CHINA
Since September 2000, last amended in 2024
Since December 2012
Since December 2012
Pillar Domestic data policies |
Indicator Minimum period for data retention
Measures for the Administration of Internet Information Services (互联网信息服务管理办法)
Decision on Strengthening Network Information Protection《关于加强网络信息保护的决定
Decision on Strengthening Network Information Protection《关于加强网络信息保护的决定
The Measures for the Administration of Internet Information Services requires that Internet Service Providers (ISPs) keep records of each service user’s time spent online, user account, IP address or domain name, phone number and other information for 60 days and provide that information to the authorised government authorities when required (Art. 14). In addition, the Decision on Strengthening Network Information Protection requires ISPs to cooperate with the government and provide technical support upon inquiry from the authorised government authorities (Art. 10).
Coverage Internet Service Providers
Sources
- https://www.nmpa.gov.cn/xxgk/fgwj/flxzhfg/20250416164819194.html
- https://web.archive.org/web/20190404000306/http://www.loc.gov/law/foreign-news/article/china-npc-decision-on-network-information-protection/
- https://web.archive.org/web/20220117214103/https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw.data_protection/functions/handbook.pdf?country-1=CN
- Show more...
CHINA
Since September 2002, last amended in 2024
Pillar Domestic data policies |
Indicator Minimum period for data retention
Regulations on Administration of Business Premises for Internet Access Services (互联网上网服务营业场所管理条例)
Art. 23 of the "Regulations on Administration of Business Premises for Internet Access Services" stipulates that the operators of internet access service premises must verify and register the identity documents, such as identity cards, of individuals using internet services and must record relevant information concerning their internet usage. The particulars of these registrations and the associated backup records shall be retained for a minimum of 60 days and must be produced upon the lawful request of the cultural administrative authorities or public security organs, and such registration details and backup records shall not be altered or deleted during the prescribed retention period. Art. 2 provides that, for the purposes of these Regulations, "Internet access service premises" refers to commercial establishments such as internet cafés and computer leisure centres that provide internet access services to the public via computers or comparable devices.
Coverage Operators of internet access service premises
CHINA
Since October 2000
Pillar Domestic data policies |
Indicator Minimum period for data retention
Provisions for the Administration of Internet Electronic Bulletin (互联网电子公告服务管理规定)
Art. 14 of the "Provisions for the Administration of Internet Electronic Bulletin" requires electronic bulletin service providers to record all information posted on their systems, including the content, the time of publication, and the relevant Internet Protocol address or domain name, and to retain backups of these records for 60 days for provision to the competent state authorities upon lawful request. Art. 2 clarifies that, for the purposes of these Provisions, "electronic bulletin services" denotes facilities enabling Internet users to publish information online through interactive formats such as electronic noticeboards, electronic whiteboards, electronic forums, online chat rooms, and message boards.
Coverage Electronic bulletin services
Sources
- https://web.archive.org/web/20260323214640/http://www.moe.gov.cn/s78/A13/s8353/moe_774/tnull_1058.html
- https://web.archive.org/web/20230110061559/https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/Documents/CountryProfiles/567%20china-d-Comparative%20Research_ed1a.PDF
- https://web.archive.org/web/20241009080813/http://www.china.org.cn/business/2010-01/20/content_19274960_2.htm
- Show more...
CHINA
Since August 2021, entry into force in November 2021
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Personal Information Protection Law of the People's Republic of China (中华人民共和国个人信息保护法)
Art. 52 of the Personal Information Protection Law requires the appointment of a data protection officer when the personal information handler meets specified conditions. In addition, under Arts. 55 and 56, a personal information protection impact assessment is required in certain circumstances.
Coverage Horizontal
CHINA
Since June 2021, entry into force in September 2021
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Data Security Law of the People's Republic of China (中华人民共和国数据安全法)
Art. 27 of the Data Security Law mandates the designation of personnel responsible for overseeing data security. This obligation applies solely to processors of important data; however, the statute itself does not provide a definition of that category.
Coverage Processors of important data
CHINA
Since October 2020
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Amendment to the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (信息安全技术-个人信息安全规范) (GB/T 35273-2020) 修正案)
The 2020 Personal Information Security Specification provides that personal information controllers shall appoint a person and a department responsible for personal information (PI) protection. The person responsible for PI protection must have relevant management experience and personal information protection expertise, participate in important decisions on personal information processing activities, and report directly to the principal of the organization.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230221153710/https://www.tc260.org.cn/upload/2020-09-18/1600432872689070371.pdf
- https://web.archive.org/web/20211124183425/https://www.manafoundation.org/uploads/soft/200601/%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%A8%E6%8A%80%E6%9C%AF%E4%B8%AA%E4%BA%BA%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%...
