
Personal Information Protection Regulations on the Mainland

Mainland's Personal Information Protection Law

I. Introduction

The Personal Information Protection Law (PIPL), the first piece of legislation in the Mainland dedicated to the protection of personal information, was passed by the Standing Committee of the National People’s Congress on 20 August 2021 and came into effect on 1 November 2021.

The PIPL regulates the processing of personal information and protects an individual’s rights and interests in relation to personal information. It stipulates that the processing of personal information must abide by the principles of legality, justice, integrity, minimum necessity, openness and transparency, and the purposes of processing shall be explicit and reasonable.

Individuals have the right to access, copy, correct and request erasure of their personal information from personal information processors (similar to data users under the Personal Data (Privacy) Ordinance of Hong Kong). Individuals can also request personal information processors to provide them with the means of transferring their personal information to other processors.

When processing personal information of a minor under the age of 14, personal information processors must obtain the consent of the minor’s parent or guardian, and must formulate specific personal information processing rules.

The PIPL prohibits the use of automated decision-making based on personal information to impose unreasonable differential treatment in trade practices, such as unreasonable price discrimination against individuals (commonly known as “sha shu” behaviour, i.e. charging established customers more on the basis of their data). In addition, when automated decision-making is used to push information or conduct commercial marketing, personal information processors must provide individuals with options that do not target their personal characteristics, or with convenient means to opt out.

If personal information processors wish to transfer personal information out of the Mainland, they must obtain separate consent from individuals and meet specific requirements, such as passing the security assessment conducted by the national cyberspace authorities, obtaining certification from the relevant professional institutions, or entering into a standard contract formulated by the national cyberspace authorities.

The PIPL has extraterritorial effect. If overseas organisations process personal information of natural persons in the Mainland for the purposes of offering products or services to them, or for analysing or evaluating their behaviours, such overseas organisations must abide by the requirements under the PIPL, and establish designated agencies or appoint representatives in the Mainland.

The national cyberspace authorities shall be responsible for the overall coordination of personal information protection and the related supervision and management. The relevant departments of the State Council shall also be responsible for the protection of personal information and the related supervision and management within their purview.

A personal information processor that contravenes the requirements under the PIPL is liable to a maximum fine of RMB 50,000,000 or 5% of its annual turnover of the preceding year, and may also, among other things, be ordered to suspend its business operations for rectification or have its relevant business permits or licences revoked.

The full text of the PIPL (in Chinese) is available at: https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm. An English translation published by the National People’s Congress (NPC) is also available at http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm. Please note that the NPC has specifically highlighted that the translation is for reference only.


II. Highlights of the Mainland’s Personal Information Protection Law
III. PCPD’s Publications and Articles on the Personal Information Protection Law
IV. Major Laws and Regulations of the Mainland in Relation to Cross-border Transfers of Personal Information (Extracted)
V. Facilitation Measures to Foster Cross-boundary Flows of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area
VI. Other Significant Regulatory Developments Relating to Personal Information Protection

Disclaimer

The information provided in this webpage is for general reference only. It does not provide an exhaustive guide to the application of the PIPL and / or any other regulations as mentioned in this webpage, and does not constitute any legal advice. The Privacy Commissioner for Personal Data makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information set out on this webpage. Organisations and individuals should seek professional legal advice for compliance with the requirements under the PIPL and / or other regulations in the Mainland.




II. Highlights of the Mainland’s Personal Information Protection Law

Below are the highlights of the PIPL.

1. Legislative Purpose

To protect the rights and interests in relation to personal information, regulate personal information processing activities, and promote the reasonable use of personal information[1].

2. Targets to be Regulated

The PIPL regulates processing activities of natural persons’ personal information in the Mainland[2], including the processing activities carried out by state organs[3].

A personal information processor refers to any organisation or individual that autonomously determines the purposes, means, etc. of the processing of personal information[4].

3. Extra-territorial Application

The PIPL also applies to the overseas processing of personal information of natural persons in the Mainland under the following circumstances[5]:

(1) offering products or services to natural persons in the Mainland;
(2) analysing or evaluating the behaviours of natural persons in the Mainland;
(3) any other circumstances as stipulated by laws or administrative regulations.

4. Definition of Personal Information

Personal information refers to all kinds of information, recorded electronically or by other means, that relates to identified or identifiable natural persons, but does not include anonymised information[6].

5. Definition of Sensitive Personal Information

Sensitive personal information refers to personal information that, if leaked or used illegally, may easily lead to the infringement of the dignity of natural persons, or may seriously endanger their personal or property safety, including information relating to biometrics, religious beliefs, specific identities, healthcare, financial accounts, an individual’s whereabouts, etc., as well as personal information of minors under the age of 14[7].

6. Transparency

When processing personal information, the principles of openness and transparency shall be adhered to. The rules on personal information processing shall be made public, and the purposes, means and scope of processing shall be explicitly stated[8].

Before processing personal information, personal information processors shall truthfully, accurately and fully inform individuals of the following matters in a prominent way and in comprehensible language: (1) their names and contact information; (2) the purposes and means of personal information processing, and the categories and retention periods of the personal information to be processed; and (3) the methods and procedures for individuals to exercise their rights, etc.[9].

If personal information processors provide individuals with the above information by formulating personal information processing rules, the rules shall be made public and be easy to access and retain[10].

If personal information processors need to transfer personal information due to mergers, divisions, dissolutions, bankruptcies or for any other reasons, they shall inform individuals of the recipients’ names and contact information[11].

If personal information processors provide the personal information they process to other processors, they shall inform the individuals of the recipients’ names and contact information, the purposes and means of processing and the categories of personal information to be processed, and obtain separate consent from the individuals[12].

7. Collection, Use and Disclosure, etc.

Personal information processing includes the collection, storage, use, processing, transmission, provision, disclosure and erasure, etc., of personal information[13].

Personal information shall be processed in accordance with the principles of legality, justice, necessity and integrity, and shall not be processed by fraudulent, misleading, coercive or similar means[14].

The processing of personal information shall be for an explicit and reasonable purpose, be directly related to that purpose, and be carried out in the way that has the least impact on individuals’ rights and interests. Collection of personal information shall be limited to the minimum scope necessary for the purpose of processing and shall not be excessive[15].

Personal information processors shall only process personal information under the circumstances prescribed in the PIPL, including (1) when an individual’s consent has been obtained; (2) when necessary for the establishment or performance of a contract to which the individual is a party, or for human resources management; (3) when necessary for fulfilling statutory duties or obligations; (4) when necessary for responding to public health emergencies, or for protecting the life, health or property safety of a natural person in an emergency; (5) for the reasonable processing of personal information for news reporting, media supervision and other activities conducted in the public interest; (6) for the reasonable processing of personal information that has been disclosed publicly by individuals themselves or is otherwise lawfully disclosed; and (7) in other circumstances as provided by laws or administrative regulations[16].

No organisation or individual shall illegally collect, use, process, transmit, trade, provide or disclose the personal information of others, or engage in personal information processing activities that endanger national security or harm the public interest[17].

Image collection and personal identification equipment in public places shall be installed only when necessary for the purpose of maintaining public safety, with prominent reminder signs set up. The personal images and identification information collected can only be used for the purpose of maintaining public safety and, unless individuals’ separate consents are obtained, shall not be used for any other purpose[18].

The PIPL is not applicable where a natural person processes personal information for personal or household affairs[19].

Further, personal information processors shall only process sensitive personal information where there is a specific purpose and sufficient necessity, and where stringent protective measures are in place[20]. Separate consents shall be obtained from individuals when processing their sensitive personal information[21]. Prior to processing sensitive personal information, personal information processors shall carry out personal information protection impact assessments, and the relevant reports and records shall be retained for at least three years[22]. Processors of sensitive personal information shall also notify individuals of the necessity of processing their sensitive personal information and the impact it has on their rights and interests[23].

If personal information processors process personal information of minors under the age of 14, they shall formulate specific personal information processing rules for such processing[24].

