
Global Data Privacy Guide

China

Firm: JunHe LLP (Asia Pacific)

Contributors: Audrey Chen, Yang Liu

Updated 14 Aug 2025
1. What is the key legislation?

China has enacted the Personal Information Protection Law (“PIPL”) as the first law to comprehensively and specifically regulate personal information, with the effective date of November 1, 2021. PIPL, together with the Cyber Security Law (“CSL”) and Data Security Law (“DSL”), takes the leading role in the personal information and cybersecurity protection field. Provisions relating to the protection of personal information and privacy are also scattered in major civil and criminal laws and administrative regulations.

  • The Civil Code, adopted on May 28, 2020, took effect on January 1, 2021, and protects the right to personal information and privacy.
  • The Consumer Rights and Interests Protection Law (2013 Revision) (“CPL”) includes provisions on the protection of consumers’ personal information.  
  • The Criminal Law (1997) criminalizes the illegal sale and provision of personal information and the illegal acquisition of personal information.
  • Information security technology — Personal information security specification (“PI Specification”) issued by the Standardization Administration of the PRC in December 2017 and updated in March 2020 is the non-mandatory national standard that provides detailed requirements for personal information protection.
  • The Provisions on Protecting Children’s Personal Information in Cyberspace (“Children’s PI Provisions”) issued by the Cyberspace Administration of China (“CAC”) on August 23, 2019, came into effect as of October 1, 2019. The Children’s PI Provisions are the first regulation in China specifically regulating a child’s personal information.
  • The Measures for the Data Export Security Assessment, issued by the CAC in July 2022 and effective from September 1, 2022, addresses cross-border data transfers that are subject to data export security assessment. 
  • The Measures for the Standard Contract for Cross-Border Transfer of Personal Information, issued by the CAC in February 2023 and effective from June 1, 2023, addresses cross-border data transfers, which are subject to the filing of a standard contract for cross-border transfer of personal information. 
  • The Provisions on Facilitating and Regulating Cross-border Data Flow (“New CBDT Provisions”), issued by the CAC on March 22, 2024, and effective from the same date, specify cross-border data transfers that are exempt from undergoing a data export security assessment, filing a standard contract for personal information export or obtaining personal information protection certification.
  • The Regulations on Network Data Security Management issued by the State Council in September 2024 and effective on January 1, 2025, stipulate detailed implementation rules and guidelines applicable to the protection of personal information, the security of important data, the security management of data exports and the obligations of network platform operators.
  • The Administrative Measures for Personal Information Protection Compliance Audits (“Audit Measures”) issued by the CAC in February 2025 and effective from May 25, 2025, further refine the requirements for personal information protection compliance audits stipulated in the PIPL.
     
Furthermore, there exist various laws and regulations that specifically focus on safeguarding personal information within certain industries or sectors (such as financial banking) or personal information of a particular nature (such as personal credit information).
2. What are the key decisions applying that legislation?

Since China operates under a civil law system rather than a case law system, there are no specific key judicial decisions applying to data privacy legislation. However, various courts periodically release typical cases related to data privacy that offer guidance on such legislation. Moreover, various enforcement authorities, such as the CAC and its local counterparts, may issue penalty cases from time to time to offer additional guidance for the legislation.

1. How are “personal data” and “sensitive data” defined?

According to Article 4 of the PIPL, “personal information” refers to any kind of information related to an identified or identifiable natural person, whether electronically or otherwise recorded, excluding information that has been anonymized.  

According to Article 28 of the PIPL, “sensitive personal information” refers to personal information that, if leaked, illegally provided, or misused, may easily lead to discrimination against individuals or serious harm to personal or property safety, including information such as biometric recognition data, religious belief, specific identity, medical and health information, financial accounts, personal whereabouts, and other information of a natural person, as well as any personal information of a minor under the age of 14.

2. How is the defined data protected?

The PIPL governs the processing of personal information and sets forth regulations on the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.

