Support Centre

China

Summary

Law: Personal Information Protection Law (PIPL) (Enforcement date of November 1, 2021).

Regulator: The Cyberspace Administration of China (the CAC).

Summary: On August 20, 2021, China approved the PIPL, the first comprehensive data protection legislation in the region. The Law entered into effect on November 1, 2021, and established personal information processing rules, data subject rights, and obligations for personal information processors, among other things. In addition to the PIPL, the NPC also approved, on June 10, 2021, the Data Security Law, which entered into effect on September 1, 2021. The Data Security Law regulates data processing activities associated with personal and non-personal data.

There are also provisions related to personal data protection in several other pieces of legislation, most notably the Cybersecurity Law 2016, which came into effect in 2017 (official Chinese version available here; unofficial English available here) (the Cybersecurity Law) which provides certain general requirements, and the regulations for the protection of children's personal information (only available in Chinese here) which contains obligations relating to the processing of children's personal data stipulated. In addition, there are numerous non-binding guidelines and standards that provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification.

Insights

The AI Safety Governance Framework v1.0 (the Framework) was published by the National Information Security Standardization Technical Committee (TC260) on September 9, 2024. It is neither a mandatory law or regulation, nor a national standard for AI, but more a general risk assessment and a guidance for different roles when facing the problem of artificial intelligence (AI) safety. Although not a law, it has contributed some useful and helpful opinions on AI safety governance, especially the risk assessment it proposed for safety risks. Dehao Zhang, Counsel at Fieldfisher, provides an overview of the Framework and how it may impact future AI legislation in China.

Along with the growth and increasing prevalence of artificial intelligence (AI), including generative AI, the privacy and ethical risks brought along by the new technology cannot be understated. Ada Chung Lai-Ling, Privacy Commissioner for Personal Data (PCPD), Hong Kong, China, looks at what steps organizations can take to ensure compliance and the guidance offered by the PCPD to help this.

Further to the Provisions on Promoting and Regulating Cross-border Data Transmission promulgated by the Cyberspace Administration of China on March 22, 2024 (the CBDT Provisions) which substantially reduce the procedural burden associated with transmitting data out of China, Beijing authorities recently issued the Administrative Measures for the Negative List for Data Export from China (Beijing) Pilot Free Trade Zone (for trial implementation) including a detailed negative list (the Beijing Negative List) on August 30, 2024. The Beijing Negative List aims to further liberalize the transmission of data out of the Beijing pilot free trade zone (FTZ) and provide more clarity on the identification of important data. On top of benefiting existing companies in the Beijing FTZ, the business-friendly tone of the Beijing Negative List seems to be a good reason for companies to revisit their current data export set-up and make the best use of the benefits offered under these new rules. Are these rules indeed creating a substantial difference and a game changer?

Dr. Michael Tan and Julian Sun, from Taylor Wessing, take a deep dive into the new measures and FTZ, comparing them with other FTZs in China.

The Cyberspace Administration of China (CAC) published the Regulations on Promoting and Regulating Cross-border Data Flows (only available in Chinese here) (the Regulations) on March 22, 2024, following their initial request for public comment in October 2023. The Regulations aim to clarify data transfer obligations under the Cyber Security Law (CSL), Data Security Law (DSL), and the Personal Information Protection Law (PIPL) including the data export security assessment, personal information export standard contract, and personal information protection certification. OneTrust DataGuidance provides an analysis of the Regulations with comments provided by Dr. Michael Tan, Partner at Taylor Wessing.

In an era dominated by digital connectivity, safeguarding the integrity of networks and information systems has become a global imperative. China, recognizing the critical importance of cybersecurity, has introduced the draft Management Measures for Cybersecurity Incident Reporting (the Measures). The Measures outline a comprehensive approach to reporting cybersecurity incidents, aiming to minimize losses, incentivize legal compliance, protect national cybersecurity, and align with existing legal frameworks. Samuel Yang, Chris Fung, and Bill Zhou, from AnJie Broad Law Firm, explore key provisions in the Measures, shedding light on the intricacies of China's evolving cybersecurity landscape.

On October 15, 2023, the public comment period closed for the Cyberspace Administration of China's (CAC) draft Provisions on Regulating and Promoting Cross-Border Data Flows (the Draft Provisions). In this Insight article, Kate M. Growley, Evan Y. Chuck, Zhiwei Chen, and Christiana State, from Crowell & Moring LLP, explore existing mechanisms in place and how the Draft Provisions could affect companies' data transfer obligations.

