Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · PIPL

Personal Information Protection Law of the People's Republic of China.

中华人民共和国个人信息保护法

Promulgated by: Standing Committee of the National People’s Congress.
Document No.: Presidential Decree No. 91.
Adopted at the 30th Session of the Standing Committee of the 13th National People’s Congress on August 20, 2021.
Effective November 1, 2021.


Chapter 1 General Provisions

Article 1. This Law is enacted in accordance with the Constitution to protect the rights and interests of personal information, regulate the handling of personal information and promote the reasonable use of personal information.

Article 2. The personal information of a natural person shall be protected by law, and no organization or individual may infringe upon the personal information rights and interests of natural persons.

Article 3. This Law shall apply to the handling of the personal information of natural persons within the territory of the People’s Republic of China. This Law shall also apply to the handling of the personal information of natural persons within the territory of the People’s Republic of China outside the territory of the People’s Republic of China under any of the following circumstances:

(I) where the purpose is to provide domestic natural persons with products or services;

(II) where the activities of domestic natural persons are analyzed and evaluated; and

(III) other circumstances as prescribed by laws and administrative regulations.

Article 4. Personal information refers to all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information handled anonymously. The handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure and deletion, etc. of personal information.

Article 5. The handling of personal information shall follow the principles of lawfulness, legitimacy, necessity and good faith, and it is not allowed to handle personal information by misleading, fraud, coercion or otherwise.

Article 6. The handling of personal information shall be for a definite and reasonable purpose, be directly related to the purpose of handling and shall be conducted in a way that minimizes the impact on personal rights and interests. The collection of personal information shall be limited to the minimum scope for achieving the purpose of handling and it is not allowed to excessively collect personal information.

Article 7. The handling of personal information shall follow the principles of openness and transparency, make public the rules for handling personal information and expressly indicate the purpose, method and scope of such handling.

Article 8. The quality of personal information shall be ensured in the handling of personal information to avoid the adverse impact on personal rights and interests caused by inaccurate or incomplete personal information.

Article 9. A personal information handler shall be responsible for its handling of personal information and take necessary measures to ensure the security of the personal information handled.

Article 10. No organization or individual may illegally collect, use, process or transmit the personal information of others, illegally buy or sell, provide or make public the personal information of others, or engage in the handling of personal information that endangers the national security or public interests.

Article 11. The State establishes a sound personal information protection system, prevents and punishes the infringement upon personal information rights and interests, strengthens the publicity and education on personal information protection, and promotes the formation of a good environment in which the government, enterprises, relevant social organizations and the public jointly participate in personal information protection.

Article 12. The State actively participates in the development of international rules for personal information protection, promotes the international exchange and cooperation in personal information protection, and promotes the mutual recognition of the rules and standards for personal information protection with other countries, regions and international organizations.

Chapter 2 Rules for Handling Personal Information

Section 1 General Provisions

Article 13. Only under any of the following circumstances may a personal information handler handle personal information: (I) where the consent of the individual concerned is obtained;

(II) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract concluded in accordance with the law;

(III) where it is necessary for the performance of statutory duties or statutory obligations;

(IV) where it is necessary for the response to a public health emergency or for the protection of the life, health and property safety of a natural person in an emergency;

(V) where such acts as news reporting and supervision by public opinions are carried out for the public interest, and the handling of personal information is within a reasonable scope;

(VI) where it is necessary to handle the personal information disclosed by the individual concerned or other personal information that has been legally disclosed within a reasonable scope in accordance with the provisions of this Law; and

(VII) other circumstances prescribed by laws and administrative regulations. The handling of personal information shall be subject to the consent of the individual concerned in accordance with other relevant provisions of this Law, however, the consent of the individual concerned is not required under the circumstances set forth in Items (II) to (VII) of the preceding paragraph.

Article 14. Where the handling of personal information is based on the consent of the individual concerned, such consent shall be given by the individual concerned in a voluntary and explicit manner in the condition of full knowledge. Where laws and administrative regulations provide that the handling of personal information shall be subject to the separate consent or written consent of the individual concerned, such provisions shall prevail. Where the purpose or method of handling personal information or the type of personal information to be handled changes, the consent of the individual concerned shall be obtained again.

Article 15. Where the handling of personal information is based on the consent of the individual concerned, the individual is entitled to withdraw his/her consent. The personal information handler shall provide a convenient method for the individual to withdraw his/her consent. Withdrawal of consent by the individual concerned does not affect the validity of any personal information handling activity conducted based on the consent of the individual before such withdrawal.

Article 16. A personal information handler shall not refuse to provide products or services for an individual on the grounds that the individual does not agree to handle his/her personal information or withdraws his/her consent, unless the handling of personal information is necessary for providing products or services.

Article 17. Prior to the handling of an individual’s personal information, the personal information handler shall truthfully, accurately and completely inform the individual of the following matters in a conspicuous manner and in clear and understandable language: (I) the title or name and contact information of the personal information handler;

(II) the purpose and method of handling personal information, and the type and retention period of the handled personal information;

(III) the method and procedure for the individual to exercise the rights provided for in this Law; and

(IV) other matters that shall be informed in accordance with the provisions of laws and administrative regulations. Where any of the matters specified in the preceding paragraph is changed, the individual shall be notified of such change. Where a personal information handler informs individuals of the matters specified in the first Paragraph by formulating rules on handling personal information, such rules shall be open to the public for easy access and storage.

Article 18. A personal information handler is allowed not to inform the individual concerned of the matters prescribed in Paragraph 1 of the preceding article if there are circumstances in which the personal information should be kept confidential as required by laws or administrative regulations or does not need to be informed. Where it is unable to timely inform the individual concerned in an emergency for the purpose of protecting the life, health and property safety of natural persons, the personal information handler shall timely inform the individual after the elimination of the emergency.

Article 19. Unless otherwise stipulated by laws and administrative regulations, the retention period of personal information shall be the minimum period necessary for achieving the purpose of handling.

Article 20. Where two or more personal information handlers jointly determine the purpose and method of handling personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual’s request to any of the personal information handlers to exercise the rights stipulated in this law. Where personal information handlers who jointly handle personal information, thus infringing upon personal information rights and interests and causing damage shall bear joint and several liability in accordance with the law.

Article 21. Where a personal information handler entrusts others with the handling of personal information, it shall agree with the agent on the purpose, time limit and method of entrusted handling, type of personal information and protection measures, as well as the rights and obligations of both parties, and supervise the personal information handling activities of the agent. The agent shall handle personal information as agreed and shall not handle personal information beyond the agreed purpose and method of handling ; where the entrustment contract is not effective, invalid, revoked or terminated, the agent shall return personal information to the personal information handler or delete it, and shall not retain it. Without the consent of the personal information handler, the agent shall not re-entrust others with the handling of personal information.

Article 22. Where a personal information handler needs to transfer personal information due to merger, division, dissolution or declaration of bankruptcy, etc., it shall inform the individual concerned of the name and contact information of the recipient. The recipient shall continue to fulfill its obligations as a personal information handler. Where the recipient changes the original purpose and method of handling, it shall obtain the consent of the individual concerned anew in accordance with this Law.

Article 23. Where a personal information handler provides other personal information handlers with the personal information of an individual it handles, it shall inform the individual of the name and contact information of the recipient, purpose and method of handling and type of personal information, and shall obtain the individual’s separate consent. The recipient shall handle personal information within the scope of the above purpose and method of handling and type of personal information. It shall obtain the consent of the individual anew in accordance with this Law in case of changes in the original purpose and method of handling.

Article 24. Where a personal information handler makes use of personal information to make automatic decision, it shall ensure the transparency of the decision-making and the fairness and impartiality of the results, and shall not impose unreasonable discriminatory treatment on individuals in respect of the transaction price and transaction conditions. Information pushing and commercial marketing to an individual through automated decision- making shall be accompanied by options that do not target the individual’s personal characteristics, or convenient rejection ways shall be provided to the individual. Where a decision is made through automatic decision-making that has a significant impact on an individual’s rights and interests, the individual shall have the right to require the personal information handler to make an explanation and reject the decision made by the personal information handler only through automatic decision- making.

