JunHe LLP
What law(s) specifically govern personal data / information?
The Personal Information Protection Law of the People's Republic of China ('PIPL'), which took effect on November 1, 2021, is the first comprehensive law that specifically addresses the protection of personal information.
In addition, provisions on personal information protection appear in other laws. For example:
- the Cybersecurity Law of the PRC ('CSL'), which took effect on June 1, 2017, provides rules for personal information protection in Chapter IV;
- the Data Security Law of the PRC ('DSL'), which took effect on September 1, 2021, requires data processors to fulfil data security protection duties in Chapter IV;
- the Network Data Security Management Regulation, which took effect on January 1, 2025, provides rules for personal information protection in Chapter III and rules for the security of important data in Chapter IV;
- the Civil Code of the People's Republic of China, which took effect on January 1, 2021, expressly provides for the right of privacy and personal information protection in Chapter VI of Part IV (Personality Rights); and
- the Ninth Amendment to the Criminal Law (promulgated on August 29, 2015) provides that anyone who sells or provides personal information to a third party in violation of the law is subject to criminal liability, and that those who sell or provide personal information obtained in the performance of their duties or the provision of services, in violation of the law, are subject to heavier punishment.
Standards and guidelines issued by National Technical Committee 260 on Cybersecurity of the Standardisation Administration of China ('TC260'), such as Information Security Technology - Personal Information Security Specification, also serve as recommended guidelines for enterprise data compliance, although they may not be mandatory in practice.
Apart from those mentioned above, some laws and regulations are also worth noting because they regulate the processing of personal information in specific scenarios. For example:
- the Measures for Security Assessment of Data Export, the Measures for the Standard Contract for Personal Information Export, and the Regulations on Promoting and Regulating Cross-border Data Transfers ('New CBDT Regulations') further clarify the main routes for cross-border data transfer on the basis of the general requirements of the PIPL;
- the Provisions on the Administration of Algorithm-generated Recommendations for Internet Information Services, which took effect on March 1, 2022, provide specific rules on personal information protection in the context of algorithm-generated recommendations;
- the Interim Measures for the Administration of Generative Artificial Intelligence Services, which took effect on August 15, 2023, also regulate personal information protection in generative artificial intelligence services;
- the Measures for Labelling AI-Generated or Composed Content, which took effect on September 1, 2025, provide specific rules for the labelling of AI-generated or composed content;
- the Administrative Measures for Personal Information Protection Compliance Audits, which took effect on May 1, 2025, provide specific rules for personal information protection compliance audits; and
- the Administrative Measures for the Application Security of Facial Recognition Technology, which took effect on June 1, 2025, provide specific rules for the adoption of facial recognition technology.
What are the key data protection principles in this jurisdiction?
Articles 5 to 9 of the PIPL stipulate six principles for personal information protection. These principles serve as general guidelines throughout personal information processing activities:
Lawfulness, Justification, Necessity and Good Faith. Personal information shall be processed in accordance with the principles of lawfulness, justification, necessity and good faith, and not in any manner that is misleading, fraudulent or coercive. As the primary principle stipulated by the PIPL, it is a prerequisite for any processing activity carried out by a personal information processor.
Specification and Relevancy. Processing must have a specified and reasonable purpose and must be directly relevant to that purpose. This principle sets the criteria for evaluating the purpose of processing, confining processing activities to those that are 'directly relevant to the purpose of processing'.
Minimum Extent. Firstly, processing activities shall have the least impact on the rights and interests of individuals; secondly, the collection of personal information must be limited to the minimum scope necessary for achieving the purpose of processing and must not be excessive.
Openness and Transparency. Processing must be conducted in accordance with the principles of openness and transparency, by disclosing the rules of personal information processing and the purposes, methods and scope of processing. This principle protects the right of personal information subjects to be informed and to give consent, and is a prerequisite for personal information processors to fulfil the obligation to obtain informed consent.
Completeness and Accuracy. Personal information processors must ensure the quality of personal information processed, to avoid any negative impact on personal rights and interests due to the inaccuracy or incompleteness of the personal information processed.
Security Protection. Personal information processors shall be directly responsible for their personal information processing activities, and shall take necessary measures to ensure the security of the personal information processed.
