CHINA
Since September 2000, last amended in February 2016
Pillar Content access |
Indicator Licensing schemes for digital services and applications
Telecommunications Regulations of the People’s Republic of China (中华人民共和国电信条例)
According to Art. 7 of the Telecom Regulations, a telecom operator must obtain a proper license for its telecom business. In accordance with Art. 8, telecom business is divided into basic telecom business and value-added telecom (VAT) business. The Classification Catalogue of Telecom Business, attached to these Regulations, further divides basic telecom business and VAT business into different sub-categories, each requiring a corresponding license. One of the essential sub-categories of VAT business is called “Information Service”. The information service provided through the Internet is called “Internet Information Service”, which is usually referred to as Internet Content Provision (ICP) service. This is a very broad category and covers a wide range of online services, such as instant messaging, app stores, search engines, online communities, and online anti-virus services, among others. An ICP license is required for the ICP service. All websites with their own domain name that are hosted on the Chinese mainland territory are required to obtain an ICP license. Websites that are hosted outside of the Chinese mainland territory do not need to obtain it.
ICP filing is regulated by local regulations in each province. In general, requirements are similar in every province; for example, the core requirement fixed by Beijing municipality is that the website abides by the content laws in China and “should not contain materials related to terrorism, explosives, drugs, jurisprudence, gambling, and other illegal acts”. In addition, the following requirements and documents shall be prepared and provided:
- The domain name must be registered with a China-based domain name provider.
- The ICP Filing subject must be the domain name owner.
- For individuals, a scanned copy or photo of the front and back of the ID card is required.
- For companies, a scanned copy or photo of the company’s registration certificate and scanned copies or photos of the front and back of the ID cards of the persons in charge of ICP Filing and the website are required.
- Other documents required by the local communications administration, such as a domain name certificate.
Websites are shut down, and companies can be blacklisted by the Chinese Ministry of Industry and Information Technology if they do not comply with the ministry's requirements.
Coverage Internet Content Provision services
Sources
- https://web.archive.org/web/20240118214403/https://www.gov.cn/gongbao/content/2016/content_5139478.htm
- https://www.registrationchina.com/articles/law/telecommunications-regulations-of-china/
- https://web.archive.org/web/20231202115627/https://appinchina.co/government-documents/announcement-of-the-ministry-of-industry-and-information-technology-on-promulgating-the-classification-catalogue-o...
- https://web.archive.org/web/20230401205554/https://www.lexology.com/library/detail.aspx?g=7d68fc55-016c-4f2c-bb8c-d027e232cacc
CHINA
Since June 2017
Since June 2017
Pillar Content access |
Indicator Licensing schemes for digital services and applications
Internet News Information Service Management Regulations (互联网新闻信息服务管理规定)
Provisions on Administrative Law Enforcement Procedures for Internet Information Content Management (互联网信息内容管理行政执法程序规定)
According to Art. 5 of the Provisions on the Administration of Internet News Information Services, Internet news providers are required to obtain a permit to provide Internet news information services to the social public through Internet websites, application software, forums, blogs, microblogs, public accounts, instant messaging tools, online live streaming and other such methods. In addition, pursuant to Art. 6 of the Provisions, the applicant’s person-in-charge or chief editor must be a Chinese citizen, and the applicant shall have a legal person legally established within the territory of the People's Republic of China. Furthermore, the applicant must separately obtain an Internet Content Provider (ICP) license or an ICP filing from telecom industry regulators. According to Art. 16 of the law, without an ICP number, a website can be shut down by the hosting provider with no notice.
Furthermore, all privately operated news services are obligated to have their operations overseen by personnel endorsed by the ruling party. Editorial staff working on these platforms need approval from national or local government internet and information offices, and their employees are required to undergo training and obtain reporting credentials from the central government. The Provisions on Administrative Law Enforcement Procedures for Internet Information Content Management set out the procedural and administrative processes for the Cyberspace Administration of China to enforce the laws and regulations relating to Internet content.