The rapid development of artificial intelligence (AI) in China has made it an important player on the global stage. In response to society's concerns over potential issues that could arise from this new technology, China has rolled out several sets of rules regarding the use of AI which will have an impact on companies that intend to integrate AI into their daily operations in the Chinese market. The Interim Measures for the Administration of Generative Artificial Intelligence Services (AI Measures), released on July 10, 2023, have become a hot topic of conversation. While they represent a significant milestone in China's efforts to regulate AI, they may only have a limited impact on the companies using AI technologies.  

There is now another set of rules, but the title does not refer to the term AI so could be easily overlooked: the Technology Ethics Review Measures (Trial), promulgated by the Ministry of Science and Technology (MOST) together with several other ministries and institutions on September 7, 2023, which entered into effect on December 1, 2023 (Review Measures). After comparing with the earlier AI Measures, the Review Measures appear to be more relevant to international companies that plan to apply AI technologies in the course of their business in China and will be subject to some statutory obligations, including actionable measures. Dr. Michael Tan and Julian Sun, from Taylor Wessing, analyze these measures, exploring their relevance and practical implications for organizations.  

In many aspects, the Personal Information Protection Law (PIPL), which became effective on November 1, 2021, looks very similar to the EU's General Data Protection Regulations (GDPR). However, many of these similarities remain as high-level principles under the PIPL, while more detailed content has been rolled out step by step. Earlier this year, the Cyberspace Administration of China (CAC), established export security assessment procedures and Standard Contractual Clauses (SCCs) for data exports. Now, the CAC is shifting its focus to compliance audits. On August 3, 2023, the CAC presented the draft Administrative Measures for Compliance Audit of Personal Information Protection (Draft Audit Measures) soliciting public comments. For Data Protection Officers (DPOs) and compliance officers, this topic will become another important task to include in their planning for implementation in 2024.

In this Insight article, Julian Sun, from Taylor Wessing, delves into the key provisions of the Draft Audit Measures and sheds light on the evolving compliance audit framework, highlighting its importance, nuances, and potential impacts for companies operating in China.

As the digital economy continues to expand globally and the legal regimes of data protection vary in different jurisdictions, multinational companies carrying out cross-border data transfer activities face challenges in complying with multi-jurisdictional data protection regulations. In this context, those relatively flexible approaches for cross-border data transfers with less regulatory involvement will become important instruments for multinational companies seeking to navigate the legal landscape.

In this Insight article, Dora Luo (Duoqun), Partner at Hunton Andrews Kurth LLP, examines the similarities and differences between the Standard Contract for Cross-border Transfer of Personal Information (the Standard Contract) under the Personal Information Protection Law (PIPL) and the Standard Contractual Clauses (SCCs) under the General Data Protection Regulation (GDPR), with a particular focus on requirements, steps that must be taken before their use, circumstances that may require revision, and general comments.

Part one of this series presents an overview of the Information Security Technology - Technical Requirements of Security Design for Cybersecurity Classification Protection (GB/T 25070-2019) ('the Security Design Requirements'), Part two looks at the Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity (GB/T 25058-2019) ('the 2019 Implementation Guide'), and Part three explores the Information Security Technology - Evaluation Requirements for Cybersecurity Classification Protection (GB/T 28448-2019) ('the Evaluation Requirement'). In this Insight article, Jim Fitzsimmons, Principal at Control Risks Group Limited, looks specifically at the GB/T 22239-2019 Information Security Technology – Baseline for Classified Protection of Information System Security (the Baseline Standard).

On 24 February 2023, the Cyberspace Administration of China ('CAC') promulgated the finalised Standard Contract Measures for Exporting Personal Information1 ('the Measures'), along with the Personal Information Export Standard Contract ('the Standard Contract'). The Measures will take effect on 1 June 2023. Most companies which transfer personal information out of China will need to adopt responsive measures in order to comply.

In this Insight article, Richard Qiang, Partner at DaHui Lawyers, provides a summary of the key takeaways from the Measures and the Standard Contract.

On 2 December 2022, the Communist Party of China ('CPC') Central Committee and the State Council jointly released the Opinions on Building Basic Systems for Data to Better Play the Role of Data Factors ('the Opinions'), in order to speed up efforts to build basic systems for data, give full play to China's strengths in massive-scale data and rich application scenarios, and stimulate the potential of data factors. Dr. Annie Xue and Yang Chen, from GEN Law Firm, outline the key takeaways from the Opinions.