Beyond personal information, PRC law also imposes requirements on the processing of data in general, with enhanced protection for important data. The CSL and the DSL set out general principles for data protection. According to Article 8 of the DSL, data processors shall observe laws and regulations, respect social morality and ethics, observe business and professional ethics, uphold honesty and trustworthiness, fulfil data security protection obligations and undertake social responsibilities; and shall not endanger national security or public interests, nor harm the lawful rights and interests of individuals and organisations.
What is the supervisory authority / regulator in charge of data protection?
There is no single authority or regulator in China responsible for supervising compliance with all data protection related laws. In the field of personal information protection, Chapter VI of the PIPL specifies the competent authorities performing personal information protection duties and establishes the following regulatory structure: (a) the national cyberspace department coordinates personal information protection work; (b) the competent authorities under the State Council supervise and administer personal information protection within their respective remits; and (c) the competent authorities under local people's governments at or above county level supervise and administer personal information protection as determined in accordance with the applicable laws and regulations. These authorities are collectively referred to as 'departments with personal information protection duties'.
In practice, apart from the departments with personal information protection duties, the public security authorities and the market regulation authorities are also in charge of practical enforcement and administrative penalties relating to infringement of personal information. The public security authorities also have the authority to investigate criminal offenses relating to infringement of personal information.
Sector regulators are responsible for compliance supervision in their respective industries. According to Article 6 of the DSL, the competent departments for industry, telecommunications, transportation, finance, natural resources, health, education, science and technology, and other relevant sectors assume responsibility for supervising and regulating data security in their respective sectors.
Is there a requirement to register with a supervisory authority / regulator?
There is no specific requirement for a personal information processor to register with the supervisory authority. However, the PIPL and other applicable regulations impose certain filing requirements with the supervisory authority:
- A personal information processor is required to designate a person in charge of personal information protection if it processes personal information reaching the amount prescribed by the national cyberspace department, and the name, contact information and other details of that person shall be submitted to the departments with personal information protection duties. Under the Administrative Measures for Personal Information Protection Compliance Audits, which took effect on May 1, 2025, the 'amount prescribed by the national cyberspace department' is 1 million individuals. Accordingly, a personal information processor processing the personal information of more than 1 million individuals in aggregate should designate a Personal Information Protection Officer ('PIPO') and submit filing materials to the local cyberspace administration.
- Personal information processors outside the territory of the People's Republic of China that are subject to the extraterritorial effect of the PIPL shall submit the names, contact information and other details of the specialised agencies or representatives established within the People's Republic of China to handle personal information protection matters to the departments with personal information protection duties.
- A personal information processor shall go through the filing procedures with the local cyberspace administration within 30 working days from the day when the number of individuals whose facial information is processed using facial recognition technology reaches 100,000.
Apart from the above filing requirements, certain specific services or activities also need to be filed with the relevant authorities. For example, an algorithm recommendation service provider with public opinion attributes or social mobilisation capability shall submit the relevant information on the Internet Information Service Algorithm Filing System to complete the filing formalities.
Is there a requirement to notify the supervisory authority / regulator?
The PIPL requires a personal information processor to notify the supervisory authority in the event of a suspected or actual data breach. According to Article 57(1) of the PIPL, a personal information processor must immediately take remedial measures and notify the affected individuals and the departments with personal information protection duties when leakage, tampering or loss of personal information occurs or may occur. The PIPL requires the following content to be included in the notification:
- the types of personal information affected;
- the cause of, and possible harm that may result from, the breach;
- any remedial measures taken by the personal information processor and measures individuals can adopt to mitigate harm; and
- the contact information of the personal information processor.
In addition, according to Article 57(2) of the PIPL, if the measures taken by the personal information processor can effectively avoid the harm caused by the leakage, tampering or loss, the processor may choose not to notify the affected individuals; however, the department with personal information protection duties may still require the processor to notify individuals if it considers that harm may be caused.
Similar requirements are stipulated in the CSL, the DSL, the Network Data Security Management Regulation and other regulations of competent authorities, which require notification of the relevant authority or regulator of data security incidents or cybersecurity incidents. In addition, there are specific notification requirements in certain regulated industries.
Is it possible to register with / notify the supervisory authority / regulator online?
There is not yet a uniform online system for personal information processors to register with/notify the supervisory authorities in China under the PIPL.
