CHINA

Since February 1993
Since November 2014

Pillar Domestic Data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
State Security Law《国家安全法》

Counterespionage Law《反间谍法》
Two articles of the State Security Law permitted the state security organs to access, when necessary, any information or data held by anyone in China. Art. 11 stipulated that "where state security requires, a state security organ may inspect the electronic communication instruments and appliances and other similar equipment and installations belonging to any organization or individual", and Art. 18 that "when a State security organ investigates and finds out any circumstances endangering State security and gathers related evidence, citizens and organizations concerned shall faithfully furnish it with relevant information and may not refuse to do so."
The Counterespionage Law, which repealed the State Security Law, provides for state security organ personnel to enter restricted regions, venues or units and to inspect, read or collect relevant archives, materials or items. Such access is permitted on the basis of the relevant national regulations, upon approval and presentation of the appropriate documents. State security organ personnel may also inspect electronic communication tools, equipment and facilities in accordance with the regulations.
Coverage Horizontal

CHINA

Since June 2021, entry into force in September 2021

Pillar Domestic Data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Data Security Law of the People's Republic of China 《中华人民共和国数据安全法》
Art. 35 of the Data Security Law stipulates that where public security or national security authorities need to access data in order to safeguard national security or investigate a crime, the relevant organizations and individuals must provide it. The same article requires those authorities to complete strict approval formalities before accessing data held by private organizations.
Coverage Horizontal

CHINA

Since June 2017

Pillar Domestic Data policies  |  Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
Cybersecurity Law 《网络安全法》
Art. 21 of the Cybersecurity Law requires network operators to appoint persons in charge of cybersecurity. Critical information infrastructure operators (CIIOs) are also required to set up specialized security management bodies and appoint persons responsible for security management. Further, CIIOs must conduct security background checks on those responsible persons and on personnel in critical positions.
Coverage Horizontal

CHINA

Since November 2012
Entry into force in February 2013

Pillar Domestic Data policies  |  Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems 《公共及商用服务信息系统个人信息保护指南》
The Guidelines require controllers to:
- Notify data subjects that the controller's legal representative or principal person bears overall responsibility for the security of personal data;
- Appoint a data security officer (which must be a full-time position if the organization processes personal data as its main line of business and employs over 200 people, or processes personal data of more than 500,000 people);
- Devise emergency plans to deal with security incidents;
- Undertake security audits at least once per year;
- Provide training to relevant staff on data security at least once a year.
Coverage Horizontal

CHINA

Since October 2020

Pillar Domestic Data policies  |  Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
Amendment to the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) 《信息安全技术-个人信息安全规范》(GB/T 35273-2020)修正案
The 2020 Specification provides that personal information controllers shall appoint a person and a department responsible for personal information (PI) protection. The person responsible for PI protection must be someone who has relevant management experience and personal information protection expertise and shall participate in important decisions on personal information processing activities and report directly to the principal of the organization.
Coverage Horizontal

CHINA

Since November 2000

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Provisions for the Administration of Internet Electronic Bulletin 《互联网电子公告服务管理规定》
These provisions apply to electronic bulletin services, meaning electronic bulletin boards, electronic whiteboards, electronic forums, internet chat rooms, message boards and other interactive forms of service through which online users disseminate information.
The electronic bulletin service provider must record all information content published in the electronic bulletin service system, together with the internet access time, user account, internet address or domain name, caller's phone number and other information. Such records must be kept for 60 days and provided to the relevant State authority upon lawful inquiry.
Coverage Electronic bulletin services

CHINA

Since April 2001, amended in 2011, 2016, and 2019

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Internet Surfing Service Business Venue Management Rules 《互联网上网服务营业场所管理办法》
The Internet Surfing Service Business Venue Management Rules apply to commercial venues that provide internet surfing services to the public through computers connected to the internet. Internet surfing service businesses are required to record users' authentic identity information and relevant surfing information, back up those records, preserve them for 60 days, and provide them to the relevant governmental departments upon lawful inquiry.
Coverage Internet surfing services

CHINA

Since June 2016
Entry into force in August 2016

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Administrative Provisions on Information Services of Mobile Internet Application Programs 《移动互联网应用程序的信息服务管理规定》
Under Art. 7 of the Provisions, mobile Internet application providers must, in accordance with the principle of "real name in the back end, voluntary in the front end", authenticate registered users' identities on the basis of mobile phone numbers or other real identity information, record user log information, and retain it for 60 days.
Coverage Internet app providers and mobile Internet app stores