8. Consent

An individual’s consent refers to consent given voluntarily and explicitly by the individual on the basis of full information. Where laws or administrative regulations require separate consent or written consent for the processing of personal information, those requirements shall apply[25]. Obtaining individuals’ consents is one of the situations in which personal information is lawfully processed[26].

When there is any change to the purposes or means of personal information processing, or to the categories of personal information involved, consent shall be obtained again[27].

If the processing of publicly disclosed personal information has a significant impact on the rights and interests of individuals, the individuals’ consents shall be obtained[28].

Personal information processors shall obtain separate consents from individuals in the following circumstances:

  • providing the personal information they process to other personal information processors[29];
  • disclosing the personal information they process[30];
  • processing sensitive personal information[31];
  • using personal images and identification information collected in public places for purposes other than maintaining public safety[32]; and
  • transferring personal information out of the Mainland[33].

When processing personal information of minors under the age of 14, personal information processors shall obtain the consent of the minors’ parents or guardians[34].

Personal information processors shall not refuse to provide products or services to individuals on the ground that the individuals refuse to give consent or withdraw their consent to the processing of their personal information, except where the processing of personal information is necessary for the provision of the products or services[35].

Where personal information processing is based on an individual’s consent, the individual shall have the right to withdraw that consent. Personal information processors shall provide convenient ways for individuals to withdraw their consents[36].

9. Accuracy

When processing personal information, the quality of the personal information shall be guaranteed in order to avoid any adverse impact on individuals’ rights and interests caused by inaccurate or incomplete personal information[37].

10. Security

Personal information processors shall be accountable for their personal information processing activities, and take necessary measures to safeguard the security of the personal information that they process[38].

Personal information processors that entrust third parties to process personal information shall enter into a contract with the third parties specifying the purposes, duration and means of processing, the categories of personal information involved, the protective measures involved, and the rights and obligations of both parties, etc. The personal information processors shall supervise the processing activities carried out by the entrusted parties[39].

The parties entrusted to process personal information shall take necessary measures to safeguard the security of the personal information that they process[40].

11. Retention Period

The retention period of personal information shall be the shortest time necessary for fulfilling the purpose of processing[41].

Personal information processors shall, whether on their own initiative or upon the request of individuals, erase personal information under the circumstances prescribed in the PIPL, such as when (1) the retention period has expired; (2) the purpose of processing has been fulfilled, cannot be fulfilled, or the personal information is no longer necessary for fulfilling the purpose; (3) the consent of the individual has been withdrawn; or (4) the personal information processors have ceased providing products or services, etc.[42].

12. Accountability and Governance

Having regard to the purposes and means of processing, the categories of personal information involved, the impact on individuals’ rights and interests, and the potential security risks, etc., personal information processors shall take measures, including the following, to ensure that their personal information processing activities comply with the laws and regulations, and to prevent any unauthorised access to, leakage, tampering or loss of personal information: (1) formulating internal management systems and operation procedures; (2) implementing classified management of personal information; and (3) adopting technical security measures including encryption and de-identification[43].

Personal information processors that process personal information up to the threshold prescribed by the national cyberspace authorities shall appoint personal information protection officers, who shall be responsible for supervising the personal information processing activities and the implementation of protective measures[44].

Personal information processors outside the Mainland that are regulated by the PIPL shall establish designated agencies or appoint representatives in the Mainland to be responsible for handling matters related to personal information protection[45].

Personal information processors shall regularly conduct compliance audits of their personal information processing activities against the relevant laws and administrative regulations[46].

Personal information protection impact assessments shall be conducted by personal information processors under the following circumstances: (1) processing sensitive personal information; (2) using personal information to conduct automated decision-making; (3) entrusting other parties to process personal information, providing personal information to other personal information processors, or disclosing personal information; (4) transferring personal information out of the Mainland; or (5) carrying out processing activities which have significant impacts on the rights and interests of individuals. The relevant reports and records shall be retained for at least three years[47].

13. Obligations of Internet Platforms

Personal information processors that provide important internet platform services, have a large number of users and operate complex business models shall fulfil specific obligations, including (1) establishing robust compliance systems for personal information protection, and establishing independent bodies composed mainly of external members to supervise personal information processing activities; (2) abiding by the principles of openness, fairness and impartiality, formulating platform rules, and specifying the practices and obligations of product and service providers on the platform in relation to personal information processing; (3) ceasing to provide services to product or service providers on the platform that seriously violate the laws and administrative regulations when processing personal information; and (4) regularly publishing social responsibility reports on personal information protection and being subject to supervision by the public[48].

14. Breach Notification

When leakage, tampering or loss of personal information has occurred or may occur, personal information processors shall take remedial measures immediately, and notify the personal information protection authorities as well as the individuals concerned. The notification shall include (1) the categories of personal information involved, the causes of the incident and the potential harm; and (2) the remedial measures taken by the personal information processors and the mitigation measures that individuals may take, etc.[49].

If personal information processors consider that the measures they have taken can effectively prevent any harm arising from the leakage, tampering or loss, they may choose not to notify the individuals. However, if the personal information protection authorities consider that harm may be caused to individuals, they have the right to require the personal information processors to notify the individuals[50].

15. Cross-border Data Transfer

Personal information processors that need to transfer personal information out of the Mainland due to business needs shall first carry out personal information protection impact assessments, and retain the relevant reports and records for at least three years[51]. In addition, personal information processors shall obtain separate consents from individuals and meet one of the following conditions[52]:

  • passing the security assessment conducted by the national cyberspace authorities;
  • obtaining personal information protection certification from the relevant professional institutions in accordance with the regulations of the national cyberspace authorities;
  • entering into a contract with the overseas recipient stipulating both parties’ rights and obligations in accordance with the standard contract formulated by the national cyberspace authorities; or
  • meeting other conditions stipulated by laws or administrative regulations, or by the national cyberspace authorities.

Where an international treaty or agreement that the Mainland has concluded or acceded to contains provisions on the conditions for transferring personal information out of the Mainland, those provisions may be followed[53].

Personal information processors shall take necessary measures to ensure that the personal information processing activities undertaken by the overseas recipients meet the personal information protection standard prescribed by the PIPL[54].

In addition, personal information processors shall inform individuals of the names and contact information of the overseas recipients, the purposes and means of processing, the categories of personal information involved, and the methods and procedures for individuals to exercise their rights under the PIPL, etc.[55].

Critical information infrastructure operators and personal information processors that process personal information up to the threshold prescribed by the national cyberspace authorities shall store the personal information collected and generated in the Mainland within the Mainland. Where it is necessary to transfer such personal information overseas, they shall pass the security assessment conducted by the national cyberspace authorities, unless laws, administrative regulations or the national cyberspace authorities provide that the security assessment is not required[56].

16. Automated decision-making

Automated decision-making refers to the activity of automatically analysing and evaluating individuals’ behavioural habits, interests, hobbies, or economic, health and credit status, etc., through computer programs, and making decisions[57].

Personal information processors using personal information for automated decision-making shall ensure the transparency of the decision-making and the fairness and impartiality of the results, and shall not impose unreasonable differential treatment on individuals in terms of transaction prices or other transaction conditions[58].

Where a decision made solely by automated decision-making has a significant impact on an individual’s rights and interests, the individual shall have the right to request an explanation from the personal information processor and to refuse decisions made solely by automated means[59].

When automated decision-making is used to push information or conduct commercial marketing, individuals shall be provided with options that do not target their personal characteristics, or with convenient means to opt out[60].

Prior to carrying out automated decision-making, personal information processors shall conduct personal information protection impact assessments and retain the relevant reports and records for at least three years[61].

17. Rights of Data Access and Correction

Individuals shall have the right to access and copy their personal information held by personal information processors, and personal information processors shall provide the same in a timely manner[62].

If individuals discover that their personal information is inaccurate or incomplete, they shall have the right to request personal information processors to correct and supplement the relevant information[63].