However, for special matters or special entities, there are online platforms for filing or notification, such as the Internet Information Service Algorithm Filing System used for the filing of algorithm recommendation service providers.
What are the key data subject rights under the data protection laws of this jurisdiction?
Chapter IV of the PIPL is the main source of data subject rights. Key data subject rights include:
- Right to know and decide on the processing of their personal information.
- Right to restrict or refuse the processing of their personal information by others.
- Right to access and duplicate their personal information from personal information processors.
- Right to request the transfer of personal information to their designated personal information processors, if the following conditions are met: (i) the true identity of the person making the request can be verified; (ii) the personal information requested for transfer is the personal information that the individual has agreed to provide or has been collected on the basis of a contract; (iii) the transfer of personal information is technically feasible; and (iv) the transfer of personal information does not damage the legitimate rights and interests of others.
- Right to request personal information processors to rectify or supplement relevant information.
- Right to request personal information processors to delete their personal information under any of the following circumstances: (i) the purpose of processing has been achieved, is impossible to achieve, or the personal information is no longer necessary to achieve the purpose of processing; (ii) personal information processors cease the provision of products or services, or the retention period has expired; (iii) the individuals withdraw consent; (iv) where personal information processors have processed personal information in violation of laws, administrative regulations, or agreements; or (v) other circumstances provided by laws or administrative regulations.
- Right to request personal information processors to explain their personal information processing rules.
- Right to withdraw consent.
- Right to refuse automated decision-making. Information push and commercial marketing to individuals based on automated decision-making shall be accompanied by options not specific to their personal characteristics or by convenient means for individuals to refuse; where a decision that has a major impact on an individual's rights and interests is made by means of automated decision-making, the individual has the right to request an explanation from the personal information processor and to refuse decisions made solely by means of automated decision-making.
Is there a requirement to appoint a data protection officer (or equivalent)?
Article 52 of the PIPL requires a personal information processor that processes personal information reaching the threshold amount specified by the national cyberspace department to appoint a PIPO. The PIPO is responsible for, among other things, overseeing personal information processing activities and the protection measures taken.
By reference to Administrative Measures for Personal Information Protection Compliance Audits which came effective on May 1, 2025, the threshold for appointing a PIPO is set at processing personal information of 1 million individuals.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Article 55 of the PIPL sets out the circumstances in which a personal information protection impact assessment is required. Personal information processors shall conduct the assessment in advance and keep a record of the processing in the following circumstances:
- Processing sensitive personal information.
- Using personal information to conduct automated decision-making.
- Entrusting personal information processing to another party, providing personal information to another party, or publicising personal information.
- Providing personal information to any party outside the territory of the People's Republic of China.
- Other personal information processing activities which have major impacts on individuals' rights and interests.
The personal information protection impact assessment shall include the following contents:
- whether the purposes and means of personal information processing are legitimate, justified and necessary;
- the impact on individuals' rights and interests, and security risks; and
- whether the protection measures taken are legitimate, effective, and compatible with the degree of risks.
The report of the personal information protection impact assessment and the processing record shall be retained for at least three years.
Does this jurisdiction have any specific data breach notification requirements?
As mentioned above in the reply to question 5, Article 57(1) of the PIPL provides that a personal information processor shall immediately take remedial measures, and notify departments with personal information protection duties and the relevant individuals when leakage, tampering or loss of personal information occurs or may occur. The notice shall include the following matters:
- the categories of personal information that is or may be leaked, tampered with or lost, and the causes and possible harm of the leakage, tampering or loss of the personal information;
- remedial measures taken by the personal information processor and measures the individuals can take to mitigate the harm; and
- the contact information of the personal information processor.
Furthermore, Article 57(2) of the PIPL also states that the departments with personal information protection duties shall have the right to require the personal information processor to notify individuals when it considers that harm may be caused.
What restrictions apply to the international transfer of personal data / information?
The PIPL provides three mechanisms for transferring personal information out of China; a personal information processor may transfer personal information out of China by satisfying one of the following three routes:
- passing a security assessment administered by the national cyberspace department in accordance with Article 40 of the PIPL (‘Security Assessment’).