CHINA
Since November 2016, entry into force in June 2017
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Cybersecurity Law of the People's Republic of China (中华人民共和国网络安全法)
Art. 21 of the Cybersecurity Law requires network operators to appoint persons in charge of cybersecurity. Critical information infrastructure operators (CIIO) are also required to set up specialised security management bodies and persons responsible for security management. Further, CIIO's must conduct security background checks on those responsible persons and personnel in critical positions (Art. 34).
Coverage Horizontal
CHINA
Since June 2021, entry into force in September 2021
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Data Security Law of the People’s Republic of China (中华人民共和国数据安全法)
Art. 35 of the Data Security Law stipulates that where public security or national security authorities need to consult any data in order to safeguard national security or investigate a crime, the relevant organizations and individuals must provide such data. The same article stipulates that before getting access to the data held by private organizations, public security or national security authorities must go through strict approval formalities in advance.
Coverage Horizontal
CHINA
Since December 2015, entry into force in January 2016, last amended in April 2018
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Counterterrorism Law of the People's Republic of China (中华人民共和国反恐怖主义法)
Art. 18 of the Counterterrorism Law requires Internet service providers and the telecommunication sector to “provide technical support and assistance, such as technical interface and decryption, to support the activities of the public security and state security authorities in preventing and investigating terrorist activities.”
Coverage Internet service providers and telecommunication sector
Sources
- https://web.archive.org/web/20230324194915/http://www.hoover.org/sites/default/files/research/docs/segal_webreadypdf_updatedfinal.pdf
- https://web.archive.org/web/20231129113030/http://www.xinhuanet.com//politics/2015-12/27/c_128571798.htm
- https://web.archive.org/web/20221210010510/http://www.npc.gov.cn/zgrdw/npc/xinwen/2018-06/12/content_2055871.htm
- Show more...
CHINA
Since October 2020
Pillar Cross-border data policies |
Indicator Conditional flow regime
Amendment to the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (信息安全技术-个人信息安全规范》(GB/T 35273-2020)修正案)
Section 9.2.i of the "Amendment to the Information Security Technology – Personal Information Security Specification" provides that where personal biometric information must not be shared or transferred unless actually essential for business needs, in which case the personal information subject must be separately informed of the purpose, types of biometrics involved, identification of the recipient and its data security capacity and the personal information subject consent must be explicitly obtained.
Coverage Horizontal
Sources
- https://web.archive.org/web/20231227001129/https://digichina.stanford.edu/work/information-security-technology-guidelines-for-personal-information-protection-on-public-and-commercial-service-informati...
- https://web.archive.org/web/20240712200613/https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw.data_protection/functions/handbook.pdf?country-1=CN
- https://web.archive.org/web/20231128172929/http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2280037
- https://web.archive.org/web/20200727022639/http://law.emory.edu/elj/content/volume-64/issue-3/articles/data-nationalism.html
- https://web.archive.org/web/20211025231401/http://www.insideprivacy.com/international/china/china-releases-national-standard-for-personal-information-collected-over-information-systems-industr/
- Show more...
CHINA
Since August 2021, entry into force in November 2021
Since March 2024
Since March 2024
Pillar Cross-border data policies |
Indicator Conditional flow regime
Personal Information Protection Law of the People's Republic of China (中华人民共和国个人信息保护法)
Provisions on Promoting and Regulating the Cross-Border Flow of Data (促进和规范数据跨境流动规定)
Provisions on Promoting and Regulating the Cross-Border Flow of Data (促进和规范数据跨境流动规定)
Under Art. 40 of the Personal Information Protection Law (PIPL), personal information handlers who process personal data exceeding the thresholds stipulated by regulatory authorities, as well as operators of critical information infrastructure, are required to store the personal information they collect and generate within the territory of China. If it is genuinely necessary for a personal information handler to transfer personal information abroad, specific regulatory requirements must be satisfied. In accordance with Art. 38 of the PIPL and Arts. 7 and 8 of the Provisions on Promoting and Regulating the Cross-Border Flow of Data, personal information handlers seeking to provide or transfer personal data outside of China must meet one of the following conditions:
1. Obtain approval through a security assessment conducted by the Cyberspace Administration of China (CAC), applicable if any of the following criteria are met: the handler is a critical information infrastructure operator; the handler (not classified as a critical information infrastructure operator) has, since 1 January of the current year, cumulatively provided the personal information of 1,000,000 individuals or sensitive personal information of 10,000 individuals to overseas recipients; the handler seeks to transfer personal information classified as important data or otherwise containing important data outside China.
