Any other circumstance as provided by law or administrative regulations.

Thus, personal information (PI) will be protected by the 2021 Personal Information Protection Law:

  • if it is processed in China (eg, collection, storage, use, processing, transmission, provision, disclosure, deletion);
  • if it is processed outside China to:
    • provide a product or service to an individual in China; or
    • analyse or assess the behaviour of an individual in China; or
  • in other situations stipulated in the law.

China - AnJie Broad Law Firm
Answer...

Article 72 of the 2021 Personal Information Protection Law states:

This Law does not apply to the processing of personal information by natural persons due to their personal or family affairs.

Where any law provides for the processing of personal information during the statistical or archives management activities organised or conducted by a people’s government at any level or a relevant department thereof, such provision shall prevail.

The precise scope of Article 72(1) is unclear. However, given the typically conservative approach adopted by Chinese regulators, a narrow and literal reading should be adopted.

As for Article 72(2), it applies only to activities organised or conducted by the Chinese government.

China - AnJie Broad Law Firm
Answer...

Yes.

The 2021 Personal Information Protection Law applies not only to PI processing within China but also to processing activities conducted outside of China:

  • where the PI of individuals located in China is being processed;
  • where the processing is carried out to provide products or services to or analyse or assess the behaviour of individuals located in China; and
  • in other circumstances defined in laws and administrative regulations.

China - AnJie Broad Law Firm
Answer...

(a) Data processing

Article 4 of the 2021 Personal Information Protection Law states: “Processing of personal information includes the collection, storage, use, alteration, transmission, provision, disclosure, and deletion of personal information.”

This illustrative list should not be regarded as exhaustive.

(b) Data processor

Entrusted processors are those who process personal information (PI) on behalf of others. ‘Entrusted processors’ are not defined in the 2021 Personal Information Protection Law, but their nature can be discerned in the context of Article 21, which provides as follows:

A personal information processor contracting the processing of personal information to another party shall agree with the contracted party on the purpose, period, and method of the contracted processing, the type of personal information to be processed, any protection measure to be taken, and the rights and obligations of both parties, etc, and supervise the activities of processing of personal information carried out by the contracted party.

The contracted party shall process personal information as agreed, and shall not process personal information beyond the agreed purpose and method of the contracted processing; if the contract of the contracted processing fails to become effective, becomes null and void, or is cancelled or terminated, the contracted party shall return the personal information to the contracting personal information processor or delete it, and shall not retain such information.

Without the approval of the contracting personal information processor, the contracted party shall not subcontract the contracted processing of personal information to any other person.

Given the above, a contract containing these elements should be considered a necessary (but not a sufficient) condition for establishing an entrusted processing relationship.

(c) Data controller

Article 73 of the 2021 Personal Information Protection Law states: “‘Personal information processor’ refers to any organisation or individual that independently determines the purpose and method of processing in their activities of processing of personal information.”

(d) Data subject

This is not explicitly defined in the 2021 Personal Information Protection Law. However, the Personal Information Security Specification (GB/T 35273-2020), a highly respected recommended national standard, defines a ‘PI subject’ as a “natural person identified by or associated with PI”.

(e) Personal data

Article 4 of the 2021 Personal Information Protection Law states: “Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymised.”

(f) Sensitive personal data

Article 28 of the 2021 Personal Information Protection Law states:

Sensitive personal information refers to personal information that, once leaked or illegally used, will easily lead to infringement of the human dignity or harm to the personal or property safety of a natural person, including biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other information of a natural person, as well as any personal information of a minor under the age of 14.

This is a risk-based definition with a non-exhaustive list of examples. As such, and strictly speaking, a case-by-case analysis of data elements should be conducted to ascertain whether they might constitute sensitive PI.

(g) Consent

Consent is not explicitly defined but can be better understood from the wording of Article 14 of the 2021 Personal Information Protection Law, which states:

Where personal information is to be processed based on consent of an individual, such consent shall be a voluntary and explicit indication of intent given by such individual on a fully informed basis. Where specific consent or written consent shall be obtained from individuals for the processing of their personal information as provided by any law or administrative regulations, such provision shall prevail.

In the event of any change of the purpose or method of processing or the type of personal information to be processed, personal consent shall be obtained anew.