Article 25. A personal information handler shall not make public the personal information of an individual it handles, except with the individual’s separate consent.

Article 26. The image capturing, and personal identification equipment installed in public places shall be necessary for maintaining public security, comply with the relevant provisions of the State, and conspicuous prompting signs shall be set up. An individual’s personal image and personal identification information collected may only be used for the purpose of maintaining public security and shall not be used for any other purpose, except with the individual’s separate consent.

Article 27. A personal information handler may, within a reasonable scope, handle the personal information that is disclosed by the individual concerned himself/herself or other personal information that has been legally publicized, unless the individual expressly refuses such handling. A personal information handler shall obtain the consent of an individual in accordance with the provisions of this Law if the handling of the individual’s disclosed personal information has a major impact on the rights and interests of the individual.

Section 2 Rules for Handling Sensitive Personal Information

Article 28. Sensitive personal information refers to the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14. Only for a specific purpose and sufficient necessity, and strict protection measures have been taken, may a personal information handler handle sensitive personal information.

Article 29. The handling of sensitive personal information of an individual shall be subject to the individual’s separate consent; where laws and administrative regulations provide that the handling of sensitive personal information shall be subject to the written consent, such provisions shall prevail.

Article 30. For the sensitive personal information of an individual, the personal information handler shall, in addition to the matters specified in Paragraph 1 of Article 17 hereof, inform the individual of the necessity of handling his/her sensitive personal information and the impact on his/her personal rights and interests, except for the circumstances that may be exempted from informing the individual of such information in accordance with this Law.

Article 31. To handle the personal information of a minor under the age of 14, a personal information handler shall obtain the consent of the minor’s parents or other guardians. To handle the personal information of minors under the age of 14, a personal information handler shall formulate specialized rules for handling personal information.

Article 32. Where laws and administrative regulations provide that the handling of sensitive personal information shall be subject to the relevant administrative license or other restrictions, such provisions shall prevail.

Section 3 Special Provisions on Handling Personal Information by State Organs

Article 33. This Law shall apply to the activities of a State organ to handle personal information; where there are special provisions in this Section, such provisions shall apply.

Article 34. A State organ shall handle personal information for the purpose of performing its statutory duties in accordance with the authority and procedures prescribed by laws and administrative regulations and shall not exceed the scope and limit necessary for the performance of its statutory duties.

Article 35. A State organ handling personal information for the purpose of performing its statutory duties shall perform its obligation of informing in accordance with this Law, except for the circumstances stipulated in Paragraph 1 of Article 18 hereof, or the informing will hinder the State organ from performing its statutory duties.

Article 36. The personal information handled by a State organ shall be stored within the territory of the People’s Republic of China; where it is necessary to provide such information to an overseas party, a security evaluation shall be conducted. Relevant authorities may be required to provide support and assistance for the security evaluation.

Article 37. Where organizations with functions of administering public affairs as authorized by laws and regulations handle personal information for the purpose of performing their statutory duties, the provisions of this Law on handling personal information by State organs shall apply.

Chapter 3 Rules for Cross-border Provision of Personal Information

Article 38. Where a personal information handler really needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall meet any of the following conditions: (I) it shall pass the security evaluation organized by the Cyberspace Administration of China in accordance with the provisions of Article 40 hereof;

(II) it shall have been certified by a specialized agency for protection of personal information in accordance with the provisions of the Cyberspace Administration of China;

(III) it shall enter into a contract with the overseas recipient under the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties; and

(IV) it shall meet other conditions prescribed by laws, administrative regulations or the Cyberspace Administration of China. Where the international treaties or agreements concluded or acceded to by the People’s Republic of China contain provisions on the conditions for provision of personal information outside the territory of the People’s Republic of China, such provisions may prevail. The personal information handler shall take necessary measures to ensure that the activities of handling personal information by the overseas recipient meet the standards for protection of personal information as prescribed herein.

Article 39. To provide the personal information of an individual to an overseas recipient outside the territory of the People’s Republic of China, the personal information handler shall inform the individual of such matters as the name of the overseas recipient, contact information, purpose and method of handling, type of personal information and the method and procedure for the individual to exercise the rights stipulated herein against the overseas recipient, and shall obtain the individual’s separate consent.

Article 40. Critical information infrastructure operators and personal information handlers whose quantity of handling of personal information reaches that as prescribed by the Cyberspace Administration of China (“CAC”) shall store personal information collected and generated within the territory of the People’s Republic of China within the territory of the People’s Republic of China. Where it is necessary to provide such information and data to an overseas party, such provision shall pass the security evaluation organized by the CAC; where the laws, administrative regulations and the provisions of the CAC stipulate that security evaluation is not required, such stipulation shall prevail.

Article 41. The competent authorities of the People’s Republic of China shall, in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by the People’s Republic of China or under the principles of equality and mutual benefit, handle the requests made by foreign judicial or law enforcement authorities for providing the personal information stored within the territory of China. Without the approval of the competent authorities of the People’s Republic of China, no personal information handler may provide the personal information stored within the territory of the People’s Republic of China to foreign judicial or law enforcement authorities.

Article 42. Where an overseas organization or individual engages in the personal information handling activities infringing upon the personal information rights and interests of citizens of the People’s Republic of China or endangering the national security and public interests of the People’s Republic of China, the CAC may include such organization or individual in the list of subjects to whom provision of personal information is restricted or prohibited, announce the same, and take measures such as restricting or prohibiting provision of personal information to such organization or individual.

Article 43. Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People’s Republic of China in terms of protection of personal information, the People’s Republic of China may take reciprocal measures against such country or region as the case may be.

Chapter 4 Rights of Individuals in Activities of Handling Personal Information

Article 44. An individual has the right to know and make decisions on the handling of his/her personal information, and the right to restrict or refuse others to handle his/her personal information, unless otherwise provided for by laws and administrative regulations.

Article 45. An individual is entitled to consult or copy his/her personal information from a personal information handler, except for the circumstances stipulated in Paragraph 1 of Article 18 and Article 35 hereof. Where an individual requests to consult or copy his/her personal information, the personal information handler shall provide such information in a timely manner. Where an individual requests to transfer his/her personal information to a personal information handler designated by him/her, which meets the conditions stipulated by the CAC, the personal information handler shall provide a way for the transfer.

Article 46. Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information handler to make corrections or supplements. Where an individual requests for corrections or supplements to his/her personal information, the personal information handler shall make verification and make corrections or supplements to such information in a timely manner.

Article 47. Under any of the following circumstances, a personal information handler shall take the initiative to delete personal information; if the personal information handler fails to delete such information, the individual concerned is entitled to request the deletion of such information: (I) where the purpose of handling has been achieved, it is impossible to achieve such purpose, or it is no longer necessary to achieve such purpose;

(II) where the personal information handler ceases to provide products or services, or the storage period has expired;

(III) where the individual withdraws his/her consent;

(IV) where the personal information handler handles personal information in violation of laws, administrative regulations or the agreement; or

(V) other circumstances stipulated by laws and administrative regulations. Where the storage period as stipulated by laws and administrative regulations does not expire, or the deletion of personal information is difficult to be realized technically, the personal information handler shall stop the handling other than storage and necessary security protection measures.

Article 48. Individuals are entitled to request a personal information handler to explain its handling rules for personal information.

Article 49. Where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as consulting, copying, correcting and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless otherwise arranged by the deceased prior to his/her death.

Article 50. A personal information handler shall establish a convenient mechanism for accepting and handling applications from individuals to exercise their rights. If an individual’s request for exercising his/her rights is rejected, the reasons shall be stated. Where the personal information handler refuses an individual’s request for exercising his/her rights, the individual may file a lawsuit with a people’s court in accordance with the law.

Chapter 5 Obligations of Personal Information Handlers

Article 51. A personal information handler shall, according to the purpose and method of handling personal information, types of personal information, impacts on personal rights and interests and possible security risks, take the following measures to ensure the compliance of personal information handling activities with provisions of laws and administrative regulations and prevent unauthorized access and divulgence, falsification and loss of personal information: (I) formulating internal management systems and operating procedures;

(II) implementing category-based management of personal information;

(III) taking corresponding technical security measures such as encryption and de-identification;

(IV) reasonably determining the authority to handle personal information and conducting security education and training for relevant employees on a regular basis;

(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and

(VI) other measures stipulated by laws and administrative regulations.