According to the New CBDT Regulations effective since March 22, 2024, if a data processor triggers any of the following thresholds, it needs to apply for a security assessment of its cross-border transfer of personal information: (1) it is a critical information infrastructure operator (‘CIIO’) that provides any personal information or important data to an overseas recipient; or (2) it is a data processor, other than a CIIO, that provides any important data to an overseas recipient, or that has cumulatively provided the personal information (excluding sensitive personal information) of not less than 1 million individuals or the sensitive personal information of not less than 10,000 individuals to overseas recipients since January 1 of the current year.
- obtaining a personal information protection certification from the relevant specialised institutions according to the provisions issued by the national cyberspace department (‘Certification’).
In accordance with Article 8 of the New CBDT Regulations, where, since January 1 of the current year, a data processor, other than a CIIO, has cumulatively provided to an overseas recipient the personal information (excluding sensitive personal information) of not less than 100,000 individuals but less than 1 million individuals or the sensitive personal information of less than 10,000 individuals, the data processor shall obtain a personal information protection certification or sign a standard contract. On December 16, 2022, TC260 released the Practical Guidelines for Cybersecurity Standards - Security Certification Specification for Cross-border Processing Activities of Personal Information (V2.0) ('Security Certification Specification'), which sets out basic requirements for certification agencies to carry out personal information protection certification for cross-border processing activities of personal information.
- concluding a contract stipulating both parties' rights and obligations with the overseas recipient in accordance with the standard contract formulated by the national cyberspace department (‘Standard Contract’).
If the thresholds under Article 8 of the New CBDT Regulations (as described under the Certification route above) are triggered, a data processor may, as an alternative to Certification, transfer personal information overseas by entering into the Standard Contract formulated by the Cyberspace Administration of China ('CAC') with the overseas recipient. The executed Standard Contract must be filed by the data processor, together with a personal information protection impact assessment report (see the reply to question 9 above), with the relevant provincial-level CAC within 10 working days after the Standard Contract takes effect.
For transfers of personal information to third parties outside the territory of China, the PIPL also requires that personal information processors shall inform individuals of the following matters:
- the name and contact information of the overseas data recipients;
- the purposes and methods of data processing;
- the types of personal information to be transferred; and
- the methods and procedures for individuals' exercise of the rights provided in the PIPL against the overseas recipient, and other matters.
Personal information processors must also obtain separate consent from individuals for the cross-border transfer of their personal information, unless the transfer relies on a legal basis other than consent.
According to Article 55 of the PIPL, the personal information processor should conduct a personal information protection impact assessment on the provision of personal information to an overseas recipient in advance, and keep a record of the processing.
It’s also noteworthy that the New CBDT Regulations set out other adjustments to the cross-border data transfer, such as:
- Establishing specific scenarios where data export paths are not required.
Under the following circumstances, data processors are exempted from the three data export paths (including Security Assessment, Certification and Standard Contract):
- where it is truly necessary to transfer personal information overseas for the purpose of concluding or performing a contract to which the individual is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa application, and examination services;
- where it is truly necessary to transfer any personal information of an employee overseas for the purpose of cross-border human resources management under lawfully established labour policies and pursuant to a lawfully executed collective contract;
- where it is truly necessary to transfer any personal information overseas in emergency for the purpose of protecting the health, life, and property safety of a natural person; or
- where a data processor other than CIIO transfers overseas the personal information of less than 100,000 individuals on a cumulative basis (excluding sensitive personal information) since January 1 of the same year.
Note that these exemptions apply to personal information only and do not extend to important data.
A Security Assessment for the export of important data is required only where the data has been identified as important data in a catalogue published by, or a notification from, the relevant department or region. Data that has not been so notified or published need not be declared as important data for the purposes of Security Assessment.
Free trade zones are authorised to issue negative lists for data export. Outbound transfers by data processors in a free trade zone of data not on the negative list are exempt from the Security Assessment, the Standard Contract and the Certification.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The PIPL does provide for certain extraterritorial application. According to Article 3(2) of the PIPL, the PIPL applies to processing activities outside China relating to the personal information of individuals in China if the purpose of the processing is to:
a. offer goods or services to individuals in China; or
b. monitor and evaluate the activities of individuals in China.
Furthermore, the PIPL requires the above-mentioned personal information processors outside the territory of China to establish specialised institutions or designate representatives within the territory of China to handle matters relating to personal information protection, and to submit the names of those institutions or the names and contact information of those representatives to the relevant supervisory authorities.