Personal information processors shall establish a convenient mechanism for receiving and handling requests from individuals who exercise their rights. Where an individual’s request to exercise his rights is refused by a personal information processor, reasons for the refusal shall be provided. The individual may also file a lawsuit with the people’s court if a personal information processor refuses his request[64].

18. Personal Information Portability

If individuals request personal information processors to transfer their personal information to personal information processors designated by them, and the requests meet the requirements stipulated by the national cyberspace authorities, the personal information processors shall provide the means for the transfers[65].

19. Right to Erasure, Restrict or Refuse Personal Information Processing

Personal information processors shall, whether on their own initiative or upon receiving requests from individuals, erase personal information under one of the following circumstances[66]:

  • the purposes of processing have been fulfilled, cannot be fulfilled, or the personal information is no longer necessary for fulfilling the purposes of processing;
  • the personal information processors have ceased providing products or services;
  • the retention period has expired;
  • the individuals have withdrawn their consents;
  • the personal information processors have violated the laws, administrative regulations or agreements when processing personal information;
  • other circumstances stipulated by laws or administrative regulations.

If erasure of personal information is technically infeasible, personal information processors shall cease all processing of the personal information other than storage and the taking of necessary security protection measures[67].

Individuals shall have the right to restrict or refuse the processing of their personal information by others, except where laws or administrative regulations stipulate otherwise[68].

Close relatives of deceased natural persons may, for their own lawful and legitimate interests, exercise rights such as accessing, copying, correcting and erasing the personal information of the deceased[69].

20. Right to be Informed

Individuals shall have the right to be informed of and the right to make decisions on the processing of their personal information, and the right to restrict or refuse the processing of their personal information by others, except as otherwise stipulated by laws or administrative regulations[70].

Individuals shall have the right to request personal information processors to explain their personal information processing rules[71].

Personal information processors shall establish a convenient mechanism for receiving and handling requests made by individuals who exercise their rights[72]. Where an individual’s request to exercise his rights is refused by a personal information processor, reasons for the refusal shall be provided.

The individual may file a lawsuit with the people’s court if a personal information processor refuses his request to exercise his rights[73].

21. Enforcement Authorities

The national cyberspace authorities are responsible for the overall coordination of personal information protection and the related supervision and management. The relevant departments of the State Council are responsible for the protection of personal information and the related supervision and management within their purview[74].

The above authorities are collectively referred to as the personal information protection authorities[75].

If the personal information protection authorities, while performing their duties, discover illegal personal information processing activities that may constitute criminal offences, they shall promptly refer the matter to the public security authorities for handling in accordance with the law[76].

22. Penalty

Where the processing of personal information violates the requirements under the PIPL, the personal information protection authorities may order rectification, issue a warning and confiscate illegal gains. Processors that refuse to rectify shall be liable to a fine of not more than RMB 1,000,000. The person in charge who is directly responsible and other personnel who bear direct responsibility shall be liable to a fine of not less than RMB 10,000 and not more than RMB 100,000[77].

In serious cases, the personal information protection authorities at or above the provincial level may order rectification, confiscate illegal gains, and impose a fine of not more than RMB 50,000,000 or 5% of the annual turnover of the previous year. The personal information protection authorities may also order the suspension of the relevant business activities or the suspension of business for rectification, and notify the competent authorities to revoke the relevant business permits or licences. The person in charge who is directly responsible and other personnel who bear direct responsibility shall be liable to a fine of not less than RMB 100,000 and not more than RMB 1,000,000, and may be prohibited from serving as directors, supervisors, senior managers or personal information protection officers of relevant enterprises for a certain period of time[78].

If a violation of the requirements under the PIPL constitutes an act in violation of public security administration, public security administrative penalties shall be imposed in accordance with the law. If it constitutes a criminal offence, criminal liability shall be pursued in accordance with the law[79].

Contraventions of the requirements under the PIPL may be entered into the relevant credit records and published[80].

23. Compensation / Litigation

If the processing of personal information infringes individuals’ personal information rights and interests and causes harm, and the personal information processors cannot prove that they are not at fault, the personal information processors shall assume liability for damages and other tort liabilities. The liability for damages shall be determined on the basis of the losses suffered by the individuals or the benefits acquired by the personal information processors from the infringement. Where it is difficult to determine the losses of the individuals and the benefits of the personal information processors, the amount of damages shall be determined based on the actual circumstances[81].

If personal information processors process personal information in violation of the requirements under the PIPL, and infringe the rights and interests of many individuals, the people’s procuratorate, the consumer organisations specified by law, and the organisations designated by the national cyberspace authorities may file a lawsuit with the people’s court according to the law[82].


III. PCPD’s Publications and Articles on the Personal Information Protection Law

Date | Publication / Article
Monthly (since April 2021) | PCPD e-Newsletter (Chinese only)
  • Starting from April 2021, the “Mainland Corner” column gives readers monthly overviews of the latest legislative developments in personal information protection in the Mainland.
18/11/2021 | Introduction to the Personal Information Protection Law of the Mainland (Chinese only)
  • The “Introduction to the Personal Information Protection Law of the Mainland” (Introduction) is divided into three parts. The first two parts introduce the background and the major requirements of the Personal Information Protection Law (PIPL) respectively. Relevant requirements under other regulations and relevant cases are included to help readers better grasp the PIPL requirements. The third part of the Introduction gives an account of related regulations, such as those relating to data security, consumer rights, e-commerce, mobile applications, online platforms and the financial sector. A comparison between Hong Kong’s Personal Data (Privacy) Ordinance and the PIPL is also included in the Introduction to provide a quick overview of the similarities and differences between the two pieces of legislation.

IV. Major Laws and Regulations of the Mainland in Relation to Cross-border Transfers of Personal Information (Extracted)

Since the implementation of the Personal Information Protection Law, different authorities of the Mainland have published laws and regulations in relation to cross-border transfers of personal information, including:

Date of Publication | Effective Date | Law / Regulation
16/12/2022 | Not specified | The Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Processing of Personal Information Version V2.0 (《網絡安全標準實踐指南—個人信息跨境處理活動安全認證規範V2.0》) <Chinese only>
18/11/2022 | Not specified | Implementation Rules for Personal Information Protection Certification (《個人信息保護認證實施規則》) <Chinese only>
7/7/2022 | 1/9/2022 | The Security Assessment Measures on Cross-border Transfers of Data (《數據出境安全評估辦法》) <Chinese only>
31/8/2022 | 1/9/2022 | Guidance on Reporting Security Assessments of Cross-border Transfers of Data (1st edition) (《數據出境安全評估申報指南(第一版)》) <Chinese only>
24/2/2023 | 1/6/2023 | Measures on the Standard Contract for Cross-border Transfers of Personal Information (《個人信息出境標準合同辦法》) <Chinese only>
30/5/2023 | 1/6/2023 | Guidance on Filing the Standard Contracts for Cross-border Transfers of Personal Information (1st edition) (《個人信息出境標準合同備案指南(第一版)》) <Chinese only>
22/3/2024 | 22/3/2024 | Regulations on Facilitating and Regulating Cross-Border Data Flow (《促進和規範數據跨境流動規定》) <Chinese only>
22/3/2024 | Not specified | Guidance on Reporting Security Assessments of Cross-border Transfers of Data (2nd edition) (《數據出境安全評估申報指南(第二版)》) <Chinese only>
22/3/2024 | Not specified | Guidance on Filing the Standard Contracts for Cross-border Transfers of Personal Information (2nd edition) (《個人信息出境標準合同備案指南(第二版)》) <Chinese only>


The consultation documents in relation to cross-border transfers of personal information that have been published by different authorities in the Mainland include:

The Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Processing of Personal Information Version 2.0[83]

The National Information Security Standardisation Technical Committee (TC260) published a second edition of the “Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Processing of Personal Information Version V2.0” (the Guidance) on 16 December 2022. The Guidance amended an earlier version[84] published on 24 June of the same year by enhancing the requirements for personal information processors and data recipients outside the jurisdiction.