Coverage Online news providers
CHINA
Since October 2020
Pillar Cross-border data policies |
Indicator Conditional flow regime
Amendment to the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (《信息安全技术-个人信息安全规范》(GB/T 35273-2020)修正案)
Section 9.2.i of the 2020 Specification provides that personal biometric information must not be shared or transferred unless actually essential for business needs, in which case the personal information subject must be separately informed of the purpose, the types of biometrics involved, and the identity of the recipient and its data security capacity, and the personal information subject's explicit consent must be obtained.
Coverage Horizontal
Sources
- https://web.archive.org/web/20240617005345/https://www.wilmerhale.com/en/insights/client-alerts/20200324-china-issues-new-personal-information-security-specification
- https://web.archive.org/web/20220524101741/https://www.pipchina.cn/uploads/20210926/1632643529092037513.pdf
- https://web.archive.org/web/20230910032835/https://www.tc260.org.cn/upload/2020-09-18/1600432872689070371.pdf
CHINA
N/A
Pillar Intermediary liability |
Indicator Safe harbour for intermediaries for any activity other than copyright infringement
Lack of intermediary liability framework in place for copyright infringements
A basic legal framework on intermediary liability beyond copyright infringement is absent in China's law and jurisprudence. A safe harbour defence for internet intermediaries providing hosting services is spelt out in the Guiding Framework on Protection of Copyright for Network Dissemination (Art. 14-17, 22). The hosting defence established in Art. 22 only applies to service providers who host third-party materials. However, Art. 36 of the Tort Law of the People's Republic of China states that a "network service provider" shall assume the tort liability if it infringes "upon the civil right or interest of another person."
Furthermore, the Tort Law allows victims of the tort to notify the network service provider to demand the deletion, blocking or disconnection of the cause of infringement. Failing to do so can lead to further liability for the network provider in the event of further harm to the user. Finally, liability can be further increased in the event that the network service provider knew of the infringement but did not take action.
Coverage Internet intermediaries
Sources
- https://web.archive.org/web/20240129171425/http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf
- https://web.archive.org/web/20200222120116/http://www.jetlaw.org/2016/01/18/executives-of-a-chinese-online-video-sharing-service-provider-stood-trial-for-internet-pornography/
- https://web.archive.org/web/20220120082414/http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf
- https://web.archive.org/web/20180425225959/http://www.wipo.int/wipolex/en/text.jsp?file_id=182630
- https://web.archive.org/web/20170402022917/http://www.wipo.int/wipolex/en/details.jsp?id=13403
- https://web.archive.org/web/20231210140045/http://www.hrw.org/news/2013/01/04/china-renewed-restrictions-send-online-chill
- https://web.archive.org/web/20240226143908/http://www.gov.cn/zwgk/2006-05/29/content_294000.htm
- https://web.archive.org/web/20220112052017/http://www.gov.cn/flfg/2009-12/26/content_1497435.htm
- https://web.archive.org/web/20200714182556/http://www.npc.gov.cn/wxzl/wxzl/2000-12/17/content_4680.htm
CHINA
N/A
Pillar Cross-border data policies |
Indicator Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
China has not joined any agreement with binding commitments on data flows.
Coverage Horizontal
CHINA
Since June 2016, entry into force in August 2016
Pillar Intermediary liability |
Indicator User identity requirement
Administrative Provisions on Information Services of Mobile Internet Application Programs (移动互联网应用程序的信息服务管理规定)
According to the Administrative Provisions on Information Services of Mobile Internet Application Programs, app providers must ensure that new app users register with their real names by verifying users’ mobile phone numbers and/or other identity information.
