CHINA
Since October 2020
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Amendment to the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (《信息安全技术-个人信息安全规范》(GB/T 35273-2020)修正案)
The 2020 Personal Information Security Specification provides that personal information controllers shall appoint a person and a department responsible for personal information (PI) protection. The person responsible for PI protection must have relevant management experience and personal information protection expertise, participate in important decisions on personal information processing activities, and report directly to the principal of the organization.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230221153710/https://www.tc260.org.cn/upload/2020-09-18/1600432872689070371.pdf
- https://web.archive.org/web/20211124183425/https://www.manafoundation.org/uploads/soft/200601/%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%A8%E6%8A%80%E6%9C%AF%E4%B8%AA%E4%BA%BA%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%...
CHINA
Since November 2016, entry into force in June 2017
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Cybersecurity Law (网络安全法)
Art. 21 of the Cybersecurity Law requires network operators to appoint persons in charge of cybersecurity. Critical information infrastructure operators (CIIOs) are also required to set up specialised security management bodies and persons responsible for security management. Further, CIIOs must conduct security background checks on those responsible persons and personnel in critical positions.
Coverage Horizontal
CHINA
Since June 2021, entry into force in September 2021
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Data Security Law of the People’s Republic of China (中华人民共和国数据安全法)
Art. 35 of the Data Security Law stipulates that where public security or national security authorities need to consult any data in order to safeguard national security or investigate a crime, the relevant organizations and individuals must provide such data. The same article stipulates that before getting access to the data held by private organizations, public security or national security authorities must go through strict approval formalities in advance.
Coverage Horizontal
Sources
- https://web.archive.org/web/20231114111252/http://www.cac.gov.cn/2016-11/07/c_1119867116.htm
- https://web.archive.org/web/20231211020322/https://www.dataguidance.com/notes/china-third-country-assessment
- https://web.archive.org/web/20230325150629/http://www.npc.gov.cn/npc/c30834/202106/7c9af12f51334a73b56d7938f99a788a.shtml
CHINA
Since April 2023, entry into force in July 2023
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Counter-espionage Law of the People's Republic of China (中华人民共和国反间谍法)
The Counter-espionage Law of the People's Republic of China permits security authorities to inspect the baggage, electronic devices and facilities of individuals suspected of espionage and obliges logistics and telecommunications companies in China to provide “technical support” to fight espionage (Art. 41). It is reported that the Law’s broad definition of agents may offer an avenue to justify gathering data from foreign firms and their employees while they conduct business in China. This could reportedly give the Chinese authorities access to sensitive company data or trade secrets under the guise of preventing foreign cyber espionage.
Coverage Horizontal
Sources
- https://web.archive.org/web/20231105210414/https://www.chinalawtranslate.com/en/counter-espionage-law-2023/
- https://web.archive.org/web/20230803195143/https://www.lexology.com/library/detail.aspx?g=629864e4-351e-4831-a98f-fa08cb2924fa
- https://web.archive.org/web/20230912230828/https://www.gov.cn/yaowen/2023-04/27/content_5753385.htm
CHINA
Since December 2015, entry into force in January 2016, last amended in April 2018
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Counterterrorism Law of the People's Republic of China (中华人民共和国反恐怖主义法)
Art. 18 of the Counterterrorism Law requires Internet service providers and the telecommunication sector to “provide technical support and assistance, such as technical interface and decryption, to support the activities of the public security and state security authorities in preventing and investigating terrorist activities.”
Coverage Internet service providers and telecommunication sector
Sources
- https://web.archive.org/web/20230324194915/http://www.hoover.org/sites/default/files/research/docs/segal_webreadypdf_updatedfinal.pdf
- https://web.archive.org/web/20231129113030/http://www.xinhuanet.com//politics/2015-12/27/c_128571798.htm
- https://web.archive.org/web/20221210010510/http://www.npc.gov.cn/zgrdw/npc/xinwen/2018-06/12/content_2055871.htm
CHINA
Since September 2018
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Provisions for the Supervision and Inspection of Network Security by Public Security Agencies (公安机关互联网安全监督检查规定)
The Provisions for the Supervision and Inspection of Network Security by Public Security Agencies authorise local law enforcement agencies to conduct remote or onsite inspections of the businesses under their supervision. Inspections must ensure compliance with general regulatory obligations on all businesses under the Cybersecurity Law or specific obligations applicable to internet service providers, including, but not limited to, the implementation of technical measures for network security and data protection that comply with national standards. During such an inspection, law enforcement agencies can physically enter business sites and machine rooms, review and copy relevant information and assess the operational conditions and effectiveness of the technical measures taken by the company to safeguard the security of networks and information.
