
China
Data Protection
Introduction
The rapid advancement of information technology and the rise of the digital economy have underscored the critical importance of data and personal information protection. China has swiftly responded to this challenge by implementing and revising a comprehensive legal framework. Key legislation in this area includes the Civil Code, the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (PIPL).
The PIPL, which came into effect on 1 November 2021, marks China’s first comprehensive personal information protection law. While elements of data protection existed in previous legislation, they were often addressed indirectly (such as through civil law protections of personal privacy) or scattered across various laws and regulations. For instance, the E-Commerce Law established principles for e-commerce operators’ collection and use of consumer personal information. The PIPL now provides a more cohesive and comprehensive framework for personal information protection.
China’s personal information protection framework draws from established jurisprudence while being firmly rooted in the country’s specific circumstances. It also aligns with internationally recognised standards, such as the European Union’s General Data Protection Regulation (GDPR), ensuring both domestic relevance and international compatibility. The law sets clear standards for personal information handlers and imposes strict legal liabilities. Additionally, it provides multiple avenues for redress, empowering individuals with robust tools to defend their personal information rights.
1. What national laws regulate the collection, use and disclosure of personal data?
The collection, use, and disclosure of personal information in the People’s Republic of China (PRC or China, excluding Hong Kong, Macau, and Taiwan) are primarily regulated by the following national laws:
- Personal Information Protection Law (PIPL). The PIPL, effective since 2021, aims to enhance personal information protection in the digital age, aligning with global data protection standards. It establishes comprehensive regulations for the collection, use, processing, and transmission of personal information to protect individuals’ privacy rights and ensure personal information security, while imposing strict penalties for non-compliance.
- Cybersecurity Law. Effective since 2017, the Cybersecurity Law regulates cyberspace activities to safeguard national security and protect critical information infrastructure. It imposes stringent requirements on data localisation, security assessments and the protection of network products and services.
- Data Security Law. The Data Security Law, effective since 2021, aims to regulate data processing activities to enhance data security, protect national interests, and promote the lawful and efficient use of data resources. It imposes responsibilities on handlers for data protection, including data categorisation, risk assessment and security measures.
- Civil Code. Part IV, Chapter 6 of the Civil Code provides for the rights to privacy and personal information protection to safeguard individual interests.
- Criminal Law. To combat cybercrime and protect individuals’ personal information, the Criminal Law defines several relevant offences, including the Crime of Infringing upon Citizens’ Personal Information, the Crime of Illegally Intruding into Computer Information Systems, and the Crime of Illegally Obtaining Data from Computer Information Systems, along with corresponding penalties.
- Regulations on the Management of Network Data Security. The regulations, effective from 1 January 2025, serve as implementing administrative rules for the three overarching laws above (the Cybersecurity Law, the Data Security Law and the PIPL). They supplement and provide further guidance on China’s data security regulatory regime.
2. To whom do the laws apply?
The PIPL and relevant laws and regulations impose obligations on personal information handlers and grant rights to personal information subjects. Additionally, to address the different roles in processing activities and certain special categories of handler, the law introduces the concepts of “entrusting party”, “entrusted party” and “critical information infrastructure operator”.
Personal information handler. A “personal information handler” under the PIPL is analogous to the concept of “data controller” under the GDPR. It refers to an organisation or individual that independently determines the handling purpose and method in the processing of personal information.
Personal information subject. According to the Civil Code and the PIPL, the personal information of a natural person is protected by law. A personal information subject refers to an identified or identifiable individual to whom personal information relates.
Entrusting party and entrusted party. When a personal information handler entrusts another party to handle personal information, the handler is the entrusting party, and the party entrusted is the entrusted party.
Critical information infrastructure operator. A “critical information infrastructure operator” refers to an operator of important network facilities and systems in key industries and fields such as public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government, and national defence science, technology and industry. This category also includes operators of other important network facilities and information systems which, if destroyed, compromised, or subjected to data leaks, could result in serious damage to national security, the national economy, people’s livelihoods and public interests.
3. What is the territorial scope of the law?
Data Security Law. Article 2 of the Data Security Law stipulates the territorial scope of application under general and special circumstances:
- In general, the Data Security Law applies to data processing activities within the territory of the PRC.
