A Snapshot of China’s Cyberspace Administration and Data Protection Framework

February 09, 2022

China’s triad of cyberspace and data laws, passed by the country’s highest legislature, China’s National People’s Congress Standing Committee (“NPC”), is now fully effective: the Personal Information Protection Law (《个人信息保护法》), effective November 1, 2021; the Data Security Law (《数据安全法》), effective September 1, 2021; and the Cybersecurity Law (《网络安全法》), effective June 1, 2017 (collectively, “Data Laws”). Together with their respective implementation rules and regulations by agencies such as the Cyberspace Administration of China (“CAC”), as well as general and industry standards, these laws form China’s cyberspace administration and data protection framework, which poses major compliance challenges for multi-national companies (“MNCs”) with operations in China.

Unfortunately, the Data Laws mainly set out the general framework for the regulation of data in China, with detailed implementation guidelines still to be provided by implementing regulations and industry standards. Hence, a great deal of ambiguity remains as to the specific requirements and what companies need to do for their internal compliance on data security and personal information protection. Here, we aim to provide MNCs with a snapshot overview as a reference tool for understanding the big picture of China’s existing and ongoing legislation on data protection, without going into too much detail on each rule.

See the full article here.
