China's data law, mapped.
A five-minute orientation for overseas counsel: four foundation laws, six regulators, the Subject × Object compliance grid that organizes everything else, and the four cross-border paths your data transfer fits into.
Four laws.
China's data regime rests on four pillars enacted across 2017–2021. Everything else — the regulations, the departmental rules, the standards — implements or interprets one of these.
- CSL: Cybersecurity Law (网络安全法), 2017; amended 2025. Network security baseline. Defines Critical Information Infrastructure Operators (CIIOs), the Multi-Level Protection Scheme (MLPS), and the basic data-security posture every network operator must maintain.
- DSL: Data Security Law (数据安全法), 2021. Data security framework across the lifecycle. Introduces data classification and grading, the important-data and national-core-data tiers, and security-review duties for data activities affecting national security.
- PIPL: Personal Information Protection Law (个人信息保护法), 2021. China's PI statute. Lawful bases, individual rights (access / copy / correction / deletion / portability), separate-consent requirements, cross-border transfer paths, and the PI Protection Officer (PIPO) regime.
- Civil Code (PI): Civil Code, Personality Rights Book, Chapter on Privacy and PI (民法典·人格权编·隐私权和个人信息保护), 2020. Civil-law underpinning for privacy and PI rights at the individual level. Functions as the private-law counterpart to PIPL's administrative regime, and as the basis for individual-level civil claims.
Six authorities.
Six categories of regulators with overlapping mandates. For most overseas-facing data questions, CAC is the lead. For criminal exposure, MPS. For sector-specific rules, the relevant industry regulator stacks on top of the general regime.
- CAC: Cyberspace Administration of China (国家网信办). Lead regulator. Drafts and enforces the core data and PI rules. Owns the data-export security assessment, the SCC filing regime, and the PI protection certification pathway. Co-supervises algorithm and generative-AI filings with MIIT.
- MIIT: Ministry of Industry and Information Technology (工信部). Telecom and internet-services sector regulator. Industrial-data security. Mobile app personal-information enforcement. Co-leads industrial and telecom CIIO supervision with CAC.
- MPS: Ministry of Public Security (公安部). Criminal enforcement of PI infringement under Criminal Law Article 253-1. CIIO security inspection. Cybersecurity classified-protection enforcement.
- SAMR: State Administration for Market Regulation (国家市场监管总局). Data-related anti-monopoly enforcement (including the 2024 'first data anti-monopoly' decision against a financial-data provider). Market regulation for digital products and platforms.
- NDA: National Data Administration (国家数据局). Data-element market governance. Public-data authorized operation. Data property rights registration. Operator of the national data infrastructure layer that the Shenzhen Data Exchange (and regional exchanges) plug into.
- Industry regulators (sector-specific, 行业主管部门): PBoC and NFRA (financial data), NHC (health data), MNR (geographic / surveying data), MoE (education data), MoT (transport / connected-vehicle data), CAAC (civil aviation), and others. Issue sector-specific important-data catalogues and operational standards.
Subject × Object.
The single most useful mental model for the Chinese regime — from the Joint Guide. Every concrete obligation in CSL, DSL, PIPL, the Network Data Security Regulation, the cross-border rules, the audit measures, and the sector regulations slots into one cell of this grid.
- Subject axis: what an organization must do — the obligations that follow from being a data processor.
- Object axis: what each data type requires — the obligations that follow from holding that data.
| DATA TYPE ↓ SUBJECT → | Org structure | Policy & people | Classification & grading | Partners | Risk assessment | Incident response |
|---|---|---|---|---|---|---|
| General data (default tier) | Baseline data-security team; no statutory PIPO trigger. | DSL Art 27: internal management; security training; access control. | GB/T 43697-2024 baseline. No mandatory tier label. | Standard data-sharing diligence; contractual security obligations. | Activity-triggered risk assessment if data flow changes. | DSL Art 29 / NDR: incident reporting per sector escalation matrix. |
| Important data (DSL-defined; sector catalogues) | Designated security officer; reporting line to regulator. | DSL Art 27, NDR Ch. III: enhanced policy + audit logs. | Mandatory: identified per sector catalogue or self-assessment (GB/T 43697-2024 Annex G). | Approval / filing required for entrustment that includes important data. | Annual risk assessment + activity-triggered assessment (NDR Art 36). | Direct reporting to sector regulator + CAC within statutory window. |
| Personal information (PIPL governs) | PIPO mandatory if processing 1M+ individuals' PI (CAC reporting since July 2025). | PIPL Arts 51-52: full PI compliance system; training; published rules. | Sensitive vs general PI distinction, per TC260 Sensitive PI Identification Guide. | Entrusted processing contracts (Art 21); joint controllers (Art 20); separate consent for sharing. | PIA mandatory for sensitive PI, automated decisioning, cross-border (Art 55). | Art 57: notify regulator + individuals; PI Audit Measures since 2026. |
| Public data (Data 20 Articles + NDA registration) | Registration with a designated registration institution (e.g., SZDEX). | NDA Implementation Specifications for public-data authorized operation. | Per source-data classification (party / government / public-service entity). | Authorized-operation entity bears compliance and must respect the data-source classification. | Required: source legality, scope of authorization, third-party rights protection. | Reported to NDA-coordinated mechanism + implementing institution. |
| Industry-specific data (sector regulators set rules) | Per sector — e.g., PBoC for financial data; NHC for health. | Sector regulator policies stack on top of DSL/PIPL. | Sector important-data catalogue (auto, finance, surveying, health, etc.). | Sector-specific filing or approval for partnerships. | Sector risk assessment standards (e.g., YD/T 3956-2024 for telecom). | Sector regulator + national mechanism dual-line reporting. |
Four paths.
Every cross-border data transfer to or from China maps to one of four pathways. The volume of personal information involved, the sensitivity of the data, and whether the transferor is a CIIO together determine which path applies. The 2024 CBDF Provisions broadened the exemption category significantly.
- PATH 01: Security Assessment (数据出境安全评估)
  - Triggers: any important-data export; or PI of 1M+ individuals exported cumulatively per year; or sensitive PI of 10k+ individuals exported cumulatively per year; or a CIIO exporting any PI / important data.
  - Process: CAC review; 30-60 day cycle.
- PATH 02: Standard Contract (SCC) (标准合同备案)
  - Triggers: PI of 100k–1M individuals exported per year (non-sensitive); or sensitive PI of <10k individuals exported per year. Filed with provincial CAC.
  - Process: CAC SCC Measures (June 2023); PIPIA required.
- PATH 03: PI Protection Certification (个人信息保护认证)
  - Triggers: voluntary alternative to SCC filing for the same volumes. Useful for intra-group / multinational transfers.
  - Process: TC260 / accredited certifying body; PI Certification Measures.
- PATH 04: Exemption (豁免)
  - Triggers: <100k individuals' non-sensitive PI/year; AND non-CIIO, non-important-data; AND cross-border PI required for contract performance / HR / emergency response.
  - Process: 2024 CBDF Provisions Art 3-5; no filing.
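The four-path test above, encoded as a screening function. This is an added example, not the Joint Guide's or DCC's code: the `Transfer` fields and the precedence order (assessment pre-empts SCC / certification, which pre-empt the exemption) are the example's own assumptions, and a combination the summary does not cover (for instance <100k non-sensitive PI with no contract / HR / emergency purpose) is flagged for counsel rather than guessed.

```python
# Added example: four-path screening for a planned export of data from China.
# Counts are cumulative individuals per year, as the page states the triggers.
from dataclasses import dataclass

@dataclass
class Transfer:
    """One planned cross-border transfer, as the four-path test sees it (assumed shape)."""
    is_ciio: bool                     # transferor is a Critical Information Infrastructure Operator
    includes_important_data: bool     # export contains important data (DSL / sector catalogue)
    pi_individuals: int               # all individuals whose PI is exported this year
    sensitive_pi_individuals: int     # subset of pi_individuals whose PI is sensitive
    exemption_purpose: bool           # needed for contract performance / HR / emergency response

# Next step per pathway, taken from the PROCESS notes on this page.
PROCESS = {
    "PATH 01": "CAC security assessment; 30-60 day cycle",
    "PATH 02": "SCC filing with provincial CAC; PIPIA required (PATH 03 certification is a voluntary alternative)",
    "PATH 04": "Exemption under 2024 CBDF Provisions Art 3-5; no filing",
    "REVIEW":  "Outside the four-path summary; counsel to decide",
}

def classify_path(t: Transfer) -> str:
    """Return 'PATH 01', 'PATH 02', 'PATH 04', or 'REVIEW' for uncovered combinations."""
    if t.sensitive_pi_individuals > t.pi_individuals:
        raise ValueError("sensitive PI subjects cannot exceed total PI subjects")
    exports_anything = t.includes_important_data or t.pi_individuals > 0
    # PATH 01: any single trigger suffices and pre-empts every other path.
    if (t.includes_important_data
            or t.pi_individuals >= 1_000_000
            or t.sensitive_pi_individuals >= 10_000
            or (t.is_ciio and exports_anything)):
        return "PATH 01"
    # PATH 02: SCC volumes. Certification (PATH 03) covers the same volumes voluntarily.
    non_sensitive = t.pi_individuals - t.sensitive_pi_individuals
    if 100_000 <= non_sensitive < 1_000_000 or 0 < t.sensitive_pi_individuals < 10_000:
        return "PATH 02"
    # PATH 04: every exemption condition must hold at once.
    if (non_sensitive < 100_000 and t.sensitive_pi_individuals == 0
            and not t.is_ciio and not t.includes_important_data
            and t.exemption_purpose):
        return "PATH 04"
    return "REVIEW"

def next_step(t: Transfer) -> str:
    """Pathway id plus the process note a compliance lead would action next."""
    path = classify_path(t)
    return f"{path}: {PROCESS[path]}"

if __name__ == "__main__":
    # Constructed sample: an HR data export of 2,000 employees' non-sensitive PI by a non-CIIO.
    print(next_step(Transfer(False, False, 2_000, 0, True)))
```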
Where to next.
- The legal corpus — every statute, regulation, departmental rule, standard, and judicial interpretation DCC tracks (34+ entries, full text where published).
- Bilingual glossary — 360+ Chinese data-compliance terms with canonical English translations, organized by domain.
- Briefs — analysis from Chinese counsel and KOLs, translated and edited for overseas readers.
- SCC + PIPIA templates — official CAC templates for the cross-border PI compliance pathway, in Chinese and English.
- The Joint Guide entry — the source document this page distills, with chapter index and link to the official PDF.