Article 52. Where the quantity of personal information handled reaches that specified by the CAC, the personal information handler shall designate a person in charge of personal information protection to be responsible for supervising the activities of handling of personal information and the adopted protection measures. The personal information handler shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the authorities performing duties of personal information protection.

Article 53. Any personal information handler outside the territory of the People’s Republic of China as prescribed in Paragraph 2 of Article 3 hereof shall establish a special agency or designate a representative within the territory of the People’s Republic of China to be responsible for handling matters relating to personal information protection, and submit the name and contact information of the relevant agency or the representative to the authorities performing duties of personal information protection.

Article 54. A personal information handler shall regularly conduct compliance audits on its handling of personal information in accordance with laws and administrative regulations.

Article 55. Under any of the following circumstances, a personal information handler shall conduct an impact assessment on personal information protection beforehand and keep a record of the handling: (I) handling sensitive personal information;

(II) making use of personal information to make automatic decision-making;

(III) entrusting others to handle personal information, providing other personal information handlers with personal information and publicizing personal information;

(IV) providing personal information to overseas parties; or

(V) other personal information handling activities that have significant impact on personal rights and interests.

Article 56. An impact assessment on personal information protection shall include the following contents: (I) whether the purpose and method of handling personal information are lawful, legitimate, and necessary;

(II) impact on personal rights and interests and security risks; and

(III) whether the protection measures taken are lawful, effective and commensurate with the degree of risks. The report on personal information protection impact assessment and records of handling shall be kept for at least three years.

Article 57. Where personal information has been or may be divulged, tampered with or lost, the personal information handler shall immediately take remedial measures and notify the authorities performing duties of personal information protection and the individuals concerned. The notice shall include the following matters: (I) the types, reasons and possible harm of the information that has been involved or may be involved in the divulgence, tampering with or loss of personal information;

(II) the remedial measures taken by the personal information handler and the measures that can be taken by the individuals to mitigate harm; and

(III) the contact information of the personal information handler. Where the personal information handler has taken measures to effectively avoid harm caused by divulgence, tampering with or loss of information, the personal information handler may opt not to notify the individuals concerned; if the authorities performing duties of personal information protection believe that harm may be caused, they may require the personal information handler to notify the individuals concerned.

Article 58. Any personal information handler that provides important Internet platform services with a large number of users and complicated business type shall perform the following obligations: (I) establishing a sound compliance system for personal information protection in accordance with the provisions of the State and setting up an independent agency mainly composed of external members to supervise personal information protection;

(II) following the principles of openness, fairness and impartiality, formulating platform rules specifying the standards for the handling of personal information by product or service providers on the platform and their obligations to protect personal information;

(III) ceasing to provide services to product or service providers on the platform that handle personal information in serious violation of laws and administrative regulations; and

(IV) regularly releasing social responsibility reports on personal information protection for social supervision.

Article 59. The agent that accepts the entrustment of a personal information handler to handle personal information shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information handled and assist the personal information handler to perform the obligations stipulated in this Law.

Chapter 6 Authorities Performing Duties of Personal Information Protection

Article 60. The CAC is responsible for coordinating the protection of personal information and relevant supervision and administration work. Relevant departments of the State Council are responsible for protecting, supervising and administering the protection of personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations. The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising and administering the protection of personal information shall be determined in accordance with relevant provisions of the State. The departments mentioned in the preceding two paragraphs are collectively referred to as the authorities performing duties of personal information protection.

Article 61. Authorities performing duties of personal information protection shall perform the following duties of personal information protection: (I) carrying out publicity and education on personal information protection, and guiding and supervising personal information handlers to protect personal information;

(II) accepting and handling complaints and reports related to personal information protection;

(III) organizing the evaluation of applications and other organizations on the protection of personal information, and disclosing the evaluation results;

(IV) investigating and handling illegal personal information handling activities; and

(V) other duties stipulated by laws and administrative regulations.

Article 62. The CAC shall make overall planning and coordinate relevant authorities to promote the following work of personal information protection in accordance with this Law: (I) formulating specific rules and standards for personal information protection;

(II) formulating specialized rules and standards for personal information protection for small personal information handlers, handling sensitive personal information and new technologies and applications such as face recognition and artificial intelligence;

(III) supporting the research, development and popularization of secure and convenient electronic identity authentication technologies, and promoting the development of public services for network identity authentication;

(IV) promoting the development of a socialized service system for personal information protection, and supporting relevant organizations in carrying out evaluation and authentication services on personal information protection; and

(V) improving the mechanism for complaints and whistleblowing reports on personal information protection.

Article 63. Authorities performing duties of personal information protection may take the following measures when performing such duties: (I) inquiring the parties concerned and investigating the circumstances relating to personal information handling activities;

(II) consulting and copying contracts, records, account books and other relevant materials relating to personal information handling ; activities of the parties concerned;

(III) carrying out on-site inspection and investigation of personal information handling activities suspected of violating laws; and

(IV) checking the equipment and articles relating to personal information handling activities; and the equipment and articles that are proved to be used for illegal personal information handling activities may be seized or detained upon written reports to and approval by the person chiefly in charge of the authority concerned. The parties concerned shall provide assistance and cooperation in ; the performance of duties of personal information protection by the authorities concerned in accordance with the law and shall not refuse or obstruct such performance.

Article 64. Where authorities performing duties of personal information protection find in their performance of such duties that there are high risks in personal information handling activities or personal information security incidents have occurred, they may, according to prescribed authority and procedures, have an interview with the legal representative or person chiefly in charge of the personal information handler concerned, or require such handler to entrust a specialized agency to conduct a compliance audit on its personal information handling activities. The personal information handler shall take measures to make rectification and eliminate hidden dangers as required. Where authorities performing duties of personal information protection find in their performance of such duties that illegal handling of personal information is suspected of constituting crimes, they shall timely refer the case to the public security authorities for handling in accordance with the law.

Article 65. Any organization or individual shall have the right to complain or report illegal personal information handling activities to the authorities performing duties of personal information protection. The said authorities receiving such complaints or reports shall timely handle them in accordance with the law and notify the complainants or reporters of the handling results. Authorities performing duties of personal information protection shall make public the contact information for accepting complaints or reports.

Article 66. In the event that personal information is handled in violation of the provisions of this Law, or that personal information is handled without performing the obligation of protecting personal information as stipulated in this Law, the authorities performing duties of personal information protection shall order the party concerned to make corrections, give a warning to it and confiscate its illegal gains. Any application that illegally handles personal information shall be ordered to suspend or terminate the provision of services; if it refuses to make corrections, a fine of not more than 1 million yuan shall be imposed on it concurrently; and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge and other directly liable persons. For any illegal act specified in the preceding paragraph with serious circumstances, the authorities performing duties of personal information protection at or above the provincial level shall order the party concerned to make corrections, confiscate its illegal gains, and impose a fine of not more than 50 million yuan or not more than 5% of its turnover of the previous year on it, and may also order it to suspend relevant business or suspend business for rectification, and inform the relevant competent authorities to revoke the relevant business permit or business license; a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit the said persons from acting as directors, supervisors, senior executives and persons-in-charge of personal information protection of relevant enterprises within a certain period of time.

Article 67. Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of relevant laws and administrative regulations and shall be disclosed to the public.

Article 68. Where a State organ fails to perform its obligation of protecting personal information as stipulated in this Law, its superior organ or the authorities performing duties of personal information protection shall order it to make corrections; and impose sanctions on the person directly in charge and other directly liable persons in accordance with the law. Where any staff member of the authorities performing duties of personal information protection neglects his/her duty, abuses his/her power, plays favoritism and commits irregularities, which does not constitute a crime, sanctions shall be imposed on him/her in accordance with the law.

Article 69. Where the handling of personal information infringes upon personal information rights and interests and causes damage, the personal information handler concerned shall bear liability for damages and other tort liabilities if it cannot prove that it is not at fault. The liability for damages specified in the preceding paragraph shall be determined based on the losses thus suffered by the individual concerned or the benefits thus obtained by the personal information handler; if the losses thus suffered by the individual concerned or the benefits thus obtained by the personal information handler are difficult to be determined, the amount of damages shall be determined in accordance with the actual circumstances.