CHINA

Since November 2016, amended in 2020

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Interim Regulations for the Management of Network Appoint Taxi Services Operations 《网络预约出租车服务运营管理暂行办法》
China instituted a licensing system for online taxi companies which requires them to store user data and business data generated by their operations on servers in China for at least two years; such information and data shall not be transferred abroad unless otherwise provided by laws and regulations.
Coverage Online taxi companies

CHINA

Since August 2021, entry into force in November 2021

Pillar Domestic Data policies  |  Sub-pillar Framework for data protection
Personal Information Protection Law《个人信息保护法》
The Personal Information Protection Law (PIPL) is China's comprehensive data protection law and governs personal information processing activities carried out by entities or individuals within China. The PIPL introduces several important concepts, such as personal information, sensitive personal information and processing. It explicitly provides for extraterritorial jurisdiction, and contains the traditional elements of data protection: principles of personal information processing, consent and non-consent grounds for processing, cross-border transfer mechanisms, and rights of data subjects.
Coverage Horizontal

CHINA

Since September 2000
Since December 2012

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Regulation on Internet Information Services of the People's Republic of China 《互联网信息服务管理办法》

Decision on Strengthening Network Information Protection 《关于加强网络信息保护的决定》
The Regulation on Internet Information Services of the People's Republic of China requires Internet Service Providers (ISPs) to keep records of each service user's time spent online, user account, IP address or domain name, phone number and other information for 60 days, and to provide that information to the authorized government authorities when required (Art. 14).
In addition, the Decision on Strengthening Network Information Protection requires ISPs to cooperate with the government and provide technical support upon inquiry from the authorized government authorities (Art. 10).
Coverage Internet Service Providers

CHINA

Since October 2020

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Amendment to the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) 《信息安全技术-个人信息安全规范》(GB/T 35273-2020)修正案
The 2020 Specification provides that personal biometric information must not be shared or transferred unless genuinely essential for business needs, in which case the personal information subject must be separately informed of the purpose, the types of biometrics involved, the identity of the recipient and its data security capacity, and the subject's explicit consent must be obtained (9.2.i).
Coverage Horizontal

CHINA

N/A

Pillar Cross-border data policies  |  Sub-pillar Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
China has not joined any agreement with binding commitments on data flows.
Coverage Horizontal

CHINA

Since November 2012, entry into force in February 2013

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems 《公共及商用服务信息系统个人信息保护指南》
Article 5.4.5 of the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems prohibits the transfer of personal data abroad without express consent of the data subject, explicit legal or regulatory permission, or approval of the competent authorities. "Absent express consent of the subject of the personal information, or explicit legal or regulatory permission, or absent the consent of the competent authorities", "the administrator of personal information shall not transfer the personal information to any overseas receiver of personal information, including any individuals located overseas or any organizations and institutions registered overseas."

Although the Guidelines are a voluntary technical document, they might serve as a regulatory basis for judicial authorities and lawmakers.
Coverage Public and Commercial Services Information Systems

CHINA

Since November 2021

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Personal Information Protection Law《个人信息保护法》
The Personal Information Protection Law (Art. 40) provides that critical information infrastructure operators, and personal information processors whose processing reaches the volume threshold set by the national cyberspace department, must store personal information collected and produced within the borders of China inside China. Where such information needs to be provided abroad, they must pass a security assessment organized by the national cyberspace department. Under Art. 38, a personal information processor must satisfy one of the following conditions to provide personal information outside the PRC: passing the security assessment organized by the national cyberspace department in accordance with Art. 40; obtaining personal information protection certification from a specialized institution in accordance with provisions issued by the national cyberspace department; concluding a contract with the overseas recipient, based on the standard contract formulated by the national cyberspace department, stipulating both parties' rights and obligations; or meeting other conditions set forth by laws, administrative regulations or the national cyberspace department.
Where a personal information processor provides personal information outside the People's Republic of China, it must inform the individual of the name of the overseas recipient, its contact information, the purpose and manner of processing, the types of personal information involved, and the manner and procedure for the individual to exercise his or her rights under the Law against the overseas recipient, and must obtain the individual's separate consent (Art. 39). Personal information processors may not provide personal information stored in the People's Republic of China to foreign judicial or law enforcement agencies without the approval of the competent authorities of the People's Republic of China (Art. 41).
Coverage Horizontal