Article 38(2) of the PIPL states that one of the prerequisites for carrying out cross-border personal information processing activities is that personal information processors obtain certification in relation to personal information protection from specialised institutions according to the provisions issued by the national cyberspace authorities. The Guidance provides a basis for certification institutions to conduct certification of cross-border personal information processing activities, and serves as a reference guideline for personal information processors to regulate their own cross-border personal information processing activities[85].

The Guidance sets out various basic principles in relation to cross-border processing of personal information, requiring both personal information processors and the relevant data recipients outside the jurisdiction to meet the requirements of the laws and regulations of the Mainland[86]. Parties are also required to, amongst others, enter into legally binding agreements, designate an officer to take charge of personal information protection, and conduct a personal information protection impact assessment before carrying out cross-border processing activities[87]. In addition, the Guidance incorporates protection of various rights and interests of personal information subjects[88], including the right to withdraw consent, the rights to access and to erase their personal information, etc. The Guidance also sets out additional and more detailed requirements and obligations for personal information processors and data recipients outside the jurisdiction to observe when carrying out cross-border personal information processing activities, so as to meet the relevant requirements set out in the Security Assessment Measures on Cross-border Transfers of Data and in the Draft Rules on the Standard Contractual Clauses for Cross-border Transfers of Personal Information.

Other major requirements of the Guidance include:

  • personal information processors applying for certification should be valid legal entities currently carrying out business with good reputation and goodwill[89];
  • personal information processors and data recipients outside the jurisdiction should set up their respective personal information protection agencies in fulfilling their personal information protection obligations[90]; and
  • cross-border personal information processing activities should be recorded objectively, with the relevant records retained for at least three years and submitted to the national cyberspace authorities in accordance with relevant laws and regulations[91].

As no implementation date is specified in the Guidance, the date of issue shall be deemed as the effective date of the Guidance (i.e. 16 December 2022).

Implementation Rules for Personal Information Protection Certification[92]

On 18 November 2022, the State Administration for Market Regulation (SAMR) and the Cyberspace Administration of China (CAC) jointly issued the Implementation Rules for Personal Information Protection Certification (the Rules). The Rules provides clearer guidance on the certification of personal information processors in relation to their cross-border personal information processing activities, as mentioned in Article 38(2)[93] of the PIPL. The Rules sets out the basic principles and requirements of certification for personal information processors in relation to their collection, storage, use, processing, transmission, provision, disclosure, erasure and cross-border transfers, etc. of personal information.

The certification is a voluntary mechanism. The Rules stipulates that personal information processors carrying out cross-border personal information processing activities would have to comply with the national standards as set out in GB/T 35273-2020 Information Security Technology—Personal Information Security Specification[94] as well as in the TC260-PG-20222A Guidance.

The Rules also provides the following two personal information protection certification marks[95]:

(1) Certification mark for activities not involving cross-border processing of personal information [image of certification mark]
(2) Certification mark for activities involving cross-border processing of personal information [image of certification mark]
“ABCD” in the marks represents the certification institution.

According to the Rules, the modes for Personal Information Protection Certification include[96]:

  • Technical verification
  • On-site review
  • Continuous post-certification supervision

Certifications issued by certification institutions are valid for three years. Personal information processors must pass the post-certification supervision within the validity period in order to maintain the validity of the certification. For certifications that are due to expire, renewal applications should be made within six months before the actual date of expiry. The certification would only be renewed where the post-certification supervision by the relevant certification institution has been passed and the requirements of certification are satisfied[97].

As no implementation date is specified in the Rules, the date of issue shall be deemed as the effective date of the Rules (i.e. 18 November 2022).

The Security Assessment Measures on Cross-border Transfers of Data[98]

The Security Assessment Measures on Cross-border Transfers of Data (the Measures), promulgated by the Cyberspace Administration of China (CAC) on 7 July 2022, came into operation on 1 September 2022. The Measures were drafted with reference to relevant laws including the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law of the Mainland, for the purposes of regulating cross-border data transfers, protecting the rights and interests regarding personal information, upholding national security and society’s public interest, and facilitating the safe and free flow of data across the border.

The Measures apply to the security assessments of cross-border transfers of critical data and personal information collected and generated by data processors through their operations in the Mainland[99]. The term “critical data” refers to any data which, if tampered with, damaged, leaked, or illegally acquired or used, may endanger national security, the operation of the economy, social stability, public health and security, etc.[100] It is worth noting that, as stated in the Draft Information Security Technology - Guideline for Identification of Critical Data released by the National Information Security Standardization Technical Committee on 7 January 2022, “critical data” specifically excludes state secrets and personal information. However, statistical data and derivative data whose formation is based on massive amounts of personal information may be regarded as critical data[101].

According to the Measures, data processors (including enterprises or organisations) which effect cross-border transfers of data shall, in any of the following situations, carry out their own security assessments and report such security assessments to the CAC through the local cyberspace administration authorities at the provincial level[102]:

  • where the data processor transfers critical data across the border;
  • where the data processor which transfers personal information across the border is an operator of Critical Information Infrastructure;
  • where the data processor which transfers personal information across the border processes personal information of over 1 million persons;
  • where the data processor which transfers personal information across the border has cumulatively made outbound transfers of personal information of over 100,000 persons, or sensitive personal information of over 10,000 persons since 1 January of the preceding year; and
  • in other situations as prescribed by the CAC where a report on security assessment is required.

Regarding the applicability of the Measures, they should be read together with the Regulations on Facilitating and Regulating Cross-Border Data Flow, published by the CAC on 22 March 2024 (see below).

The self-assessment shall address, among others, the following key factors[103]:

  • the legality, propriety and necessity of (a) the cross-border transfer and (b) the purpose, scope and manner of processing of the data by the recipient outside the jurisdiction;
  • the quantity, scope, category and sensitivity of the outbound data, and the risks that cross-border transfer of data might pose to national security, public interests, and the lawful rights and interests of individuals or organisations;
  • whether the responsibilities and obligations undertaken by the recipient outside the jurisdiction and the management and technical measures and capabilities of such recipient to perform the aforesaid responsibilities and obligations can ensure the security of the outbound data;
  • the risks of the outbound data suffering from alteration, destruction, leakage, loss, transfer, illegal acquisition or illegal use, etc., during and after the cross-border transfer, and whether or not channels are available to uphold personal information rights and interests, etc.;
  • whether data security protection responsibilities and obligations are sufficiently stipulated in the contract, or other documents with legal effect, intended to be concluded with the recipient outside the jurisdiction regarding the cross-border data transfer; and
  • other matters that may affect the security of the cross-border data transfer.

Regarding the procedures for reporting a security assessment, the Measures require a data processor to submit reporting materials to the local cyberspace administration authorities at the provincial level, which shall, within five working days upon receipt, confirm whether the reporting materials are in order. If so, they are to be submitted to the CAC[104]. The CAC shall, within seven working days upon receipt of the reporting materials, determine whether or not to accept them for review and notify the data processor in writing[105]. The CAC shall complete the security assessment within 45 working days from the date of issuance of the written acceptance notice to the data processor[106]. If the situation is complicated or the reporting materials need to be supplemented or corrected, the processing time may be appropriately extended, and the data processor is to be notified of the estimated extension period[107]. The Measures also provide for a re-assessment mechanism. Where a data processor objects to the assessment results, the data processor may apply for a re-assessment within 15 working days upon receipt of the assessment results. The re-assessment results will be final[108]. Furthermore, the Measures empower the relevant authorities to hold a data processor legally accountable according to the law if the data processor wilfully submits false materials[109].

To guide and assist data processors in reporting security assessments of cross-border transfers of data in a regulated and orderly manner, the CAC issued the Guidance on Reporting Security Assessments of Cross-border Transfers of Data (1st edition)[110] and the Guidance on Reporting Security Assessments of Cross-border Transfers of Data (2nd edition)[111] on 31 August 2022 and 22 March 2024 respectively, explaining the specific requirements on the means and procedures of reporting such security assessments, as well as the materials to be submitted.

