user data Archives - Focus - China Britain Business Council
https://focus.cbbc.org/tag/user-data/
FOCUS is the content arm of The China-Britain Business Council
Feed updated: Thu, 08 May 2025 09:44:35 +0000

How to navigate China’s cybersecurity and data privacy laws
https://focus.cbbc.org/how-to-navigate-chinas-cybersecurity-and-data-privacy-laws/
Fri, 18 Apr 2025 06:30:00 +0000

As China continues to grow as a significant global economic force, the country’s cybersecurity and data privacy laws mean that UK businesses exploring opportunities in this expansive market face an increasingly complex regulatory environment surrounding cybersecurity and data protection. Recent legislative developments have introduced stringent requirements, making it crucial for businesses to understand and proactively comply with these evolving regulations.

For tech companies, especially, where a strong digital foundation is required, there are not only complex rules and regulations to get to grips with, but also risks around control of sensitive data and commercial information.

Moreover, companies aiming to establish an IT presence in the region could find themselves behind China’s Great Firewall (GFW). The GFW heavily regulates and censors the internet, blocks access to many ubiquitous Western websites like Google and Facebook and slows down cross-border internet traffic. Foreign companies are required to adapt to these regulations if they want to do business in China.

China’s cybersecurity environment

China’s regulatory framework now includes several key pieces of legislation. The Cybersecurity Law (CSL), which took effect in June 2017, provides foundational rules focusing on protecting critical information infrastructure and enforcing data localisation requirements. Building on this foundation, the Data Security Law (DSL), implemented in September 2021, introduces a structured approach to data classification, requiring businesses to adopt varying protection measures depending on the data’s sensitivity and its importance to national security. Additionally, the Personal Information Protection Law (PIPL), effective from November 2021, aligns closely with principles seen in the EU’s General Data Protection Regulation (GDPR), emphasising user consent, data minimisation, and granting individuals specific rights, including data access and deletion.

Cross-border data transfers are subject to stringent controls under these laws. Companies wishing to transfer data out of China must now utilise specific mechanisms authorised by the Cyberspace Administration of China (CAC). These include undergoing security assessments administered by CAC, obtaining certifications from accredited institutions, or entering into standardised contractual agreements with international data recipients. Non-compliance can lead to severe repercussions, including fines, operational suspensions, or business disruptions.

On 9 April 2025, the CAC released the “Q&A on Data Cross-Border Security Management Policies”, giving some more practical insights into how companies can comply with this complex framework.

For example, the Q&A states that “general data that does not involve personal information or important data can flow freely across borders”. This is an important development, considering that the handling of general data has not been explicitly stipulated in the CSL, the DSL or the PIPL. Dezan Shira & Associates’ China Briefing has produced a detailed guide to the Q&A.

Considerations for UK businesses

For UK businesses, particularly those in the technology sector, this regulatory environment necessitates a comprehensive reassessment of data management strategies. Companies may need to implement local data storage solutions to meet localisation requirements fully. Establishing dedicated compliance programs and appointing responsible personnel to manage data protection matters is now essential. Additionally, engaging legal advisors with expertise in Chinese data regulations can significantly mitigate risks associated with non-compliance.

Moreover, increased regulatory enforcement activity by the CAC highlights the necessity for businesses to adopt proactive compliance measures. Regular compliance audits, training programs, and maintaining clear communication channels with regulatory authorities are critical practices for companies operating in China.

Operating digitally within China brings additional challenges, notably the Great Firewall, which restricts access to numerous Western online services. Businesses must plan for alternative digital infrastructure solutions and adapt to mandatory real-name user registrations required for online services. Furthermore, stringent content monitoring rules mean that companies must rigorously review and tailor their digital content to comply with local regulations to avoid censorship or penalties.

To navigate these complexities effectively, UK businesses are advised to conduct thorough compliance audits regularly, establish strong local partnerships for better market integration, invest in staff training on local data protection obligations, closely monitor regulatory changes, and actively engage with local regulatory bodies.