Article 70. Where any personal information handler handles personal information in violation of this Law, which infringes upon the rights and interests of a large number of individuals, the People’s Procuratorate, the consumer organizations specified by law and the organizations determined by the CAC may bring a lawsuit to a people’s court in accordance with the law.

Article 71. Where any violation of the provisions hereof constitutes a violation of public security administration, a public security administrative punishment shall be imposed in accordance with the law; and if a crime is constituted, criminal liability shall be investigated in accordance with the law.

Chapter 8 Supplementary Provisions

Article 72. This Law shall not apply to the handling of personal information by a natural person for his or her personal or family affairs. Where there are legal provisions on the handling of personal information in the statistical and archive administration organized and implemented by the people’s governments at all levels and the relevant departments thereof, such provisions shall apply.

Article 73. For the purposes of this Law, the following terms shall have the following meanings: (I) “Personal information handler ” refers to an organization or individual that independently determines the handling purpose and method in the handling of personal information.

(II) “Automatic decision-making” refers to the activities of automatically analyzing and evaluating an individual’s behavior habits, hobbies or economic, health or credit status through computer programs and making decisions.

(III) “De-identification” refers to the process in which personal information is handled so that it is impossible to identify certain natural persons without the aid of additional information.

(IV) “Anonymization” refers to the process in which personal information is handled so that it is impossible to identify certain natural persons and that it cannot be recovered.

Article 74. This Law shall come into force as of November 1, 2021 2021.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

50 briefs reference this law.

  • § 01 · SECURITY-REVIEW

    One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era

    With the Measures for Network Data Security Risk Assessment (Order No. 24) in place, China's security-review architecture has four operating pillars: foreign investment security review (NDRC + MOFCOM), cybersecurity review (CAC + 12 departments), data export security assessment (CAC), and the new normalized network data security risk assessment (CAC coordination + sectoral authorities). JunHe lawyer Chen Sijia walks each regime through the same five questions — who reviews, what is reviewed, when review is triggered, and with what legal consequences — and lands on two points overseas counsel should not miss. First, the four regimes differ in kind: the first three are ex-ante, admission-style reviews with veto power, while the risk assessment is an annual, improvement-oriented 'physical exam.' Second, review decisions are effectively final — the mainstream view treats them as final administrative acts with no administrative reconsideration or litigation available — so cooperation during the review is the only real strategy. A closing lifecycle walkthrough shows how a single AI-model company can trip all four lines in sequence: FDI review at fundraising, cybersecurity review at GPU procurement, export assessment at model training, cybersecurity review again at foreign listing, and the annual risk assessment as a standing duty.

    security-review · national-security · cybersecurity-review
  • § 02 · AI-COMPANION

    Ten Questions Before July 15: A Compliance Q&A on China's AI Anthropomorphic Interaction Measures

    Two days before the Interim Measures for the Management of AI Anthropomorphic Interaction Services take effect on July 15, 2026, compliance practitioners Chen Huan and Li Qiyao distill the final text into ten questions AI companies keep asking: what counts as an anthropomorphic interaction service (and what is excluded), the content red lines, training-data duties, mandatory registration fields including age and emergency contacts, the two-hour usage reminder, the ban on virtual intimate relationships for minors, the separate-consent gate on training with sensitive interaction data, the five security-assessment triggers, and the penalty ladder topping out at RMB 200,000 where life and health are harmed.

    ai-companion · anthropomorphic-interaction · minors-protection
  • § 03 · CYBERSECURITY

    NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures: 72 Articles, a Four-Tier Incident Scale, and a Hard CII Chapter

    The National Financial Regulatory Administration is consulting on the Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors — a 72-article draft that would give banks, insurers, and financial holding companies a single cybersecurity rulebook under the CSL, DSL, PIPL, and CII Regulations. It fixes board-level responsibility, a six-month log-retention floor, annual penetration testing, a four-tier incident scale with a two-hour reporting clock, and a dedicated critical-information-infrastructure chapter with a one-hour reporting deadline, domestic-operation and disaster-recovery requirements, and annual procurement-list reporting. Comments close August 10, 2026.

    cybersecurity · financial-sector · critical-information-infrastructure
  • § 04 · E-COMMERCE-LAW

    China's 2026 Draft E-Commerce Law Amendment: From Marketplace Transactions to Platform-Economy Governance

    On July 4, 2026, the State Administration for Market Regulation and the Ministry of Commerce released the Draft Amendment to the E-Commerce Law for public comment, with comments due August 4, 2026. The draft has 20 articles and, according to the official notice and Xinhua Q&A, moves in five directions: expanding the law's adjustment scope beyond platforms and in-platform operators to other platform-economy participants; strengthening the platform responsibility system with richer, more graduated regulatory tools; building an integrated supervision mechanism for cross-sector platform operations, including consistent online/offline business supervision and stronger department and central-local coordination; targeting prominent illegal conduct in e-commerce; and deepening open cooperation by aligning rules, regulation, management and standards with international practice, supporting industry self-discipline and orderly outbound expansion, and adding countermeasure tools to protect Chinese enterprises. DCC reads the amendment as an attempt to reposition the E-Commerce Law from a transaction/platform statute into a platform-economy governance statute, with operational implications for platform rulemaking, merchant and worker protection, consumer governance, data/network security clauses, competition compliance, and outbound platform expansion.

    e-commerce-law · platform-economy · platform-governance
  • § 05 · DATA-PROPERTY-RIGHTS

    China's Data Property Rights Registration Guide Is Final: The Draft-to-Trial Diff

    On 1 July 2026, the National Data Administration issued the Data Property Rights Registration Work Guide (Trial), converting its April 2026 consultation draft into China's first national framework for registering the Right to Hold Data, Right to Use Data and Right to Operate Data. The final text keeps the same six-chapter, 42-article structure, but the diff is not cosmetic: security and public-interest gates are stronger; derived data is now defined; the national infrastructure shifts from a service platform to a service system; registrars face tighter qualification, disclosure, annual-evaluation, change-reporting and exit rules; public-data registration is softened from mandatory to conditional/voluntary wording; unclear contractual entitlement receives a cure path; evidence preservation, not certificate issuance, now starts the validity period; and certificate use is sharpened for data-asset balance-sheet entry, financing guarantees and valuation-based equity contribution.

    data-property-rights · data-registration · data-economy
  • § 06 · AI-GOVERNANCE

    China's AI-Companion Rule Takes Effect July 15 — A Clause-by-Clause Field Guide to What Actually Changed

    China's Interim Measures for AI Anthropomorphic Interaction Services (人工智能拟人化互动服务管理暂行办法) — the world's first dedicated rule on 'companion'-style AI — take effect on 15 July 2026. This DCC brief synthesises three Chinese-language readings published in the days before the effective date: 数据合规肖大国's article-by-article practitioner walkthrough, 网安寻路人 (Hong Yanqing)'s multi-part work on how to scope anthropomorphic interaction (including his 'Sentiment Interaction Event / SIE' indicator system), and AI前沿信息笔记's read of the business-model logic the rule is really aimed at. Three throughlines: (1) what changed between the consultation draft and the final text — real fines were added, a 'continuity (持续性)' qualifier now narrows scope, the emergency-contact duty was widened beyond vulnerable groups, and the mandatory 'human takeover' of at-risk conversations was dropped; (2) the scope question the rule leaves under-specified — which services are 'continuous emotional interaction' at all — and the SIE-style indicator approach practitioners are reaching for to answer it; and (3) the paradigm shift the rule marks, from *content-safety* governance (AI as tool) to *relationship* governance (AI as social role), which finally gives regulators a handle on attention-economy and emotional-dependency business models. For overseas counsel shipping companion, emotional-AI or character-AI products into China: this is the operational checklist and the open-question list, two weeks out.

    ai-governance · companion-ai · anthropomorphic-ai
  • § 07 · ENFORCEMENT

    MIIT Public-Naming Bulletin 2026 Batch 4 (Total Batch 57): 32 Apps and SDKs Cited for PI Violations, Excessive Permission Demands, and SDK Disclosure Failures