According to the Measures, the approval of the security assessment of cross-border transfers of data is valid for two years, to be calculated from the date when the results of the assessment are issued. The Measures set out the circumstances under which a data processor shall submit a report afresh before the expiry of the aforesaid period of validity[112]:

  • there are changes in the purpose, manner, scope, or category of transfer of data across the border, or the purpose and manner of processing the data by the recipient outside the jurisdiction, hence affecting the security of the outbound data; or where the time limit for storing personal information or critical data outside the jurisdiction is extended;
  • where the security of the outbound data is affected in situations such as: there is a change in the data security protection policies and cybersecurity environment of the recipient outside the jurisdiction, or another force majeure event occurs; there is a change in the actual control over the data processor or the recipient outside the jurisdiction; or there is a change to the legal document between the data processor and the data recipient outside the jurisdiction;
  • where other circumstances arise which affect the security of the outbound data.

Regarding the validity of the security assessment of cross-border transfers of data, the Measures should be read together with the Regulations on Facilitating and Regulating Cross-Border Data Flow, published by the CAC on 22 March 2024 (see below).

The Measures require data processors to submit another report on data security assessment 60 working days before the validity period expires, so as to continue with their cross-border transfers of data[113].

Lastly, the Measures provide that where cross-border data transfers carried out before 1 September 2022 (i.e. before the Measures came into operation) do not conform with the provisions of the Measures, steps must be taken to rectify the situation within 6 months from 1 September 2022[114].

Measures on the Standard Contract for Cross-border Transfers of Personal Information[115]

The CAC promulgated the Measures on the Standard Contract for Cross-border Transfers of Personal Information (the Standard Contract Measures) on 24 February 2023. The Standard Contract Measures, which comprise 13 provisions and a template standard contract, will come into operation on 1 June 2023.

The Standard Contract Measures is promulgated pursuant to laws and regulations including the PIPL[116]. Personal information processors are required to follow the provisions of the Standard Contract Measures and enter into a standard contract if they wish to rely on the execution of standard contracts to transfer personal information out of the Mainland as prescribed by Article 38(3)[117] of the PIPL[118]. The Standard Contract Measures also stipulates clearly that all other contractual provisions entered into between a personal information processor and a recipient outside the jurisdiction must not be in conflict with the standard contract[119].

According to the Standard Contract Measures, personal information processors that satisfy all of the following conditions may rely on the execution of standard contracts to transfer personal information out of the Mainland[120]:

  • where the personal information processor is not an operator of critical information infrastructure;
  • where the personal information processor which transfers personal information out of the Mainland processes personal information of not more than one million persons (in aggregate);
  • where the personal information processor which transfers out personal information has cumulatively made outbound transfers of personal information of not more than 100,000 persons (in aggregate) since 1 January of the preceding year; and
  • where the personal information processor which transfers out personal information has cumulatively made outbound transfers of sensitive personal information of not more than 10,000 persons since 1 January of the preceding year.

Regarding the applicability of the Standard Contract Measures, they should be read together with the Regulations on Facilitating and Regulating Cross-Border Data Flow, published by the CAC on 22 March 2024 (see below).

Pursuant to the Standard Contract Measures, the relevant personal information processor shall enter into a standard contract strictly in accordance with the template standard contract[121] and shall carry out a personal information protection impact assessment prior to the outbound transfer of personal information[122]. The impact assessment report, together with the signed standard contract, shall be filed with the local cyberspace administration authority at the provincial level within 10 working days from the effective date of the contract[123]. Any transfers of personal information out of the Mainland shall only take place after the standard contract takes effect[124].

To guide and assist personal information processors in filing the standard contracts for cross-border transfers of personal information in an orderly manner, the CAC issued the Guidance on Filing the Standard Contract for Cross-border Transfers of Personal Information (1st edition)[125] and the Guidance on Filing the Standard Contract for Cross-border Transfers of Personal Information (2nd edition)[126] on 30 May 2023 and 22 March 2024 respectively, setting out the details on the mode of filing, filing procedures, and materials to be submitted, etc.

Further, it is noteworthy that the Standard Contract Measures stipulates clearly that personal information processors that are required to duly undergo security assessments for transferring personal information out of the Mainland shall not deploy tactics such as quantity splitting so that they may transfer personal information outside the jurisdiction by entering into standard contracts[127].

The personal information protection impact assessment shall assess, among others, the following key matters[128]:

  • the legality, propriety and necessity of the purpose, scope and manner of processing of the personal information by the personal information processor and the recipient outside the jurisdiction;
  • the scale, scope, category and sensitivity of the outbound personal information, and the risks that cross-border transfer of personal information might pose to the rights and interests of individuals regarding personal information;
  • whether the obligations undertaken by the recipient outside the jurisdiction and the management, technical measures and capabilities of such recipient to perform such obligations can ensure the security of the outbound data;
  • the risks of the outbound personal information suffering from alteration, destruction, leakage, loss or illegal use, etc., during and after the cross-border transfers, and whether the channels provided to uphold the rights and interests of individuals regarding personal information are clear, etc.;
  • the impact of personal information protection policies and regulations of the location of the recipient outside the jurisdiction on the performance of the standard contract; and
  • other matters that may affect the security of the cross-border transfers of personal information.

Where any of the following situations take place during the effective period of the standard contract, the personal information processor shall conduct a new personal information protection impact assessment, supplement or re-enter into a standard contract with the personal information recipient outside the jurisdiction, and comply with the corresponding filing requirements:

  • change of the purpose, scope, category, sensitivity, manner of provision, location of storage of the personal information, or change of the purpose and manner of processing of personal information on the part of the recipient outside the jurisdiction, or extension of the retention period of the personal information outside the jurisdiction;
  • change of personal information protection policies and regulations of the location of the recipient outside the jurisdiction which may affect the rights and interests of individuals regarding personal information;
  • any other situations which may affect the rights and interests of individuals regarding personal information[129].

As to the terms of the standard contract, they cover, amongst others, the obligations of the personal information processor and the recipient outside the jurisdiction[130], the impact of personal information protection policies and regulations of the location of the recipient outside the jurisdiction on the performance of the standard contract[131], the rights of the individuals[132], remedies available to individuals[133], and liability for breach of the contract[134]. The personal information processor and the recipient outside the jurisdiction may also incorporate other provisions if necessary.

Finally, where cross-border transfers of personal information which have commenced before the effective date of the Standard Contract Measures (i.e. 1 June 2023) do not conform with the provisions of the Standard Contract Measures, action should be taken to rectify the situation within six months from the commencement of the Standard Contract Measures (i.e. before 30 November 2023)[135].

Regulations on Facilitating and Regulating Cross-Border Data Flow[136]

The CAC released the Regulations on Facilitating and Regulating Cross-Border Data Flow (the Regulations) on 22 March 2024, which came into effect on the same day. The Regulations, which comprise 14 provisions, seek to facilitate the orderly and free flow of data through, inter alia, introducing certain exemptions under which data processors may be exempted from conducting security assessments, entering into standard contracts, or obtaining personal information protection certification.

According to the Regulations, where the data concerned has not been classified or publicly promulgated by the relevant authorities or regions as important data, no security assessments would have to be conducted by the data processor(s)[137]. Situations where there can be exemptions from conducting security assessments, entering into standard contracts or obtaining personal information protection certifications include:

  • where the data to be transferred out of the Mainland is collected and generated from international trade, cross-border transportation, academic collaboration, cross-border manufacturing activities, and marketing or sales activities, and does not contain any personal information or important data[138];
  • where the personal information collected and originated by a data processor outside the Mainland is transferred to the Mainland for domestic processing before being provided abroad, and the process does not involve any personal information or important data within the Mainland[139];
  • where the transfer, not containing any important data, by a data processor meets one of the following conditions[140]:
    • the outbound transfer of personal information is necessary for the execution and performance of a contract to which the individuals are parties (e.g., for cross-border purchases, cross-border deliveries, cross-border remittances, cross-border payments, cross-border account opening, hotel and air ticket reservations, visa applications, examination services etc.);
    • the outbound transfer of employees’ personal information is necessary for the implementation of cross-border human resources management in accordance with applicable labour regulations and legally executed collective contracts;
    • the outbound transfer of personal information is necessary in emergency circumstances to protect an individual’s life, health, and the safety of his or her property; and
    • the data processor that is not a critical information infrastructure operator (CIIO) transfers personal information of less than 100,000 individuals (excluding sensitive personal information) since 1 January of the current year.

