Chinese Cyber Law

The Cybersecurity Law 2017

The Cybersecurity Law of the People’s Republic of China, adopted by the Standing Committee of the National People’s Congress on 7 November 2016 and effective from 1 June 2017, constitutes the foundational legal instrument governing cybersecurity in China. The Law establishes a comprehensive regulatory framework addressing network security, data protection, and critical information infrastructure. The Cybersecurity Law imposes a multi-level protection scheme (MLPS) requiring network operators to implement security protections commensurate with the classification level of their networks, ranging from Level 1 (lowest) to Level 5 (highest). Operators must fulfil obligations including the adoption of technical measures to prevent network intrusion, data leakage, and system damage; the formulation of incident response plans; the conduct of security assessments; and the reporting of security incidents to competent authorities. The Law imposes heightened obligations on operators of critical information infrastructure — organisations whose failure or destruction would seriously endanger national security, the national economy, people’s livelihoods, or the public interest, as designated by sectoral authorities. CII operators are required to store within China personal information and important data collected or generated during operations in China, to undergo annual security assessments, to conduct security impact assessments prior to procurement of network products and services that may affect national security, and to obtain government security reviews of such procurements.

The Data Security Law 2021

The Data Security Law, adopted on 10 June 2021 and effective from 1 September 2021, establishes a comprehensive legal framework for data security governance in China. The Law adopts a category-based regulatory approach, classifying data based on its importance to national security, public interests, and the legitimate rights and interests of individuals and organisations. The Law distinguishes between state secret data (governed by the Secrecy Law), personal information (governed by the Personal Information Protection Law), core data (relating to national security and critical national interests), important data (whose leakage may harm national security, economic competitiveness, or public interest), and general data (not falling within the preceding categories). The Law establishes a data classification and grading system, requiring organisations to implement differentiated security protection measures based on data category and grade. The Law requires the establishment of a data security review system for data processing activities that affect or may affect national security, mirroring the national security review mechanisms applicable to foreign investments and cross-border data transfers. The Law imposes data security protection obligations on data processors, including the designation of data security officers and relevant departments, the implementation of technical measures, the conduct of regular risk assessments, and the reporting of data security incidents. Violations of the Data Security Law carry substantial penalties, including fines of up to 10 million yuan (approximately $1.4 million) for serious violations, suspension of relevant business operations, revocation of business licences, and criminal liability for responsible persons.

The Personal Information Protection Law 2021

The Personal Information Protection Law, adopted on 20 August 2021 and effective from 1 November 2021, is China’s comprehensive data privacy legislation, drawing structural inspiration from the European Union’s General Data Protection Regulation. The PIPL defines personal information as information recorded electronically or by other means relating to an identified or identifiable natural person (Article 4), and establishes sensitive personal information as a special category including biometric data, religious beliefs, financial account information, location data, and the personal information of minors under the age of fourteen (Article 28). The Law establishes legal bases for processing including consent (which must be freely given, specific, informed, and unambiguous — Article 14), contractual necessity, legal obligations, protection of vital interests, public interest in emergencies, and legitimate interests (Article 13). The PIPL grants data subjects extensive rights, including the right to know, the right to decide, the right to restrict or refuse processing, the right to access and copy, the right to portability, the right to correction, the right to deletion, the right to explanation of processing rules, and the right to death-related data disposition (Articles 44–50). The Law imposes obligations on personal information processors, including conducting personal information protection impact assessments for certain processing activities, designating a personal information protection officer, and implementing data breach notification procedures (notification to affected individuals and to the regulatory authority within a reasonable time). The PIPL’s enforcement provisions authorise the Cyberspace Administration of China and other relevant authorities to impose administrative fines of up to 50 million yuan or five per cent of the previous year’s annual turnover for serious violations, together with potential suspension of business activities and revocation of permits.