By proactively addressing cybersecurity and data protection risks and adapting swiftly to China’s evolving legal landscape, UK companies can enhance their prospects for successful and sustainable business operations in this critical global market.

How to comply with China’s new rules for cross-border transfer of personal information
https://focus.cbbc.org/how-to-comply-with-chinas-new-rules-for-cross-border-transfer-of-personal-information/
Thu, 07 Sep 2023 06:30:40 +0000

Multinational corporations operating in China often share information with their subsidiaries or headquarters outside the country. However, since new regulations came into effect in June 2022, certain personal data processors, including companies that only handle data on fewer than 1 million people, are required to sign contracts with overseas recipients before sending data abroad, writes Kristina Koehler-Coluccia, Head of Business Advisory at Woodburn Global.

The legislative framework in China for governing data security consists of three laws: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. The Measures on the Standard Contract for Cross-border Transfers of Personal Information, which came into effect last June, have the biggest impact on companies in China.

Though the measures have been in effect for some time, their implementation has been slow in practice as there are too many such companies in China and not enough manpower to handle their assessment reports. High compliance costs, difficulties in communicating with overseas data recipients and regulatory uncertainty are some key factors affecting companies’ willingness to declare cross-border data transfers.

The new rules, aimed at protecting national security, directly impact the cross-border transfer of personal information by businesses operating in China, Chinese companies listed overseas and those in data-rich industries such as retail, internet, health care, automotive, civil aviation and finance.

Corporations that regularly share employee or customer data with their headquarters, share IT infrastructure with their Chinese subsidiaries or have remote access to data stored in China may be subject to China’s cross-border data transfer requirements.

The first of the three mechanisms for transferring personal information out of China is the signing of a standard contract with an overseas recipient. The other two are a mandatory security assessment by the Cyberspace Administration of China (CAC), which applies to critical information infrastructure operators and to transfers of important or sensitive personal data, and certification by an accredited institution (applicable to intra-group transfers and to data processors abroad that are subject to the extra-territorial application of China’s Personal Information Protection Law).

The latter certification is only available if the transfer does not fall within the mandatory assessment requirements, and not all entities can adopt this option. For example, representative offices set up by foreign entities are not eligible.

Businesses that transfer personal data out of Mainland China on a smaller scale, such as small and medium-sized enterprises, may opt for the standard contract. This option can only be used under certain circumstances:

  • The data processor is not a critical information infrastructure operator
  • It processes the personal data of fewer than 1 million individuals
  • Since 1 January of the previous year, the personal data of fewer than 100,000 individuals (in aggregate) has been transferred
  • Since 1 January of the previous year, sensitive personal data of not more than 10,000 individuals (in aggregate) has been transferred

A personal information protection impact assessment (PIA) must be executed before entering into the standard contract. This step evaluates important matters such as the legality and necessity of the data transfer, the scale, scope, and sensitivity of the outbound personal data, the risks to the rights and interests of individuals concerned, and other security issues. Data systems must be compatible with Chinese law in order to pass the PIA, and it is prohibited to divide data into smaller quantities to meet the standard contract criteria in an attempt to circumvent the mandatory security assessment regime.

The standard contract, impact assessment report and other supporting documents must be presented to the local cyberspace administration authority within 10 working days of the effective date of the contract.

While the Chinese government hopes to develop the digital economy to uplift the country’s gross domestic product, the rules could slow down progress for the industry. Regulators are struggling to strike a balance between enhancing data security and promoting data-driven economic growth. Moreover, industry experts argue that many aspects of the rules remain vague, such as in security assessments, thus slowing down the approval process and causing confusion for some companies.

A lack of clarity on the review criteria is slowing down the approval process, with regulators and companies not seeing eye-to-eye on why the requested data transfers are necessary. The measures for security assessment require applicants to explain why it is justified, legal and necessary for their data to flow overseas and for overseas recipients to process it, but not much more is specified.