The Regulations stipulates that security assessments shall be filed with the CAC through the provincial cyberspace authorities where one of the following requirements is met[141]:

  • CIIOs are to transfer personal information or important data outside the Mainland;
  • Non-CIIOs are to transfer important data, or personal information of over 1,000,000 individuals (not containing any sensitive personal information), or sensitive personal information of over 10,000 individuals since 1 January of the current year outside the Mainland.

Data processors that are not CIIOs are required to enter into standard contracts or obtain personal information protection certifications when personal information of over 100,000 individuals but less than 1,000,000 individuals (not containing any sensitive personal information), or sensitive personal information of less than 10,000 individuals, to be counted from 1 January of the current year, is to be transferred out of the Mainland[142].

Data processors that transfer personal information abroad should fulfil obligations related to notification, obtaining separate consent from individuals, conducting personal information protection assessments, etc.[143] The validity period of approved security assessment results is 3 years. Data processors that need to continue to transfer data abroad and have not encountered any circumstances that necessitate reapplication may apply to the CAC for an extension of the validity period of the approved assessment results within 60 working days before the validity period expires. Upon approval, the validity of the assessment results can be extended for another 3 years[144].

Pursuant to the framework of the national data classification and grading protection system, free trade pilot zones can formulate their own lists of data that require security assessments, standard contracts or other personal information protection certifications, also known as a “negative list”, based on their respective needs[145]. Upon approval of the provincial CAC offices, such “negative list” should be filed with the national CAC and the national data management authorities. Data not included in the “negative list” can be exempted from the requirements of conducting security assessments, entering into standard contracts or obtaining personal information protection certifications.

Finally, in case of any inconsistencies between the provisions in the Security Assessment Measures on Cross-border Transfers of Data and the Measures on the Standard Contract for Cross-border Transfers of Personal Information and those of the Regulations, the provisions of the Regulations shall prevail[146].

V. Facilitation Measures to Foster Cross-boundary Flows of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area

The Cyberspace Administration of China (CAC) and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (ITIB) signed the Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macao Greater Bay Area (MoU) on 29 June 2023 to jointly promote cross-boundary data flows in the Guangdong-Hong Kong-Macao Greater Bay Area (GBA). The Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (GBA SC) is a facilitation measure under the MoU to foster the cross-boundary flows of personal information[147] within the GBA. It was formulated by the CAC, ITIB, and the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD).

The GBA SC applies to cross-boundary flows of personal information between personal information processors[148] and recipients which are registered (applicable to organisations) or who are located (applicable to individuals) in the Mainland cities within the GBA (i.e. Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing of Guangdong Province) and Hong Kong, including cross-boundary personal information transfers from the Mainland cities within the GBA to Hong Kong and those from Hong Kong to the Mainland cities within the GBA.

The GBA SC contains the following eight parts:
Article 1 Definition
Article 2 Obligations and Responsibilities of Personal Information Processors (including data users)
Article 3 Obligations and Responsibilities of Recipients
Article 4 Rights of Personal Information Subjects (including data subjects)
Article 5 Remedies
Article 6 Termination of Contract
Article 7 Liabilities for Breach of Contract
Article 8 Miscellaneous

According to the GBA SC, personal information processors (including data users) have to comply with the clauses stipulated therein. For instance, the obligations and responsibilities of personal information processors include (but are not limited to):

  • Personal information subjects (including data subjects[149]) should be informed of the name and contact information of the recipient, the purposes of processing the personal information to be transferred across the boundary, the means of such processing, the categories of personal information, the retention period(s), the transfer to a third party in the same jurisdiction as the recipient (if the recipient is registered (applicable to organisations) or located (applicable to individuals) in a Mainland city within the GBA, “same jurisdiction” includes all Mainland cities within the GBA; if the recipient is registered (applicable to organisations) or located (applicable to individuals) in Hong Kong, “same jurisdiction” means Hong Kong), and the methods and procedures for exercising their rights as personal information subjects, etc. If notice is not required under the relevant laws and regulations of the jurisdiction concerned, such provisions shall prevail (Article 2(2) of the GBA SC refers).
  • Prior to the cross-boundary transfer of personal information to the recipient, the consent of personal information subjects should be obtained in accordance with the laws and regulations of the jurisdiction concerned (Article 2(3) of the GBA SC refers).
  • Personal information subjects should be informed that they will be a third-party beneficiary as agreed by the personal information processor and the recipient under the GBA SC; if a personal information subject does not explicitly reject this term within 30 days, he/she shall enjoy the rights of a third-party beneficiary in accordance with the GBA SC (Article 2(4) of the GBA SC refers).
  • Conduct a personal information protection impact assessment on the intended transfer of personal information to the recipient. The impact assessment should focus on the following, and the personal information protection impact assessment report should be retained for at least 3 years:
    • The legality, legitimacy and necessity of the purposes and means, etc. of processing personal information by the personal information processor and recipient;
    • The impact on and security risks to the rights and interests of personal information subjects;
    • Whether the obligations undertaken by the recipient, as well as its management, technical measures and capabilities, etc. to perform the obligations, can ensure the security of personal information transferred across the boundary.
    (Article 2(8) of the GBA SC refers)

For recipients, their obligations and responsibilities under the GBA SC include (but are not limited to):

  • The recipient shall not provide personal information received in accordance with the GBA SC to organisations or individuals outside the GBA (Article 3(7) of the GBA SC refers).
  • The recipient may only provide personal information to a third party in the same jurisdiction, that is, the Mainland cities within the GBA or the Hong Kong Special Administrative Region (if the recipient is registered (applicable to organisations) or located (applicable to individuals) in a Mainland city within the GBA, “same jurisdiction” means all Mainland cities within the GBA; if the recipient is registered (applicable to organisations) or located (applicable to individuals) in Hong Kong, “same jurisdiction” means Hong Kong), and only if all of the following conditions are met:
    • There is a business need for the transfer.
    • The personal information subject has been informed of the third party’s name and contact information, purposes of processing, means of processing, categories of personal information, retention period(s) and methods and procedures for exercising their rights as a personal information subject, etc. If notice is not required under the relevant laws and regulations of the jurisdiction of the personal information processor, such provisions shall prevail.
    • Consent has to be obtained from the personal information subject in accordance with the laws and regulations of the jurisdiction of the personal information processor, if the processing of personal information is based on the consent of the individual.
    • The personal information is provided to a third party in the same jurisdiction in accordance with the terms set out in “Description of cross-boundary transfer of personal information” in Appendix I of the GBA SC.
    (Article 3(8) of the GBA SC refers)
  • If the recipient receives a request from a government department or judicial body of the jurisdiction where it is located to provide personal information received under the GBA SC, it should immediately notify the personal information processor (Article 3(13) of the GBA SC refers).

Please click here to download the GBA SC.

The Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (the Implementation Guidelines on the GBA SC) are guidelines established by the governments of the Mainland and Hong Kong for the implementation of the GBA SC. The Implementation Guidelines on the GBA SC came into operation on 13 December 2023. Personal information processors and recipients in the GBA may, in accordance with the requirements of the Implementation Guidelines on the GBA SC, conduct cross-boundary flows of personal information between the Mainland cities within the GBA and Hong Kong by entering into a Standard Contract150.

Please click here to download the Implementation Guidelines on the GBA SC.

To help organisations in Hong Kong understand the applicability of the GBA SC and its relationship with the Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data issued by the PCPD, the PCPD has issued the “Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)”.