- Special circumstances refer to data processing activities conducted outside the PRC that harm national security, public interest, or the legitimate rights and interests of individuals or organisations. These activities are also subject to legal liability in accordance with the law.
Personal Information Protection Law. Article 3 of the PIPL divides the applicable territorial scope into two categories:
- In general, it applies to activities that process personal information of natural persons within the territory of the PRC.
- The jurisdiction of this law may extend beyond the territory of the PRC when the purpose is to provide products or services to natural persons within the territory, or to analyse or evaluate the behaviour of natural persons within the territory, as well as other circumstances stipulated by laws and administrative regulations.
4. What acts and operations relating to personal data are regulated?
The processing of personal information includes the collection, use, storage, transfer, provision, public disclosure and deletion of personal information.
Collection. The act of obtaining control over personal information includes behaviours such as:
- proactive provision of information by the personal information subject;
- automatic collection through interactions with the personal information subject;
- recording the behaviour of the personal information subject; and
- indirectly obtaining personal information through sharing, transferring, or collecting publicly available information.
Use. The use of personal information includes:
- converting, aggregating, and analysing personal information; and
- automated decision-making, i.e., using computer programs to automatically analyse and assess an individual’s behaviour habits, interests, or economic, health or credit status, and to make decisions on that basis.
Storage. The act of storing personal information in systems or any other media.
Transfer. The process of transferring control over personal information from one handler to another due to merger, division, dissolution, bankruptcy or other reasons.
Provision. The process in which a personal information handler provides personal information to another handler, with both parties independently holding control over the personal information.
Public Disclosure. The act of releasing information to the public or an unspecified group of people.
Deletion. The act of removing personal information from systems involved in daily business functions, ensuring that it remains in a state that is not retrievable or accessible.
5. What personal data does the law regulate?
The PIPL and relevant laws and regulations provide rules for processing personal information and sensitive personal information. They also explain the difference between de-identified information and anonymous information.
Personal information. Personal information refers to all kinds of information recorded electronically or by other means that is related to identified or identifiable natural persons, excluding information that has been anonymised.
Sensitive personal information. Sensitive personal information refers to personal information that, if leaked or illegally used, is likely to lead to infringement of a natural person’s dignity or harm to their personal or property safety. This includes biometric data, religious beliefs, specific identities, medical and health information, financial accounts, whereabouts and movement (location tracking) information, and the personal information of minors under the age of 14.
Anonymous information. Anonymous information refers to personal information that has been processed so that a specific natural person can no longer be identified, directly or indirectly, and the original information cannot be restored. Encryption alone does not anonymise data: ciphertext that can be decrypted by anyone holding the key remains personal information. Only when a person cannot be re-identified is the related information no longer considered personal information under the PIPL.
De-identified information. De-identified information refers to personal information processed to make it impossible to re-identify specific natural persons without additional information. The process is called de-identifying, which is similar to “pseudonymisation” in the GDPR.
6. Are any types of personal data subject to a higher level of protection under the law?
Sensitive personal information and personal information classified as important data are subject to a higher level of protection under the laws of the PRC.
Sensitive personal information. Personal information that requires special protection is mainly sensitive personal information (as defined in Question 5, above). Several types of personal information are easily recognised as sensitive, including personal property information, personal health and physiological information, personal biometric information and personal identity information.
Personal information handlers shall not process sensitive personal information unless there is a specific purpose and sufficient necessity, and strict protective measures have been taken. Additionally, personal information protection impact assessments must be conducted in advance, and the personal information subject must be notified of the processing necessity and the likely impact on their rights and interests.
Important data. Important data refers to data that, if tampered with, destroyed, leaked, illegally obtained or illegally used, could potentially harm national security and public interest. Under certain circumstances, an accumulation of personal information may be classified as important data. Consequently, important data is subject to enhanced protection measures, including regular risk assessments.
7. What requirements must be fulfilled in order to process personal data?
Criteria for processing personal information
Personal information handlers must meet the following criteria to process personal information lawfully:
- Personal information handlers may process personal information only if one of the following circumstances exists:
  - the personal information subject’s consent has been obtained;
  - the processing is necessary for the conclusion or performance of a contract to which the personal information subject is a party, or necessary for human resources management in accordance with labour rules and regulations established by law and collective contracts signed according to law;
  - the processing is necessary for the performance of statutory duties or obligations;
  - the processing is necessary for responding to public health emergencies, or for the protection of the life, health and property safety of natural persons in emergencies;
  - the personal information is reasonably processed for news reporting, media supervision and other activities conducted in the public interest;
  - personal information disclosed by the individual, or otherwise lawfully disclosed, is reasonably processed in accordance with the PIPL; or
  - other circumstances as provided by laws or administrative regulations.
- Generally, a personal information handler shall fulfil the notification requirements as set out in the following section.
- The processing of personal information shall be subject to the principles of lawfulness, legitimacy, necessity, and good faith. It shall be based on explicit and reasonable purposes and directly related to those purposes, and shall exert the minimum impact on the rights and interests of personal information subjects.
Notification
- General notification. A personal information handler shall, before processing personal information, truthfully, accurately and fully inform the personal information subject of the following matters, and inform them of any changes thereafter:
  - the name and contact information of the personal information handler;
  - the purposes and means of personal information processing, and the categories and storage periods of the personal information to be processed;
  - the methods and procedures for the personal information subject to exercise their rights as provided in the PIPL; and
  - other matters that the personal information subject should be notified of as provided by laws and administrative regulations.
- Special notification. Additional information shall be notified to the personal information subject when a handler processes sensitive personal information, transfers personal information to another handler, or provides personal information to another handler or to overseas recipients. For each case, the additional information is:
  - when processing sensitive personal information: the necessity of the processing and its impact on the rights and interests of the personal information subject;
  - when transferring personal information: the recipient’s name and contact information;
  - when providing personal information to another handler: the recipient’s name and contact information, the purposes and means of processing, and the categories of personal information to be processed; and
  - when providing personal information to overseas recipients: the recipient’s name and contact information, the purposes and means of processing, the categories of personal information to be processed, and the methods and procedures for individuals to exercise their rights against the overseas recipient.
- Exceptions. In certain cases, such as where informing would hinder a State organ from performing its statutory duties or where timely informing in emergencies to protect individuals’ life, health, and property safety is impossible, notification may not be required.
Consent
Generally, consent should be obtained in the following circumstances:
- before any personal information is processed; and
- where the processing of disclosed personal information may have a significant impact on an individual’s rights and interests.
Separate consent or written consent should be obtained where laws and administrative regulations provide.
Separate consent is an individual’s specific and explicit consent for the targeted processing of personal information, separated from the consent given to serve multiple purposes or methods like consent to general terms and conditions. Separate consent is required when providing personal information to other personal information handlers, publicly disclosing personal information, using personal images and identity information collected through image capture and personal identification devices in public places for purposes other than maintaining public security, processing sensitive personal information and providing personal information to overseas recipients. Written consent is required, for example, when credit bureaux collect information on an individual’s income, deposits, securities, business insurance, real estate and tax payments.
Where personal information processing is based on consent, the consent shall be voluntary, explicit and fully informed. Re-consent is required when there are changes in the purpose, method or types of personal information processed. Additionally, the personal information subject has the right to withdraw their consent at any time.
Exceptions: as set out above, personal information handlers could process personal information in certain circumstances without the consent of the personal information subject.
8. What obligations apply when processing personal data?
Personal information handlers should process data in a lawful, secure and accountable manner under the PIPL. Additionally, personal information handlers need to fulfil the data security protection obligations and network information security requirements under the Data Security Law and the Cybersecurity Law, if applicable.
General legal obligations of personal information handlers
National laws provide that a common personal information handler shall:
- Meet the criteria, including notification and consent, to process personal information lawfully as stated in Question 7, above.
- Implement security measures to ensure lawful and compliant processing and prevent unauthorised access, disclosure, tampering or loss.
- Establish mechanisms to receive and process requests from individuals to exercise their rights.
- Conduct personal information protection impact assessments in advance for certain processing activities, and keep records, such as when processing sensitive personal information and using personal information to make automated decisions.
- Conduct regular compliance audits of personal information processing activities.
- Take remedial measures and notify the affected individuals and the competent authorities in the event of a personal information breach. The notice shall include: the categories of personal information that have been, or may have been, leaked, tampered with or lost, together with the causes and the possible harm; the remedial measures taken by the personal information handler and the measures individuals may take to mitigate the harm; and the contact information of the personal information handler.
- Ensure the retention period of personal information is the minimum period necessary for achieving the purpose of handling, unless otherwise stipulated by laws and administrative regulations (for example, network logs shall be retained for no less than six months under the Cybersecurity Law). The personal information handler shall, on its own initiative, delete the personal information when:
  - the purpose of processing has been achieved, cannot be achieved, or the information is no longer necessary for achieving that purpose;
  - the personal information handler ceases to provide the product or service, or the retention period has expired;
  - the individual withdraws their consent; or
  - the personal information handler has processed the personal information in violation of laws, administrative regulations or agreements.
Additional legal obligations of certain personal information handlers
Additional legal obligations are required for certain personal information handlers according to national laws:
- Personal information handlers processing a certain volume of personal information shall designate a personal information protection officer.
- Personal information handlers located overseas shall establish a specialised agency or designate a representative within China.
- Personal information handlers designated as critical information infrastructure operators or large internet platforms shall fulfil certain additional obligations, such as establishing a sound compliance system for personal information protection in accordance with the provisions of the State and setting up an independent agency mainly composed of external members to supervise personal information protection.
- State organs shall store the personal information they handle within the territory of the PRC.
- Critical information infrastructure operators, and personal information handlers whose volume of personal information processing reaches the threshold prescribed by the Cyberspace Administration of China (CAC), shall store within the territory of the PRC the personal information they collect and generate within the PRC.
Obligations of co-handlers, entrusting parties, and entrusted parties
In addition to the obligations described above, personal information handlers may be subject to corresponding obligations because of their own role in processing personal information:
- Where two or more personal information handlers jointly determine the purpose and method of handling personal information, they shall agree upon respective rights and obligations and all comply with the obligations of handlers of personal information stated above, if applicable.
- Entrusting parties shall supervise the personal information handling activities of the entrusted parties.
- Entrusted parties shall handle personal information in compliance with the obligations stated above, where applicable, and shall neither handle personal information beyond the purpose and method agreed with the personal information handler nor re-entrust others with the handling of personal information without the consent of the personal information handler.
9. What rights does the data subject have in relation to personal data?
The following rights are designed to empower personal information subjects in managing their personal information and ensuring their privacy is respected under the PIPL and relevant laws and regulations:
- Right to be informed. Personal information subjects have the right to be informed about the processing of their personal information (see Question 7, above, for details) and to request explanations regarding it.
- Right to access and copy. Personal information subjects have the right to access their personal information and request copies of their data.
- Right to correct. Personal information subjects who find that their personal information is inaccurate or incomplete have the right to request the handler of personal information to correct or supplement it.
- Right to delete. Personal information subjects have the right to request deletion if the personal information handler fails to delete the information in the circumstances as stated in Question 8, above.
- Right to cancel the account. Personal information subjects shall be provided with a simple method to cancel the account by the personal information handler who provides products or services through a registered account.
- Right to object. Personal information subjects have the right to restrict or refuse the processing of their personal information, and also the right to withdraw their consent to process.
- Right to data portability. Personal information subjects have the right to transfer their personal information to other service providers.
- Rights related to automated decision-making. Personal information subjects shall be provided with effective rights regarding automated decision-making. Their rights to be informed and object are especially emphasised by laws in this circumstance.
If a personal information handler refuses to allow personal information subjects to exercise their rights without valid reasons, the individual can file a lawsuit before the court. However, these rights are not absolute and have exceptions, such as the exemptions from notification stated in Question 7, above, or where personal information processing activities are carried out by authorities under the powers and procedures stipulated by law to safeguard national security or public interest.
10. What rules regulate the sending of commercial or direct marketing communications?
The right to privacy in the Civil Code provides the overarching legal basis for regulating the sending of commercial or direct marketing communications. Specific requirements are set out in the Law on the Protection of Consumers’ Rights and Interests, the Advertising Law and the PIPL, among others.