Sensitive personal information is subject to heightened protection requirements, including:
  1. Processing of sensitive personal information is only permissible when there is a specific purpose and sufficient necessity, and stringent measures must be implemented for its security.
  2. Obtaining separate consent from the individual is mandatory when processing their sensitive personal information.
  3. Individuals must be informed about the necessity of processing their sensitive personal data and the potential impact on their rights and interests, in addition to receiving the general notification required before processing their personal information.

In addition to the PIPL, sector-specific regulations may establish more specific guidelines for managing individuals' personal information in accordance with the principles of the PIPL.
3. Who is subject to privacy obligations?

The PIPL obligations primarily apply to personal information processors, which are defined as any organization or individual that independently determines the purpose and method of processing personal information in their processing activities.

The PIPL also extends to any processing of personal information of any natural person located within China that occurs outside China under any of the following circumstances:
(i)    providing a product or service to the individual within China;
(ii)    analyzing or assessing the behavior of the individual within China; or
(iii)    any other circumstance stipulated by law or administrative regulations.

4. How is “data processing” defined?

According to Article 4 of the PIPL, the processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information. 

5. What are the principles applicable to personal data processing?

According to PIPL, the processing of personal information is required to comply with the following principles: 
(i)    the processing of personal information shall follow the principles of lawfulness, legitimacy, necessity and good faith, and it is not allowed to process personal information by misleading, fraud or coercion; 
(ii)    the processing of personal information shall be for a definite and reasonable purpose, be directly related to the purpose of processing and shall be conducted in a way that minimizes the impact on personal rights and interests; 
(iii)    the collection of personal information shall be limited to the minimum scope for achieving the purpose of processing and it is not allowed to excessively collect personal information; 
(iv)    the processing of personal information shall follow the principles of openness and transparency, make public the rules for processing personal information and expressly indicate the purpose, method and scope of such processing; 
(v)    the quality of personal information shall be ensured in the processing of personal information to avoid the adverse impact on personal rights and interests caused by inaccurate or incomplete personal information; and 
(vi)    the personal information processor shall be responsible for its processing of personal information and take necessary measures to ensure the security of the personal information processed.

6. How is the processing of personal data regulated?

Under the PIPL, a personal information processor is only permitted to process personal information based on one of the following legal bases:
(i)    where the consent of the individual concerned is obtained; 
(ii)    where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract concluded in accordance with the law; 
(iii)    where it is necessary for the performance of statutory duties or statutory obligations; 
(iv)    where it is necessary for the response to a public health emergency or for the protection of the life, health and property safety of a natural person in an emergency; 
(v)    where such acts as news reporting and supervision by public opinions are carried out for the public interest, and the processing of personal information is within a reasonable scope; 
(vi)    where it is necessary to process the personal information disclosed by the individual concerned or other personal information that has been legally disclosed within a reasonable scope in accordance with the provisions of PIPL; and 
(vii)    other circumstances prescribed by laws and administrative regulations.

Where personal information is to be processed based on the consent of an individual, such consent shall be a voluntary and explicit indication of intent given by such an individual on a fully informed basis. Prior to the processing of the personal information of an individual, a personal information processor shall inform the individual of the specified matters in a conspicuous way and in clear and easy-to-understand language, except when such matters shall be kept confidential or are not required to be disclosed according to law or administrative regulations.

The PIPL also provides for requirements for joint-processing, entrusted processing, sharing personal information with third parties, cross-border transfer of personal information, automated decision-making, processing of sensitive personal information and processing of personal information of minors under the age of 14. 

Under certain circumstances as described in Article 55 of the PIPL, personal information processors must conduct a personal information protection impact assessment (PIPIA) before engaging in the following activities and maintain a processing record:

(i)    Processing sensitive personal information;
(ii)    Employing personal information in automated decision-making processes;
(iii)    Outsourcing personal information processing to a third party, sharing personal information with another processor, or disclosing personal information;
(iv)    Transferring personal information to an overseas recipient; or
(v)    Any other individual personal information processing activity that significantly affects personal rights and interests.
Personal information processors shall, based on their processing purpose and method, the type of personal information involved, the impact on individual rights and interests, potential security risks, etc., implement measures as mandated by the PIPL to ensure compliance with laws and regulations, and to prevent unauthorized access, leakage, alteration, or loss of personal information.