Please click here to download the “Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)”.

Please click here to browse the thematic website set up by the Office of the Government Chief Information Officer of the Hong Kong Special Administrative Region (OGCIO) to obtain further information.

Further, please click the links below for the reference materials published by the regulatory authorities under the GBA SC:

VI. Other Significant Regulatory Developments Relating to Personal Information Protection

| Date of Publication | Date of Implementation | Relevant Document | Area of Interest | Description | Reference Materials |
|---|---|---|---|---|---|
| 21 March 2024 | 1 October 2024 | Data Security Technology – Rules for Data Classification and Grading | Data Security | To implement the national data classification and grading system stipulated in the Data Security Law, the Rules set out key guidelines on the basic principles, frameworks, methods and processes for data classification and grading. | Full text (available in Chinese only) |
| 29 February 2024 | Not specified | Basic Security Requirements for Generative Artificial Intelligence Service | Artificial Intelligence | To support the implementation of the Interim Measures for the Management of Generative Artificial Intelligence Services, the Basic Security Requirements set out basic standards for providers of generative artificial intelligence (AI) services in the Mainland on the security of AI training data and foundation models, the technical security measures to be adopted, and the requirements for conducting security assessments. | Full text (available in Chinese only); Mainland Corner’s March 2024 Column (available in Chinese only) |
| 8 December 2023 (consultation ended on 7 January 2024) | Not specified | Draft Management Measures on the Report of Cybersecurity Incidents | Cybersecurity | To regulate the reporting of cybersecurity incidents and reduce the losses and hazards resulting from them, the Draft Management Measures standardise the procedures for reporting cybersecurity incidents and set out clear obligations for the relevant regulatory bodies. | Full text (available in Chinese only) |
| 16 October 2023 | 1 January 2024 | Regulations on the Protection of Minors in Cyberspace | Children Privacy | The Regulations were formulated pursuant to the Law on the Protection of Minors, the PIPL and the Cybersecurity Law. They seek to enhance the protection of minors’ personal information and cover areas including the cultivation of cyberspace literacy, the dissemination of network content and the prevention of internet addiction. | Full text (available in Chinese only); Mainland Corner’s January 2024 Column (available in Chinese only) |
| 25 August 2023 | Not specified | Practical Guidance of Cybersecurity Standards – Labelling Methods for Content Generated by Generative Artificial Intelligence Services | Artificial Intelligence | The Practical Guidance sets out implementation rules for labelling and demarcating content generated by generative AI, including text, images, audio and video. Apart from guiding providers of generative AI services to raise the standard of content labelling, it also serves as a reference for the relevant regulatory departments. | Full text (available in Chinese only); Mainland Corner’s September 2023 Column (available in Chinese only) |
| 9 August 2023 (consultation ended on 8 October 2023) | Not specified | Draft Information Security Technology – Security Requirements for Processing of Sensitive Personal Information | Processing of Personal Information | The Draft Security Requirements seek to regulate the processing of sensitive personal information by personal information processors in the Mainland. They also serve as a reference for regulatory departments and third-party assessment organisations in supervising, managing and assessing such processing activities. | Full text (available in Chinese only) |
| 8 August 2023 (consultation ended on 7 September 2023) | Not specified | Draft Interim Measures for the Regulation of Facial Recognition Technology | Facial Recognition | The Draft Interim Measures seek to regulate the application of facial recognition technology in the Mainland in order, among other things, to protect individuals’ personal information rights and their personal and property rights and interests, and to maintain public order and security. They apply to activities that process facial biometric information and provide products or services through the use of facial recognition technology in the Mainland. | Full text (available in Chinese only) |
| 3 August 2023 (consultation ended on 2 September 2023) | Not specified | Draft Measures for the Management of Compliance Audit for Personal Information Protection | Processing of Personal Information | The Draft Measures apply to personal information processors that are required to conduct regular compliance audits under the PIPL, or that are directed to do so by the CAC or other departments responsible for personal information protection. They also stipulate the rules governing the performance of such compliance audits. | Full text (available in Chinese only) |
| 2 August 2023 (consultation ended on 2 September 2023) | Not specified | Draft Guidelines for the Construction of Minors’ Mode on Mobile Internet | Children Privacy | The Draft Guidelines aim to prevent minors from becoming addicted to the internet by encouraging the development of a positive cyberspace in the Mainland. They require mobile intelligent terminals, mobile internet applications and mobile internet application distribution platforms to build a dedicated minors’ mode for their services, in compliance with the general, technical and management requirements of the CAC. | Full text (available in Chinese only) |
| 10 July 2023 | 15 August 2023 | Interim Measures for the Management of Generative Artificial Intelligence Services | Artificial Intelligence | The Interim Measures apply to the use of generative AI technology to provide services that generate text, images, audio, video and other content within the territory of the Mainland. Providers of services with public opinion attributes or the capacity for social mobilisation are specifically required to conduct security assessments and to carry out filing, amendment of filing and cancellation of filing in accordance with the Rules on Management of Algorithmic Recommendations in Internet Information Services. | Full text (available in Chinese only); Mainland Corner’s August 2023 Column (available in Chinese only) |
| 7 July 2023 (consultation ended on 6 August 2023) | Not specified | Draft Regulations on the Management of Cyber Violence Information | Cybersecurity | The Draft Regulations require network information service providers to fulfil their content management responsibilities by, among other things, establishing a comprehensive mechanism for the governance of cyber violence information and strengthening systems such as account management, review of information dissemination, monitoring and early warning, reporting and assistance, and the handling of cyber violence information. They aim to strengthen the governance of cyber violence information while fostering a sustainable ecosystem in the Mainland’s internet sphere. | Full text (available in Chinese only) |
| 23 May 2023 | 1 December 2023 | Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing (GB/T 42574-2023) (the Implementation Guidelines) | Processing of Personal Information | The Implementation Guidelines provide practical guidance on the specific methods and steps for personal information processors to notify individuals under different scenarios, and set out rules for obtaining their consent under the PIPL. As the PIPL does not clearly define “consent” and “notice”, the Implementation Guidelines are a useful reference for personal information processors in complying with the PIPL. | Full text (available in Chinese only); Mainland Corner’s July 2023 Column (available in Chinese only) |
| 25 November 2022 | 10 January 2023 | Provisions on the Administration of Deep Synthesis of Internet-based Information Services | Artificial Intelligence | The Provisions apply to deep synthesis service providers that use deep synthesis technology in the Mainland. They set out the rules governing the provision of deep synthesis services and provide concrete guidance on the regulatory work concerning deep synthesis technology. | Full text (available in Chinese only); Mainland Corner’s February 2023 Column (available in Chinese only) |
| 25 September 2021 | 25 September 2021 | The Code of Ethics for the New Generation of Artificial Intelligence | Artificial Intelligence | The Code of Ethics aims to integrate ethics and morals into the full life cycle of AI and to provide ethical guidance for stakeholders engaged in AI-related activities. | Full text (available in Chinese only) |
| 10 June 2021 | 1 September 2021 | Data Security Law | Data Security | The Data Security Law applies to and regulates data processing activities in the Mainland. It establishes a data categorisation and classification system and a data security risk assessment framework, and provides, among other things, for the monitoring and early warning of data security risks, a data security emergency response mechanism and a data security review system. The Data Security Law is administered and enforced by the Cyberspace Administration of China. | Full text (available in Chinese only); Mainland Corner’s June 2021 Column (available in Chinese only) |
| 7 November 2016 | 1 June 2017 | Cybersecurity Law | Cybersecurity | The Cybersecurity Law is the first legislation regulating cybersecurity in the Mainland. It applies to the construction, operation, maintenance and use of networks, and to the supervision and administration of cybersecurity, in the Mainland. It sets out specific obligations for network operators and critical information infrastructure operators, and is administered and enforced by the Cyberspace Administration of China. | Full text (available in Chinese only) |