Coverage Internet app providers and mobile Internet app stores
Sources
- https://web.archive.org/web/20200227150425/http://www.loc.gov/law/foreign-news/article/china-cyberspace-administration-releases-new-rules-on-mobile-apps/
- https://web.archive.org/web/20200215210816/https://www.cac.gov.cn/2016-06/28/c_1119122192.htm
- https://web.archive.org/web/20200312125139/http://www.cac.gov.cn/2016-06/28/c_1119122192.htm
CHINA
Since August 2021, entry into force in November 2021
Pillar Domestic data policies |
Indicator Framework for data protection
Personal Information Protection Law《个人信息保护法》
The Personal Information Protection Law (PIPL) is China's comprehensive data protection law and governs personal information processing activities carried out by entities or individuals within China. The PIPL introduces several important concepts, such as personal information, sensitive personal information, and processing.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230318162638/http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm
- https://web.archive.org/web/20230327145925/https://www.dataguidance.com/notes/china-data-protection-overview
- https://web.archive.org/web/20201129095844/https://www.mondaq.com/china/data-protection/1010164/china-releases-draft-personal-information-protection-law-
- https://web.archive.org/web/20230926053640/https://www.china-briefing.com/news/data-privacy-china-personal-information-protection-law-it-compliance-considerations/
CHINA
Since September 2000
Since December 2012
Pillar Domestic data policies |
Indicator Minimum period for data retention
Regulation on Internet Information Services of the People's Republic of China 《互联网信息服务管理办法》
Decision on Strengthening Network Information Protection 《关于加强网络信息保护的决定》
The Regulation on Internet Information Services of the People's Republic of China requires that Internet Service Providers (ISPs) keep records of each service user’s time spent online, user account, IP address or domain name, phone number and other information for 60 days and provide that information to the authorised government authorities when required (Art. 14).
In addition, the Decision on Strengthening Network Information Protection requires ISPs to cooperate with the government and provide technical support upon inquiry from the authorised government authorities (Art. 10).
Coverage Internet Service Providers
Sources
- https://web.archive.org/web/20211025231406/http://www.lawinfochina.com/Display.aspx?lib=law&Cgid=31477
- https://web.archive.org/web/20190404000306/http://www.loc.gov/law/foreign-news/article/china-npc-decision-on-network-information-protection/
- https://web.archive.org/web/20220117214103/https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw.data_protection/functions/handbook.pdf?country-1=CN
- https://web.archive.org/web/20220305221504/http://www.gov.cn/gongbao/content/2000/content_60531.htm
- https://web.archive.org/web/20230327145941/http://www.gov.cn/jrzg/2012-12/28/content_2301231.htm
CHINA
Since April 2001, amended in 2011, 2016, and 2019
Pillar Domestic data policies |
Indicator Minimum period for data retention
Internet Surfing Service Business Venue Management Rules 《互联网上网服务营业场所管理办法》
The Internet Surfing Service Business Venue Management Rules apply to commercial venues that provide Internet surfing services to the public through computers connected to the Internet. According to the Rules, Internet surfing service businesses are required to record the users' authentic ID information and relevant surfing information, record back-ups, preserve such information for 60 days and provide the same to relevant governmental departments who make inquiries according to the law.
Coverage Internet surfing services
Sources
- https://web.archive.org/web/20230519074759/https://chinacopyrightandmedia.wordpress.com/2001/04/03/internet-surfing-service-business-venue-management-rules/
- https://web.archive.org/web/20230110061559/https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/Documents/CountryProfiles/567%20china-d-Comparative%20Research_ed1a.PDF
- https://web.archive.org/web/20240610193600/http://www.gov.cn/gongbao/content/2002/content_61949.htm
CHINA
Since November 2000
Pillar Domestic data policies |
Indicator Minimum period for data retention
Provisions for the Administration of Internet Electronic Bulletin 《互联网电子公告服务管理规定》
The Provisions for the Administration of Internet Electronic Bulletin apply to electronic bulletin services, which refer to electronic bulletin boards, electronic whiteboards, electronic forums, internet chat rooms, message boards, and other forms of interactive behaviour characterised by the provision of information dissemination for online customers.
The electronic bulletin service provider must record all information content published in the electronic bulletin service system, including the internet access time, user account, Internet address or domain name, caller's phone number, and other information. Such records must be kept for 60 days and provided to the relevant state authority when inquiries are made according to the law.