2. Satisfy requirements through either of the following mechanisms: enter into the standard contract formulated by the CAC with the overseas data recipient; or obtain personal information protection certification from professional institutions in accordance with CAC rules. This applies when the handler is not a critical information infrastructure operator; or intends to transfer non-sensitive personal information of more than 100,000 but less than 1,000,000 individuals, or sensitive personal information of fewer than 10,000 individuals, on a cumulative basis, since 1 January of the current year.
Notwithstanding the above requirements, the outbound transfer of personal information, excluding important data, is exempt from these provisions under Arts. 3, 4, and 5 of the Provisions if the transfer arises from the following circumstances:
- International trade, cross-border transportation, academic collaboration, transnational manufacturing, marketing, or similar activities that do not involve personal or important data.
- Exporting personal information collected or generated outside China and then processed in China, provided no domestic personal information collected within China is included.
- Transfers necessary for the performance of contracts involving the data subject, such as cross-border shopping, payments, travel bookings, visa applications, or similar services.
- Employee-related data transfers for implementing human resources management under employment policies or collective labour agreements.
- Transfers required to protect the life, health, or property security of individuals in emergencies.
- Transfers involving non-sensitive personal information of fewer than 100,000 individuals on a cumulative basis by handlers who are not critical information infrastructure operators since 1 January of the current year.
Additionally, Arts. 38, 39, 41, 53, and 55 of the PIPL impose further obligations on personal information handlers seeking to transfer personal data outside China, including:
- Demonstrating a legitimate business or operational need for the cross-border transfer.
- Implementing measures to ensure that overseas recipients process the data in compliance with the protection standards set out in the PIPL.
- Providing adequate prior notification to individuals and obtaining their explicit consent.
- Securing approval from the relevant Chinese authorities for transfers to foreign judicial or law enforcement agencies.
- Establishing local representatives or agencies within China for overseas recipients who do not have a local entity and are classified as personal information handlers outside Mainland China.
- Conducting a personal information protection impact assessment before initiating a cross-border transfer.
1. Obtain approval through a security assessment conducted by the Cyberspace Administration of China (CAC), applicable if any of the following criteria are met: the handler is a critical information infrastructure operator; the handler (not classified as a critical information infrastructure operator) has, since 1 January of the current year, cumulatively provided the personal information of 1,000,000 individuals or sensitive personal information of 10,000 individuals to overseas recipients; the handler seeks to transfer personal information classified as important data or otherwise containing important data outside China.
2. Satisfy requirements through either of the following mechanisms: enter into the standard contract formulated by the CAC with the overseas data recipient; or obtain personal information protection certification from professional institutions in accordance with CAC rules. This applies when the handler is not a critical information infrastructure operator; or intends to transfer non-sensitive personal information of more than 100,000 but less than 1,000,000 individuals, or sensitive personal information of fewer than 10,000 individuals, on a cumulative basis, since 1 January of the current year.
Notwithstanding the above requirements, the outbound transfer of personal information, excluding important data, is exempt from these provisions under Arts. 3, 4, and 5 of the Provisions if the transfer arises from the following circumstances:
- International trade, cross-border transportation, academic collaboration, transnational manufacturing, marketing, or similar activities that do not involve personal or important data.
- Exporting personal information collected or generated outside China and then processed in China, provided no domestic personal information collected within China is included.
- Transfers necessary for the performance of contracts involving the data subject, such as cross-border shopping, payments, travel bookings, visa applications, or similar services.
- Employee-related data transfers for implementing human resources management under employment policies or collective labour agreements.
- Transfers required to protect the life, health, or property security of individuals in emergencies.
- Transfers involving non-sensitive personal information of fewer than 100,000 individuals on a cumulative basis by handlers who are not critical information infrastructure operators since 1 January of the current year.
Additionally, Arts. 38, 39, 41, 53, and 55 of the PIPL impose further obligations on personal information handlers seeking to transfer personal data outside China, including:
- Demonstrating a legitimate business or operational need for the cross-border transfer.
- Implementing measures to ensure that overseas recipients process the data in compliance with the protection standards set out in the PIPL.
- Providing adequate prior notification to individuals and obtaining their explicit consent.
- Securing approval from the relevant Chinese authorities for transfers to foreign judicial or law enforcement agencies.
- Establishing local representatives or agencies within China for overseas recipients who do not have a local entity and are classified as personal information handlers outside Mainland China.