7. How are storage, security and retention of personal data regulated?

The PIPL requires that the retention period of personal information be the minimum period necessary for achieving the purpose of processing, unless otherwise stipulated by laws and administrative regulations. There are no standardized data retention requirements under current PRC laws, except for specific categories of data that have unique requirements under relevant sectoral regulations.

Article 51 of the PIPL sets forth the organizational and technical measures that a personal information processor shall implement, after taking into account the purposes and methods of personal data processing, the types of personal data, the impact on individuals’ rights and interests, possible security risks, etc., to ensure that personal data processing activities comply with laws and administrative regulations and to prevent unauthorized access and personal data from being leaked, tampered with or lost: (i) to formulate internal management rules and operating procedures; (ii) to carry out classified management of personal data; (iii) to adopt corresponding security technical measures such as encryption and de-identification; (iv) to reasonably determine the operating authority for personal data processing, and conduct regular security education and training for employees; (v) to formulate and organize the implementation of an emergency response plan for personal data security incidents; and (vi) to take other measures stipulated by laws and administrative regulations.

The CSL also requires network operators, subject to the requirements of the classified cybersecurity protection system, to take the following measures to protect networks from disturbance, damage or unauthorized access and to prevent network data from being divulged, stolen or tampered with: (i) formulating internal security management systems and operating procedures, determining the persons in charge of network security and implementing responsibility for network security protection; (ii) adopting technical measures for preventing computer viruses and activities endangering network security such as network attacks and network intrusions; (iii) adopting technical measures for monitoring and recording network operation status and network security incidents, and keeping relevant network logs for at least six months in accordance with relevant provisions; (iv) adopting measures such as data classification as well as backup and encryption of important data; and (v) other obligations prescribed by laws and administrative regulations.

8. What are the data subjects' rights under the data legislation?

Under the PIPL, data subjects are entitled to the following personal information rights: (i) right of access to, and to obtain a copy of, the personal information being processed by the personal information processor; (ii) right of rectification of inaccurate or incomplete personal information; (iii) right of deletion in certain circumstances; (iv) right of objection to and restriction of personal information processing; (v) right to withdraw consent; (vi) right to ask for an explanation of personal information processing rules; (vii) right to object to automated decision-making; and (viii) right of portability in certain circumstances.

Besides, where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as consulting, copying, correcting and deleting the relevant personal information of the deceased as prescribed in PIPL, unless otherwise arranged by the deceased prior to his/her death. 

The personal information processor shall establish a convenient mechanism for accepting and handling applications from individuals to exercise their rights. If an individual’s request for exercising his/her rights is rejected, the reasons shall be stated. Where the personal information processor refuses an individual’s request for exercising his/her rights, the individual may file a lawsuit with a people’s court in accordance with the law.

9. What are the consent requirements for data subjects?

The PIPL stipulates that data subjects' consent is a crucial aspect of data processing. The key consent requirements under the PIPL include:
(i)    Where personal information is to be processed based on the consent of an individual, such consent shall be a voluntary and explicit indication of intent given by such an individual on a fully informed basis.
(ii)    If there are changes in the purpose, method or types of personal information being processed, personal consent shall be re-obtained.
(iii)    Data subjects have the right to withdraw their consent to the processing of their personal information carried out based on their consent, and personal information processors shall provide data subjects with an easy way to withdraw their consent.
(iv)    Personal information processors must obtain the consent of a parent or guardian of a minor under the age of 14 for the processing of their personal information.
(v)    Separate consent shall be obtained from data subjects before engaging in the following processing activities:
(a)    Processing their sensitive personal information;
(b)    Disclosing their personal information;
(c)    Installing image capture and personal identity recognition devices for purposes other than public safety maintenance;
(d)    Sharing their personal information with another personal information processor; or
(e)    Transferring their personal information outside of China.