China - AnJie Broad Law Firm
Answer...

Other key terms include the following:

  • “‘De-identification’ refers to the process in which any personal information is processed to the extent that it cannot identify a specific natural person without the help of additional information.”
  • “‘Anonymisation’ refers to the process in which any personal information is processed to the extent that it cannot identify a specific natural person and cannot be restored to its original state.”

The key difference between de-identification and anonymisation is restorability. De-identified PI is restorable; anonymised PI is not.

China - AnJie Broad Law Firm
Answer...

There are no general requirements for the registration of personal information (PI) processors or entrusted processors. However, PI processors outside of China should:

  • establish a specialised agency or designate a representative; and
  • report the particulars of that entity to the districted city-level cyberspace administration department with geographical jurisdiction over the entity.

China - AnJie Broad Law Firm
Answer...

There are no general requirements for the registration of PI processors or entrusted processors.

No detailed requirements for registration of PI processors outside of China currently exist.

China - AnJie Broad Law Firm
Answer...

The particulars of a PI processor and certain recipients of PI should be set out in their publicly disclosed privacy policies.

China - AnJie Broad Law Firm
Answer...

The legal bases for processing personal information (PI) under the 2021 Personal Information Protection Law are as follows:

  • Consent has been obtained from the individual.
  • The processing is necessary:
    • for the conclusion or performance of a contract to which the individual is a contracting party; or
    • to carry out human resources management under an employment policy legally established or a collective contract legally concluded.
  • The processing is necessary to perform a statutory responsibility or statutory obligation.
  • The processing is necessary to:
    • respond to a public health emergency; or
    • protect the life, health or property of the natural person in case of an emergency.
  • The PI is processed within a reasonable scope to carry out:
    • news reporting;
    • supervision by public opinions; or
    • any other activity for public interest purposes.
  • PI which has already been disclosed by the individual or which has been otherwise legally disclosed is processed within a reasonable scope and in accordance with the law.
  • Any other circumstance provided for by law or administrative regulations applies.

In addition to having a legal basis, separate consent – a form of enhanced consent – is required for:

  • transfers of PI to third-party PI processors (PI processors are the functional equivalent of ‘controllers’ under the EU General Data Protection Regulation);
  • the use of surveillance footage for purposes other than security;
  • the processing of the PI of minors under the age of 14;
  • the processing of sensitive PI; and
  • cross-border PI transfer out of China.

China - AnJie Broad Law Firm
Answer...

The basic principles for PI processing under the 2021 Personal Information Protection Law include the following:

  • Lawfulness, fairness, necessity and good faith: PI processing must:
    • comply with laws and regulations;
    • be based on necessary and justifiable grounds; and
    • not involve misleading, fraudulent or coercive actions.
    The Cyberspace Administration of China, the primary regulator of PI, often takes a strict approach to necessity and, in the context of PI exports from China, may ask why specific data elements (eg, mobile phone numbers, passport photos, bank account numbers) need to be exported from China.
  • Purpose limitation: PI processing purposes should be restricted to the minimal scope needed for providing a service or achieving the processing purpose, conducted non-excessively with minimal impact on personal rights. Often, the purpose must be understood from the perspective of the PI subject, not the PI processor.
  • Openness and transparency: Rules for PI processing must be disclosed, with explicit statements about the purpose, method and scope of processing.
  • Accuracy and quality: PI quality must be maintained during processing to prevent negative impacts on personal rights due to incorrect or incomplete PI.
  • Accountability: Processors:
    • are responsible for their PI processing activities; and
    • must take necessary measures to ensure the security of the PI they handle.

China - AnJie Broad Law Firm
Answer...

Chinese regulators like straightforward approaches and appear to dislike technical arguments to justify processing activities. As such, it is worthwhile:

  • leaving clear paper trails; and
  • using explicit language in consent forms, policies and similar.

China - AnJie Broad Law Firm
Answer...