General principles. According to Article 1033 of the Civil Code, unless otherwise provided for by law or explicitly consented to by the individual, neither an organisation nor an individual shall intrude into the peace of another person’s private life by utilising telephone calls, text messages, instant messaging tools, emails, leaflets or similar means. The Law on the Protection of Rights and Interests of Consumers and the Advertising Law further provide that business operators shall not send commercial information to individuals without their consent or request, or when an individual has explicitly rejected it.
Specific requirements. There are different requirements for various methods of sending commercial or direct marketing communications:
- Information pushing and automated marketing: information pushing and commercial marketing to individuals using automated decision-making shall be accompanied by options that do not target individual characteristics or provide individuals with an easy way to decline.
- Electronic messages: if an advertisement is sent through an electronic message, the identity and contact information of the sender shall be made clear, and the recipients shall be provided with a way to refuse to continue receiving it.
- Internet advertisements: the use of the internet to publish or distribute advertisements shall not affect the normal use of the internet by individuals. Advertisements published on internet pages, such as pop-up advertisements, shall be indicated with a conspicuous mark for one-click close.
- Telephone marketing: when conducting commercial marketing via telephone, prior consent from individuals must be obtained, relevant evidence must be retained, and active cooperation must be provided for harassing call verification work. Except for immediate callback businesses, proactive calls must avoid individuals’ daily rest periods and cannot be made by blindly dialling number segments. Additionally, after individuals explicitly refuse marketing calls for specific industries or businesses, no further calls can be made. If calls are necessary to provide services to individuals, the calling time and frequency must be strictly controlled, and call recordings must be retained for a certain period.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
When personal information handlers have fulfilled their basic obligations, there are generally three mechanisms to transfer personal information outside of the PRC lawfully. The PIPL and relevant laws and regulations also provide special rules on cross-border personal information transfer.
Basic obligations
Personal information handlers providing personal information to overseas recipients must comply with the requirements of notification and obtain separate consent from personal information subjects as stipulated by laws and administrative regulations (see Question 7, above, for details). Additionally, personal information handlers are required to conduct personal information protection impact assessments in advance and maintain records of the processing activities. Most importantly, personal information handlers shall take necessary measures to ensure that when processing the personal information, the overseas recipient meets the protection standards for personal information as prescribed in the PIPL.
Three mechanisms
The three mechanisms for transferring personal information outside the territory of the PRC and the exemptions are as follows:
Security assessment for data provision abroad. Personal information handlers providing personal information overseas must apply to the CAC, through the provincial cyberspace department where they are located, for a security assessment of the data provision abroad if they meet one of the following conditions:
- Operators of critical information infrastructure provide personal information to overseas recipients.
- Personal information handlers other than operators of critical information infrastructure cumulatively provide personal information of over one million individuals (excluding sensitive personal information) or sensitive personal information of over 10,000 individuals since 1 January of the current year.
Standard contracts with overseas recipients and personal information protection certification. Personal information handlers other than operators of critical information infrastructure that, since 1 January of the current year, have cumulatively provided personal information of more than 100,000 but fewer than 1 million individuals (excluding sensitive personal information), or sensitive personal information of fewer than 10,000 individuals, must either enter into the standard contract for the export of personal information with the overseas recipient or obtain personal information protection certification. Handlers below the 100,000-individual threshold that provide no sensitive personal information fall outside all three mechanisms.
Exemptions. The following circumstances are exempt from the security assessment, the standard contract and the personal information protection certification requirements:
- Personal information collected and generated overseas that is transmitted for domestic processing and then provided to overseas recipients, provided that no domestic personal information or important data is introduced during processing.
- Providing personal information to overseas recipients as necessary for entering or performing contracts where individuals are parties.
- Providing employee personal information to overseas entities as necessary for implementing cross-border human resource management according to labour rules and collective contracts established in accordance with the law.
- Providing personal information to overseas entities as necessary to protect the life, health and property safety of natural persons in emergency situations.
- Transfers covered by exemptions under special rules adopted by the free trade zone in which the personal information handler is located.
Special rules
Provisions of international treaties or agreements concluded or acceded to by the PRC prevail over the three mechanisms above when personal information handlers transfer personal information outside the PRC. In particular, if a foreign judicial or law enforcement agency requests access to personal information stored in China, the competent Chinese authorities shall handle the request in accordance with such treaties or agreements, or on the principle of equality and reciprocity, and no handler may provide personal information stored in China to such an agency without the approval of the competent authorities.
Additionally, the CAC may place on a published list overseas organisations or individuals whose personal information processing activities infringe the personal information rights and interests of PRC citizens or endanger the national security or public interests of the PRC, and may restrict or prohibit the transfer of personal information to them.
12 . What are the investigatory and enforcement powers of the regulator?
The CAC is responsible for overall coordination of personal information protection work and related supervision and management. Relevant departments under the State Council and relevant departments of local people’s governments are responsible for personal information protection and related supervision and management within their respective duties or areas.
To fulfil their responsibilities for personal information protection, the departments mentioned above may take the following measures:
- inquire with relevant parties and investigate relevant matters;
- review and duplicate relevant materials;
- conduct on-site inspections and investigate suspected illegal personal information processing activities;
- inspect relevant equipment and items and seize equipment and items proven to be used for illegal personal information processing;
- interview the legal representative or main responsible person of the personal information handler, or require the handler to engage professional institutions to conduct compliance audits of their personal information processing activities;
- issue administrative penalties such as warnings and confiscation of illegal gains; or
- other measures as provided by laws or administrative regulations.
13 . What are the sanctions and remedies for non-compliance with data protection laws?
The PIPL, together with the Civil Code and the Criminal Law, provides strict penalties and liability for violations and multiple remedies for individuals.
Penalties and liabilities
Administrative penalties
Violating the laws regarding the processing of personal information, or failing to fulfil the obligations of personal information protection may result in administrative penalties including warnings, fines and/or confiscation of illegal gains.
For personal information handlers, a fine may reach up to RMB 50 million (approximately USD 7 million) or 5% of the previous year’s revenue, whichever is greater. Additionally, they may be ordered to suspend related business activities or undergo operational rectification, and relevant authorities may revoke their business licences or permits. Directly responsible supervisors and other responsible personnel may face fines of up to RMB 1 million (approximately USD 0.14 million) and may be prohibited from serving as directors, supervisors, senior management, or personal information protection officers in related enterprises for a specified period.
In addition, relevant violations may be recorded in credit files and publicly disclosed.
Criminal penalties
For very serious violations that constitute criminal offences, criminal liability shall be pursued in accordance with the Criminal Law, particularly for the following offences:
- The Crime of Infringement upon Citizens’ Personal Information: offenders may face imprisonment for up to three years or criminal detention, along with fines; for especially serious cases, imprisonment of three to seven years and fines may apply.
- The Crime of Illegally Intruding into a Computer Information System and the Crime of Illegally Obtaining Data from a Computer Information System: for serious cases, offenders may face imprisonment for up to three years or criminal detention, along with fines; for especially serious cases, imprisonment of three to seven years and fines may apply.
For the offences above, if the crime is committed by an organisation, the organisation shall be fined, and directly responsible supervisors and other responsible personnel shall be penalised.
Civil liabilities
According to the PIPL, personal information handlers who infringe on personal information rights and cause damage, and who cannot prove that they were not at fault, shall bear tort liability. Compensation for damages is determined based on the losses suffered by the individuals or the benefits gained by the personal information handler; where these are difficult to ascertain, the compensation amount shall be determined based on the actual circumstances.
Remedies
Complaints and reports
Individuals can file complaints and reports through the channels provided by personal information handlers. They may also submit complaints and reports to the regulatory authorities responsible for personal information protection (such as the CAC or local relevant departments).
General civil lawsuits
Individuals whose personal information rights have been infringed may file civil lawsuits to seek compensation for damages caused by illegal processing of personal information.
Public interest actions
If the violation infringes the rights and interests of many individuals, the people’s procuratorate, legally designated consumer organisations, or organisations identified by the CAC may file public interest actions to represent the victims and protect their legitimate rights and interests.