China

Subscribe to China via RSS

The Measures outline requirements and procedures for self-initiated and regulator-mandated compliance audits from May 1, 2025.

By Hui Xu and Bianca H. Lee

The Cyberspace Administration of China’s (CAC’s) official release of the Measures for Personal Information Protection Compliance Audits (the Measures) marks the CAC’s commitment to implementing the compliance audit system under the PIPL, which has been in effect since November 1, 2021. There was no formal guidance on or implementation of this requirement prior to the publication of the Measures, aside from a draft version of the Measures. The Measures took effect on May 1, 2025 (an unofficial English translation can be found here). 

Compliance audits are mandatory for personal information processors (PI Processors) subject to PIPL, as stipulated in Articles 54 and 64 of the PIPL and Article 27 of the Regulations on Network Data Security Management (Network Data Regulations).

The Personal Information Protection Law, or PIPL, imposes stringent obligations of a similar standard to the GDPR and will take effect on November 1, 2021.

By Hui Xu, Kieran Donovan, and Bianca Lee

On August 20, 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law of the People’s Republic of China (PIPL), the first legislation dedicated to protecting personal information in China. PIPL will take effect on November 1, 2021. PIPL previously

The regulations aim to protect the security of the CII and impose more compliance obligations in support of the Network Security Law.

By Hui Xu and Kieran Donovan

On July 30, 2021, the State Council of the People’s Republic of China (PRC) published the Security Protection Regulations on the Critical Information Infrastructure (the Regulations), which was adopted by the State Council on April 27, 2021. The Regulations took effect on September 1, 2021, along with the recently passed Data Security

The proposed Data Security Law has a broad jurisdictional scope and will expand the PRC’s regulatory framework for information and data.

By Hui Xu, Gail E. Crawford, Jennifer C. Archie, Kieran Donovan, and Aster Y. Lin

On July 3, 2020, the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) issued the draft Data Security Law (DSL) for public comment. Once finalized, the DSL, together with the PRC Network Security Law and the proposed PRC Personal Information Protection Law, will form an increasingly comprehensive legal framework for information and data security.

By Jennifer Archie, Gail Crawford, Serrin Turner, Hui Xu & Lex Kuo

The Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) has introduced China’s first and comprehensive Network Security Law (also referred to as Cybersecurity Law). The law will have far-reaching implications for parties that utilize the internet and handle network data and personal information in the PRC.

What this means for China’s internet users

Both individuals and entities which access internet in the PRC will be subject to enhanced security requirements and new regulation relating to the use and transfer of personal data. Network operators, equipment suppliers, security solution providers and other market participants will need to comply with the sweeping new security requirements and national standards, which will come into effect on June 1, 2017.