Critical Information Infrastructure Rules

The Regulations on the Security Protection of Critical Information Infrastructure, effective from 1 September 2021, implement the Cybersecurity Law’s CII framework in detail. The Regulations provide criteria for the identification of CII sectors, which include public communications and information services, energy, transportation, water resources, finance, electronic government services, national defence, science and technology industries, and other sectors designated by the State Council. Sectoral regulators in consultation with the CAC are responsible for identifying specific CII entities within their sectors. The Regulations impose annual security risk assessments, mandatory security testing, and incident response planning obligations. CII operators are required to establish dedicated network security departments, conduct background checks on personnel in critical positions, and implement a security product and service procurement review process for products and services that may affect national security. The Regulations also require CII operators to undergo periodic penetration testing and vulnerability scanning conducted by the CAC or designated third-party organisations.

The Role of the Cyberspace Administration of China

The Cyberspace Administration of China, established in 2014 as a central-level agency directly under the State Council, serves as the principal regulator and policymaker for internet and cybersecurity matters in China. The CAC is responsible for the formulation and enforcement of regulations implementing the Cybersecurity Law, the Data Security Law, and the PIPL. The CAC operates a framework of administrative approval, inspection, and enforcement powers, including the authority to conduct security assessments of cross-border data transfers, to review network products and services for national security implications, to order the blocking or removal of content that violates Chinese law, and to issue administrative penalties for non-compliance with cybersecurity and data protection obligations. The CAC’s enforcement activity has included the imposition of significant penalties against technology companies, including a record fine of 8.026 billion yuan (approximately $1.1 billion) imposed on Didi Global Inc. in 2022 for violations of the Cybersecurity Law, the Data Security Law, and the PIPL, following the company’s data security investigation under Article 37 of the Cybersecurity Law (cross-border data transfer restrictions). The CAC also conducts the Security Assessment for Cross-Border Data Transfers, which requires CII operators and data processors processing personal information of more than one million individuals to undergo government assessment before transferring data abroad.

Cross-Border Data Transfer Rules

China has established a multi-layered regulatory regime for cross-border data transfers, implemented through the PIPL, the Data Security Law, and implementing regulations including the Measures for the Security Assessment of Cross-Border Data Transfers (effective 1 September 2022) and the Standard Contract for Cross-Border Transfers of Personal Information (effective 1 June 2023). The regime distinguishes between three mechanisms for lawful cross-border data transfer: the security assessment conducted by the CAC (required where data processors transfer important data or personal information of more than one million individuals, or where they have transferred personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals in the preceding year); the conclusion of standard contracts in the form prescribed by the CAC (available where the volume thresholds for security assessment are not met); and certification by accredited professional bodies. In April 2024, the CAC issued the Provisions on Facilitating and Regulating Cross-Border Data Flow, which introduced streamlined procedures for certain categories of data transfer, including exemptions for the transfer of personal information necessary for international trade, cross-border transportation, academic cooperation, and cross-border manufacturing, effective as of March 2024.

The Draft Artificial Intelligence Law

China has been at the forefront of AI governance, enacting the Interim Measures for the Management of Generative AI Services in 2023 and publishing a draft Artificial Intelligence Law for public comment in 2024. The draft AI Law proposes a comprehensive regulatory framework addressing AI safety, ethics, intellectual property, and international cooperation. The Law would establish a classification system for AI systems based on risk levels, with high-risk systems subject to prior authorisation, mandatory testing, and ongoing monitoring obligations. The draft Law addresses the intersection of AI and cybersecurity, requiring AI developers and deployers to implement security measures to prevent the use of AI systems for cyber attacks, the generation of malicious code, or the automated exploitation of vulnerabilities. The legislation would also impose obligations on AI providers regarding transparency, explainability, and human oversight of AI decision-making. The CAC, the Ministry of Science and Technology, and the Ministry of Industry and Information Technology share regulatory authority over different aspects of AI governance, with the draft Law contemplating a unified AI regulatory agency. The law-making process remains ongoing as of 2026, with significant unresolved issues including the scope of extraterritorial application, the allocation of liability for AI-caused harm, and the relationship between the AI Law and existing cybersecurity and data protection legislation.