China's data regulatory framework — comprising the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL) — represents one of the world's most comprehensive data governance systems. For foreign companies operating in China, compliance with these three laws is mandatory, and non-compliance can result in severe penalties. This guide explains the key requirements and provides a compliance roadmap.
## The Three Pillars of China's Data Law Framework
| Law | Effective Date | Focus | Key Regulator |
|---|---|---|---|
| Cybersecurity Law (CSL) | June 2017 | Network security, CIIO obligations | CAC (Cyberspace Administration of China) |
| Data Security Law (DSL) | September 2021 | Data classification, security protection | CAC + industry regulators |
| Personal Information Protection Law (PIPL) | November 2021 | Personal data protection (GDPR-like) | CAC |
## Cybersecurity Law (CSL) — Key Requirements
### Critical Information Infrastructure Operator (CIIO) Obligations
If your company is designated as a CIIO (common in finance, energy, transportation, healthcare, telecom, and government sectors), you must:
- Store personal information and important data collected in China within China
- Conduct security assessments before cross-border data transfers
- Implement the Multi-Level Protection Scheme (MLPS) at Level 3 or above
- Conduct annual cybersecurity education and training
- Report cybersecurity incidents to authorities
- Use certified network products and services (domestic where required)
### Multi-Level Protection Scheme (MLPS 2.0)
All network operators must classify their systems under MLPS:
| Level | Applicable To | Requirements |
|---|---|---|
| Level 1 | Minor impact systems | Basic security measures |
| Level 2 | Moderate impact (most companies) | Standard security, periodic assessment |
| Level 3 | CIIOs, significant systems | Enhanced security, annual assessment |
| Level 4 | National security-related | Strict security, semi-annual assessment |
| Level 5 | Critical national security | Highest security, special assessment |
## Data Security Law (DSL) — Key Requirements
### Data Classification
The DSL requires companies to classify data into three categories:
| Category | Description | Protection Level |
|---|---|---|
| Core data | Data affecting national security, economic order, or vital public interests | Highest — strict access controls, enhanced security |
| Important data | Data that, if tampered with or leaked, could affect national security or public interests | High — security assessments, impact analysis |
| General data | All other data | Standard — reasonable security measures |
### DSL Obligations
- Establish a data security management system
- Conduct data security risk assessments (annually for important data)
- Implement data security education and training
- Report data security incidents to authorities
- Cooperate with regulatory investigations
- Maintain data security records and logs
- Conduct security assessments before exporting important data
## Personal Information Protection Law (PIPL) — Key Requirements
### Consent and Legal Basis
Processing personal information requires a legal basis, primarily informed consent. Other legal bases include:
- Necessary for performing a contract
- Necessary for statutory duties
- Necessary for public health or safety
- News reporting for public interest
- Information disclosed by the individual
- Other circumstances specified by law
### Data Subject Rights
Under PIPL, individuals have the following rights:
| Right | Description |
|---|---|
| Right to know and decide | Know what data is collected and decide on processing |
| Right to access and copy | Request access to and copies of their data |
| Right to correct/complete | Request correction of inaccurate data |
| Right to deletion | Request deletion when processing purpose is achieved or consent withdrawn |
| Right to restrict processing | Request restriction of processing |
| Right to portability | Request transfer of data to another processor |
| Right to withdraw consent | Withdraw consent at any time |
| Right to explanation | Request explanation of automated decision-making |
| Right to reject automated decisions | Opt out of profiling or automated decision-making |
### Privacy Policy Requirements
Your privacy policy must be:
- Clear, conspicuous, and easily accessible (in Chinese)
- Specific about what data is collected, how it's used, and who it's shared with
- Detailed about retention periods
- Transparent about data subject rights and how to exercise them
- Updated when processing activities change
### Data Protection Officer (DPO)
Appointing a DPO is required if your company:
- Processes large volumes of personal information
- Processes sensitive personal information
- Provides important internet platform services
The DPO must be disclosed publicly and be responsible for overseeing PIPL compliance.