10. How is authorization for use of data handled?

If personal information processing relies on an individual's consent, that consent must be voluntary, explicit, and provided by the individual on a fully informed basis. Prior to the processing of the personal information of an individual, a personal information processor shall inform the individual of the following matters in a conspicuous way and in clear and easy-to-understand language: 
(i)    The personal name and contact information of the personal information processor;
(ii)    The purpose and method of processing personal information, the type of personal information to be processed and its retention period;
(iii)    The way and procedure for the individual to exercise his/her rights provided for by the PIPL; and
(iv)    Any other matter to be informed as required by law or administrative regulations.

If there are any changes in the purpose, method or types of personal information being processed, individual consent shall be re-obtained.

In specific scenarios, separate consent shall be obtained from data subjects before undertaking certain processing activities, including:
(i)    Processing of sensitive personal data: data subjects must be informed about the necessity of processing their sensitive personal data and potential impact on their rights and interests, in addition to providing general notification before processing their personal information.
(ii)    Sharing personal information with another personal information processor: data subjects shall be informed of the name and contact information of the receiving party, the purpose and method of the processing, and the type of personal information involved. 
(iii)    Transferring personal information outside of China: data subjects shall be informed of the name and contact information of the overseas recipient, the purpose and method of the processing, and the type of personal information involved, as well as how to exercise their rights against the overseas recipient.
(iv)    Disclosing personal information; and
(v)    Installing image capture and personal identity recognition devices for purposes other than public safety. 
When processing personal data of a child under the age of 14, personal information processors are required to obtain consent from the child's parent or legal guardian. 

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

The cross-border transfer of personal information is subject to the following requirements under the PIPL and other applicable regulations:
(i)    Data subjects are informed of the name and contact information of the overseas recipient, the purpose and method of the processing, and the type of personal information involved, as well as how to exercise their rights against the overseas recipient.
(ii)    Separate consents have been obtained from data subjects for transferring their personal information outside of China.
(iii)    Unless exempted, at least one of the following conditions should be met before exporting personal information: 
(a)    if the personal information being transferred outside of China exceeds a certain threshold, a data export security assessment (“Security Assessment”) led by the CAC must be passed; 
(b)    if the personal information being transferred outside of China has reached a certain threshold, a filing for the standard contract for personal information export (“Standard Contract”) must be made, or a certification for personal information protection (“Certification”) must be obtained; or 
(c)    other conditions prescribed by laws, administrative regulations or the CAC must be satisfied. 
(iv)    A personal information protection impact assessment has been conducted for the cross-border data transfer. 

Notwithstanding the above, according to the New CBDT Provisions, a personal information processor in China is no longer required to adopt any of the Security Assessment, Standard Contract or Certification in the following scenarios:

(i)    Data generated in international trade, cross-border transportation, academic cooperation, cross-border manufacturing, and marketing where the data does not contain personal information or critical data.
(ii)    Personal information collected outside China that remains segregated from personal information or critical data originating from China. This pertains to the export of personal information that was imported into China for processing.
(iii)    Transfer of personal information outside China for purposes such as entering into and executing a contract in activities like cross-border shopping, delivery, remittance, payment, account opening, air ticket and hotel reservations, visa processing, examination services, etc.
(iv)    Transfer of personal information outside China for cross-border human resources management in compliance with labor laws and regulations and any legally signed collective agreements.
(v)    Transfer of personal information outside China for emergency situations to protect the life, health, and property safety of individuals.
(vi)    Transfer of personal information (excluding sensitive personal information) of fewer than 100,000 individuals that has been cumulatively transferred outside China since January 1st of that year by an operator that is not a critical information infrastructure operator (CIIO).

In addition, the PIPL also stipulates the approval requirements of the competent authorities for providing personal information abroad due to international judicial assistance or administrative law enforcement assistance and the anti-discrimination requirements for countries and regions that have adopted discriminatory and unreasonable measures against China in terms of personal information protection.

Furthermore, there are additional regulations that may place specific limitations or requirements on the cross-border transfer of certain types of data, such as population health information, healthcare-related big data, medical records, etc.

