A comparison of data protection laws: China

    By Amigo L Xie and Susan Munro, K&L Gates

    Data is the oil of the information age. Despite the varied and complex socioeconomic and political landscapes, many Asian jurisdictions are taking giant strides in strengthening personal data safeguards





    The 2021 Personal Information Protection Law (PIPL) is China’s first comprehensive law on personal information protection. Private personal information is protected as a right of privacy under the Civil Code, and individual rights in personal information, private or public, are protected under the PIPL. Data security, including data that are not personal information, and cybersecurity are regulated under the Data Security Law and Cybersecurity Law, which along with the PIPL form China’s data privacy and security legal regime.


    The principal authority tasked with implementing and enforcing data governance is the Cyberspace Administration of China (CAC). Various other industry and provincial regulators are tasked with supervision and administration.


    Amigo L Xie, K&L Gates
    Amigo L Xie
    K&L Gates in Hong Kong
    Phone: +852 2230 3510
    Email: amigo.xie@klgates.com

    To implement China’s data national security and personal information protection rules, data have been graded according to levels of risk and importance. The Data Security Law provides for a “classified and graded” data protection system that categorises data into groups according to type, and assigns different levels of importance to data within each group. A national data security co-ordination mechanism undertakes overall planning and co-ordinates departments of the State Council to formulate catalogues of “important data” and strengthen the protection of important data.

    The PIPL distinguishes between personal information and sensitive personal information. Personal information refers to any kind of information related to an identified or identifiable natural person recorded electronically or otherwise, excluding anonymised information. Sensitive personal information refers to personal information that, if leaked or illegally used, would easily lead to infringement of human dignity or harm to a natural person, including biometric recognition, religious belief, medical and health, financial accounts, personal location tracking and other similar information – and any personal information of a minor under 14 years.


    The data governance system does not contain separate definitions of a data controller and a data processor. The PIPL defines a personal information handler (PIH) as any organisation or individual that independently determines the purpose and method of processing personal information. A PIH may subcontract the processing of personal data to another party, but shall be responsible for the acts and omissions of the subcontractor. PIHs must take measures to protect the security of personal information, ensuring that third-party processors comply with laws and do not process personal information beyond agreed purposes.


    The PIPL prescribes the circumstances when a PIH may process personal information, including:

    • Lawful consent of data subject;
    • Necessity in connection with conclusion or performance of a contract, or human resources management under an employment policy or a collective contract;
    • Necessity for performance of statutory duties;
    • Necessity in response to a public health emergency or protection of life, health or property safety in emergency;
    • News reporting or public interest; or
    • Where personal information has been disclosed already by an individual, or otherwise legally, such information may be processed within reasonable scope.


    Susan Munro, K&L Gates
    Susan Munro
    Registered Foreign Lawyer
    K&L Gates in Hong Kong
    Tel: +852 2230 3518
    Email: susan.munro@klgates.com

    The Cybersecurity Law contains provisions that apply to cross-border transfers of personal information and important data produced and collected by critical information infrastructure operators (CIIOs), which will be designated by the authorities. By contrast, the PIPL contains a comprehensive framework for cross-border transfers of personal information.

    Several implementing rules and guidelines or drafts, including the Regulations on Network Data Security Management (NDSM) and Measures for Security Assessment of Cross-border Data Transfer (MSA), address cross-border data transfers. Several industry laws and regulations impose restrictions and prohibitions on cross-border transfers of certain types of data. General requirements for PIHs include:

    • Cross-border transfers of personal information must be on a lawful basis.
    • PIHs are required to take all necessary measures to ensure transferred personal information is processed and protected by overseas recipients to the same standards mandated in the PIPL.
    • Personal information protection impact assessments are required before transfers of personal information outside mainland China.

    There are also specific requirements for certain PIHs for data localisation and national security assessment, including:

    • CIIOs are required to store personal information and important data collected and produced during their operations in mainland China.
    • PIHs whose processing of personal information reaches thresholds prescribed by the CAC are subject to data localisation requirements. Current thresholds in MSA refer to, among other things, data of one million or more individuals.
    • Banking financial institutions are not permitted to provide personal financial information overseas unless specifically permitted by law and the central bank.
    • If a CIIO or a PIH whose processing personal information reaches a statutory threshold intends to provide such information to an overseas recipient, it must pass a national security assessment.
    • MSA extends the national security assessment requirement to other data handlers if the data to be transferred includes “important data”.
    • MSA also applies the national security assessment requirement to overseas transfers by a PIH who has transferred the personal information of more than 100,000 individuals, or the “sensitive personal information” of more than 10,000 individuals from 1 January of last year on a cumulative basis.

    If a national security assessment is not required, PIHs must either obtain a certification of personal information protection from a designated professional institution, or enter into a data transfer agreement with an overseas recipient that includes standard clauses mandated by the CAC. The draft NDSM extends these requirements to handlers of non-personal data.

    No individual or organisation is permitted to provide data located within mainland China to a foreign judicial or law enforcement agency without first obtaining approval from relevant authorities.


    The PIPL also provides the following penalties and punishments for violations:

    • Initial punishments include corrective orders, warnings, confiscation of illegal gains and suspension of services;
    • If uncorrected, fines up to RMB1 million (USD150,000) per violation and between RMB10,000 and RMB100,000 on persons who have caused or are otherwise responsible for violations;
    • For serious violations, fines up to RMB50 million, or 5% of previous year’s revenue, and business suspensions, or revocation of business licences. Persons liable can be fined RMB100,000 to RMB1 million and banned from holding positions such as directorships.
    • A PIH must prove it has not infringed personal information rights if a data subject incurs damages. If a PIH cannot do this, it may incur tortious liability and be liable for damages based on losses or gains received, or alternatively damages determined by a court.
    • If a PIH infringes the rights of a large number of people, prosecutors, consumer organisations specified by law or certain organisations designated by the CAC may file a lawsuit against the PIH.

    The Data Security Law and Cybersecurity Law contain punishments in connection with violations as well.


    The Cybersecurity Law implements a classified protection system. Upon occurrence of a data breach, the data governance system requires data handlers and network operators to immediately initiate contingency plans, take corresponding remedial measures, notify data subjects as required, and report the incident to the CAC and relevant regulators.

    Under the National Contingency Plans for Cyber Security Incidents and the Emergency Response Plan for Unexpected Network Security Incidents of the Public Internet, cybersecurity incidents are classified into four levels: (1) especially major, (2) major, (3) relatively major and (4) general. The regulations also specify detailed rules regarding regulators, monitoring and early warning systems, emergency and reporting systems, investigations and assessments, and safeguard measures.


    The PIPL mandates the appointment of a data protection officer (DPO) and prescribes the following role and liabilities:

    • Supervision of a PIH’s data processing activities, protection measures, etc.;
    • Reporting directly to the principal of a PIH; and
    • Personal liabilities include fines ranging from RMB10,000 to RMB1 million, depending on the severity of the violation. A DPO also risks being banned from senior positions, negative records in state social credit files, public disclosure and, in a worst-case scenario, administrative detention or criminal prosecution.

    The PIPL does not prescribe the detailed tasks of a DPO but guidance regarding the role can be found in the PIS specification.

    K&L Gates Logo

    44/F Edinburgh Tower, The Landmark
    15 Queen’s Road Central, Hong Kong
    Tel: +852 2230 3500