    On July 2, 2026, MIIT's Information & Communications Administration Bureau issued its fourth public-naming bulletin of 2026 (total Batch 57), citing 32 apps and SDKs for infringing user rights — unlawful and beyond-scope collection of personal information, forced/frequent/excessive permission demands, frequent self-starting and chained starting, uncloseable and redirect-abusing information windows, and inadequate SDK information disclosure. The batch runs under the same 2026 CAC + MIIT + MPS special campaign as the earlier CAC notification and Shanghai takedown covered in DCC's enforcement tracker, on the same rectify-or-face-disposition pathway. DCC transcribes the full 32-entry list from the bulletin's attached image table. The profile: a mobility-and-transport long tail (ride-hailing driver apps, EV charging, bus-information tools) alongside recognizable names — Neta Auto's app, PetroChina Kunlun's charging app, NetDragon's fortune-telling app, iFlyPlus — plus two WeChat mini-programs, multiple Apple App Store listings, one developer named twice, and three SDKs, one of which (闪登 SDK) drew four separate findings including the headline SDK-disclosure failure.

    enforcement · miit · app-compliance
  • § 08 · AI-AGENTS

    TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations

    On July 1, 2026 the National Cybersecurity Standardization Technical Committee (TC260) issued the Cybersecurity Standards Practice Guide — Security Guidelines for the Deployment and Use of AI Agents (网络安全标准实践指南——智能体部署使用安全指引), covering the full lifecycle of high-permission, LLM-based personal-assistant agents across five stages: assessment, preparation, deployment, use, and decommissioning, plus a star-rated security checklist (Appendix A) and an organizational management framework including shadow-agent discovery (Appendix B). This DCC brief adapts the HexCode reading published on 数据何规 — itself generated, the account notes, by its own AI agent — which maps each stage onto hard-law anchors: PIPIA duties under PIPL Article 55 and DSL Article 27 risk monitoring at assessment; the GenAI Measures' filed-model requirement and the ban on unverified API relays at preparation; least privilege, directory isolation, CSL Article 21 log retention, and high-risk-operation confirmation lists at deployment; minimum-necessary provision of personal information and long-term-memory management in use; and credential revocation and data disposal at decommissioning. Practice guides are soft law — but in Chinese enforcement practice they calibrate what 'necessary measures' means, and this one is the first lifecycle baseline for the agent era.

    ai-agents · ai-governance · tc260
  • § 09 · PIPL

    When Is a Business Partner a 'Joint Handler'? A Shanghai Insurance-Policy Leak Works Through PIPL Article 20

    A consumer bought insurance through a broker, on a platform company's website, from an insurer — and later found her full policy, personal details included, retrievable by searching her own phone number. The Shanghai judgment behind case (2024)沪01民终410号 had to decide which of the three companies were 'joint handlers' of her personal information under PIPL Article 20, and therefore jointly and severally liable. Writing on 数据何规, Lu Ying and Zhang Bingbin work through the allocation: the platform operating the website was the direct handler; the broker that steered the purchase through a site it presented as its own was a joint handler; the insurer — with an independent, contract-related purpose and no role in downstream processing decisions — was not. The article distills three identification factors (common purpose and conduct; pre-agreed division of roles as joint determination; the appearance presented to the user), separates joint processing from sharing and entrusted processing, and argues that PIPL Article 20(2) is an independent claim basis: a victim can sue all joint handlers for joint and several damages directly. For any broker/platform/underwriter or comparable multi-party data chain, this is the operative test.

    pipl · joint-processing · civil-liability
  • § 10 · ENFORCEMENT

    From Naming to Takedown: Shanghai Pulls 46 Apps That Missed the Rectification Window

    On June 24, 2026 the Shanghai Communications Administration (上海市通信管理局, the MIIT's directly-administered local communications authority) issued a notification ordering the takedown of 46 apps and SDKs that, after public naming and a rectification window, still had not fixed user-rights and personal-information violations. DCC reads it as the next rung on the enforcement ladder above the CAC's 30-app naming notification: same 2026 CAC + MIIT + MPS special campaign, but the local communications-administration tier converting an unrectified naming into an operative sanction — removal from distribution, with further measures flagged (suspension of access, administrative penalty, inclusion in the telecom-business bad-record list). The legal basis is PIPL, the Cybersecurity Law, the Telecom Regulations, and the Telecom and Internet User PI Protection Provisions. The 46-app list — transcribed here from the notice's attached image — is almost entirely Shanghai-registered long-tail O2O lifestyle apps (moving, housekeeping and cleaning, pet services, local travel agencies, community group-buy food, fitness and restaurants), and several operators appear with multiple apps taken down at once. DCC's read for overseas counsel: the provincial communications administrations are where a missed rectification window becomes a removed app, and the takedown tier sweeps the small-operator long tail, not just big nationals.

    enforcement · app-compliance · miit
  • § 11 · IMPORTANT-DATA

    Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'

    With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now.

    important-data · risk-assessment · network-data
  • § 12 · GBT-35273

    From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard

    On June 17, 2026 the National Cybersecurity Standardization Technical Committee (TC260), with CESI as drafting lead, released for public comment a systematic revision of GB/T 35273 — China's most-cited personal-information standard, the de-facto 'small PIPL.' The draft retitles the standard from 'Information Security Technology' to 'Data Security Technology' and expands its normative references from one standard to eight. DCC reads the revision as a role change, not a clause count: the standard moves from a consent-and-notice manual into a governance-capability framework. The substantive increments against GB/T 35273-2020: a new Chapter 5 importing PIPL Article 13's seven lawful bases as a standalone chapter with hard boundaries on each (contract-necessity, HR, public-disclosure) plus an evidence-chain duty; a sensitive-PI redefinition aligned to PIPL Article 28 with a new aggregation rule (multiple items that together meet the threshold are treated as sensitive as a whole); a formal 'separate consent' definition (3.7) with a negative list; a new eighth basic principle, 'quality assurance' (Chapter 4(f)); dedicated AI clauses on the collection side (6.7), in minimum-necessity (6.1 d–f), in aggregation/training (8.4), and a new generative-AI use clause (8.5.4) with output review and a 15-working-day deletion SLA; a unified-account-system clause (8.6) aimed at one-account-many-products groups; a terminal/IoT collection clause (6.8); a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (13) covering the person in charge of personal information protection, working body, processing-activity records, impact assessment, and a GB/T 46903-anchored compliance audit. Subject-rights response time tightens from 30 days to 15 working days. Clause numbers are from the comment draft and are not final; formal release is expected after 2027.

    gbt-35273 · personal-information · pipl
  • § 13 · ENFORCEMENT

    Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases

    In June 2026 Shanghai's cyberspace authority fined Shanghai Ctrip Commerce ¥10 million for unlawfully exporting personal information without implementing data-export security-assessment requirements — the first time a Chinese cross-border data penalty amount has been made public. DCC reads the fine against the three earlier Shanghai / MPS cross-border cases compiled by HexCode in 数据何规 (a hotel company that exported fields the CAC assessment had rejected, a property company that exported accommodation and financial-account data with no approval at all, and the Dior breach case) to surface the doctrine all four share: building a CRM or central-reservation system offshore does not make the bulk transfer of customer PI to headquarters 'necessary,' so it cannot escape the security-assessment / standard-contract / certification gate or PIPL's separate-consent and individual-notification requirements. The enforcement gradient — the assessment-rejected exporter was fined while the no-approval exporter was only warned — signals that subjective culpability is weighing on penalty severity.

    enforcement · cross-border-data · pipl
  • § 14 · ENFORCEMENT

    CAC Names 30 Apps and Mini-Programs for PI Violations — Nearly Half for Ineffective Account Cancellation

    On June 11, 2026 the Office of the Central Cyberspace Affairs Commission published a notification naming 30 apps and mini-programs for personal-information collection and use violations, found in testing organized under the 2026 CAC + MIIT + MPS joint special campaign. The violations fall into four categories — undisclosed PI collection rules (7 apps), frequent demands for non-essential permissions (4), incomplete SDK disclosure (5), and, the dominant category at 14 of 30, failure to provide an effective account-cancellation function. DCC reads the notification as the CAC tier of the same campaign whose MIIT testing tier we covered in the Batch 56 brief: a broader perimeter that expressly includes mini-programs, a 15-working-day rectify-and-report deadline, and a clear signal that exit rights — account cancellation and deletion — are a 2026 testing priority.