Coverage Internet service providers
Sources
- https://web.archive.org/web/20211016220414/https://www.morganlewis.com/pubs/2018/10/china-issues-new-rules-strengthening-local-authorities-power-to-enforce-cybersecurity-and-data-privacy-laws
- https://web.archive.org/web/20220517132914/http://www.gov.cn/zhengce/zhengceku/2018-12/31/content_5428637.htm
CHINA
Since September 2000
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
People’s Republic of China State Council Decree No. 292 - Internet Information Service Management Measures (中华人民共和国国务院令第 292 号 - 互联网信息服务管理办法)
According to Art. 14 of Decree No. 292, ISPs must provide user information to the authorities upon request, without judicial oversight.
Coverage Internet service providers
Sources
- https://web.archive.org/web/20231018001852/https://digichina.stanford.edu/work/internet-information-service-management-rules/
- https://web.archive.org/web/20231222235649/https://freedomhouse.org/country/china/freedom-net/2022
- https://web.archive.org/web/20230314063141/https://www.gov.cn/gongbao/content/2000/content_60531.htm
CHINA
N/A
Pillar Intermediary liability |
Indicator Safe harbour for intermediaries for copyright infringement
Lack of intermediary liability framework in place for copyright infringements
A basic legal framework on intermediary liability for copyright infringement is absent in China's law and jurisprudence. A safe harbour defence for internet intermediaries providing hosting services is spelt out in the Guiding Framework on Protection of Copyright for Network Dissemination (Art. 14-17, 22). The hosting defence established in Art. 22 applies only to service providers who host third-party materials. However, Art. 36 of the Tort Law of the People's Republic of China states that a "network service provider" shall assume the tort liability if it infringes "upon the civil right or interest of another person."
Furthermore, the Tort Law allows victims of the tort to notify the network service provider to demand the deletion, blocking or disconnection of the cause of infringement. Failing to do so can lead to further liability for the network provider in the event of further harm to the user. Finally, liability can be further increased in the event that the network service provider knew of the infringement but did not take action.
Coverage Internet intermediaries
Sources
- https://web.archive.org/web/20240129171425/http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf
- https://web.archive.org/web/20200222120116/http://www.jetlaw.org/2016/01/18/executives-of-a-chinese-online-video-sharing-service-provider-stood-trial-for-internet-pornography/
- https://web.archive.org/web/20220120082414/http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf
- https://web.archive.org/web/20180425225959/http://www.wipo.int/wipolex/en/text.jsp?file_id=182630
- https://web.archive.org/web/20170402022917/http://www.wipo.int/wipolex/en/details.jsp?id=13403
- https://web.archive.org/web/20231210140045/http://www.hrw.org/news/2013/01/04/china-renewed-restrictions-send-online-chill
- https://web.archive.org/web/20240226143908/http://www.gov.cn/zwgk/2006-05/29/content_294000.htm
- https://web.archive.org/web/20220112052017/http://www.gov.cn/flfg/2009-12/26/content_1497435.htm
- https://web.archive.org/web/20200714182556/http://www.npc.gov.cn/wxzl/wxzl/2000-12/17/content_4680.htm
CHINA
Since October 2020
Pillar Cross-border data policies |
Indicator Conditional flow regime
Amendment to the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (《信息安全技术-个人信息安全规范》(GB/T 35273-2020)修正案)
Section 9.2.i of the 2020 Specification provides that personal biometric information must not be shared or transferred unless actually essential for business needs, in which case the personal information subject must be separately informed of the purpose, the types of biometrics involved, the identity of the recipient and its data security capacity, and the personal information subject's explicit consent must be obtained.
Coverage Horizontal
Sources
- https://web.archive.org/web/20240617005345/https://www.wilmerhale.com/en/insights/client-alerts/20200324-china-issues-new-personal-information-security-specification
- https://web.archive.org/web/20220524101741/https://www.pipchina.cn/uploads/20210926/1632643529092037513.pdf
- https://web.archive.org/web/20230910032835/https://www.tc260.org.cn/upload/2020-09-18/1600432872689070371.pdf
CHINA
N/A
Pillar Intermediary liability |
Indicator Safe harbour for intermediaries for any activity other than copyright infringement
Lack of intermediary liability framework in place for copyright infringements
A basic legal framework on intermediary liability beyond copyright infringement is absent in China's law and jurisprudence. A safe harbour defence for internet intermediaries providing hosting services is spelt out in the Guiding Framework on Protection of Copyright for Network Dissemination (Art. 14-17, 22). The hosting defence established in Art. 22 applies only to service providers who host third-party materials. However, Art. 36 of the Tort Law of the People's Republic of China states that a "network service provider" shall assume the tort liability if it infringes "upon the civil right or interest of another person."
Furthermore, the Tort Law allows victims of the tort to notify the network service provider to demand the deletion, blocking or disconnection of the cause of infringement. Failing to do so can lead to further liability for the network provider in the event of further harm to the user. Finally, liability can be further increased in the event that the network service provider knew of the infringement but did not take action.
Coverage Internet intermediaries
Sources
- https://web.archive.org/web/20240129171425/http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf
- https://web.archive.org/web/20200222120116/http://www.jetlaw.org/2016/01/18/executives-of-a-chinese-online-video-sharing-service-provider-stood-trial-for-internet-pornography/
- https://web.archive.org/web/20220120082414/http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf
- https://web.archive.org/web/20180425225959/http://www.wipo.int/wipolex/en/text.jsp?file_id=182630
- https://web.archive.org/web/20170402022917/http://www.wipo.int/wipolex/en/details.jsp?id=13403
- https://web.archive.org/web/20231210140045/http://www.hrw.org/news/2013/01/04/china-renewed-restrictions-send-online-chill
- https://web.archive.org/web/20240226143908/http://www.gov.cn/zwgk/2006-05/29/content_294000.htm
- https://web.archive.org/web/20220112052017/http://www.gov.cn/flfg/2009-12/26/content_1497435.htm
- https://web.archive.org/web/20200714182556/http://www.npc.gov.cn/wxzl/wxzl/2000-12/17/content_4680.htm
CHINA
N/A
Pillar Cross-border data policies |
Indicator Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
China has not joined any agreement with binding commitments on data flows.
Coverage Horizontal
CHINA
Since June 2016, entry into force in August 2016
Pillar Intermediary liability |
Indicator User identity requirement
Administrative Provisions on Information Services of Mobile Internet Application Programs (移动互联网应用程序的信息服务管理规定)
According to the Administrative Provisions on Information Services of Mobile Internet Application Programs, app providers must ensure that new app users register with their real names by verifying users’ mobile phone numbers and/or other identity information.
Coverage Internet app providers and mobile Internet app stores
Sources
- https://web.archive.org/web/20200227150425/http://www.loc.gov/law/foreign-news/article/china-cyberspace-administration-releases-new-rules-on-mobile-apps/
- https://web.archive.org/web/20200215210816/https://www.cac.gov.cn/2016-06/28/c_1119122192.htm
- https://web.archive.org/web/20200312125139/http://www.cac.gov.cn/2016-06/28/c_1119122192.htm
CHINA
Since August 2021, entry into force in November 2021
Pillar Domestic data policies |
Indicator Framework for data protection
Personal Information Protection Law (个人信息保护法)
The Personal Information Protection Law (PIPL) is China's comprehensive data protection law and governs personal information processing activities carried out by entities or individuals within China. The PIPL introduces several important concepts, such as personal information, sensitive personal information, and processing.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230318162638/http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm
- https://web.archive.org/web/20230327145925/https://www.dataguidance.com/notes/china-data-protection-overview
- https://web.archive.org/web/20201129095844/https://www.mondaq.com/china/data-protection/1010164/china-releases-draft-personal-information-protection-law-
- https://web.archive.org/web/20230926053640/https://www.china-briefing.com/news/data-privacy-china-personal-information-protection-law-it-compliance-considerations/
CHINA
Since September 2000, last amended in February 2016
Pillar Cross-border data policies |
Indicator Ban to transfer and local processing requirement
Telecommunications Regulations of the People’s Republic of China (中华人民共和国电信条例)
It is reported that China's Telecommunications Regulations require all data collected within the country to be stored on Chinese servers. However, the relevant article has not been found in the regulations. Moreover, it is reported that, as a result of this regulation, Hewlett-Packard, Qualcomm, and Uber had to divest more than 50% of their businesses in China to Chinese companies to avoid fines.
Coverage Telecommunication services and cloud services
Sources
- https://web.archive.org/web/20231215121402/https://www.usitc.gov/publications/332/pub4716.pdf
- https://web.archive.org/web/20231229235811/http://www.china.org.cn/business/laws_regulations/2010-01/20/content_19273945.htm
- https://web.archive.org/web/20211021114802/https://www.kneppelhout.com/news/e-commerce-platform-applying-for-edi-license-in-china
- https://web.archive.org/web/20230309072123/http://www.gov.cn/zhengce/2020-12/26/content_5574368.htm
CHINA
Since November 2016, entry into force in June 2017
Since July 2022, entry into force in September 2022
Pillar Cross-border data policies |
Indicator Ban to transfer and local processing requirement
Cybersecurity Law (网络安全法)
Outbound Data Transfer Security Assessment Measures (数据出境安全评估办法)
Art. 37 of the Cybersecurity Law requires "key information infrastructure" operators to store personal information and critical data within China. Personal information and critical data can be stored outside of China where there is a genuine business need; in such cases a "security assessment" needs to be conducted in accordance with procedures formulated by the Cyberspace Administration of China (CAC) in collaboration with other authorities.
Art. 4 of the Outbound Data Transfer Security Assessment Measures, promulgated by the CAC, outlines four situations where a security assessment is necessary before an outbound transfer can take place, which include:
1) Cases where the transfer concerns “important data”, which is broadly defined as data that could endanger national security, economic operation, social stability, public health and safety;
2) Cases where the transfer concerns personal data by a critical information infrastructure operator or processor of personal information that processed data for 1 million or more individuals;
3) Cases of transfers concerning personal data by a personal information processor that has made outbound transfers of personal information of 100,000 individuals or sensitive personal information of 10,000 persons in the preceding year;
4) Any other situation where the CAC deems a security assessment necessary.
Art. 8 of the Measures covers the factors the CAC considers when undertaking a security assessment, including:
- The risks that the transfer may entail for national security or public interests, among other policy objectives;
- Legitimacy, necessity and method of transfer;
- Whether the level of data protection in the recipient country meets the requirements of laws in China;
- Sensitivity of the data and risks of being tampered with abroad;
- Agreed safeguard measures between the data processor and data recipient;
- Any other matter that the CAC deems necessary.
In case of unfavourable outcomes, the data handler can ask the CAC for a re-assessment and a final decision. In case of a positive decision, the permission to transfer data abroad is valid for two years, but if substantial changes in the risk factors arise, a new assessment might be needed.
Coverage Key information infrastructure operators
Sources
- https://web.archive.org/web/20220407134758/https://www.dataguidance.com/sites/default/files/en_cybersecurity_law_of_the_peoples_republic_of_china_1.pdf
- https://web.archive.org/web/20231129131106/https://www.gov.cn/xinwen/2016-11/07/content_5129723.htm
- https://web.archive.org/web/20231031122625/http://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm
- https://www.dataguidance.com/comparisons/data-transfers
- https://web.archive.org/web/20231117020458/https://www.oecd-ilibrary.org/docserver/179f718a-en.pdf?expires=1700187598&id=id&accname=guest&checksum=B514C9D17A410748E01DC1E832F0C83B
