China’s Data Privacy Laws: A Compliance Guide for US Businesses
Mainland China has enacted a comprehensive and interlocking data protection framework that reaches US businesses operating in, serving, or receiving data from China. Understanding its three core statutes — and the dense web of implementing regulations beneath them — is now an operational necessity for any US business with Chinese market exposure.
Last reviewed: April 2026 | Jurisdiction: Mainland China (PRC)
Contents
- Introduction: A Tripartite Statutory Framework
- Extraterritorial Reach: Which US Businesses Are Affected?
- The Personal Information Protection Law (PIPL)
- Legal Bases for Processing Personal Information
- Sensitive Personal Information
- Individual Rights
- The Data Security Law and Cybersecurity Law
- Cross-border Data Transfers: The Most Complex Compliance Challenge
- Data Localization Requirements
- The Personal Information Protection Officer
- Regulatory Authority and Enforcement
- Practical Compliance Considerations for US Businesses
- Conclusion
Introduction: A Tripartite Statutory Framework
Mainland China’s approach to data regulation differs from the European model in a fundamental structural respect: rather than consolidating data protection in a single omnibus statute administered by an independent supervisory authority, China has built its framework across three distinct but interconnected laws, each addressing a different dimension of data governance. Those three laws are the Personal Information Protection Law (PIPL, effective November 1, 2021), the Data Security Law (DSL, effective September 1, 2021), and the Cybersecurity Law (CSL, effective June 1, 2017). Together, they form an integrated regime that governs how personal information is collected and processed, how data assets are classified and secured, and how networks and digital infrastructure operate — all under the supervisory authority of the Cyberspace Administration of China (CAC) and, depending on the context, co-regulators including the Ministry of Public Security and the Ministry of Industry and Information Technology.
PIPL: Personal Information Protection Law (effective November 1, 2021)
DSL: Data Security Law (effective September 1, 2021)
CSL: Cybersecurity Law (effective June 1, 2017)
Beneath these three statutes sits a rapidly expanding layer of implementing regulations, CAC measures, and technical standards. Key instruments include the Measures for Security Assessment of Cross-border Data Transfer (effective September 1, 2022), the Measures for Standard Contract for Cross-border Transfer of Personal Information (effective June 1, 2023), the Regulations on Promoting and Regulating Cross-border Data Flow (effective March 22, 2024), and the Network Data Security Management Regulations (effective January 1, 2025). For US businesses, the combined effect of this framework is a system of obligations that is geographically extensive in its reach, technically demanding in its cross-border transfer requirements, and politically distinctive in that the primary regulatory body is an arm of the Chinese state rather than an independent data protection authority.
This page focuses on the obligations most relevant to US businesses — those arising from the PIPL’s extraterritorial reach, the cross-border data transfer regime, and the data localization requirements that apply to certain categories of operators. It does not address the separate but related requirements of China’s cybersecurity review regime, which applies to platform companies and operators in critical sectors and involves a distinct set of national security considerations.
Extraterritorial Reach: Which US Businesses Are Affected?
Article 3 of the PIPL establishes an extraterritorial scope that is functionally comparable to the GDPR’s. The PIPL applies to the processing of personal information of natural persons within the People’s Republic of China. It also applies to processing activities conducted outside China where the purpose is to: (a) provide products or services to natural persons within China; (b) analyze or assess the behavior of natural persons within China; or (c) engage in other circumstances specified by law or administrative regulation.
The practical implications for US businesses are significant. A US company that sells products or services to mainland Chinese consumers through an e-commerce platform, that operates a mobile application with Chinese users, that provides software-as-a-service to Chinese businesses and thereby processes the personal information of their employees or customers, or that analyzes behavioral data of individuals in China — for example, through analytics, advertising, or market research tools — is within the PIPL’s scope regardless of whether it has any physical presence in China. US businesses should conduct a clear-eyed assessment of whether any of their digital products, services, or data processing activities are directed at or touch individuals located in mainland China, because that analysis determines whether the PIPL applies and therefore whether the cross-border transfer regime becomes a compliance obligation.
US businesses that have Chinese subsidiaries, joint ventures, or operational offices in China are subject to the full domestic application of the PIPL as well as the DSL and CSL. For those businesses, the compliance challenge is substantially broader: it encompasses not only the handling of Chinese personal information that flows outward to the US parent, but also the internal governance of Chinese entities’ data processing activities, the classification of data under the DSL framework, and the network security obligations imposed by the CSL on operators of network infrastructure within China.
Important Jurisdictional Note: This page addresses the data protection framework of mainland China only. The laws of the Hong Kong Special Administrative Region and the Macao Special Administrative Region are distinct from mainland Chinese law. Hong Kong operates under its own Personal Data (Privacy) Ordinance (PDPO). US businesses with operations in Hong Kong should seek advice specific to that jurisdiction.
The Personal Information Protection Law (PIPL)
The PIPL is China’s most directly comparable instrument to the GDPR and to the Brazil LGPD. Like those laws, it establishes a general framework for the lawful processing of personal information, defines individual rights, requires certain governance measures by organizations, and creates a supervisory and enforcement regime. Personal information is defined broadly under Article 4 as any information related to an identified or identifiable natural person recorded in electronic or other form — explicitly excluding anonymized information. The person or organization that independently determines the purpose and method of processing is the “personal information handler,” a role functionally equivalent to the data controller in European terminology.
One structurally important feature of the PIPL is its treatment of consent. Unlike the GDPR, where consent is one of six legal bases of broadly comparable weight, the PIPL places consent in a position of heightened centrality: many of the most commercially significant processing activities — including behavioral advertising, provision of personal information to third parties, and processing of sensitive personal information — require distinct, specific, and separately obtained consent rather than consent that can be bundled into general terms. Article 14 requires consent to be a voluntary, explicit, and informed statement of the individual’s wishes. This has immediate practical implications for US businesses whose consent frameworks were designed primarily against GDPR or US state law standards: a consent architecture that satisfies the GDPR may not meet the PIPL’s requirements, particularly for activities involving third-party sharing or behavioral profiling of Chinese users.
The PIPL also imposes obligations relating to processing impact assessments. Article 55 requires personal information handlers to conduct a personal information protection impact assessment (PIPIA) prior to engaging in any of the following: processing sensitive personal information; using personal information for automated decision-making; providing personal information to third parties; disclosing personal information publicly; transferring personal information outside China; or engaging in any other processing activity that has a significant impact on individuals’ rights and interests. The PIPIA obligation is broader in its triggering conditions than the GDPR’s DPIA requirement, which applies when processing is “likely to result in a high risk.” US businesses processing personal information of Chinese individuals for any of the listed activities — in particular, transferring that data outside China — must maintain documented impact assessments before undertaking the relevant processing.
Legal Bases for Processing Personal Information
Article 13 of the PIPL provides seven lawful bases for the processing of personal information. These are: (1) obtaining the individual’s consent; (2) necessity for the conclusion or performance of a contract to which the individual is a party, or for human resources management in accordance with lawfully established employment rules and lawfully entered collective contracts; (3) necessity for the performance of statutory duties or obligations; (4) necessity for responding to public health emergencies, or for protecting the life, health, or property safety of individuals in emergencies; (5) processing within a reasonable scope for news reporting, public opinion supervision, and other activities in the public interest; (6) processing personal information that has been disclosed by the individual or otherwise lawfully disclosed, within a reasonable scope; and (7) other circumstances specified by laws and administrative regulations.
The contrast with the GDPR’s legal bases is instructive. The PIPL does not include a freestanding “legitimate interests” basis of the kind that GDPR Article 6(1)(f) provides. The closest equivalent — the “reasonable scope” processing of publicly disclosed information under basis 6 — is significantly more limited in scope than the GDPR’s legitimate interests provision, which European businesses and their counsel have deployed across a wide range of commercial processing activities. For US businesses accustomed to relying on legitimate interests as a flexible catch-all basis for analytics, fraud prevention, security monitoring, and similar activities, the absence of a direct PIPL equivalent means that many of those activities must either be reframed under a different basis (most likely consent or contract) or their lawfulness under the PIPL must be assessed on different grounds.
Consent under the PIPL also carries a stricter anti-bundling rule than the GDPR. Article 14 provides that where the handling of personal information is based on consent, the individual must give a voluntary, explicit, and informed consent. Critically, where consent is being sought for multiple, distinct processing purposes, each purpose must be consented to separately. A single, comprehensive consent notice that covers data collection, behavioral profiling, third-party sharing, and cross-border transfer in a single tick-box does not satisfy the PIPL. US businesses must audit their consent collection flows to ensure that distinct purposes are separately presented and separately consented to by Chinese users.
Sensitive Personal Information
The PIPL defines sensitive personal information in Article 28 as personal information that, once leaked or illegally used, is likely to cause harm to the dignity of natural persons or serious harm to personal or property safety. The categories include: biometric identification data; religious beliefs; specific identities (including ethnicity and political status); medical and health information; financial account information; personal location tracking information; and personal information of minors under the age of 14. This definition has several significant points of difference from the EU GDPR’s special categories.
Most notably, financial account information is classified as sensitive personal information under the PIPL — a categorization that has no direct equivalent in the GDPR, where financial data is not a special category. For US financial institutions, fintech companies, payment processors, and any business that handles Chinese users’ bank account, payment card, or investment account information, this means that heightened obligations apply as a matter of course: a separate, specific consent is required for processing financial account data, the processing must have a specific and necessary purpose, and a personal information protection impact assessment must be conducted before commencing the processing. US businesses in the financial sector operating in China should take particular note of this distinction when reviewing the adequacy of their existing consent and governance frameworks.
The classification of personal information of minors under 14 as sensitive across the board is also more expansive than the approach of most Western jurisdictions, where enhanced protections for children are typically implemented through age-specific consent requirements rather than through a blanket sensitive-data classification. Under the PIPL, any processing of a Chinese child’s personal information — however routine — requires a separate specific consent and carries the full weight of the sensitive personal information regime. The PIPL is supplemented on this point by the Provisions on the Protection of Minors’ Personal Information Online (effective January 1, 2024), which impose additional obligations on platform operators regarding minors aged under 18.
Individual Rights
Chapter IV of the PIPL (Articles 44–50) sets out a catalog of individual rights that is recognizable in structure to any practitioner familiar with the GDPR. Individuals have the right to know about and to decide on the processing of their personal information, the right to restrict or refuse processing, the right to access and obtain copies of their personal information, the right to have inaccurate or incomplete information corrected or supplemented, the right to have personal information deleted in specified circumstances, and the right to an explanation of automated decision-making rules when automated methods are used to make decisions that have a significant impact on individuals’ rights and interests.
Article 48 provides an additional right that deserves specific attention: individuals may request a personal information handler to explain its personal information processing rules. This obligation to provide explanatory transparency about processing practices goes somewhat further than the GDPR’s transparency requirements, which are met primarily through layered privacy notices. US businesses relying on privacy notice disclosure alone should ensure they have processes to respond to individual explanation requests on a case-by-case basis.
Article 45 also provides a data portability right that the PIPL states should be available where the conditions stipulated by the CAC are met. The CAC has been developing the regulatory infrastructure for data portability, including through mechanisms related to “data export” and personal data mobility between platforms. US businesses operating consumer platforms that serve Chinese users should anticipate further regulatory development in this area and design their systems to accommodate portability requests for Chinese users’ data.
On automated decision-making, Article 24 imposes obligations that apply regardless of whether an individual exercises their rights: personal information handlers using automated decision-making must ensure transparency and fairness in such decisions and must not apply unreasonably differentiated treatment to individuals in terms of transaction conditions. Where automated decision-making is used for commercial marketing or information delivery, individuals must have the option to opt out or to request that decisions are made without automated methods. This applies directly to US businesses using algorithmic recommendation systems, personalized advertising, dynamic pricing, or credit scoring that affects Chinese users.
The Data Security Law and Cybersecurity Law
Alongside the PIPL, US businesses with operations in China must engage with the DSL and CSL, which address data governance from the perspectives of national security and data classification rather than individual privacy rights. The DSL, which entered into force on September 1, 2021, establishes a hierarchical data classification system. Data is to be classified according to its importance to national economic and social development and the degree of harm that would result from its alteration, destruction, leakage, or illegal acquisition or use. At the apex of this classification sits “core national data,” the processing of which is subject to strict regulation; below that is “important data,” a category that triggers specific cross-border transfer and security requirements and whose scope is being progressively defined through sector-specific implementing measures.
The concept of “important data” is central to understanding the cross-border transfer obligations described in the cross-border data transfers section below. Organizations processing important data are subject to the mandatory security assessment regime administered by the CAC for any transfer of that data outside China. The definition of important data varies by industry sector and is being operationalized through sector-specific standards and catalogues issued by industry regulators. US businesses operating in sensitive sectors — including automotive (where vehicle-generated data has been designated important data by Chinese regulators), financial services, healthcare, mapping and geospatial services, and telecommunications — should pay particular attention to whether their data holdings include material that meets the important data threshold in their sector.
The CSL, which predates both the PIPL and DSL, established the foundational obligations for “network operators” — a broad category that encompasses any operator of networks, information systems, or platforms using the internet in China. Network operators must comply with network security obligations including implementing security management systems, adopting technical security measures, retaining network logs for at least six months, and complying with data localization requirements when designated as critical information infrastructure operators (CIIOs). A CIIO is an operator in sectors vital to national security and public interest — including energy, transportation, finance, health, and large-scale internet platforms — whose disruption would seriously harm national security or the national economy. The designation of CIIO status carries the most significant compliance burden in the entire Chinese data governance framework, including mandatory local storage of personal information and important data and restrictions on cross-border data flows that differ from the standard PIPL transfer regime.
Cross-border Data Transfers: The Most Complex Compliance Challenge
The cross-border transfer provisions of the PIPL and its implementing measures represent the most operationally demanding aspect of China’s data protection framework for US businesses. Article 38 of the PIPL establishes that personal information may only be transferred outside China through one of the following mechanisms: (a) passing a security assessment organized by the CAC; (b) obtaining personal information protection certification from a qualified professional institution recognized by the CAC; (c) entering into a standard contract (SC) with the overseas recipient in the form published by the CAC; or (d) complying with other conditions specified by laws, administrative regulations, or the CAC.
The allocation of transfers among these mechanisms is not left to the choice of the transferring entity; it is determined by mandatory thresholds, set out in the Measures for Security Assessment of Cross-border Data Transfer and subsequently modified by the Regulations on Promoting and Regulating Cross-border Data Flow (the 2024 Regulations), which took effect on March 22, 2024. The 2024 Regulations represented a significant liberalization of the original PIPL transfer thresholds and introduced a range of exemptions designed to facilitate routine commercial data flows.
Mandatory CAC Security Assessment
A security assessment organized by the CAC is mandatory — and cannot be substituted with standard contracts or certification — in the following circumstances: where a critical information infrastructure operator transfers any personal information or important data outside China; where any handler transfers “important data” outside China; where a non-CIIO handler has processed the personal information of one million or more individuals and proposes to transfer personal information outside China; or where a handler has cumulatively transferred abroad the personal information of 100,000 or more individuals, or the sensitive personal information of 10,000 or more individuals, since January 1 of the preceding year. The security assessment process requires submission of an application to the CAC through the relevant provincial CAC office, accompanied by a self-assessment report, a copy of the transfer contract, and supporting documentation. The CAC has 45 working days to complete its review (extendable in complex cases). Approval is valid for two years, after which re-assessment is required.
Standard Contract Filing
For transfers that do not meet the security assessment thresholds, handlers may use the CAC-issued standard contract template, which was published pursuant to the Measures for Standard Contract for Cross-border Transfer of Personal Information (effective June 1, 2023). The standard contract is a non-negotiable template that must be used in the form prescribed by the CAC; it cannot be materially modified. The handler must also complete a personal information protection impact assessment prior to executing the standard contract, and must file the executed contract with the relevant provincial CAC office within ten business days of the contract taking effect. US businesses that are contractual recipients of personal information from Chinese entities should ensure that their Chinese counterparts have completed the SC filing, and should anticipate that contract-based data flows from China will be subject to this administrative filing requirement.
Exemptions Under the 2024 Regulations
The 2024 Regulations created important categories of exempted transfers that do not require the use of any cross-border transfer mechanism. These exemptions cover: personal data collected and generated outside China but processed by a Chinese handler for internal purposes; data sharing necessary for the conclusion or performance of a contract directly with the individual (including international trade, cross-border transportation, visa application processing, and similar transactional contexts); data sharing necessary for cross-border human resources management within a multinational enterprise group; and transfers involving fewer than 100,000 individuals’ non-sensitive personal information cumulatively per calendar year. US businesses should review whether their transfers fall within one of these exemptions before investing in the standard contract or security assessment pathway — but should be cautious about relying on exemptions without a documented analysis, given the pace at which CAC interpretation and guidance continues to develop.
US-China Transfer Comparison: No mechanism equivalent to the EU-US Data Privacy Framework exists for US-China data flows. There is no mutual adequacy arrangement, no recognized US certification scheme, and no consolidated intergovernmental transfer framework. Each outbound transfer from China to the US must be individually structured under one of the PIPL mechanisms, taking account of the mandatory thresholds and exemptions described above.
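As an added worked example (not code from this guide or from any regulator), the following Python encodes the mandatory assessment thresholds, the standard contract fallback and the 2024 Regulations exemptions described in this section as a single decision function over a constructed transfer log. The field names, sample data and review date are assumptions; the code takes the conservative reading that a mandatory assessment trigger overrides the exemptions and that any sensitive personal information falls outside the volume exemption.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum

# Constructed review date for the worked scenarios (the page was last reviewed April 2026).
REVIEW_DATE = date(2026, 4, 15)


class Mechanism(Enum):
    SECURITY_ASSESSMENT = "CAC security assessment (mandatory, cannot be substituted)"
    STANDARD_CONTRACT = "CAC standard contract filing with PIPIA (or certification)"
    EXEMPT = "exempt under the 2024 Regulations (keep a documented analysis)"


@dataclass(frozen=True)
class Transfer:
    """One individual's personal information leaving China on one date (constructed record)."""
    subject_id: str       # pseudonymous identifier; the log never holds the raw PI itself
    transferred_on: date
    sensitive: bool       # Article 28 sensitive PI, e.g. financial account data or a minor under 14


@dataclass
class Handler:
    """Facts about the transferring handler that drive the Article 38 decision (assumed field names)."""
    is_ciio: bool                    # critical information infrastructure operator
    transfers_important_data: bool   # the flow carries DSL "important data"
    individuals_processed: int       # total individuals whose PI the handler processes
    transfer_log: list[Transfer]     # every outbound transfer by this handler, across all flows
    purpose_exempt: bool = False     # contract-with-the-individual or intra-group HR exemption applies


def distinct_individuals(log: list[Transfer], since: date, sensitive_only: bool = False) -> int:
    """Distinct individuals transferred on or after `since`: the thresholds count people, not rows."""
    return len({t.subject_id for t in log
                if t.transferred_on >= since and (t.sensitive or not sensitive_only)})


def select_mechanism(h: Handler, today: date = REVIEW_DATE) -> tuple[Mechanism, str]:
    """Return the required transfer mechanism and the rule that selected it."""
    # Mandatory assessment triggers come first: the guide states they cannot be substituted,
    # so this conservative reading lets them override the purpose and volume exemptions.
    if h.is_ciio:
        return Mechanism.SECURITY_ASSESSMENT, "CIIO transferring personal information"
    if h.transfers_important_data:
        return Mechanism.SECURITY_ASSESSMENT, "flow contains important data"
    if h.individuals_processed >= 1_000_000:
        return Mechanism.SECURITY_ASSESSMENT, "handler processes PI of 1,000,000 or more individuals"
    # Cumulative counts run from January 1 of the *preceding* year, not the current one.
    window = date(today.year - 1, 1, 1)
    pi_count = distinct_individuals(h.transfer_log, window)
    spi_count = distinct_individuals(h.transfer_log, window, sensitive_only=True)
    if pi_count >= 100_000:
        return Mechanism.SECURITY_ASSESSMENT, f"{pi_count:,} individuals transferred since {window}"
    if spi_count >= 10_000:
        return Mechanism.SECURITY_ASSESSMENT, f"{spi_count:,} individuals' sensitive PI since {window}"
    # 2024 Regulations exemptions: purpose-based, or fewer than 100,000 individuals' non-sensitive
    # PI per calendar year. Sensitive PI is not "non-sensitive", so any of it voids the volume exemption.
    if h.purpose_exempt:
        return Mechanism.EXEMPT, "contract-with-individual or intra-group HR exemption"
    year_start = date(today.year, 1, 1)
    this_year = distinct_individuals(h.transfer_log, year_start)
    sensitive_this_year = distinct_individuals(h.transfer_log, year_start, sensitive_only=True)
    if sensitive_this_year == 0 and this_year < 100_000:
        return Mechanism.EXEMPT, f"{this_year:,} individuals' non-sensitive PI this calendar year"
    return Mechanism.STANDARD_CONTRACT, "below assessment thresholds but outside the volume exemption"


def sample_log(n_plain: int, n_sensitive: int, on: str, prefix: str) -> list[Transfer]:
    """Constructed sample data: n_plain non-sensitive and n_sensitive sensitive individuals on one date."""
    day = date.fromisoformat(on)
    log = [Transfer(f"{prefix}-p{i}", day, False) for i in range(n_plain)]
    log += [Transfer(f"{prefix}-s{i}", day, True) for i in range(n_sensitive)]
    return log


if __name__ == "__main__":
    scenarios = {
        "50k non-sensitive this year": Handler(
            False, False, 200_000, sample_log(50_000, 0, "2026-02-01", "a")),
        "plus 500 financial-account records": Handler(
            False, False, 200_000, sample_log(50_000, 500, "2026-02-01", "b")),
        "90k last year + 50k this year": Handler(
            False, False, 200_000,
            sample_log(90_000, 0, "2025-06-01", "c") + sample_log(50_000, 0, "2026-02-01", "d")),
    }
    for name, handler in scenarios.items():
        mechanism, reason = select_mechanism(handler)
        print(f"{name}: {mechanism.name} ({reason})")
```

The third scenario is the one practitioners most often miss: 50,000 individuals in the current year looks exempt on its own, but the 90,000 transferred the previous year push the cumulative count since January 1 of the preceding year over the 100,000 assessment threshold.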
Data Localization Requirements
China’s data localization requirements apply to two principal categories of entity: critical information infrastructure operators and handlers that have processed the personal information of one million or more individuals. Article 40 of the PIPL requires both categories to store within China the personal information they collect and generate within China. The localization obligation under the CSL (Article 37) extends to both personal information and important data collected and generated within China by CIIOs. Transfers of locally stored data outside China are subject to the security assessment regime described above.
The practical significance of data localization for US businesses depends critically on the scale and nature of their Chinese operations. US businesses that operate Chinese subsidiaries, large consumer-facing digital platforms, or services that accumulate data from a significant Chinese user base must assess whether they meet the CIIO designation criteria or the one-million-individual processing threshold. A US cloud services company, social media platform, or e-commerce provider serving the Chinese market at scale may find that its Chinese data must be stored in China-based infrastructure rather than in global data centers — a requirement that has direct implications for data architecture, IT infrastructure investment, and the operational independence of Chinese entities within a global group structure.
The Personal Information Protection Officer
Article 52 of the PIPL requires handlers that process personal information above volume thresholds established by the CAC to designate a personal information protection officer (PIPO). The PIPL itself does not specify the precise volume threshold, and clarification has been anticipated through supplementary CAC regulation. In the interim, many practitioners apply a working assumption that the requirement mirrors the security assessment threshold — i.e., handlers processing personal information of one million or more individuals — although businesses should monitor CAC guidance as it develops.
The PIPO is responsible for supervising the handler’s personal information processing activities and the adoption of protective measures. The PIPO’s name and contact details must be publicly disclosed. For overseas handlers subject to the PIPL’s extraterritorial reach under Article 53, a dedicated entity or representative must be established or designated within China to handle personal information protection matters. This representative must be registered with the CAC and is the point of contact for individuals exercising their rights and for the regulator. US businesses subject to the PIPL on an extraterritorial basis should determine whether their processing volume triggers the PIPO requirement and, if so, ensure that a China-based representative is established, registered, and operationally functional. Failure to designate a China-based representative is a compliance gap that has been specifically flagged in CAC enforcement actions.
Regulatory Authority and Enforcement
The primary regulator for the PIPL, DSL, and internet-related aspects of the CSL is the Cyberspace Administration of China (CAC), a government body under the Central Cyberspace Affairs Commission that functions as an arm of the Chinese state and Communist Party apparatus rather than as an independent supervisory authority. This is a structural characteristic of China’s regulatory model that has no equivalent in the EU or Brazil and that US businesses should keep in mind when assessing the nature of regulatory risk in China. The Ministry of Public Security, the National Development and Reform Commission, and sector-specific regulators (such as the People’s Bank of China for financial data) also play roles in enforcement in their respective domains.
The PIPL’s enforcement toolkit under Article 66 includes: orders to correct violations with a deadline; warnings; confiscation of illegal gains; administrative fines of up to RMB 1 million for less serious violations; and, for serious violations, administrative fines of up to RMB 50 million or 5% of the preceding year’s annual turnover — whichever is higher. Additionally, the handler’s business operations may be suspended, and relevant licenses may be revoked. Perhaps most significantly from a US corporate perspective, the PIPL provides that individuals directly responsible for violations — including senior management personnel — may personally be fined up to RMB 1 million and may be barred from serving as directors, supervisors, or senior management of companies for a period of years.
CAC enforcement has been active and visible since the PIPL took effect, with high-profile actions against both domestic and foreign technology companies. The CAC’s enforcement has extended to the removal of non-compliant apps from Chinese app stores, fines, and in certain cases forced business suspensions. US businesses should not treat the PIPL as aspirational or unenforced; the CAC has demonstrated both the will and the institutional capacity to pursue regulatory action against entities that fail to meet the law’s requirements.
| Feature | PIPL (China) | GDPR (EU) |
|---|---|---|
| Primary Regulator | CAC (government body, not independent) | National DPAs (independent supervisory authorities) |
| Maximum Fine | RMB 50 million or 5% of annual turnover | €20 million or 4% of global annual turnover |
| Individual Liability | Yes — personal fines up to RMB 1 million; disqualification from roles | Member state law varies; generally no direct GDPR fine on individuals |
| Legitimate Interests Basis | Not available as a general basis | Available (Art. 6(1)(f)) with balancing test |
| Sensitive Data — Financial Accounts | Yes — classified as sensitive PI | No — not a special category under GDPR |
| Cross-border Transfer Mechanism | CAC security assessment, standard contract (SC) filing, or certification | Adequacy decisions, SCCs, BCRs, derogations |
| Data Localization | Yes — mandatory for CIIOs and high-volume handlers | No general localization requirement |
| PIPIA / DPIA Triggers | Broader — required for sensitive PI, third-party sharing, transfers, profiling | Required for “high risk” processing (Art. 35) |
Practical Compliance Considerations for US Businesses
Map Your China Data Flows Comprehensively
The starting point for any China privacy compliance program is a rigorous data mapping exercise that identifies every category of personal information collected from or relating to individuals in China, the business processes that generate or use that data, the systems and infrastructure in which it is stored, and — critically — every outbound data flow that moves personal information from a China location to a location outside China. This last element is particularly important because it determines which cross-border transfer mechanism applies and whether any regulatory filing or approval is required before the flow can lawfully occur. Many US businesses discover during this exercise that cross-border flows occur through channels they had not consciously designed — for example, through HR systems that push employee data to a global instance, through cloud backup services, or through global analytics and monitoring tools that ingest data from China-based users.
Separate Your Consent Architecture for Chinese Users
The PIPL’s prohibition on bundled consent and its requirement for separate, purpose-specific consent means that consent collection flows designed for GDPR or US state law compliance are typically inadequate for Chinese users. US businesses should design a China-specific consent layer that presents each processing purpose — including behavioral profiling, third-party sharing, and any cross-border transfer — as a discrete consent choice that users may accept or decline independently. The consent record must be maintained and attributable to the individual, and mechanisms must exist for users to withdraw each consent separately without it affecting the validity of other consents they have given.
Establish and Register Your China-Based Representative
US businesses subject to the PIPL on an extraterritorial basis that process personal information of Chinese individuals must establish or designate an entity or representative within China. This representative must be registered with the CAC and must be operationally equipped to receive and respond to individual rights requests and to engage with the CAC on regulatory matters. Identifying and onboarding a qualified China-based representative — whether an affiliated entity, a law firm, or a specialized compliance service provider — is a foundational compliance step that should be completed before or concurrently with the commencement of outbound data processing.
Structure Cross-border Transfer Mechanisms Before They Are Needed
One of the most common compliance failures among US businesses is continuing to transfer personal information out of China without having implemented the applicable cross-border transfer mechanism. The 2024 Regulations’ exemptions provide useful relief for lower-volume flows, but higher-volume processors and those handling sensitive data must complete the standard contract (SC) filing (including the required personal information protection impact assessment) or, where the mandatory threshold is met, submit to and obtain approval through the CAC security assessment process. These are not quick processes: the SC filing requires a completed PIPIA and an executed contract before the filing can be made, and the security assessment can take several months. US businesses should begin the required process well in advance of any commercial launch or operational need to transfer data.
Monitor the Rapidly Evolving Regulatory Landscape
China’s data governance framework is one of the most actively developing regulatory environments in the world. The period from 2021 to 2025 saw not only the three core statutes come into force but also a continuous stream of implementing measures, sector-specific catalogues of important data, new provisions on minors’ data, publication of the standard contract, the 2024 cross-border flow Regulations, and the Network Data Security Management Regulations effective January 1, 2025. US businesses should maintain a dedicated regulatory monitoring function — or engage Chinese counsel and US privacy counsel working in coordination — to track these developments and respond to them in a timely and documented manner.
- Conclusion
China’s data privacy framework is substantively comprehensive, extraterritorially assertive, and operationally demanding in ways that distinguish it meaningfully from both the GDPR and the Brazil LGPD. The absence of a legitimate interests basis, the mandatory security assessment for high-volume cross-border transfers, the data localization obligations for CIIOs and large-scale processors, the classification of financial data as sensitive personal information, and the requirement for China-based representatives and personal information protection officers together constitute a compliance burden that cannot be met by importing programs designed for other jurisdictions. The framework is also politically distinctive: the CAC is not an independent regulator, and compliance with China’s data governance requirements necessarily involves engagement with a state and regulatory apparatus whose interests are broader than the protection of individual privacy rights.
For US businesses operating in or targeting China, the path forward requires a dedicated China compliance program — built on Chinese law, implemented with local counsel and local infrastructure, and maintained through active monitoring of a regulatory landscape that continues to develop at pace. The investment in that program is not merely a matter of legal risk management; it is an operational prerequisite for any commercial activity that involves the personal information of individuals in China.
Advising US Businesses on Chinese Data Protection Compliance
Our data protection practice advises US businesses on China’s PIPL, DSL, and CSL compliance requirements, including cross-border transfer structuring, standard contract filing, security assessment preparation, and representative designation. If you are assessing your obligations under China’s data governance framework or building a China-specific privacy program, we welcome the opportunity to assist.