    enforcement · cac · app-compliance
  • § 15 · DATA-PROPERTY-RIGHTS

    Data 'Parallel Property Rights' — They Can Confer Status, but Can't Secure Control

    Part four — and the synthesis — of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework takes up 'parallel property rights' (数据平行财产权): how to allocate rights when the *same* data is held, used, and operated by *multiple* parties at once. Building on Xiong Bingwan and Zhuang Hongshan's 'one-data, multiple-rights' (一数数权) idea — data is non-rivalrous and copyable, so the same right over the same data can sit with several parties without excluding each other — Hong argues parallel property rights are best understood as *default rules* for incomplete-contract, collaborative-production settings: internally, parallel use is presumed; externally, operation is classified by data type (by-products each party may operate alone; purpose-built or fused data needs the others' consent); and parallel holders share a *joint defensive* interest against third parties. But the substance, he shows, falls back on derivative data — and here Xiong, Xu Ke (许可), and Shen Weixing (申卫星), despite different scenarios and tests, all tilt the derivative-data right to the *processor*, leaving the data contributor with contract/compensation/tort/PI remedies rather than ownership of the new product. DCC's read for overseas counsel: parallel property rights cut *attribution* uncertainty (who may use, operate, defend) but not *control* uncertainty (future use, detection, tracing, modelled value, third-party chains, ongoing compliance) — status, not control.

    data-property-rights · parallel-property-rights · derivative-data
  • § 16 · DATA-PROPERTY-RIGHTS

    Why Upstream Won't Operate Its Data — Control Degradation, Derivative Data, and Irreducible Uncertainty

    Part three of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' framework turns to the Right to Operate Data (数据经营权) — the right to provide data externally by transfer, licence, capital contribution, or pledge — and asks a question prior to 'what does operation transfer?': in real conditions, *will* an upstream party operate its data at all? His answer: yes, but narrowly. Control-dependent upstreams (platforms, holders of core user or irreplaceable industrial/training data) tend not to provide open, raw, autonomous access, and shift to controlled use or simply decline. The reason is structural. Once a downstream party is licensed to use data, the derivative data it produces is a *new object*: the upstream's *erga omnes* (对世) control over the raw data does not reach it, leaving the upstream — at most — a contractual claim against one counterparty. Hong then catalogues the uncertainties an upstream faces *ex ante*: some that attribution rules could touch but can't eliminate (qualification of the output, default ownership, good-faith of the processor, measurement of remedy), and some no rule can reach (combinatorial/unforeseeable value, undetectable misuse, the privity-and-insolvency chain, fusion and co-ownership, abstraction leakage into model parameters and learned skills, personal-information exposure, and counterparty hold-up). DCC's read for overseas counsel: this is the rigorous explanation of why Chinese data 'supply' is thin and why sandbox / privacy-computing structures dominate — defining a right does not supply the conditions to exercise it.

    data-property-rights · data-operation-right · data-economy
  • § 17 · DATA-PROPERTY-RIGHTS

    When the 'Right to Use Data' Goes External — Provision, Derivative Data, and the Erosion of Upstream Control

    Part two of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework turns to the Right to Use Data (数据使用权). The official definition (国家数据局, Common Data Terms Batch 2) makes the use right an *internal* power — 'I use my own data' to process, aggregate, analyse, and form derivative data — exercised on the premise of *not* providing data externally. So 'granting a use right to a downstream party' is not the use right travelling outward; it is the upstream party exercising its **operation right** to license, while the downstream party acquires a use right. That externalisation flips the downstream's legal position from PIPL **entrusted processor** (委托处理) to **provision** (提供) or **joint processing** — triggering notice and *separate consent* for personal information, and the Network Data Security Regulation's contracting duties. And because a strong use right lets the downstream form **derivative data** (衍生数据) — models, scores, indices, labels — value migrates downstream even though the raw data stays upstream. DCC's read for overseas counsel: in China data deals the use right is real but never self-bounding; whether a partner will grant an open, autonomous use right depends on its business model (control-dependent vs monetisation), and the default structure you should expect is *controlled use* (sandbox, privacy computing, federated modelling), not a clean copy.

    data-property-rights · data-use-right · data-economy
  • § 18 · DATA-ECONOMY

    What a 'Data-Asset ABS' Actually Securitises — The Collateral Is Data, the Cash Flow Is Not

    The name misleads. A Chinese 'data-asset ABS' (数据资产证券化) is labelled as such when data-pledged collateral exceeds 50% of the asset pool — but the underlying assets that actually generate the repayment cash flow are conventional financial claims: supply-chain receivables, trust-loan beneficiary rights, or finance-lease claims. Data is the collateral, the credit-enhancement, or the pricing-and-monitoring tool — not the cash-flow source. This brief, the second in DCC's data-asset-ABS series, unpacks the mechanism overseas counsel need to price the risk: the four live deal structures (trust-loan, receivables, finance-lease, data-empowerment); the difference between accounting recognition (入表) and legal right-confirmation (确权); and the four legal infirmities that make these deals fragile — unsettled data property rights, the true-sale problem created by data's non-exclusivity, the limits of bankruptcy isolation when asset value depends on the originator's continued operation, and the PIPL/DSL eligibility gates. It reads the flagship deals (平安-如皋, 华鑫-鑫欣, 青岛, 杭州高新金投) for what each actually did.

    data-economy · data-asset-abs · securitisation
  • § 19 · DATA-ECONOMY

    From Collateral to Cash Flow: The 'Secondary Licensing' Model That Would Make Data-Asset ABS Real

    If today's data-asset ABS is '1.0' — data as collateral behind a conventional debt claim — then '2.0' is the version where the data's own cash flow (licensing fees, data-service subscriptions) directly repays the securities, upgrading data from credit-enhancement tool to genuine underlying asset. This third brief in DCC's data-asset-ABS series examines the structure most likely to get there: the 'secondary licensing' (二次许可) model borrowed from intellectual-property ABS, in which a holder exclusively licenses data to an originator for an upfront lump sum, then takes a reverse exclusive licence back and pays periodic fees that become the ABS cash flow — ownership never moving. It maps the obstacles (data's non-exclusivity defeats 'exclusive licence' and 'exclusive possession'; PIPL/DSL cap what can be licensed; valuation is immature), the finance-lease-of-data variant, and the early policy encouragement (Anhui's March 2026 measures endorsing reverse-licensing). The irony the June 2026 halt exposed: regulators want real data cash flow — which is exactly what 2.0 promises but cannot yet deliver at scale.

    data-economy · data-asset-abs · securitisation
  • § 20 · DATA-PROPERTY-RIGHTS

    Two Paths for the 'Right to Hold Data' — and Why the Narrow One May Add Little

    Hong Yanqing (洪延青, 网安寻路人) works through the most unstable concept in China's 'separation of three rights' data-property framework — the Right to Hold Data (数据持有权). He pushes two readings to their logical ends. Path 1, the official 'complete separation' (三权完全切割): if the rights to hold, use, and operate data are truly independent, the holding right shrinks to a bare 'lawful-control state' whose only content is defensive — and that defense is already provided, against the world, by PIPL Article 10, DSL Article 32, the Network Data Security Regulation, and Article 13 of the Anti-Unfair Competition Law, so its incremental value as a standalone property right is thin. Path 2, the 'mother-right' reconstruction (持有权母权化): redefine 'holding' from factual control to a normative control that contains utilization potential, so the rights to use and operate are carved out from within it. DCC's read for overseas counsel: in Chinese data deals the tradeable substance sits in the rights to use and operate plus contract, registration, and compliance — not in 'who holds the data' — and China's data-property theory is still genuinely unsettled.

    data-property-rights · data-holding-right · data-economy
  • § 21 · HEALTH-DATA

    China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures

    On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.

    health-data · healthcare · data-classification
  • § 22 · ANONYMIZATION

    Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime

    Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading.