Coverage Electronic bulletin services
Sources
- https://web.archive.org/web/20231208222512/https://www.cecc.gov/resources/legal-provisions/provisions-on-the-administration-of-internet-electronic-bulletin-services
- https://web.archive.org/web/20230110061559/https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/Documents/CountryProfiles/567%20china-d-Comparative%20Research_ed1a.PDF
- https://web.archive.org/web/20230324025934/http://www.gov.cn/gongbao/content/2001/content_61064.htm
CHINA
Since August 2021, entry into force in November 2021
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Personal Information Protection Law (个人信息保护法)
According to Art. 52 of the Personal Information Protection Law, if the volume of personal information processed reaches a threshold established by the Cyberspace Administration of China, the entity responsible for handling this data is required to appoint a personal information protection officer. However, it has been reported that the specific volume of personal information that would meet this threshold has yet to be determined. Furthermore, Art. 53 of the Law mandates that organisations established outside the borders of China must establish a dedicated entity or appoint a representative within China to oversee matters related to the personal information they process.
Coverage Horizontal
CHINA
Since August 2021, entry into force in November 2021
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Personal Information Protection Law (个人信息保护法)
Under Art. 55 of the Personal Information Protection Law, a personal information handler must conduct a personal information protection impact assessment prior to: processing sensitive personal information; using personal information in automated decision-making; engaging an entrusted party to process personal information on the personal information handler's behalf; providing personal information to another personal information handler; disclosing personal information to the public; transferring personal information outside of China; or any processing activity that will have a material impact on the personal rights and interests of an individual. The personal information protection impact assessment must specify: whether the purpose(s) and method(s) of processing are lawful, legitimate, and necessary; the impact of the processing on individuals' rights and interests, and the level of risk involved; and whether the protective measures undertaken are lawful, effective, and commensurate to the degree of such risk.
Coverage Horizontal
CHINA
Since October 2020
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Amendment to the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (《信息安全技术-个人信息安全规范》(GB/T 35273-2020)修正案)
The 2020 Personal Information Security Specification provides that personal information controllers shall appoint a person and a department responsible for personal information (PI) protection. The person responsible for PI protection must have relevant management experience and personal information protection expertise, participate in important decisions on personal information processing activities, and report directly to the principal of the organization.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230221153710/https://www.tc260.org.cn/upload/2020-09-18/1600432872689070371.pdf
- https://web.archive.org/web/20211124183425/https://www.manafoundation.org/uploads/soft/200601/%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%A8%E6%8A%80%E6%9C%AF%E4%B8%AA%E4%BA%BA%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%...
CHINA
Since November 2016, entry into force in June 2017
Pillar Domestic data policies |
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Cybersecurity Law (网络安全法)
Art. 21 of the Cybersecurity Law requires network operators to appoint persons in charge of cybersecurity. Critical information infrastructure operators (CIIOs) are also required to set up specialised security management bodies and persons responsible for security management. Further, CIIOs must conduct security background checks on those responsible persons and personnel in critical positions.
Coverage Horizontal
CHINA
Since June 2021, entry into force in September 2021
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Data Security Law of the People’s Republic of China (中华人民共和国数据安全法)
Art. 35 of the Data Security Law stipulates that where public security or national security authorities need to consult any data in order to safeguard national security or investigate a crime, the relevant organizations and individuals must provide such data. The same article stipulates that before getting access to the data held by private organizations, public security or national security authorities must go through strict approval formalities in advance.
Coverage Horizontal
Sources
- https://web.archive.org/web/20231114111252/http://www.cac.gov.cn/2016-11/07/c_1119867116.htm
- https://web.archive.org/web/20231211020322/https://www.dataguidance.com/notes/china-third-country-assessment
- https://web.archive.org/web/20230325150629/http://www.npc.gov.cn/npc/c30834/202106/7c9af12f51334a73b56d7938f99a788a.shtml