What rules specifically deal with marketing?
According to Article 43 of the Advertising Law of the People's Republic of China ('Advertising Law'), as revised in 2021, organisations or individuals may distribute advertisements via electronic means only with the consent of the recipients. Advertisements distributed via electronic means shall state the true identity and contact details of the sender and the method by which recipients can refuse future advertisements. Furthermore, Article 44 requires that advertisements published on the Internet shall not affect users' normal use of the network, and that pop-up advertisements shall display a close button prominently and allow the window to be closed with one click.
Article 24(2) of the PIPL requires that information push and commercial marketing to individuals based on automated decision-making shall be simultaneously accompanied by options not specific to their personal characteristics or with convenient means for individuals to refuse.
Do different rules apply to business-to-business and business-to-consumer marketing?
There are no separate rules for business-to-business and business-to-consumer marketing.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
There are several laws and regulations dealing with electronic marketing (by email, text message, online ads etc.), for example:
- The Measures for the Administration of Internet E-mail Services effective from March 30, 2006.
- The Administrative Provisions on Short Message Services effective from June 30, 2015.
- The Administrative Provisions on Internet Pop-up Window Information Push Services effective from September 30, 2022.
- As mentioned in the reply to Question 13, Article 24(2) of the PIPL requires that information push and commercial marketing to individuals based on automated decision making shall be simultaneously accompanied by options not specific to their personal characteristics or with convenient means for individuals to refuse.
What rules specifically deal with cookies?
China has no rules specifically on cookies. By reference to the App-related guidelines, including the Guide to Self-evaluation of Collection and Use of Personal Information by Mobile Internet Applications (Apps) issued in July 2020 and the Practical Guide to Cybersecurity Standards: Frequently Asked Questions and Handling Guidelines for Personal Information Protection of Mobile Internet Applications (Apps) issued in September 2020, when using cookies and similar technologies (including scripts, clickstreams, web beacons, Flash cookies, embedded web links, etc.) to collect personal information, the App operator should briefly explain the relevant mechanism, as well as the purpose of the collection and the types of personal information collected. These guidelines also prohibit collecting personal information by means of cookies and similar technologies, or by enabling permissions, interfaces, etc., without the individual's prior consent.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Personal information processors that violate the PIPL in their processing of personal information may be subject to administrative penalties including:
- warnings;
- an order to correct the violation;
- confiscation of unlawful gains;
- provisional suspension or termination of the applications or business found to be in violation of the PIPL;
- fines: entities that refuse to correct the violation may be fined up to RMB 1 million, and the responsible personnel may be fined between RMB 10,000 and RMB 100,000; for serious violations of the PIPL, entities may be fined up to RMB 50 million or 5% of the preceding year's turnover, and individuals directly responsible may be fined between RMB 100,000 and RMB 1 million; and
- prohibition of persons in charge: for serious violations of the PIPL, individuals directly responsible may be prohibited from serving as director, supervisor, senior manager or person in charge of personal information protection for a certain period of time.
In addition, violations of the PIPL may be recorded in the credit archives and published in accordance with the relevant laws and regulations.
The PIPL also provides for civil and criminal liability:
- where the processing infringes personal information rights and interests and causes harm, the personal information processor bears liability for damages and other tort liability unless it can prove that it is not at fault;
- where a violation constitutes a crime, the violator is held criminally liable in accordance with the law; and
- where a personal information processor violates the PIPL and infringes the rights and interests of many individuals, the People's Procuratorate, a consumer organisation provided for by law, or an organisation designated by the national cyberspace department may file a lawsuit with the People's Court in accordance with the law.
Legal liabilities under other laws and regulations such as consumer rights protection law, advertisement law, may also be applicable depending on the specific circumstance of violation.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
Multinational organisations located outside China are advised to be aware of the following aspects when processing personal information of individuals in China:
- Assess whether the organisation is subject to the extraterritorial jurisdiction of the PIPL. A multinational organisation should assess whether it processes the personal information of natural persons located in China for the purpose of providing products or services to individuals within the PRC, or of analysing or assessing the conduct of individuals within the PRC, in order to determine which of its entities are subject to compliance requirements under the PIPL.
