Data protection & privacy laws in China (2026)
China operates a comprehensive, GDPR-influenced personal-data regime anchored by the PIPL, which sets out legal bases for processing, individual rights, consent rules, and cross-border transfer mechanisms. It sits alongside two other 'pillar' laws — the Data Security Law (governing data classification and 'important data') and the Cybersecurity Law (governing network security and critical information infrastructure). The CAC is the lead regulator, with enforcement intensifying in 2025-2026 through amended CSL penalties and new cross-border certification measures.
Key points
The PIPL, effective 1 November 2021, is China's dedicated, omnibus personal-data law establishing legal bases for processing, consent (including 'separate consent' for sensitive data and transfers), and individual rights such as access, correction, deletion, and portability.
The Cyberspace Administration of China (CAC) leads overall planning, coordination, and enforcement of personal-information protection, issuing implementing rules, conducting investigations, levying fines, and ordering suspension of non-compliant services; relevant ministries and county-level-and-above departments share sectoral supervision.
The PIPL (personal data) operates alongside the Data Security Law (data classification and 'important data' protection) and the Cybersecurity Law (network security and critical information infrastructure operators), forming China's integrated data-governance architecture.
Transfers of personal data abroad require one of three routes — a CAC security assessment, certification by an accredited body, or CAC standard contractual clauses — plus separate notice and consent; new Measures on Certification for Cross-Border Transfer of Personal Information took effect 1 January 2026.
Handlers must adopt internal management systems and technical security measures, conduct personal-information protection impact assessments for high-risk processing, and notify the supervisory authority and affected individuals of data breaches with remedial action.
Amendments to the Cybersecurity Law, effective 1 January 2026, raise the general administrative fine cap from RMB 1 million to RMB 10 million, broaden extraterritorial reach, and remove the prior-warning requirement, allowing immediate fines; the CAC's January 2026 PIPL Q&A signals a shift toward documentation and accountability enforcement.
Timeline - major decisions & events
The first major overhaul of the 2017 CSL raises maximum fines to RMB 10 million, aligns penalties with the PIPL, broadens extraterritorial enforcement, and adds AI governance provisions. It marks a tightening and consolidation of China's data/cyber enforcement regime.
Source: U.S. Library of Congress (Global Legal Monitor)
Issued by the State Council on Sept 30, 2024, these administrative regulations operationalize the CSL, DSL and PIPL together, clarifying personal-information rules, important-data management and cross-border obligations for domestic and foreign processors.
Source: State Council (gov.cn)
The Provisions on Promoting and Regulating Cross-Border Data Flows introduced volume thresholds and broad exemptions (e.g. employee data, contract-necessary transfers, <100,000 individuals), substantially relaxing the export-compliance burden to attract investment.
Source: U.S. Library of Congress (Global Legal Monitor)
The CAC's Standard Contractual Clauses Measures created a China-specific SCC mechanism (alongside security assessment and certification) as a lawful route for exporting personal information overseas under the PIPL.
Source: China Briefing
The CAC's Measures required mandatory government security review for large-scale or sensitive cross-border data exports and for exports by critical information infrastructure operators, the first hard implementation of the PIPL/DSL export regime.
Source: China Briefing
The CAC concluded a year-long probe finding 16 violations of the CSL, DSL and PIPL, including illegal collection of 64.7 billion records and sensitive data. It remains China's largest data-protection penalty and signaled aggressive enforcement.
Source: DigiChina (Stanford), translating CAC
Adopted Aug 20, 2021, the PIPL is China's first comprehensive national personal-data law—a GDPR-style regime establishing consent rules, individual rights, processing principles and cross-border transfer requirements. It is the cornerstone of the current framework.
Source: DigiChina (Stanford), translating NPC
Adopted May 28, 2020, China's first Civil Code dedicated a chapter (Book IV) to privacy and personal information, defining the right to privacy and consent-based processing as civil rights and laying groundwork for the PIPL.
Source: China.org.cn
China's first overarching cyber law introduced data-localization for critical information infrastructure, network-operator security duties and early personal-information protection rules—the foundation of the data-governance architecture.
Source: Wikipedia (CSL overview)
This 12-clause NPC Standing Committee decision was China's first national instrument with the force of law to protect citizens' electronic personal data, requiring consent, real-name registration and limits on disclosure—an early privacy milestone.
Source: U.S. Library of Congress (Global Legal Monitor)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.