## Cross-Border Data Transfer Rules
Cross-border data transfer is one of the most critical compliance areas for foreign companies. There are three pathways:
### Pathway 1: CAC Security Assessment
Required for:
- Transfer of "important data"
- CIIOs transferring personal information
- Processing personal information of more than 1 million individuals
- Cumulative transfer of personal information of more than 100,000 individuals since the previous year
- Cumulative transfer of sensitive personal information of more than 10,000 individuals
### Pathway 2: Certification
For multinational companies with internal cross-border data flows. Certification by an accredited body (e.g., CAC-accredited certifier) demonstrates compliance. Best for intra-group data transfers.
### Pathway 3: Standard Contract (SCC)
For transfers not meeting the thresholds for CAC assessment:
- Sign the CAC standard contract with the overseas recipient
- File the contract with the provincial CAC
- Conduct a personal information protection impact assessment (PIPIA)
- No CAC approval required, but filing is mandatory
## Compliance Checklist for Foreign Companies
### 1. Data Mapping and Classification
- Inventory all data collected, stored, and processed
- Classify data into core, important, and general categories
- Identify personal information vs. sensitive personal information
- Map data flows (internal, cross-border, to third parties)
### 2. Governance Structure
- Appoint a Data Protection Officer (if required)
- Establish a data security management team
- Develop data security policies and procedures
- Implement data access controls and authorization systems
### 3. Technical Safeguards
- Encrypt sensitive personal information
- Implement access logging and monitoring
- Deploy data loss prevention (DLP) systems
- Conduct MLPS assessment and certification
- Conduct regular vulnerability scanning and penetration testing
### 4. Privacy Compliance
- Draft and publish compliant privacy policy (in Chinese)
- Implement consent management mechanisms
- Establish data subject rights request process
- Conduct PIPIA for high-risk processing activities
- Maintain records of processing activities
### 5. Cross-Border Transfer Compliance
- Determine which transfer pathway applies
- Complete CAC security assessment (if required)
- File standard contracts (if using SCC pathway)
- Maintain documentation of transfer compliance
- Monitor for regulatory changes
### 6. Incident Response
- Develop data breach incident response plan
- Report breaches to CAC within 8 hours of discovery (for serious incidents)
- Notify affected individuals of breaches
- Conduct post-incident reviews and improvements
## Penalties for Non-Compliance
| Violation | Maximum Penalty |
|---|---|
| PIPL violation (serious) | Fine up to RMB 50 million or 5% of annual revenue; business suspension; personal fines (RMB 100,000 to 1 million) |
| DSL violation (serious) | Fine up to RMB 10 million; business suspension; criminal prosecution |
| CSL violation (CIIO) | Fine up to RMB 1 million; personal fines; criminal prosecution |
| Illegal cross-border transfer | Fine up to RMB 10 million; correction order; business suspension |
| Data breach (failure to report) | Fine up to RMB 1 million; personal fines |
## Practical Tips for Foreign Companies
- Data localization: Consider storing Chinese user data on servers located in China to simplify compliance
- Minimize data collection: Collect only what is strictly necessary for your business purpose
- Separate systems: Maintain separate databases for Chinese operations vs. global systems
- Use FTZ benefits: Register in a Free Trade Zone (FTZ) to benefit from simplified cross-border data transfer rules
- Engage local counsel: Work with a Chinese law firm specializing in data compliance
- Monitor regulations: CAC regularly issues implementing rules and guidelines; stay current
- Train employees: Conduct regular data security and privacy training for all staff
## Conclusion
China's data regulatory framework is comprehensive and strictly enforced. Foreign companies must take proactive steps to comply with the CSL, DSL, and PIPL — from data classification and privacy policies to cross-border transfer procedures and security assessments. While compliance requires significant effort and investment, the penalties for non-compliance are severe. The 2025 Action Plan's FTZ simplification measures offer a pathway to easier compliance for companies registered in Free Trade Zones.