  • Transfers of personal information (PI) due to the merger, division, dissolution or declared bankruptcy of the PI processor or any other reason: Article 22 of the 2021 Personal Information Protection Law provides that the PI processor must inform the PI subject of the name and contact information of the receiving party. The receiving party must continue to perform the obligations of the original PI processor. In case of any change to the original purpose or method of processing, the receiving party must obtain consent anew from the relevant PI subject.
  • Transfers of PI to another PI processor: Article 23 of the 2021 Personal Information Protection Law provides that a PI processor must inform PI subjects of:
    • the name and contact information of any receiving party;
    • the purpose and the method of processing; and
    • the type(s) of PI involved.
    Additionally, the PI processor must obtain separate consent from the involved PI subject. The receiving party must process the PI received within the agreed scope of processing. In case of any change to the original purpose or method of processing, the receiving party must obtain consent anew from the relevant PI subject.

China - AnJie Broad Law Firm
Answer...

The 2021 Personal Information Protection Law and the 2024 Regulations for Standardising and Promoting Cross-Border Data Flow set out three conditions permitting cross-border data transfers (CBDTs), as follows:

  • A security assessment organised by the Cyberspace Administration of China (CAC) has been passed;
  • A PI protection certification has been issued by a professional institution as per the regulations of the national CAC; or
  • A contract in compliance with the standard contract provided by the CAC has been concluded with the overseas recipient and then filed with a provincial branch of the CAC.

The 2024 Regulations for Standardising and Promoting Cross-Border Data Flow set out certain criteria for relevant legal paths, including:

  • entity type;
  • data type; and
  • exported data amount.

These criteria are set out below.

Entity type / data type / data exported since 1 January of the current year / CBDT legal path:

  • Critical information infrastructure operators (CIIOs) exporting PI or important data (any amount): security assessment.
  • Non-CIIOs exporting important data (any amount): security assessment.
  • Non-CIIOs exporting PI of more than 1 million individuals (excluding sensitive PI) or sensitive PI of more than 10,000 individuals: security assessment.
  • Non-CIIOs exporting PI of 100,000–999,999 individuals (excluding sensitive PI) or sensitive PI of fewer than 10,000 individuals: standard contract or certification. (Note: For the avoidance of doubt, if the PI exported exceeds 999,999 individuals or the sensitive PI exported exceeds 9,999 individuals, the security assessment applies.)
  • Non-CIIOs exporting PI of fewer than 100,000 individuals (excluding sensitive PI): exempt.

However, the Regulations for Standardising and Promoting Cross-Border Data Flow also establish certain scenarios that are exempt from the CBDT mechanisms, including:

  • exporting data other than important data and PI;
  • exporting imported overseas PI;
  • exporting PI for the signing or performance of a contract to which an individual is a contracting party;
  • exporting the PI of employees for the purposes of cross-border human resources management; and
  • exporting PI that is necessary to protect the life, health or property of natural persons in the case of an emergency.

China - AnJie Broad Law Firm
Answer...

  • Conduct a personal information protection impact assessment (PIPIA): According to Article 55 of the 2021 Personal Information Protection Law, transferring PI to a third party and transferring PI abroad are processing activities which have a material impact on personal rights and interests. As such, a PI processor should conduct a PIPIA before such transfers.
  • Obtain separate consent: According to the 2021 Personal Information Protection Law and the Regulations for Standardising and Promoting Cross-Border Data Flow, if consent serves as the legal basis for processing PI, the PI processor must obtain separate consent from the PI subject before transferring their PI abroad.
  • Issue a data transfer notice: Under the 2021 Personal Information Protection Law, whether transferring PI to another PI processor within China or transferring PI abroad, the PI processor must notify the PI subject of:
    • the name and contact information of the receiving party;
    • the purpose and method of processing; and
    • the type of PI involved.
    Additionally, when transferring PI abroad, the PI subject must be informed of how they can exercise their PI rights with the overseas recipient.

China - AnJie Broad Law Firm
Answer...

Personal information (PI) subjects (‘data’ is a term of art in China and has a wider meaning than PI) have the following rights under the 2021 Personal Information Protection Law:

  • the right to withdraw consent (if applicable);
  • the right to be informed;
  • the right to decide;
  • the right to restrict or deny processing;
  • the right to access and copy;
  • the right to data portability;
  • the right to correct and complete information;
  • the right to deletion;
  • the right to clarify processing activities; and
  • the right to access the PI of deceased relatives, unless they have previously objected to this.

PI processors must provide convenient means for exercising these rights (eg, contact details, automated tools or mechanisms outlined in privacy policies).

China - AnJie Broad Law Firm
Answer...

There is no clearly mandated method for exercising PI rights under the 2021 Personal Information Protection Law.

By law, PI subjects should be provided with the name and contact details of the PI processor before processing. Those contact details can be used to exercise rights.

Additionally, PI processors are expected to establish an accessible mechanism for receiving requests from individuals to exercise their rights. In the context of mobile apps, Chinese regulators often operate something called a ‘four-clicks’ rule: if it takes more than four clicks to access a mechanism for exercising rights, that mechanism will not be considered accessible. As such, businesses cannot impose complicated processes for exercising rights on individuals.

China - AnJie Broad Law Firm
Answer...

While somewhat dependent on the rights in question, individuals can:

  • litigate;
  • request the performance of obligations; and
  • claim damages.

In the first litigation in China on such matters, the claimant was awarded around RMB 20,000 in damages for violations of the 2021 Personal Information Protection Law involving consent, excessive processing and transparency issues.

China - AnJie Broad Law Firm
Answer...

Not every PI processor needs to appoint a data protection officer (DPO).

Article 8 of the 2019 Children’s PI Provisions provides that a personal information (PI) processor that processes children’s PI must appoint a dedicated person responsible for protecting children’s PI.

The 2021 Personal Information Protection Law generally requires PI processors that process a large amount of PI to appoint a personal information protection officer (hereinafter ‘DPO’) who is responsible for supervising its PI processing activities. Article 12 of the 2025 Administrative Measures for Personal Information Compliance Audits (‘PIPCA Measures’) sets this threshold at the information of 1 million individuals or more.

China - AnJie Broad Law Firm
Answer...

According to the 2025 PIPCA Measures, a DPO should be someone who:

  • has relevant management experience and PI protection expertise; and
  • is familiar with PI protection laws and administrative regulations.

Additionally, both the 2021 Personal Information Protection Law and the 2025 PIPCA Measures provide that:

  • the contact information of the DPO should be publicly disclosed; and
  • the name and contact information of the DPO should be submitted to the relevant authority.

However, the submission process is unclear at present.

China - AnJie Broad Law Firm
Answer...

According to the 2025 PIPCA Measures and the Personal Information Security Specification (GB/T 35273-2020), the key responsibilities of a DPO are as follows:

  • Coordinate the internal PI security efforts of the organisation and bear direct responsibility for PI security;
  • Organise the development of a PI protection work plan and supervise and promote its implementation;
  • Draft, issue, implement and regularly update PI protection policies and related procedures;
  • Establish, maintain and update a list of PI that the organisation possesses (including the type, amount, source and recipient of the PI) and the policy for access authorisation;
  • Carry out PI security impact assessments, put forward measures and suggestions for PI protection and supervise and promote the rectification of security risks;
  • Organise PI security training;
  • Conduct testing before the release of products or services to avoid undisclosed PI collection, use, sharing and other processing activities;
  • Publish information, such as the channel for complaints and tip-offs, and promptly accept and handle complaints and tip-offs;
  • Conduct security audits and PI protection compliance audits; and
  • Liaise with the supervision and management departments to inform them of or report to them on the status of PI protection and incident handling.

China - AnJie Broad Law Firm
Answer...

No laws or regulations prohibit the outsourcing of the DPO role.

However, in local practice, the DPO is typically positioned within the entity’s legal, compliance, internal control or security team. It is advisable to appoint a person with a high degree of Chinese language proficiency to effectively handle inquiries and investigations from enforcement authorities.

China - AnJie Broad Law Firm
Answer...

Article 55 of the 2021 Personal Information Protection Law explicitly stipulates that a PI processor must conduct a personal information protection impact assessment (PIPIA) before engaging in the following activities and keep a record of the processing:

  • processing sensitive PI;
  • using PI in automated decision-making;
  • entrusting a third party to process PI, providing PI to another PI processor or disclosing PI to the public;
  • transferring of PI across borders; and
  • any other PI processing activities that may significantly impact personal rights and interests.

The PIPIA must be kept on file for at least three years.

From a practical perspective, process-based data mapping is necessary to comply with the 2021 Personal Information Protection Law. This is because the law and its implementing regulations often govern PI on a process-by-process basis (as opposed to a system-by-system basis). Without such data mapping, it would be very difficult to identify and manage the overall PI processing activities of an organisation.

China - AnJie Broad Law Firm
Answer...

The 2025 PIPCA Measures provide that the Cyberspace Administration of China and other authorities responsible for PI protection may require PI processors to conduct PI compliance audits if any of the following circumstances occur:

  • A significant risk, such as a serious impact on individuals’ rights and interests or a severe lack of security measures, is identified in the PI processing activities;
  • The PI processing activities may infringe the rights and interests of a large number of individuals; or
  • A PI security incident occurs, resulting in the leakage, alteration, loss or damage of:
    • the PI of more than 1 million individuals; or
    • the sensitive PI of more than 100,000 individuals.

Upon completion of the PI compliance audit, the audit report must be submitted to the relevant authorities. Any issues identified during the audit must be addressed and a report on remediation measures should be submitted to the relevant authorities within 15 working days of completion of those measures.

China - AnJie Broad Law Firm
Answer...

Personal information (PI) processors must take the following measures to ensure the compliance of their PI processing activities with laws and administrative regulations and to prevent any unauthorised access to, leakage of, tampering with or loss of PI:

  • Develop an internal management system and operating procedures;
  • Manage PI based on classification;
  • Take appropriate technical security measures, such as encryption and de-identification;
  • Reasonably determine the authorisations to operate the processing of PI;
  • Conduct regular security education and training for employees;
  • Develop and organise the implementation of emergency plans for PI security incidents; and
  • Take any other measure as required by law or administrative regulations.

PI processors are responsible for the actions of the entrusted processors. As such, the above obligations or variations thereof should be specified within the entrusted processing contracts.

China - AnJie Broad Law Firm
Answer...

PI breaches must be notified to the regulator “immediately”. Under the 2021 Personal Information Protection Law, such notifications must specify:

  • the type of PI to which the leakage, tampering with or loss occurs or may occur, the cause of such event or potential event and the harm that may be caused;
  • any remedial measures taken by the PI processor and any measures that can be taken by the individual to mitigate the harm; and
  • the contact information of the PI processor.

Regional and sector-specific regulators may have additional notification requirements. As such, communication with relevant regulators and awareness of sector-specific regulatory requirements are necessary to ensure compliance.

Additionally, crimes (eg, hacking, ransomware attacks) involving networks in China must be reported to the police within 24 hours of discovery.

China - AnJie Broad Law Firm
Answer...

PI breaches must be notified to affected PI subjects unless the PI processor can take measures to effectively avoid harm caused by the leakage of, tampering with or loss of information. The conditions for not reporting imply that a risk assessment is required before a decision not to report is made. Moreover, regulators (which must be reported to) may:

  • require a PI processor to notify affected PI subjects; or
  • in principle, punish a PI processor for not notifying affected PI subjects.

Overall, it seems on balance that:

  • the most compliant notification approach is always to notify PI subjects; and
  • the second most compliant approach is to conduct an impact assessment and consult with regulators before deciding whether to notify affected PI subjects.

From a legal perspective, we would suggest taking the following key actions in the event of a PI breach:

  • Verify the breach:
    • Identify affected systems and hardware;
    • Determine the nature of the data and incident; and
    • Assess whether personal information was exposed.
  • Contain and mitigate:
    • Isolate compromised systems;
    • Stop the activity or access that caused the breach; and
    • Assess threats to other systems.
  • Convene a response team:
    • Assemble a team with legal, IT, human resources, business units and communications; and
    • Assign roles for investigation, notification, and reporting.
  • Investigate and analyse:
    • Preserve evidence and data about the breach; and
    • Analyse the legal implications of the breach.
  • Develop a communication plan:
    • Prepare for inquiries from affected individuals and media; and
    • Prepare communications for employees, regulators and third parties.
  • Notify affected parties:
    • Report to regulators and notify affected individuals (if required by law); and
    • Give those individuals remediation guidance.
  • Review and improve security measures: Make improvements to the protection of PI based on an analysis of the PI breach and incident response.

The 2021 Personal Information Protection Law establishes fundamental requirements for the protection of employees’ personal information. Employment-related laws and regulations have not been updated since its enactment, so their existing record-keeping requirements continue to apply alongside it; in particular, cancelled or terminated labour contracts must still be retained for at least two years.

Employee surveillance is restricted but not absolutely prohibited. The following points regarding employee surveillance should be borne in mind:

  • Internal policies: Surveillance measures should be incorporated into internal employment policies and subject to employee consultation. This allows employees’ personal information (PI) to be processed on the legal basis of human resource management under a lawfully established employment policy. Alternatively, employers can obtain employee consent before implementing surveillance measures; however, relying on consent alone has potential drawbacks.
  • Privacy considerations: Monitoring equipment should not be installed in private areas (eg, changing rooms), as this would infringe employees’ privacy rights.

The following should be considered from an employment perspective in the context of PI protection:

  • Legal basis: The legal basis for PI processing differs between employees and job candidates. For candidates, consent is often accepted as the only valid legal basis since internal employment policies do not apply to candidates. There is also some debate at present regarding the processing of PI concerning family and dependants of employees (eg, for benefits). As such, a prudent approach for family and dependants would be to obtain their consent before processing their PI.
  • Retention period: Upon an employee’s resignation, any PI that is no longer necessary for processing – such as bank account details and pre-employment background check records – should be promptly deleted.
  • Data subject request: Employers must establish a privacy policy for employees and clearly define the process for exercising their personal information rights.

No special legal framework applies to cookies in China.

Chinese regulators are more focused on software development kits (SDKs).

The general framework of the 2021 Personal Information Protection Law applies to SDKs and is supplemented by detailed guidance from regulators, such as the Ministry of Industry and Information Technology (MIIT). In practice, the privacy policies linked to many Chinese mobile apps will contain:

  • detailed lists of SDKs;
  • details of their processing activities;
  • details of system permissions;
  • links to SDK privacy policies; and
  • other matters.

Both app providers and SDK providers must inform users of:

  • their personal information (PI) collection and processing practices; and
  • any updates or changes regarding how their PI is processed.

The MIIT frequently conducts crackdowns on SDKs, application programming interfaces (APIs) and the mobile apps that use them. Such crackdowns can result in SDKs, APIs and mobile apps that do not comply with laws and regulations being withdrawn from the market.

Under the 2021 Personal Information Protection Law, cloud service users will typically (though not always, and not for every PI processing activity) be PI processors, with cloud service providers acting as entrusted processors. As such, cloud service users will be responsible under the law for protecting PI and the rights of PI subjects.

Before using or procuring cloud services, a cloud service user should conduct a personal information protection impact assessment to ensure that the overall arrangements comply with relevant laws and regulations, including the 2021 Personal Information Protection Law. Thereafter, the cloud service user should ensure that the services it procures are:

  • adequate to fulfil its compliance obligations; and
  • fully outlined within a well-drafted contract.

From the perspective of cloud service providers, they must:

  • process PI as agreed with cloud service users; and
  • not go beyond the agreed purpose and method of PI processing.

The Provisions on Protecting the Personal Information of Telecommunications and Internet Users 2013, issued by the MIIT, require telecommunications and internet service providers to be responsible for the security of users’ PI. These provisions also apply to cloud service providers.

From a legal perspective, the following should be considered in relation to marketing activities:

  • Legal basis: Marketing activities should always be based on consent because no other legal basis under the 2021 Personal Information Protection Law adequately supports it. This view is reinforced by the Advertising Law, which states that entities may not distribute ads to parties by electronic means without their consent or request. Moreover, advertising recipients should be provided with the method to refuse subsequent receipt of such ads.
  • Automated processing: Under the 2021 Personal Information Protection Law, if marketing is directed at individuals using automated decision-making, an option not to target personal characteristics or an easy way to refuse marketing information must be given to the individual.

If personal information (PI) subjects discover that entities are processing their PI unlawfully, they have the right to file a civil lawsuit in a people’s court of competent jurisdiction. Depending on the complexity of the dispute and jurisdiction, the case may be heard in:

  • the basic courts;
  • the intermediate courts; or
  • the high people’s courts.

China has specialised basic courts – such as the internet courts in Hangzhou, Beijing and Guangzhou – which focus on online disputes, including data privacy cases.

The methods of resolving data-related disputes between entities depend on their agreements and may include arbitration or litigation. The Cyberspace Administration of China (CAC) and other regulatory authorities are responsible for the enforcement and interpretation of some rules, but do not adjudicate disputes between private parties.

