In recent years, China has enforced new laws that significantly impact data privacy and security. These laws affect companies in China that utilize user data, ensuring they comply with regulations on handling, storing, using, and transferring personal information. Implementing these laws affects all e-commerce businesses in China and any other business that collects user data online.
Here we explain how China’s data privacy laws work, and what international businesses need to do to ensure full compliance.
China’s Data Privacy Laws: The Personal Information Protection Law and Data Security Law
Data Security Law (DSL)
The DSL categorizes user data collection and storage based on its potential security and economic impact on China. Regulations on the storage or transfer of data depend on its classification level.
Personal Information Protection Law (PIPL)
The PIPL regulates collecting and protecting personal information obtained by organizations operating in China. Personal information is “any information related to identified or identifiable natural persons stored in electronic or any other format.” The scope of the PIPL covers the collection, reorganization, storage, usage, transmission, disclosure, provision, and deletion of personal information.
Reasons for Creating New Regulations on Data Privacy
The primary goal of these laws is to protect individuals’ privacy rights and limit companies’ power over personal data. They set conditions under which companies may collect, use, store, secure, and transfer personal data, including obtaining consent before collecting personal information. The regulations also aim to govern cyberspace, monitor company compliance, and address public complaints about data misuse.
Impact on Foreign Companies in China
Foreign businesses in China that process local data must comply with the PIPL and DSL (see Cooley LLP – Privacy Talks: “Key Things to Know About Data Protection Laws in China”). This includes appointing a local representative to handle compliance filings where required, for example for overseas handlers that fall under the PIPL’s extraterritorial scope. Non-compliance can result in penalties or even blacklisting, effectively preventing the processing of personal data in China. Notable examples include LinkedIn and Yahoo!, which ceased operations in China due to the challenging legal environment.
Framework of the Data Security Law
| Category | Description |
|---|---|
| Core Data | Data concerning national and economic security, citizens, and public interests, given the highest security level and strictest regulation. |
| Important Data | Not yet defined in detail; identifying its scope is assigned to the relevant national, regional, and sector authorities. |
Data Transfer
- Critical information infrastructure operators (CIIOs): Must store and safeguard data generated in China within China, and conduct a security self-assessment before sending data overseas.
- Non-CIIOs: Must not send data stored in China to foreign law enforcement or judicial bodies without PRC approval.
Downstream Data
Intermediaries using data for commercial purposes must verify the legality of the data they receive and maintain identification and transaction records for auditing.
Security
Companies must update and improve data security systems, designate responsible teams for data security, and regularly submit risk assessments to authorities.
Key Differences: China’s DSL vs PIPL – What Foreign Businesses Need to Know
| Law | Effective Date | Scope & Focus | Key Obligations for Foreign Businesses | Consequences of Non-Compliance |
|---|---|---|---|---|
| Data Security Law (DSL) | 1 September 2021 | Establishes a national framework for protecting “data security,” including classification of data (e.g., core data, important data) and safeguards aligned with national security and public interests. | Classify and inventory data; implement security management systems; conduct risk assessments for “important data”; follow localisation and security review requirements for certain outbound data transfers. | Administrative penalties, fines, rectification orders, potential business suspension, and reputational risk. |
| Personal Information Protection Law (PIPL) | 1 November 2021 | Governs processing of personal information of individuals in China, with extraterritorial reach for overseas entities that handle PI related to offering goods/services to, or analysing behaviour of, individuals in China. | Establish lawful bases (e.g., consent); provide transparency notices; enable data subject rights; conduct Personal Information Protection Impact Assessments (PIPIA) for high-risk processing; meet cross-border transfer mechanisms (e.g., SCCs, CAC security assessment, certification); appoint a local representative where required. | Fines (including percentage-of-revenue caps), rectification, potential blacklisting restricting processing of Chinese PI, and individual/organisational liability exposures. |
The framework of the Personal Information Protection Law
Data Localization and Deletion
Data handlers must delete personal data once its purpose has been achieved, when it no longer serves the disclosed purpose, when the service is no longer available, when the retention period lapses, when the user withdraws consent, or when the processing violates the law.
Restrictions on Data Transfer
Data handlers must obtain user consent before forwarding personal information to third parties and ensure the recipient enforces data protection security and compliance.
User Consent
Businesses must obtain user consent before collecting data, especially sensitive information. They should disclose the necessity and specific purpose of data collection.
Compliance
Companies must conduct self-audits to identify potential security risks and ensure regulatory compliance. Algorithms used for data analysis must follow fairness and transparency clauses.
Implications of the Implementation
Companies must assess whether their systems comply with the DSL and PIPL, potentially reorganizing operations based on the level of personal data they handle. Legal advice from local PRC counsel is recommended for companies dealing with data export.
Comparison Between GDPR and Chinese Privacy Laws
The PIPL and GDPR allow individuals to access, correct, delete, or rescind consent for their data. However, the PIPL is enforced by the Cyberspace Administration of China (CAC), whereas GDPR is handled by independent regulators in each country. Non-compliance with PIPL can result in blacklisting, unlike GDPR, which imposes financial penalties.
China’s Personal Information Protection Law (PIPL, effective 2021) imposes stringent rules on data collection, storage, cross-border transfers, and individual rights, with penalties reaching 50 million RMB or 5% of annual revenue for serious violations. Compliance requires privacy by design, consent frameworks, and data residency controls. MSA Asia audits and updates the data governance of your China company setup. Connect with our specialists to implement data governance frameworks that protect privacy while enabling business operations.