12. How are data "incidents" and "breaches" defined?

“Incidents” and “breaches” lack clear definitions under PRC laws. However, according to the non-mandatory national standard, Information Security Technology – Guidelines for the Categorization and Classification of Cybersecurity Incidents, cybersecurity incidents encompass a range of incident categories, such as data breaches, which may also involve breaches of personal information.

13. Are there any notification requirements for incidents and/or data breaches?

Yes, there are some notification requirements under the current laws.

According to the CSL, where users' personal information under the custody of a network operator is or may be divulged, destroyed or lost, the operator should take remedial measures immediately, inform the users and report to the relevant competent authorities in a timely manner.

According to the PIPL, where personal information has been or may be divulged, tampered with or lost, the personal information processor shall immediately take remedial measures and notify the authorities performing duties of personal information protection and the individuals concerned. The notice shall include the following matters: (i) the types, reasons and possible harm of the information that has been involved or may be involved in the divulgence, tampering with or loss of personal information; (ii) the remedial measures taken by the personal information processor and the measures that can be taken by the individuals to mitigate harm; and (iii) the contact information of the personal information processor. Where the personal information processor has taken measures to effectively avoid harm caused by divulgence, tampering with or loss of information, the personal information processor may opt not to notify the individuals concerned; if the authorities performing duties of personal information protection believe that harm may be caused, they may require the personal information processor to notify the individuals concerned.

There are also other national and local law requirements for specific types of personal information breaches.

14. Who is/are the privacy regulator(s)?

There is no single privacy regulator. Several industry regulators are responsible for the protection of personal information in their corresponding industry sectors.

For example, the main regulator under the CSL and PIPL is the CAC, which coordinates the work of the authorities for certain industries. The collection and use of personal information by telecom and Internet service providers are also regulated by the MIIT. The collection and use of consumers' personal information (including in e-commerce operations) are generally regulated by the SAMR. The MPS is responsible for investigating and cracking down on internet-related crimes. There are also other regulators in charge of specific types of personal information.

15. What are the consequences of a data breach?

The breaching party may be subject to administrative punishment or face a tort infringement lawsuit or criminal liability.

According to the CSL, network operators that infringe their personal information protection obligations may be subject to punishments including an order to make corrections, suspension of business, suspension of business for rectification, website closure, revocation of a business permit, or a fine of up to RMB 1,000,000.

According to the PIPL, where personal information is processed in violation of the provisions of the PIPL, or is processed without performing the obligation of protecting personal information as stipulated in the PIPL, the authorities performing duties of personal information protection shall order the party concerned to make corrections, give it a warning and confiscate its illegal gains. Any application that illegally processes personal information shall be ordered to suspend or terminate the provision of services; if the party refuses to make corrections, a fine of not more than RMB 1 million shall be imposed on it concurrently, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge and other directly liable persons. For any of the above-mentioned illegal acts with serious circumstances, the authorities performing duties of personal information protection at or above the provincial level shall order the party concerned to make corrections, confiscate its illegal gains, and impose a fine of not more than RMB 50 million or not more than 5% of its turnover of the previous year, and may also order it to suspend the relevant business or suspend business for rectification, and inform the relevant competent authorities to revoke the relevant business permit or business license; a fine of not less than RMB 100,000 but not more than RMB 1 million shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit those persons from acting as directors, supervisors, senior executives or persons in charge of personal information protection of relevant enterprises within a certain period of time.

The infringing party may also face a privacy lawsuit filed by the injured party.

Criminal liability may also be applicable for the illegal sale or acquisition of personal information that falls under the scope of criminal law.

16. How is electronic marketing regulated?

In general, no one may send commercial electronic information to individuals without the consent of or the request from the recipients.

The Law on Advertising (2021 Revision) provides that no organization or individual may deliver advertisements (including electronic advertisements) to any persons without their consent or their request.

When an advertisement is sent through an electronic message, the true identity and contact information of the sender shall be clearly indicated and those to whom the advertisement is sent shall be provided with the methods for refusing to continue to receive the advertisements.