    anonymization · personal-information · data-economy
  • § 23 · DATA-PROPERTY-RIGHTS

    The 'Rights Block' — Xu Ke's Structural Theory Behind China's Data-Property Framework

    Xu Ke's highly-cited (255×) 政法论坛 article on the structure of data rights — the theoretical scaffolding that the Data 20 Articles' three-rights framework rests on. He maps the field's two warring paradigms (formalist 'empowerment' vs substantivist 'conduct regulation'), argues both fail alone, and integrates them via a 'reflexive law' approach. The payoff is a taxonomy of three possible rights structures — rights-ball, rights-bundle, rights-block — and the case that the 'data rights block' (数据权利块) best fits data's 'one principle, many manifestations' character. For overseas counsel, this is the conceptual map that explains why Chinese data rights are structured the way they are — and why Western property and IP analogies keep failing.

    data-property-rights · data-rights-theory · data-twenty
  • § 24 · DATA-ASSET

    When Does Data Become an Asset? Xu Ke on Identifying and Defining Data Assets

    Xu Ke (UIBE), writing for a practitioner audience, draws the line between data resource (国家视角, public/strategic) and data asset (市场主体视角, commercial), then between the broad sense (anything that creates value for the enterprise) and the narrow sense (meets the MOF accounting-standard test for on-balance-sheet recognition — owned/controlled, generates economic benefit, reliably measurable). He works the three-rights framework into operational boundaries by data type (personal / enterprise / government) and flags the practical questions overseas counsel face when a Chinese counterparty wants to put data on its balance sheet.

    data-asset · data-property-rights · data-on-balance-sheet
  • § 25 · ANONYMIZATION

    From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative

    The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.

    anonymization · personal-information · de-identification
  • § 26 · AI-GOVERNANCE

    Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy

    Zhu Xiaofeng (Central University of Finance and Economics Law School) takes on the GenAI causation black hole — when a personal-information harm clearly arises from a GenAI service but specific causation among model designer, model provider, model user, and data provider cannot be established, who pays? Zhu's structural answer: when conventional construction-element-analysis and Article 998 interest-balancing both fail (and they do), apply Civil Code Article 1254's 'unclear-causation' rule by analogy — the same rule used for falling-object-from-building cases. The doctrinal scaffolding: communication-safety theory, gain-and-risk allocation theory, causation proof + harm prevention. Critically: each potential injurer compensates the full damage; among themselves, allocation is proportional, with judges determining specific amounts case-by-case. Highly relevant for multinationals deploying GenAI in China — the proposed framework restructures the operating liability surface.

    ai-governance · genai · personal-information
  • § 27 · PERSONAL-INFORMATION

    Ai Lin — Why Platform Gig Workers Need PI-Protection Tilt and How to Build It

    Ai Lin (Jilin University Law School) takes on the under-attended question of personal-information protection for platform gig workers — the food-delivery couriers, ride-hail drivers, freight drivers, and 'internet marketers' who occupy China's new-employment-form category. The structural problem: PIPL's individual-consent baseline doesn't work in employment relations where the worker has no meaningful bargaining power against the platform's algorithmic management. Ai imports the alienated-labor framework from Marx and the 'scenario fairness' principle from contextual integrity to argue for a tilt-protection regime. Three operational responses: enhanced transparency + tiered PI safeguards; treating algorithmic rules as workplace regulations subject to collective bargaining; full-process regulatory accountability. Highly relevant for multinationals operating platform-gig models in China or contracting with Chinese platform workforces.

    personal-information · platform-economy · gig-economy
  • § 28 · DATA-ECONOMY

    Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework'

    Tang Linyao (Chinese Academy of Social Sciences) maps the regulatory gap for data-broker derivative harms — the harms that arise not from direct PI leakage but from the integration and aggregation activity that data brokers themselves perform. The analytical core: a vertical / horizontal data-relations framework that explains why existing PIPL-style protection (vertical-relationship-focused) systematically fails to address horizontal-relationship harms; and the 'abstract risk substantialization' doctrine borrowed from US precedent and EU GDPR to bring data-broker risk into ex-ante regulatory scope. Operationally, Tang proposes a 'Data Integration Analysis Framework' with concrete tiering (三高 / 双高 / 单高 / 三低) that translates academic doctrine into compliance-program-grade controls. Applied to a real Shenzhen Data Exchange listing as worked example.

    data-economy · data-broker · data-exchange
  • § 29 · DATA-PROPERTY-RIGHTS

    Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights

    Wang Nian (Tsinghua Law) takes on the unresolved fourth-right question in the Data 20 Articles framework: what is the data source's right (数据来源者权), and how does it relate to the three rights (hold/use/operate)? Drawing on the 'data symbiosis' (数据共生) framework from the ALI-ELI Data Economy Principles and the EU Data Act, Wang argues that pre-existing legal entitlements — privacy, PI rights, IP, trade secrets — cover only part of the source's interest, leaving a residual that needs an independent legal protection. He frames the data-source right as a 'fair use right' (公平使用权): a contractual-relationship right against the specific data processor, distinct from the property-style three rights, that captures the value contribution of the source's participation in data co-creation. The corporate-data-portability analog DCC flagged in our NDA brief gets its doctrinal foundation here.

    data-property-rights · data-twenty · data-source-rights
  • § 30 · ENFORCEMENT

    Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine

    In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.

    enforcement · samr · platform-liability
  • § 31 · AI-GOVERNANCE

    Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI

    Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.

    ai-governance · open-source · training-data
  • § 32 · ENFORCEMENT

    MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse

    MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.

    enforcement · miit · app-compliance
  • § 33 · DATA-PROPERTY-RIGHTS

    Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical

    NDA's official 政策解读 on the threshold question that every three-rights allocation depends on: who is the 'data processor' and who is the 'information subject'? NDA uses a farm-equipment hypothetical — a farm rents tractor, irrigation, and fertilizer equipment from three different vendors; cultivation data is captured in the process — to work through who collects, who decides processing purposes, and how the property-rights regime balances the data-processor's commercial interest against the information-subject's rights to access copies of relevant data. The piece sketches the basic information-subject vs. data-processor dichotomy that anchors the entire downstream data-element regime, and surfaces the access-to-data right (data portability for commercial entities) that overseas counsel often miss.

    data-property-rights · data-twenty · data-processor
  • § 34 · DATA-PROPERTY-RIGHTS

    Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights

    NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime.

    data-property-rights · data-twenty · entrusted-processing
  • § 35 · PUBLIC-DATA

    Authorized to Operate, Not Authorized to Ignore: Public-Data Operators Still Owe the Full PIPL/DSL Stack

    China's public-data authorized-operation regime — established by the January 2025 Implementation Specifications and its companion instruments — does not exempt operators from the personal information and data-security duties that sit underneath it. This brief, drawn from the Shenzhen Data Exchange's DEXC+ compliance column, sets out six specific areas where authorized operators routinely fall short: failure to classify data before operating it, misreading the operator's role in multi-party processing chains, skipping notification obligations, misidentifying the lawful basis for processing, misapplying consent that was gathered for a different purpose, and omitting the separate impact-assessment and annual risk-evaluation obligations under PIPL and the Network Data Security Regulations. The operational takeaway for overseas counsel advising operators or investors: government authorization is the entry ticket to the public-data market, not a waiver of the compliance checklist that governs what happens once inside.

    public-data · data-economy · pipl
  • § 36 · SENSITIVE-PERSONAL-INFORMATION

    Seven Highlights of China's New Sensitive Personal Information Processing Standard — and What They Mean in Practice

    GB/T 45574-2025 《数据安全技术 敏感个人信息处理安全要求》 (Data Security Technology — Security Requirements for Processing Sensitive Personal Information) is China's first dedicated national standard on sensitive personal information (敏感个人信息), effective 1 November 2025. Authored by Wang Yi, Zhao Yanming, and Zeng Lingwei of the Shenzhen Data Exchange DEXC+ program, this brief walks through the seven highlights the standard introduces: a recalibrated scope of what counts as sensitive personal information under PIPL, dynamic classification logic, a new linkage between sensitive-PI volume and the important data threshold, industry-specific and group-specific protections, data-security-maturity requirements, a model written-consent template, and tightened lifecycle obligations covering collection, storage, display, and audit. The operational takeaway for overseas counsel: the standard converts PIPL's high-level sensitive-PI obligations into testable, auditable requirements — compliance teams should treat it as the primary implementation guide for PIPL Article 28 and beyond.

