Database

Browse Database

CHINA

Since February 1996
Sine June 2017

Pillar Content access  |  Indicator Licensing schemes for digital services and applications
Provisional Regulation of the People’s Republic of China for the Administration of International Networking of Computer Information Networks (中华人民共和国计算机信息网络国际联网管理暂行规定)

Provisions on Administrative Law Enforcement Procedures for Internet Information Content Management (互联网信息内容管理行政执法程序规定)
According to Art. 6 of the Interim Provisions of the People's Republic of China on the Management of International Networking of Computer Information Networks, computer information networks for direct international networking must use the international channels provided by the national public telecommunications network of the Ministry of Posts and Telecommunications. No unit or individual may establish or use other channels for international networking on their own. The public security authorities may issue a warning and impose a fine of up to RMB 15,000 (USD 2,200) on anyone who violates this provision. In addition, institutions or individuals are not allowed to use the international network to endanger national security, divulge state secrets, infringe upon national, social, and collective interests and the legitimate rights and interests of citizens, or engage in illegal and criminal activities. Institutions and individuals engaged in international networking services are required to file procedures in designated public security agencies within 30 days of the connection and accept the security supervision, inspection, and guidance of the public security authorities; for those who violate the measures, individuals and institutions can be fined in serious cases. The Provisions on Administrative Law Enforcement Procedures for Internet Information Content Management set out the procedural and administrative processes for the Cyberspace Administration of China to enforce the laws and regulations relating to Internet content.
Coverage Internet access

CHINA

Since January 2017

Pillar Content access  |  Indicator Licensing schemes for digital services and applications
Circular on Clearing up and Regulating the Internet Access Service Market (工业和信息化部关于清理规范互联网网络接入服务市场的通知)
The Circular on Clearing up and Regulating the Internet Access Service Market imposes government approval for telecom and Internet access providers to set up or rent a VPN. There are reports since 2017 that VPNs have been shut down, and individuals who set up or use VPNs have been punished.
Coverage VPNs

CHINA

Since September 2000, last amended in February 2016
Since 2000, last amended in 2015

Pillar Content access  |  Indicator Licensing schemes for digital services and applications
Telecommunications Regulations of the People’s Republic of China (中华人民共和国电信条例)

Classification Catalogue of Telecommunications Services (电信业务分类目录)
Under Art. 7 of the Telecommunications Regulations, the State is required to operate a licensing regime for telecommunications enterprises in accordance with the established classification of such businesses. Pursuant to the Classification Catalogue of Telecommunications Services, this framework encompasses Internet data centre services. The corresponding licence is necessary for the provision of various services, including, among others, cloud services.
It is reported that China imposes stringent restrictions on foreign enterprises seeking to participate in the development of cloud computing services, including computer data processing and storage services and software application services provided over the Internet, and that foreign‑invested companies established in China are not permitted to supply these services directly. As cross‑border provision is difficult due to restrictive Chinese regulatory policies, the only practical means for a foreign company to access the Chinese market is to enter into a contractual partnership with a domestic firm that holds the required Internet data centre licence, a model that typically requires the foreign company to transfer valuable technology, intellectual property, know‑how, and branding to its Chinese partner. Although the foreign service provider may receive a licensing fee from such an arrangement, it gains no direct relationship with customers in China and has no independent ability to develop its business, effectively ceding control of its operations to a Chinese firm. It is also reported that in October 2024, the Ministry of Industry and Information Technology launched a pilot programme in four free‑trade zones, including in Beijing and Shanghai, permitting foreign companies to wholly own and operate Internet data centres.
Coverage Internet data center services, including cloud services

CHINA

Since September 2000, last amended in February 2016
Since March 2016
Since September 2017

Pillar Content access  |  Indicator Licensing schemes for digital services and applications
Telecommunications Regulations of the People’s Republic of China (中华人民共和国电信条例)

Classified Catalogue of Telecommunications Services (电信服务分类目录)

Administrative Measures for the Licensing of Telecommunication Business (电信业务经营许可管理办法)
China requires a supplier to have a basic telecommunications service license to provide VoIP service.
Coverage VoIP services

CHINA

Since July 2016, entry into force in November 2016, last amended in November 2022

Pillar Content access  |  Indicator Licensing schemes for digital services and applications
Interim Measures for the Administration of Online Taxi Booking Business Operations and Services (网络预约出租汽车经营服务管理暂行办法)
China instituted a licensing system for online taxi companies, which requires that personal information and business data be stored and used in mainland China and not transferred outside of China. Such information should be retained for two years, except when otherwise required by other laws and regulations. The Measurement also requires that taxi companies' servers be set up in Mainland China, with a network security management system and technical measures for security protection in compliance with regulations.
Coverage Online taxi sector

