article

Navigating China’s Privacy Framework

Lindsay Palmer Senior Privacy Research Specialist, TrustArc

In today’s global business environment, understanding China’s stringent privacy framework is crucial for organizations, as non-compliance can lead to severe legal and financial penalties. China has witnessed significant developments in its privacy landscape, with the introduction of key laws and regulations that have far-reaching implications for organizations processing personal information (PI).

China’s privacy landscape has evolved significantly since 2021. Prior to this time, businesses processing PI in China had to piece together different privacy provisions found in various laws and regulations.

Today, China’s privacy regime can be more easily discerned; together, the Personal Information Protection Law (PIPL), the Cyber Security Law (CSL), and the Data Security Law (DSL) form the foundation of China’s data protection framework. These laws encompass a wide spectrum of regulations governing the collection, use, disclosure, and security of PI.

Understanding and complying with China’s privacy regulations is crucial for organizations seeking to operate within the country or engage with Chinese citizens. In this blog, we’ll delve into the essential insights and key considerations for organizations that must adhere to privacy regulations in China.

China’s Privacy Regulatory Framework

PIPL

The Personal Information Protection Law (PIPL), in particular, shares similarities with the GDPR, such as:

an extraterritorial scope, impacting not only entities within China but also those processing PI of Chinese citizens overseas
legal grounds for processing PI that put consent on equal footing with other valid grounds (e.g., contractual or legal obligations, vital interests, public health and security)
the use of cross-border transfer mechanisms (e.g., security assessment, standard contract) to ensure the secure transfer of PI outside of China
compliance with individual rights requests (e.g., access, deletion, correction, data portability).

Just like organizations doing business in the EU under the GDPR, compliance with the provisions outlined in PIPL is paramount for organizations seeking compliance in China.

CSL

Additionally, the Cyber Security Law (CSL) focuses on cybersecurity protection, encompassing safeguarding personal information processed through computerized information networks. Organizations must recognize the applicability of the CSL to network operators and the implications for data protection within the cybersecurity landscape.

DSL

The Data Security Law (DSL) extends its regulatory purview beyond personal information, encompassing a broad range of data categories. Its emphasis on categorizing data based on importance, including considerations for national security and public interest, underscores the comprehensive nature of China’s data protection framework.

Making sense of China’s privacy laws

Below is a brief comparison of what China’s three main laws cover and who they apply to:

Law	Scope	Application
PIPL	China’s comprehensive data protection law Regulates the collection, use, and disclosure of PI Shared elements with GDPR include an extraterritorial scope, processing principles, legal grounds for processing, cross-border transfer mechanisms, and individual rights	Applies to processing of PI by individuals and businesses (PI processors) in both public and private sectors Within China that process PI of Chinese citizens Outside of China that process PI of Chinese citizens for the purpose of providing goods or services or analyze and assess behaviors
CSL	China’s main law regulating cyberspace Addresses protection of PI processed using computerized information networks Focuses on cybersecurity protection, including protection of critical information infrastructure and certification of network services and products	Applies to all network operators, including network service providers (i.e., entities that construct, operate, maintain, and use computerized information networks)
DSL	China’s main law regulating different classifications of data Requires data to be categorized by different levels of importance, such as data impacting national security and public interests	Applies to data processing activities of all natural and legal persons Businesses outside of China are liable if their processing of data harms Chinese national security, the public interest, or the lawful rights or interests of Chinese citizens or organizations

Law

Scope

Application

PIPL

China’s comprehensive data protection law

Regulates the collection, use, and disclosure of PI
Shared elements with GDPR include an extraterritorial scope, processing principles, legal grounds for processing, cross-border transfer mechanisms, and individual rights

Applies to processing of PI by individuals and businesses (PI processors) in both public and private sectors

Within China that process PI of Chinese citizens
Outside of China that process PI of Chinese citizens for the purpose of providing goods or services or analyze and assess behaviors

CSL

China’s main law regulating cyberspace

Addresses protection of PI processed using computerized information networks
Focuses on cybersecurity protection, including protection of critical information infrastructure and certification of network services and products

Applies to all network operators, including network service providers (i.e., entities that construct, operate, maintain, and use computerized information networks)

DSL

China’s main law regulating different classifications of data

Requires data to be categorized by different levels of importance, such as data impacting national security and public interests

Applies to data processing activities of all natural and legal persons

Businesses outside of China are liable if their processing of data harms Chinese national security, the public interest, or the lawful rights or interests of Chinese citizens or organizations

In addition to the core laws, China’s data protection framework is complemented by the Personal Information Security Specification, a voluntary set of best practices that provides granular, practical guidelines for implementing compliant PI processing.

While the PIPL takes precedence, Chinese authorities still leverage the Specification to assess organizations’ compliance with privacy obligations, making it a valuable supplementary compliance tool for businesses.

Understanding China’s Cross-Border Transfer Rules

China’s cross-border transfer rules aim to ensure that PI is handled securely when transferred outside of China. The Regulations on Promoting and Regulating Cross-Border Data Flows is the main legal text governing the transfer of PI outside of China.

China’s cross-border rules differ from those in typical data protection laws in that the data transfer mechanism required relies on the type and amount of PI transferred, rather than who the recipient is or their location.

Unless an exemption applies, transfers must comply with one of the following data transfer mechanisms: data export security assessment, standard contract, or PI protection certificate.

Regardless of which data transfer mechanism used or exemption relied on, all transfers must meet specific conditions, such as informing individuals of the transfer, obtaining individual consent, and conducting an PI protection impact assessment.

China’s Enforcement Landscape

Navigating China’s data protection framework also entails understanding the regulatory authorities and enforcement landscape. While the Cyberspace Administration of China (CAC) serves as the primary enforcement authority for non-sector-specific entities, other State Council departments, such as the Ministry of Public Security (MPS) and the Ministry of Industry and Information Technology (MIIT), play crucial roles in supervising and administering privacy protection within their respective sectors.

Organizations operating in China must be cognizant of the enforcement mechanisms and penalties associated with non-compliance. For instance, PIPL establishes a private right of action for individuals who have been denied the opportunity to exercise their rights and holds organizations criminally liable for violations that may constitute a crime.

Administrative penalties can reach as high as RMB 50 million (~ 7 million USD) or 5% of turnover for the previous year, including suspension or cessation of related business activities and/or revocation of the relevant business permit or license. Liability extends to persons in charge and other directly liable persons, with fines imposed up to RMB 1 million (~ 142,000 USD).

Organizations must take a proactive approach to ensure adherence to the evolving privacy landscape.

Move forward with confidence

Compliance with privacy regulations in China is a multifaceted endeavor that demands a thorough understanding of the legal landscape and a proactive approach to data protection. Staying informed about the evolving regulatory landscape and proactively adapting their privacy practices will be instrumental for organizations seeking to operate ethically and sustainably within China’s dynamic business environment.

Current Nymity Research subscribers can find everything they need to know about China’s privacy landscape in our new Privacy Simplified: China page in Nymity Research, and Operational Template on China’s Cross-Border Rules (get the template below).

Nymity Research

Get detailed insights, tools, and templates to help you manage China’s Privacy Framework and other regulations.

Start today

China – Cross-Border Transfer Rules Template

Review the rules for transferring personal information (PI) outside of the People’s Republic of China.

Download now

Key Topics

Get the latest resources sent to your inbox