Regulators are trying to shift more of their efforts to helping contracts complete the filing process, which in turn will speed up their approval of security assessments, according to experts.

Companies that need to rectify any non-compliant arrangements occurring before 1 June 2023 have until 30 November to do so.

What does China’s new data privacy law mean in practice?
https://focus.cbbc.org/what-does-chinas-new-data-privacy-law-mean-for-uk-companies/
Tue, 07 Dec 2021 07:30:24 +0000

China’s new Personal Information Protection Law (PIPL) came into effect on November 1 and is now one of the strictest in the world governing what businesses can do with Chinese people’s personal information. So what do China’s new data privacy laws mean for your company in practice? And how can you make sure you’re compliant with the new regulations?

In this article, first published in China Briefing, Thomas Zhang, Dezan Shira & Associates’ Group IT Director, introduces the PIPL and explains several key considerations for companies to build a roadmap for compliance.

PIPL states that a company should appoint “a person in charge of personal information protection” when processing personal information on a large scale based on the criteria specified by the CAC. Is the appointment of a Data Protection Officer (DPO) mandatory under the PIPL?

No, it is not mandatory; however, for companies that don’t have an office in China and still want to provide services in China, a DPO or representative is necessary. In general, in cases where the company has an office in China and they can find a local person to play the role of representative, there is no need to have a DPO. Nevertheless, many companies don’t have enough internal resources to support this, so an external DPO can be very helpful.

Can a company send aggregated information derived from personal information across borders, especially if it doesn’t contain any specific personal information on Chinese citizens?

Yes, because we are talking about aggregated data – which doesn’t have any specific personal information of individuals. This means that it will be “abstract” data that cannot be tracked to one single individual. In this case, the data will not be treated as personal information or as sensitive personal information, and you are allowed to transfer it outside of China.

A company is exchanging data with its headquarters via SAP. Will this be deemed a cross-border transfer and require a Data Protection Impact Assessment (DPIA)?

If your IT system is located in the UK, but your business operations in China are processing personal information, you will need a DPIA. Whether you are allowed to transfer personal information out of the country or not is based on the scale of the personal information. The Cyberspace Administration of China (CAC) will specify the criteria about which kind of personal information will not be allowed to be transferred out, but for now, we will need to wait for more details from the government.

Many international schools store student data. What about the protection of data for children under 14 years old? Are there special protections under the PIPL?

Yes. Information from people under 14 years of age will also be regarded as sensitive information. If you are going to process sensitive personal information, you must collect separate consent and conduct a DPIA.

Are employee names and mobile phone numbers in an active directory considered personal information?

Yes. The definition of personal information is very wide under the PIPL. Any information that can be tied to one single individual is considered personal information. For example, mobile phone numbers in China are tied to real names and can be connected to an individual. Names are also a kind of personal information. Although a name can be common and used for multiple people, under the PIPL it is still considered personal information.

Are security logs (e.g., firewalls and active directories) considered personal information (as they are usually linked to an IP address or account name and not directly linkable to the user)?

Yes. Under the GDPR, IP addresses are defined as personal information, and this is the same for the PIPL. We know that IP addresses are dynamic, but from an IT perspective, we can still trace an individual to their IP address most of the time with certain efforts, making IP addresses one kind of personal information under the PIPL.

If processed personal information is stored by a third-party vendor such as Google Drive, does it fall to the vendor to formulate proper information protection that complies with the PIPL?

Similar to GDPR, under PIPL, it is the information controller – the one who makes decisions on how to collect and store the data – that assumes the responsibility for personal information protection. Therefore, if you are the information controller, and you make the decision to collect personal information and make the decision to transfer it out to save in Google Drive, you are responsible for everything. Of course, you can make a service agreement with your vendor to specify what kind of measures should be taken to protect the personal information.

If an IP address is a company private IP address, for example, 10.0.0.1, is it considered personal information?

From a technical perspective, yes. For example, in China, the cyber police require companies to set up a firewall or security device, which can allow the company to track the website access logs for users. This means that even if you are using a private IP of your company, your firewall or security can still track these records, and IT can use these records to trace back to the individual using this IP address. In practice, however, at the current stage, IP address information is really a minor consideration for the authorities. There are other more significant issues for the authorities to pay attention to.

This article was first published by China Briefing, which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in China, Hong Kong, Vietnam, Singapore, India, and Russia. Readers may write to info@dezshira.com for more support.

How will China’s new data protection laws affect your business?
https://focus.cbbc.org/what-are-chinas-new-data-protection-and-user-data-laws/
Mon, 30 Aug 2021 07:41:26 +0000

UK companies operating in China are beholden to an increasing number of cybersecurity regulations influencing a raft of business activities, including the ease with which a Chinese subsidiary of a multinational company can share customer or R&D data with other parts of the business, and how businesses store data.

Two new regulations making their way into law, the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), are predicted to add to the compliance burden of companies needing to move data to and from China. Together with the 2017 Cyber Security Law, these laws form the backbone of China’s cybersecurity regulation.

Data Security Law

Passed on 10 June and coming into effect on 1 September 2021, the DSL governs how data is collected, used, stored, and protected in China, including tightened restrictions on the transfer of data outside of China.

One important element of the law is a grading system that defines a hierarchy of what the authorities consider important data; companies will have to classify the data they handle accordingly. There will also be different levels of fines and penalties for data protection violations depending on the importance of the data involved. For example, special permission may be required to collect data related to critical information infrastructure (including, but not limited to, sectors such as public communications, energy, finance, and e-government) or any data which, if disclosed, might threaten national security, the national economy, or public interests. Beyond these, however, the classifications of important data have not yet been set.

Personal Information Protection Law

Sometimes referred to as China’s answer to the EU’s General Data Protection Regulation (GDPR), the PIPL was passed on 20 August and will be implemented from 1 November.

As Torsten Weller observed in a recent episode of China Business Brief, PIPL does share similarities with GDPR. For example, PIPL has strong consent and personalisation clauses, requiring user consent for the use and sharing of data, as well as an option to opt-out of automated data collection. However, there are some significant differences. For example, PIPL includes a separate clause on what happens to a user’s data after they die, i.e., their close relatives automatically gain the right to manage their data.

For businesses, there are two crucial parts of the law. The first is how data can be transferred outside of China. Companies will have to accept an audit and receive a license — likely from the Ministry of Industry and Information Technology (MIIT) —  in order to transfer data out of China. The other crucial element is the liability clause, which demands that companies have a specific person that supervises data protection policy (can also be external) and who is personally liable for any data violations.

Why have these laws been introduced?

There are two main drivers behind these new laws. The first is growing awareness of consumer data protection. As China’s tech giants like Tencent and Alibaba have grown, there have been increasing numbers of public complaints about misuse of data and user privacy violations. For example, during this year’s 618 shopping festival, several e-commerce companies and telecoms operators were called to a meeting with MIIT over invasive spam marketing text messages. Furthermore, on 18 August, 43 apps, including WeChat, were criticised by MIIT for illegally transferring user data such as contact information and location, and also spamming users with pop-up ads.

The second is national security, as evidenced by the emphasis on “critical information infrastructure” and “core data” in the text of the DSL. This was also made clear when the Cyberspace Administration of China opened an investigation into Didi just days after its New York IPO, citing the need to “guard against risks to national data security.”

The impact on businesses

Many are wondering whether these new laws will become a burden for companies operating in China, especially those that are conducting R&D activities that involve significant amounts of data. Companies will potentially have to invest in data storage facilities in China or in hiring extra personnel to manage data protection, as mentioned above. As Torsten Weller pointed out, it will not really be possible for UK companies to operate in China without storing user data in the country.

Although, to date, no detailed implementation guidelines have been released, companies should start reviewing and assessing their data activities to identify areas that could potentially require compliance with these new laws.