    sensitive-personal-information · pipl · national-standard
  • § 37 · PIA

    The PIA as a Trading-Compliance Line — What the Network Data Security Management Regulations Add for Personal-Information Data Products

    China's personal-information protection impact assessment (PIA / 个人信息保护影响评估) has long been a statutory requirement under PIPL, but uptake in data-trading contexts remains low. A DEXC+ analysis by Wang Senpeng of Shenzhen Data Exchange argues that the Network Data Security Management Regulations (网络数据安全管理条例, 'Network Data Regs') significantly refine when and how a PIA must be conducted before a personal-information data product changes hands. The brief maps three trigger layers — subject compliance, subject-matter compliance, and circulation compliance — and then draws out the evaluation dimensions the Regulations add: a new 'dual-list' privacy-policy requirement, data-processing-agreement minimum contents, a three-year record-keeping obligation, and tightened rules on web-scraping and de-identification. For overseas counsel: a PIA is no longer just a cross-border formality — it is the primary compliance gate for trading sensitive data, delegated-processing arrangements, and any automated-decision-making data product.

    pia · personal-information-protection · data-trading
  • § 38 · IMPORTANT-DATA

    'Important Data' Is a Category, Not a Tier

    Hong Yanqing argues the mainstream reading of Article 21 of the Data Security Law confuses enterprise asset-inventory language with state-level legal-interest protection — with real consequences for cross-border transfers, enforcement, and how PIPL and DSL stack.

    important-data · dsl · commentary
  • § 39 · FOREIGN-INVESTMENT-SECURITY-REVIEW

    Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export

    Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China.

    foreign-investment-security-review · manus · ai-agent
  • § 40 · CRIMINAL-LIABILITY

    When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold

    Hong Yanqing on the criminal-side analog to PIPL — when does mishandling personal information cross from administrative violation into the crime of 'infringing on citizens' personal information'? His critique: the two key elements ('relevant State provisions' and 'serious circumstances') are too loose, and courts have stretched them in ways that should worry compliance teams.

    criminal-liability · pipl · judicial-interpretation
  • § 41 · FACIAL-RECOGNITION

    When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework

    Hong Yanqing on how to operationalize PIPL Article 26's 'necessary for public security' principle for public-place video surveillance and facial recognition. His framework: a four-step necessity test, tiered risk regime with a published prohibited list, three-fold technical controls, and a lifecycle closure mechanism — drawing on EU AI Act and US state-level practice.

    facial-recognition · public-surveillance · pipl-article-26
  • § 42 · AI-GOVERNANCE

    Where China's Draft AI Anthropomorphic-Interaction Measures Need Work — A Scholar's Reform Map

    Li Wenlong (科技利维坦) walks through the directions in which he would amend China's draft Interim Measures for the Administration of AI Anthropomorphic Interaction Services (人工智能拟人化互动服务管理办法) — the country's first dedicated rule on 'companion'-style AI. His critique is structural, not cosmetic: the core definition of '拟人化 (anthropomorphisation)' is too broad because it anchors on human-like expression rather than the real harm (relational dependency); the invented concept of '交互数据 (interaction data)' should be deleted and folded back into PIPL rather than blanket-prohibited; Chapter 2 mixes three incompatible duty types and should be split; the '1M registered / 100k MAU' security-assessment trigger is borrowed from other regimes and does not track real risk; and the training-data duties are horizontal obligations misplaced in a vertical rule. For overseas counsel building companion-AI or emotional-AI products for the China market: this is a map of where the draft is likely to move, and which duties fall on deployers versus base-model providers.

    ai-governance · companion-ai · anthropomorphic-ai
  • § 43 · AI-GOVERNANCE

    AI Agents and the Limits of Consent — When 'Authorisation' Stops Being One Click

    Li Wenlong (科技利维坦) takes the Doubao phone assistant — an AI that 'reads your screen' and acts across apps — and asks whether the consent/authorisation mechanism that traditional data law leans on can survive the agent era. His four challenges: the app-bounded 'private' environment dissolves as data and permissions move across apps (with Nissenbaum's Contextual Integrity as the only real conceptual anchor, and far from operational); agents that *act* (not just retrieve) push informed consent past the point of failure already reached by personalised ads; purpose limitation collapses because an agent chooses its own path, means and decisions from a low-information instruction, edging into automated decision-making; and ultra vires agency shifts liability from user to platform, with China's 'hallucination case' and the Air Canada case as the only thin precedents. For overseas counsel building or advising on agentic AI in China: a map of why 'authorisation' is becoming a problem of agency, system control, liability allocation and autonomy — not a checkbox — and why transparency is now a prerequisite, not a feature.

    ai-governance · ai-agents · pipl
  • § 44 · CSL

    China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed

    On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise.

    csl · csl-2025-amendment · ai-governance
  • § 45 · CROSS-BORDER

    Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense

    When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.

    cross-border · data-sovereignty · mlat
  • § 46 · PERSONAL-INFORMATION

    PIPO vs. DPO — How China's Personal Information Protection Officer Differs from the GDPR Data Protection Officer

    The Cyberspace Administration of China announced in July 2025 that personal-information processors handling data on 1 million or more individuals must submit Personal Information Protection Officer (PIPO) information to CAC. Compliance Talker's global legal policy research team contrasts China's PIPO regime under PIPL Article 52 with the GDPR's Data Protection Officer (DPO) framework under Articles 37–39. The most consequential difference: PIPO carries individual administrative liability — up to RMB 1 million in personal fines and industry bans — where DPO does not.

    personal-information · pipl · gdpr-comparison
  • § 47 · PERSONAL-INFORMATION

    Is There Such a Thing as 'Game Data Compliance' in China? — Li Wenlong's Field Notes

    Li Wenlong (科技利维坦) reports field observations on personal-data collection inside Chinese games, framed around three questions: is there an industry-specific 'game data compliance' mode; where is enforcement actually concentrated; and does the Chinese picture differ from abroad. His read: domestic game-data compliance is still at a 'wild-west stage' — the violations being caught are the blunt, clearly-unlawful kind (a game demanding photo-album permission), and the enforcement frontier is no different from any other app ecosystem. A principle-level framework was in place before 2023, but the yardstick stays crude, with no breakthrough on concrete evaluation standards — which caps how deep either enforcement or compliance can go. Overseas (GDPR and consumer law), games were under-scrutinised until the last year or two. The forward warning: games will be the main carrier of VR and will embed many models, so the compliance picture is about to get far more complex. For overseas counsel advising game studios on the China market: a reality check on what is — and isn't — being enforced.

    personal-information · pipl · app-compliance
  • § 48 · CROSS-BORDER

    Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet

    Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.

    cross-border · trusted-data-space · confidential-computing
  • § 49 · FACIAL-RECOGNITION

    Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers

    The Administrative Measures for the Application Security of Facial Recognition Technology took effect June 1, 2025. The May 2025 announcement on FRT filing implementation followed. Compliance Talker's global legal policy team walks through the seven specific compliance obligations the Measures impose — the non-exclusive-use rule, end-side storage default, 100k-individual filing threshold, separate-consent reinforcement, PIA mandate, and more — with practical implementation guidance on each. For overseas firms with any China-facing FRT deployment, this is the operational walkthrough.

    facial-recognition · frt-measures · sensitive-personal-information
  • § 50 · PUBLIC-DATA

    Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures.

    A real-case analysis from Wang Qinglan. A state-affiliated auction company holds the public-data operating right for vehicle license-plate auction data. A bank persuades it to hand over the personal data of winning bidders. The bank builds a targeted credit product and pays the auction company RMB 12 million a year in revenue share. Two compliance failures: (1) no individual consent under PIPL; (2) no credit reference business license under the Credit Reference Industry Regulation and Credit Reference Business Measures. Public-data authorized operation does not displace the credit reference licensing regime.

    public-data · credit-reference · authorized-operation
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →