
China Data Security Law for Foreign Companies: Compliance Guide (2026)

February 9, 2026

China's data regulatory framework — comprising the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL) — represents one of the world's most comprehensive data governance systems. For foreign companies operating in China, compliance with these three laws is mandatory and non-compliance can result in severe penalties. This guide explains the key requirements and provides a compliance roadmap.

The Three Pillars of China's Data Law Framework

Law                                        | Effective Date | Focus                                    | Key Regulator
Cybersecurity Law (CSL)                    | June 2017      | Network security, CIIO obligations       | CAC (Cyberspace Administration of China)
Data Security Law (DSL)                    | September 2021 | Data classification, security protection | CAC + industry regulators
Personal Information Protection Law (PIPL) | November 2021  | Personal data protection (GDPR-like)     | CAC

Cybersecurity Law (CSL) — Key Requirements

Critical Information Infrastructure Operator (CIIO) Obligations

If your company is designated as a CIIO (common in finance, energy, transportation, healthcare, telecom, and government sectors), you must:

  • Store personal information and important data collected in China within China
  • Conduct security assessments before cross-border data transfers
  • Implement the Multi-Level Protection Scheme (MLPS) at Level 3 or above
  • Conduct annual cybersecurity education and training
  • Report cybersecurity incidents to authorities
  • Use certified network products and services (domestic where required)

Multi-Level Protection Scheme (MLPS 2.0)

All network operators must classify their systems under MLPS:

Level   | Applicable To                    | Requirements
Level 1 | Minor impact systems             | Basic security measures
Level 2 | Moderate impact (most companies) | Standard security, periodic assessment
Level 3 | CIIOs, significant systems       | Enhanced security, annual assessment
Level 4 | National security-related        | Strict security, semi-annual assessment
Level 5 | Critical national security       | Highest security, special assessment

Data Security Law (DSL) — Key Requirements

Data Classification

The DSL requires companies to classify data into three categories:

Category       | Description                                                                                  | Protection Level
Core data      | Data affecting national security, economic order, or vital public interests                  | Highest — strict access controls, enhanced security
Important data | Data that, if tampered with or leaked, could affect national security or public interests    | High — security assessments, impact analysis
General data   | All other data                                                                               | Standard — reasonable security measures

Important: The classification of "important data" and "core data" is determined by industry-specific catalogs issued by sectoral regulators. Companies should monitor industry-specific guidelines to determine whether their data qualifies.

DSL Obligations

  • Establish a data security management system
  • Conduct data security risk assessments (annually for important data)
  • Implement data security education and training
  • Report data security incidents to authorities
  • Cooperate with regulatory investigations
  • Maintain data security records and logs
  • Conduct security assessments before exporting important data

Personal Information Protection Law (PIPL) — Key Requirements

Consent and Legal Basis

Processing personal information requires a legal basis, primarily informed consent. Other legal bases include:

  • Necessary for performing a contract
  • Necessary for statutory duties
  • Necessary for public health or safety
  • News reporting for public interest
  • Information disclosed by the individual
  • Other circumstances specified by law

Data Subject Rights

Under PIPL, individuals have the following rights:

Right                              | Description
Right to know and decide           | Know what data is collected and decide on processing
Right to access and copy           | Request access to and copies of their data
Right to correct/complete          | Request correction of inaccurate data
Right to deletion                  | Request deletion when the processing purpose is achieved or consent is withdrawn
Right to restrict processing       | Request restriction of processing
Right to portability               | Request transfer of data to another processor
Right to withdraw consent          | Withdraw consent at any time
Right to explanation               | Request an explanation of automated decision-making
Right to reject automated decisions | Opt out of profiling or automated decision-making

Privacy Policy Requirements

Your privacy policy must be:

  • Clear, conspicuous, and easily accessible (in Chinese)
  • Specific about what data is collected, how it's used, and who it's shared with
  • Detailed about retention periods
  • Transparent about data subject rights and how to exercise them
  • Updated when processing activities change

Data Protection Officer (DPO)

Appointing a DPO is required if your company:

  • Processes large volumes of personal information
  • Processes sensitive personal information
  • Provides important internet platform services

The DPO must be disclosed publicly and be responsible for overseeing PIPL compliance.

Cross-Border Data Transfer Rules

Cross-border data transfer is one of the most critical compliance areas for foreign companies. There are three pathways:

Pathway 1: CAC Security Assessment

Required for:

  • Transfer of "important data"
  • CIIOs transferring personal information
  • Processing personal information of > 1 million individuals
  • Cumulative transfer of personal information of > 100,000 individuals since the previous year
  • Cumulative transfer of sensitive personal information of > 10,000 individuals

Pathway 2: Certification

Intended for multinational companies with internal cross-border data flows: certification by an accredited body (e.g., a CAC-accredited certifier) demonstrates compliance. This pathway is best suited to intra-group data transfers.

Pathway 3: Standard Contract (SCC)

For transfers not meeting the thresholds for CAC assessment:

  • Sign the CAC standard contract with the overseas recipient
  • File the contract with the provincial CAC
  • Conduct a personal information protection impact assessment (PIPIA)
  • No CAC approval is required, but filing is mandatory

2025 FTZ Simplification: The 2025 Action Plan introduced a "negative list" approach for Free Trade Zones (FTZs). Data not on the FTZ negative list can be transferred without a security assessment, significantly simplifying compliance for FTZ-registered companies.

Compliance Checklist for Foreign Companies

1. Data Mapping and Classification

  • Inventory all data collected, stored, and processed
  • Classify data into core, important, and general categories
  • Identify personal information vs. sensitive personal information
  • Map data flows (internal, cross-border, to third parties)

2. Governance Structure

  • Appoint a Data Protection Officer (if required)
  • Establish a data security management team
  • Develop data security policies and procedures
  • Implement data access controls and authorization systems

3. Technical Safeguards

  • Encrypt sensitive personal information
  • Implement access logging and monitoring
  • Deploy data loss prevention (DLP) systems
  • Conduct MLPS assessment and certification
  • Perform regular vulnerability scanning and penetration testing

4. Privacy Compliance

  • Draft and publish compliant privacy policy (in Chinese)
  • Implement consent management mechanisms
  • Establish data subject rights request process
  • Conduct PIPIA for high-risk processing activities
  • Maintain records of processing activities

5. Cross-Border Transfer Compliance

  • Determine which transfer pathway applies
  • Complete CAC security assessment (if required)
  • File standard contracts (if using SCC pathway)
  • Maintain documentation of transfer compliance
  • Monitor for regulatory changes

6. Incident Response

  • Develop data breach incident response plan
  • Report breaches to CAC within 8 hours of discovery (for serious incidents)
  • Notify affected individuals of breaches
  • Conduct post-incident reviews and improvements

Penalties for Non-Compliance

Violation                       | Maximum Penalty
PIPL violation (serious)        | Fine up to RMB 50 million or 5% of annual revenue; business suspension; personal fines (RMB 100K-1M)
DSL violation (serious)         | Fine up to RMB 10 million; business suspension; criminal prosecution
CSL violation (CIIO)            | Fine up to RMB 1 million; personal fines; criminal prosecution
Illegal cross-border transfer   | Fine up to RMB 10 million; correction order; business suspension
Data breach (failure to report) | Fine up to RMB 1 million; personal fines

Practical Tips for Foreign Companies

  • Data localization: Consider storing Chinese user data on servers located in China to simplify compliance
  • Minimize data collection: Collect only what is strictly necessary for your business purpose
  • Separate systems: Maintain separate databases for Chinese operations vs. global systems
  • Use FTZ benefits: Register in an FTZ to benefit from simplified cross-border data transfer rules
  • Engage local counsel: Work with a Chinese law firm specializing in data compliance
  • Monitor regulations: CAC regularly issues implementing rules and guidelines; stay current
  • Train employees: Conduct regular data security and privacy training for all staff

Conclusion

China's data regulatory framework is comprehensive and strictly enforced. Foreign companies must take proactive steps to comply with the CSL, DSL, and PIPL — from data classification and privacy policies to cross-border transfer procedures and security assessments. While compliance requires significant effort and investment, the penalties for non-compliance are severe. The 2025 Action Plan's FTZ simplification measures offer a pathway to easier compliance for companies registered in Free Trade Zones.


Frequently Asked Questions

What is China's Data Security Law?

The Data Security Law (DSL), effective September 2021, establishes a framework for data classification, protection, and cross-border transfer in China. It categorizes data into "important data" and "core data" with varying protection requirements, and mandates security assessments for certain data processing activities.

Do foreign companies in China need to comply with the Data Security Law?

Yes. All entities operating in China — including foreign-invested enterprises — must comply with the DSL, the Personal Information Protection Law (PIPL), and the Cybersecurity Law (CSL). Non-compliance can result in fines up to RMB 10 million, business suspension, and personal liability for responsible individuals.

Can foreign companies transfer data out of China?

Yes, but cross-border data transfers require compliance via one of three pathways: (1) a security assessment by the CAC for important data and large-volume personal data, (2) certification by an accredited body, or (3) standard contract filing with the CAC. The 2025 Action Plan introduced simplified procedures for FTZ companies.

What is the Personal Information Protection Law (PIPL)?

The PIPL, effective November 2021, is China's comprehensive personal data protection law (similar to the GDPR). It requires consent for data collection, specifies data subject rights, mandates data protection impact assessments, and regulates cross-border transfers of personal information.