Further, sending advertisements via the internet shall not interrupt users' normal use of the internet, and if an advertisement is sent via a pop-up, the pop-up shall have a conspicuous close button so that users can close the pop-up with one click.

According to the PIPL, information pushing and commercial marketing to an individual through automated decision-making shall be accompanied by options that do not target the individual's personal characteristics, or convenient rejection ways shall be provided to the individual.

There are also specific rules for sending advertisements by email or text message.

17. Are there sector-specific or industry-specific privacy requirements?

There are industry-specific guidelines and standards issued by regulatory authorities in China that outline privacy requirements for sectors such as finance, healthcare, telecommunications, and e-commerce. These sector-specific regulations often provide detailed rules on data protection, confidentiality, and compliance obligations tailored to the specific characteristics and risks of each industry.

For instance, the Provisions on Security Management of Automotive Data (Trial), jointly issued by the CAC, National Development and Reform Commission, MIIT, PSB, and the Ministry of Transportation in August 2021, and in effect from October 1, 2021, govern the processing of automotive data in China. This includes personal information and important data across the automotive design, manufacturing, sales, usage, operation, and maintenance processes. These regulations also establish principles for processing automotive data, such as in-vehicle processing and no-collection by default, etc. 

Another instance is the Administrative Measures for Data Security in Industry and Information Technology Sectors (for Trial Implementation) issued by MIIT on December 8, 2022 (“Data Security Measures”), which became effective on January 1, 2023. These measures pertain to data within the industry and information technology sectors, including industrial data, telecommunications data and radio data (collectively “Industry Data”). The Data Security Measures divide Industry Data into three categories based on the potential harm to national security, public interests and the legal interests of individuals in the event of unauthorized alteration, destruction, leakage or illegal acquisition or use of such data: ordinary data, important data and core data. The processing of important data and core data entails specific filing and reporting obligations. The Data Security Measures also mandate that processors of Industry Data establish a full life-cycle data security management system, appoint data security management personnel, manage operation authorization effectively, develop response plans, and conduct emergency drills and relevant training.

18. What are the requirements for appointing Data Protection Officers or similar roles?

According to Article 52 of the PIPL, personal information processors that exceed the threshold amount set by the national cyberspace authority for processing personal information must appoint a personal information protection officer. This individual will be responsible for overseeing the processing of personal information, ensuring the implementation of protective measures, and other related activities.

Article 12 of the Administrative Measures for Personal Information Protection Compliance Audits (“Audit Measures”) further specifies that a personal information processor handling the personal information of one million individuals or more must designate a personal information protection officer to oversee compliance audits related to the processor's personal information protection measures.

19. What are the record-keeping and documentation obligations?

The PIPL requires personal information processors to conduct a personal information protection impact assessment (PIPIA) before carrying out the following activities. They are required to maintain a processing record for these activities, which must be retained for a minimum of 3 years: 

(i)    Processing sensitive personal information;
(ii)    Employing personal information in automated decision-making processes;
(iii)    Entrusting personal information processing to a third party, sharing personal information with another processor, or disclosing personal information;
(iv)    Transferring personal information to an overseas recipient; or
(v)    Any other individual personal information processing activity that significantly affects personal rights and interests.

Furthermore, in accordance with Article 12 of the Regulations on Network Data Security Management, network data processors are obligated to maintain processing records when sharing personal information and important data with, or entrusting the processing of such data to, other network data processors. These records must be retained for at least 3 years.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

According to Article 55 of the PIPL, personal information processors must conduct a personal information protection impact assessment (PIPIA) before carrying out the following activities: 

(i)    Processing sensitive personal information;
(ii)    Employing personal information in automated decision-making processes;
(iii)    Entrusting personal information processing to a third party, sharing personal information with another processor, or disclosing personal information;
(iv)    Transferring personal information to an overseas recipient; or
(v)    Any other individual personal information processing activity that significantly affects personal rights and interests.