- If the extraterritorial applicability of the PIPL is triggered, the organisation should attend to its specific obligations under the PIPL, including but not limited to establishing specialised agencies or designating representatives within the territory of the PRC to handle personal information protection matters, submitting the names, contact information and other details of those agencies or representatives to the departments with personal information protection duties, and passing a cross-border data transfer security assessment if the relevant threshold is triggered.
- Determine the methods of cross-border data transfer and the implementation of data localisation in accordance with applicable laws and regulations. If extraterritorial applicability of the PIPL is triggered, the multinational organisation should go through the procedures of Security Assessment/Standard Contract/Certification (as applicable), in accordance with relevant laws and regulations governing cross-border data transfer.
- Consider localised adjustments to group policies. Though the scope of personal information protection laws in China may be similar to data protection laws in other jurisdictions (especially the GDPR), China also has certain special rules and requirements. Therefore, the internal policies of multinational organisations may need to be reviewed and updated to adapt to local law requirements.
What upcoming data protection developments should multinational organisations be aware of?
Compliance assessment of cross-border data transfer
Multinational organisations need to be aware of the new assessment requirements in the context of cross-border data transfer. It is advisable to inform individuals of the relevant matters, obtain the separate consent of individuals, and conduct a prior personal information protection impact assessment and a prior self-assessment of the risks of data export. Furthermore, entities also need to take effective measures, such as contractual agreements, to supervise overseas recipients so that they use the data in accordance with the requirements of the relevant Chinese laws and fulfil their data security protection obligations.
Personal Information Protection Impact Assessment
The personal information protection impact assessment will be an important mechanism for the protection of personal information in the future. Personal information processors need to conduct a personal information protection impact assessment in at least the following scenarios: processing sensitive personal information, using personal information for automated decision-making, entrusting the processing of personal information to another party, providing personal information to other data processors, and cross-border transfer of data to offshore recipients.
Adequate models of internal governance and legitimate channels for the exercise of individual rights
Currently, companies in the Chinese market are constantly optimising the way for data subjects to exercise their rights in respect of personal information, especially in the field of Apps (including mini programs) and improving their internal governance rules. Hence, more attention will need to be paid to this area.
Detailed standards and guidelines in personal information protection
In order to improve the experience of end users on the Internet, the CAC, MIIT and other relevant supervisory regulators have been increasingly emphasising the regulation of apps, SDKs and other services provided by third parties. In addition, detailed standards and guidelines addressing various aspects of personal information protection, including but not limited to sensitive personal information protection, anonymisation and de-identification, data security incident management, data grading and classification, protection of minors' personal information, personal information protection compliance audits and large network platforms, are periodically issued and updated. Multinational organisations need to pay close attention to the regulatory activities and the issuance of detailed standards and guidelines in their corresponding industry sectors and take compliance measures in a timely manner.
Regulation of artificial intelligence, algorithms, new technologies and new applications
The CAC is carrying out overall planning and coordinating with the relevant competent authorities to promote personal information protection work, including but not limited to formulating specialised rules and standards for personal information protection in new technologies and applications such as facial recognition and artificial intelligence. Supervision of artificial intelligence, algorithms, new technologies and new applications is a new trend in China, and the PRC authorities are paying more attention to how personal information and data security are protected in these new technologies and applications. Multinationals providing products or services involving the new technologies or applications mentioned above should closely monitor the progress of new regulations in China.
Different legal requirements for enterprises registered in Free Trade Zones and the Greater Bay Area
China is exploring more flexible rules for cross-border data transfer in the Free Trade Zones and the Guangdong-Hong Kong-Macao Greater Bay Area, in order to balance data security and economic development. Free trade zones have the authority to issue a negative list for data export, and the cross-border transfer of data not on the negative list is exempted from the Security Assessment, the Standard Contract and the Certification. For instance, Free Trade Zones in Beijing, Shanghai, Zhejiang, Jiangsu and several other provinces have issued corresponding negative lists, as well as other facilitative measures for cross-border data transfers. Multinational organisations registered in Free Trade Zones are advised to pay attention to the policies and measures implemented by the competent authorities in their areas. The Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) exempt the quantity restrictions on cross-border transfer of personal information under the PRC data cross-border security management framework. They also simplify the content of the relevant personal information protection impact assessments. Therefore, multinational organisations should pay close attention to developments in these areas and choose the business structure and operation mode best suited to their organisations.