CHINA

Since August 2017

Pillar Intermediary liability  |  Indicator User identity requirement
Administrative Measures on Internet Forum Community Service (互联网论坛社区服务管理规定)
According to the Administrative Measures on Internet Forum Community Service, providers of Internet forum community services are required to obtain and verify the identity information of users and enter into service agreements with them.
Coverage Internet forum community services

CHINA

Since September 2000, last amended in 2024
Since December 2012

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Measures for the Administration of Internet Information Services (互联网信息服务管理办法)

Decision on Strengthening Network Information Protection《关于加强网络信息保护的决定
The Measures for the Administration of Internet Information Services requires that Internet Service Providers (ISPs) keep records of each service user’s time spent online, user account, IP address or domain name, phone number and other information for 60 days and provide that information to the authorised government authorities when required (Art. 14). In addition, the Decision on Strengthening Network Information Protection requires ISPs to cooperate with the government and provide technical support upon inquiry from the authorised government authorities (Art. 10).
Coverage Internet Service Providers

CHINA

Since September 2002, last amended in 2024

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Regulations on Administration of Business Premises for Internet Access Services (互联网上网服务营业场所管理条例)
Art. 23 of the "Regulations on Administration of Business Premises for Internet Access Services" stipulates that the operators of internet access service premises must verify and register the identity documents, such as identity cards, of individuals using internet services and must record relevant information concerning their internet usage. The particulars of these registrations and the associated backup records shall be retained for a minimum of 60 days and must be produced upon the lawful request of the cultural administrative authorities or public security organs, and such registration details and backup records shall not be altered or deleted during the prescribed retention period. Art. 2 provides that, for the purposes of these Regulations, "Internet access service premises" refers to commercial establishments such as internet cafés and computer leisure centres that provide internet access services to the public via computers or comparable devices.
Coverage Operators of internet access service premises

CHINA

Since October 2000

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Provisions for the Administration of Internet Electronic Bulletin (互联网电子公告服务管理规定)
Art. 14 of the "Provisions for the Administration of Internet Electronic Bulletin" requires electronic bulletin service providers to record all information posted on their systems, including the content, the time of publication, and the relevant Internet Protocol address or domain name, and to retain backups of these records for 60 days for provision to the competent state authorities upon lawful request. Art. 2 clarifies that, for the purposes of these Provisions, "electronic bulletin services" denotes facilities enabling Internet users to publish information online through interactive formats such as electronic noticeboards, electronic whiteboards, electronic forums, online chat rooms, and message boards.
Coverage Electronic bulletin services

CHINA

Since August 2021, entry into force in November 2021

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Personal Information Protection Law of the People's Republic of China (中华人民共和国个人信息保护法)
Art. 52 of the Personal Information Protection Law requires the appointment of a data protection officer when the personal information handler meets specified conditions. In addition, under Arts. 55 and 56, a personal information protection impact assessment is required in certain circumstances.
Coverage Horizontal

CHINA

Since June 2021, entry into force in September 2021

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Data Security Law of the People's Republic of China (中华人民共和国数据安全法)
Art. 27 of the Data Security Law mandates the designation of personnel responsible for overseeing data security. This obligation applies solely to processors of important data; however, the statute itself does not provide a definition of that category.
Coverage Processors of important data

CHINA

Since October 2020

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Amendment to the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (信息安全技术-个人信息安全规范) (GB/T 35273-2020) 修正案)
The 2020 Personal Information Security Specification provides that personal information controllers shall appoint a person and a department responsible for personal information (PI) protection. The person responsible for PI protection must have relevant management experience and personal information protection expertise, participate in important decisions on personal information processing activities, and report directly to the principal of the organization.
Coverage Horizontal

CHINA

Since November 2016, entry into force in June 2017

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Cybersecurity Law of the People's Republic of China (中华人民共和国网络安全法)
Art. 21 of the Cybersecurity Law requires network operators to appoint persons in charge of cybersecurity. Critical information infrastructure operators (CIIO) are also required to set up specialised security management bodies and persons responsible for security management. Further, CIIO's must conduct security background checks on those responsible persons and personnel in critical positions (Art. 34).
Coverage Horizontal

CHINA

Since June 2021, entry into force in September 2021

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
Data Security Law of the People’s Republic of China (中华人民共和国数据安全法)
Art. 35 of the Data Security Law stipulates that where public security or national security authorities need to consult any data in order to safeguard national security or investigate a crime, the relevant organizations and individuals must provide such data. The same article stipulates that before getting access to the data held by private organizations, public security or national security authorities must go through strict approval formalities in advance.
Coverage Horizontal

Report issue     Report new measure