1 Article 1 of the PIPL
2 Article 3 of the PIPL
3 Article 33 of the PIPL
4 Article 73(1) of the PIPL
5 Article 3 of the PIPL
6 Article 4 of the PIPL
7 Article 28 of the PIPL
8 Article 7 of the PIPL
9 Article 17 of the PIPL
10 Article 17 of the PIPL
11 Article 22 of the PIPL
12 Article 23 of the PIPL
13 Article 4 of the PIPL
14 Article 5 of the PIPL
15 Article 6 of the PIPL
16 Article 13 of the PIPL
17 Article 10 of the PIPL
18 Article 26 of the PIPL
19 Article 72 of the PIPL
20 Article 28 of the PIPL
21 Article 29 of the PIPL
22 Articles 55 to 56 of the PIPL
23 Article 30 of the PIPL
24 Article 31 of the PIPL
25 Article 14 of the PIPL
26 Article 13 of the PIPL
27 Articles 14 and 23 of the PIPL
28 Article 27 of the PIPL
29 Article 23 of the PIPL
30 Article 25 of the PIPL
31 Article 29 of the PIPL
32 Article 26 of the PIPL
33 Article 39 of the PIPL
34 Article 31 of the PIPL
35 Article 16 of the PIPL
36 Article 15 of the PIPL
37 Article 8 of the PIPL
38 Article 9 of the PIPL
39 Article 21 of the PIPL
40 Article 59 of the PIPL
41 Article 19 of the PIPL
42 Article 47 of the PIPL
43 Article 51 of the PIPL
44 Article 52 of the PIPL
45 Article 53 of the PIPL
46 Article 54 of the PIPL
47 Articles 55 to 56 of the PIPL
48 Article 58 of the PIPL
49 Article 57 of the PIPL
50 Article 57 of the PIPL
51 Articles 55 to 56 of the PIPL
52 Articles 38 to 39 of the PIPL
53 Article 38 of the PIPL
54 Article 38 of the PIPL
55 Article 39 of the PIPL
56 Article 40 of the PIPL
57 Article 73(2) of the PIPL
58 Article 24 of the PIPL
59 Article 24 of the PIPL
60 Article 24 of the PIPL
61 Articles 55 to 56 of the PIPL
62 Article 45 of the PIPL
63 Article 46 of the PIPL
64 Article 50 of the PIPL
65 Article 45 of the PIPL
66 Article 47 of the PIPL
67 Article 47 of the PIPL
68 Article 44 of the PIPL
69 Article 49 of the PIPL
70 Article 44 of the PIPL
71 Article 48 of the PIPL
72 Article 50 of the PIPL
73 Article 50 of the PIPL
74 Article 60 of the PIPL
75 Article 60 of the PIPL
76 Article 64 of the PIPL
77 Article 66 of the PIPL
78 Article 66 of the PIPL
79 Article 71 of the PIPL
80 Article 67 of the PIPL
81 Article 69 of the PIPL
82 Article 70 of the PIPL
83 Full text available at https://www.tc260.org.cn/front/postDetail.html?id=20221216161852 (Chinese only)
84 Full text available at https://www.tc260.org.cn/front/postDetail.html?id=20220624175016 (Chinese only)
85 Part 1 of the Guidance – Application Situations
86 Part 4 of the Guidance – Basic Principles
87 Part 5 of the Guidance – Basic Requirements
88 Part 6 of the Guidance – Protection of the Rights and Interests of Personal Information Subjects
89 Part 2 of the Guidance – Certification Bodies
90 Part 5.2.2 of the Guidance – Personal Information Protection Organisation
91 Part 6.2 of the Guidance – Obligations for Personal Information Processors and Data Recipients located outside the jurisdiction
92 Full text available at http://www.cac.gov.cn/2022-11/18/c_1670399936983876.htm (Chinese only)
93 Where a personal information processor has a genuine need to carry out cross-border transfers of personal information owing to, among others, business needs, the processor shall obtain personal information protection certification from the relevant specialized institution according to the provisions issued by the national cybersecurity authorities.
94 Full text available at https://www.tc260.org.cn/piss/files/zwb.pdf (Chinese only)
95 Part 5.2 of the Rules – Certification Marks
96 Part 3 of the Rules – Certification Modes
97 Part 5.1.1 of the Rules – Renewal of Certification
98 Full text available at http://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm (Chinese only)
99 Article 2 of the Measures
100 Article 19 of the Measures
101 Draft Information Security Technology – Guideline for Identification of Critical Data – 3.1 Critical Data
102 Article 4 of the Measures
103 Article 5 of the Measures
104 Article 7 of the Measures
105 Article 7 of the Measures
106 Article 12 of the Measures
107 Article 12 of the Measures
108 Article 13 of the Measures
109 Article 11 of the Measures
110 Guidance on Reporting Security Assessments of Cross-border transfers of data (1st edition): http://www.cac.gov.cn/2022-08/31/c_1663568169996202.htm (Chinese only)
111 Guidance on Reporting Security Assessments of Cross-border Transfers of Data (2nd edition): https://www.cac.gov.cn/2024-03/22/c_1712783131692707.htm (Chinese only)
112 Article 14 of the Measures
113 Article 14 of the Measures
114 Article 20 of the Measures
115 Full text of the Standard Contract Measures: http://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm (Chinese only)
116 Article 1 of the Standard Contract Measures
117 Where a personal information processor truly needs to transfer personal information out of the Mainland for business sake or other reasons, a personal information processor shall conclude a contract stipulating both parties’ rights and obligations with the overseas recipient in accordance with the standard contract formulated by the national cyberspace authority.
118 Article 2 of the Standard Contract Measures
119 Article 6 of the Standard Contract Measures
120 Article 4 of the Standard Contract Measures
121 Article 6 of the Standard Contract Measures
122 Article 5 of the Standard Contract Measures
123 Article 7 of the Standard Contract Measures
124 Article 6 of the Standard Contract Measures
125 Guidance on Filing the Standard Contract for Cross-border Transfers of Personal Information (1st edition): http://www.cac.gov.cn/2023-05/30/c_1687090906222927.htm (Chinese only)
126 Guidance on Filing the Standard Contract for Cross-border Transfers of Personal Information (2nd edition): https://www.cac.gov.cn/2024-03/22/c_1712783131692707.htm (Chinese only)
127 Article 4 of the Standard Contract Measures
128 Article 5 of the Standard Contract Measures
129 Article 8 of the Standard Contract Measures
130 Clauses 2 and 3 of the template standard contract
131 Clause 4 of the template standard contract
132 Clause 5 of the template standard contract
133 Clause 6 of the template standard contract
134 Clause 8 of the template standard contract
135 Clause 13 of the template standard contract
136 Full text: https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm
137 Article 2 of the Regulations
138 Article 3 of the Regulations
139 Article 4 of the Regulations
140 Article 5 of the Regulations
141 Article 7 of the Regulations
142 Article 8 of the Regulations
143 Article 10 of the Regulations
144 Article 9 of the Regulations
145 Article 6 of the Regulations
146 Article 13 of the Regulations
147 According to the GBA SC, personal information processed by personal information processors in the Mainland cities of the GBA shall be determined in accordance with the Personal Information Protection Law of the People’s Republic of China; personal information processed by personal information processors in the Hong Kong Special Administrative Region shall be determined in accordance with the definition of “personal data” under the Personal Data (Privacy) Ordinance of the Hong Kong Special Administrative Region.
148 According to the GBA SC, “personal information processor”, for the Mainland, refers to an organisation or individual that autonomously determines the purposes and means of personal information processing; for the Hong Kong Special Administrative Region, it also includes a “data user”, which, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. A “personal information processor” is a transferor of personal information across the boundary.
149 According to the GBA SC, “personal information subject”, for the Mainland, refers to the natural person identified by or associated with the personal information; for the Hong Kong Special Administrative Region, it also includes a “data subject”, which, in relation to personal data, means the individual who is the subject of the data.
150 Personal information that has been classified or promulgated by the relevant authorities or regions as critical data is excluded.