- Conducting a personal information protection impact assessment before initiating a cross-border transfer.
Coverage Horizontal
Sources
- https://web.archive.org/web/20240617005345/https://www.wilmerhale.com/en/insights/client-alerts/20200324-china-issues-new-personal-information-security-specification
- https://web.archive.org/web/20220524101741/https://www.pipchina.cn/uploads/20210926/1632643529092037513.pdf
- https://web.archive.org/web/20230910032835/https://www.tc260.org.cn/upload/2020-09-18/1600432872689070371.pdf
- Show more...
CHINA
Since November 2012, entry into force in February 2013
Pillar Cross-border data policies |
Indicator Conditional flow regime
Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (公共及商用服务信息系统个人信息保护指南)
Art. 5.4.5. of the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems prohibit the transfer of personal data abroad without the express consent of the data subject, government permission or explicit regulatory approval "absent express consent of the subject of the personal information, or explicit legal or regulatory permission, or absent the consent of the competent authorities". If these conditions are not fulfilled, "the administrator of personal information shall not transfer the personal information to any overseas receiver of personal information, including any individuals located overseas or any organisations and institutions registered overseas." Although the Guidelines are a voluntary technical document, they might serve as a regulatory basis for judicial authorities and lawmakers.
Coverage Public and commercial services information systems
Sources
- https://web.archive.org/web/20231114190732/http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm
- https://web.archive.org/web/20231123130542/https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm
- https://web.archive.org/web/20241202200931/https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm
- https://web.archive.org/web/20241202201136/https://www.chinalawtranslate.com/en/Provisions-on-Promoting-and-Regulating-the-Cross--Border-Flow-of-Data/
- https://www.dataguidance.com/notes/china-data-transfers
- https://web.archive.org/web/20241202201305/https://iclg.com/practice-areas/data-protection-laws-and-regulations/china
- Show more...
CHINA
N/A
Pillar Cross-border data policies |
Indicator Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
China has not joined any agreement with binding commitments to open transfers of data across borders. Art. 12.15 of the Regional Comprehensive Economic Partnership (RCEP) recognises that each party may maintain its own regulatory requirements governing cross‑border transfers of information by electronic means and stipulates that such transfers shall not be restricted when undertaken for the conduct of business by a covered person; however, the article simultaneously allows parties to adopt or maintain any measures they themselves deem necessary to achieve a legitimate public policy objective, as well as any measures necessary to protect essential security interests, with the parties expressly affirming that the determination of such necessity lies solely with the implementing party and that such measures shall not be subject to dispute. It is reported that this formulation enables China to preserve its domestic data‑control regime under the rubric of national security without risking inter‑state disputes, and that the relative weakness of Chapter 12 renders its provisions largely ineffectual in facilitating the liberalisation of cross‑border data flows, particularly because the clause entrusting necessity assessments to the implementing party effectively permits any measure to be characterised as legitimate at that party’s discretion.
Coverage Horizontal
Sources
- https://web.archive.org/web/20260108205952/https://www.unilu.ch/fileadmin/fakultaeten/rf/burri/TAPED/TAPED_Burri_Vasquez_2025.xlsx
- https://web.archive.org/web/20250927032823/https://asean.org/wp-content/uploads/2024/10/Regional-Comprehensive-Economic-Partnership-RCEP-Agreement-Full-Text.pdf
- https://web.archive.org/web/20260317152539/https://moderndiplomacy.eu/2024/11/30/cross-border-data-flows-under-rcep-striking-a-balance-between-security-and-competitiveness/
- https://web.archive.org/web/20260317153111/https://www.cigionline.org/articles/digital-trade-rcep-wtos-future/
- Show more...
CHINA
Since August 2021, entry into force in November 2021
Pillar Domestic data policies |
Indicator Framework for data protection
Personal Information Protection Law of the People's Republic of China (中华人民共和国个人信息保护法)
The Personal Information Protection Law provides a comprehensive regime of data protection in China.
Coverage Horizontal
CHINA
Since January 2019
Pillar Cross-border data policies |
Indicator Ban to transfer and local processing requirement
Banking Financial Institutions Anti-Money Laundering and Counter Terrorist Financing Management Measures
Pursuant to Art. 28 of the ¨Banking Financial Institutions Anti-Money Laundering and Counter-Terrorist Financing Management Measures¨, banking and financial institutions are prohibited from transmitting customer identification information and transaction data obtained in the course of fulfilling anti-money laundering and counter-terrorist financing obligations to entities outside the country, except where such transmission is authorised by applicable laws and administrative regulations.
Coverage Financial sector