21. What are the requirements for third-party vendor management and data sharing?

According to the PIPL, if a third-party vendor is engaged to process personal information, a personal information processor shall agree with such vendor on the purpose, period, processing method, the type of personal information to be processed, any protection measures to be taken, and the rights and obligations of both parties, etc. The personal information processor shall also supervise the processing activities carried out by the vendor. The vendor shall process personal information as agreed, and shall not process personal information beyond the agreed purpose and method; if the contract with the vendor fails to become effective, becomes null and void, or is cancelled or terminated, the vendor shall return the personal information to the personal information processor or delete it, and shall not retain such information. In addition, without the approval of the personal information processor, the vendor shall not subcontract the processing of personal information to any other person.

If a personal information processor shares personal information with a third-party vendor, who is also a personal information processor, as per Article 23 of the PIPL, the personal information processor must inform the relevant individuals about the vendor's name, contact information, processing purpose and method, and the type of personal information being shared before sharing the information. Separate consent from the relevant individuals must be obtained. The vendor is required to process the personal information received within the specified purpose, method, and type of personal information. In case of any changes to the original purpose or processing method, the vendor must seek renewed consent from the relevant individuals.

22. What are the penalties and enforcement mechanisms for non-compliance?

According to the PIPL, in the event that personal information is processed in violation of the provisions of the PIPL, or that personal information is processed without performing the obligation of protecting personal information as stipulated in PIPL, the authorities performing duties of personal information protection shall order the party concerned to make corrections, give a warning to it and confiscate its illegal gains. Any application that illegally processes personal information shall be ordered to suspend or terminate the provision of services; if it refuses to make corrections, a fine of not more than RMB 1 million shall be imposed on it concurrently; and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge and other directly liable persons. 

For any illegal act mentioned above with serious circumstances, the authorities performing duties of personal information protection at or above the provincial level shall order the party concerned to make corrections, confiscate its illegal gains, and impose a fine of not more than RMB 50 million or not more than 5% of its turnover of the previous year on it, and may also order it to suspend relevant business or suspend business for rectification, and inform the relevant competent authorities to revoke the relevant business permit or business license; a fine of not less than RMB 100,000 but not more than RMB 1 million shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit the said persons from acting as directors, supervisors, senior executives and persons-in-charge of personal information protection of relevant enterprises within a certain period of time.

23. What are the ongoing compliance and audit requirements?

According to the PIPL, personal information processors are required to perform regular compliance audits on their processing of personal information to ensure adherence to laws and regulations. The Administrative Measures for Personal Information Protection Compliance Audits (“Audit Measures”) further specify the frequency and requirements for conducting such compliance audits. According to the Audit Measures, personal information processors processing the personal information of more than ten million individuals are required to conduct a personal information protection compliance audit at least once every two years. For other personal information processors, the frequency of regular audits should be determined based on their specific circumstances.

24. Are there any recent developments or expected reforms?

The issuance of the Provisions on Facilitating and Regulating Cross-border Data Flow (“New CBDT Provisions”) by the CAC on March 22, 2024, demonstrates the Chinese government's commitment to promoting cross-border data transfers. Following these New CBDT Provisions, various local governments in free trade zones such as Shanghai, Beijing, Tianjin, Hainan province and Zhejiang province have also introduced corresponding data export negative lists. These lists are intended to ease restrictions on specific cross-border data transfers within relevant industries. Data not listed in a negative list can be freely exported cross-border.

The long-awaited Regulations on Network Data Security Management (“Network Data Regulations”) issued by the State Council in September 2024 came into effect on January 1, 2025. These regulations provide detailed implementation rules and guidelines concerning the protection of personal information, the security of important data, data export security management, and the responsibilities of network platform operators.

The Administrative Measures for Personal Information Protection Compliance Audits (“Audit Measures”), released by the CAC in February 2025, became effective on May 25, 2025. These measures are intended to guide the implementation of compliance audits for personal information processors as required under the PIPL. Another notable development under the PIPL is the Announcement issued by the CAC on July 18, 2025, mandating eligible personal information processors to appoint a designated Personal Information Protection Officer (“PIPO”).

As a result, we have observed the gradual implementation of key personal information protection requirements under the PIPL, which has led to the improvement and refinement of the legal framework for personal information protection in China.