In civil litigation, the lack of a proper legal basis for collecting, processing and transferring PI is becoming a common issue. Courts typically assess whether the PI processor has engaged in unlawful processing. If a violation is found, the processor may be ordered to take corrective measures and pay damages.

In administrative enforcement, the Ministry of Industry and Information Technology and provincial communications administrations regularly inspect the compliance of apps. Common issues under investigation include:

  • coercive or excessive permission requests;
  • frequent self-starting and associated launching (an app starting itself in the background or launching other apps);
  • unauthorised PI collection;
  • arbitrary redirects through pop-up windows; and
  • other non-compliant practices.

Apps found to be in violation, along with their operators, are publicly reported and required to implement corrective measures within a specified timeframe. Failure to comply may result in the authorities instructing app stores to remove the non-compliant apps.

Additionally, provincial branches of the CAC may launch investigations following a data breach. If the breach is attributed to a lack of cybersecurity management and technical measures, the responsible entity and directly accountable managers may face fines under the 2016 Cybersecurity Law.

Data protection laws and regulations do not always provide clear and comprehensive definitions for every concept or relationship they reference. Therefore, court rulings and regulatory decisions serve as valuable references for interpretation.

In February 2024, the Shanghai Number 1 Intermediate People’s Court summarised the criteria for determining a ‘joint processing’ relationship in (2024) Hu 01 Min Zhong No 410. In this case, a user discovered that their insurance policy information had been leaked through an online platform operated by Technology Company B and subsequently sued Technology Company B – along with its partners, Insurance Brokerage Company A and Insurance Company C – seeking joint liability for damages.

In this case, the court summarised the criteria for joint processing as follows:

  • Joint decision making: Whether the parties jointly determine the purpose and means of PI processing, which can be reflected in their contracts or system integrations with third parties, demonstrating a mutual agreement on data processing procedures.
  • Appearance of joint processing: Whether users perceive the parties as jointly processing PI based on the interactions.
  • Continuity of data processing responsibility: If one party ceases its services and the other continues handling user data, this indicates an intent to jointly process PI and share control over data processing methods.

China’s regulatory focus on privacy, data protection and cybersecurity may shift from cross-border data transfers to other compliance issues, such as data breach reporting and audits.

A general AI law has been on the legislative agenda in recent years and will impact personal information (PI) protection practices in China.

Companies operating in China must:

  • keep up with changes in the regulatory landscape; and
  • review whether their compliance strategies are robust enough to navigate the increasingly complex and detailed legal environment.

Top tips for data protection in China include the following:

  • Conduct process-based data mapping: This is necessary because one cannot govern processing activities one does not know about. Based on experience, systems-based data mapping is often unsuitable for 2021 Personal Information Protection Law purposes.
  • Auditing: This is mandatory in some circumstances, but in general the required frequency of personal information (PI) audits is not always clear. In such cases, organisations should:
    • conduct an initial audit to identify gaps; and
    • thereafter establish and implement an audit policy to demonstrate a clear effort to comply with laws and regulations.
  • Adopt appropriate management and technical measures: Appropriate management and technical measures should be adopted based on the nature and scope of the PI processing. These measures may include:
    • establishing internal policies;
    • implementing encryption and other necessary data protection protocols; and
    • training staff.
  • Strengthen third-party management: The data protection capabilities of vendors, partners and other third parties are crucial for ensuring data compliance. It is important to:
    • assess their data compliance levels before entering into any cooperation; and
    • sign a data processing agreement that clearly outlines the data protection responsibilities of all parties involved.
  • Stay updated on regulatory changes: Regularly monitor regulatory updates to ensure ongoing compliance with evolving data protection laws and requirements.

Potential sticking points in China include the following:

  • Multiple regulatory authorities: The Cyberspace Administration of China, the Ministry of Industry and Information Technology and various industry regulators:
    • have the authority to investigate data compliance issues; and
    • may collaborate to issue specific regulatory requirements for certain industries.
  • Increase in civil litigation: With the implementation of the 2021 Personal Information Protection Law, individuals have become more aware of their rights and are increasingly willing to protect them through civil litigation. As a result, PI processors should pay close attention to handling PI subject requests to prevent potential escalation into legal disputes.
