China’s Data Protection Laws: A Practical Guide for Foreign Companies

China’s Data Protection Laws: What Foreign Companies Actually Need to Know

Three laws, four compliance paths, and one mistake that can cost you your business in China. A practical guide based on real cross-border data compliance work.

The Three-Law Framework

China’s data protection regime rests on three pillars, all enacted or substantially revised within a three-year window:

  • Cybersecurity Law (CSL) — effective June 2017, requires Critical Information Infrastructure Operators (CIIOs) to store personal information and important data within China and conduct security assessments before exporting data abroad.
  • Data Security Law (DSL) — effective September 2021, establishes a classification and grading system for all data, not just personal data, and imposes obligations on all data processors.
  • Personal Information Protection Law (PIPL) — effective November 2021, China’s answer to GDPR. Regulates the collection, use, storage, transfer, and deletion of personal information. Extraterritorial reach: applies to entities outside China that process personal information of individuals inside China.

For a foreign company operating in China — or selling to Chinese consumers from abroad — all three laws potentially apply. The question is which provisions apply to you, and what you need to do about them.

The Threshold Question: Are You a CIIO?

The single most important classification under China’s data regime is whether you are a Critical Information Infrastructure Operator (CIIO). The obligations are dramatically different:

  Obligation                       | CIIO                               | Non-CIIO (ordinary processor)
  Data localization                | Must store in China                | None, unless processing volume reaches the CAC-prescribed threshold (PIPL Art. 40)
  Cross-border transfer mechanism  | Mandatory CAC security assessment  | Standard contract, certification, or security assessment, depending on volume
  Timeline                         | Security assessment: months        | Standard contract: filing only (days to weeks)

CIIO designation is not self-selected — it is determined by the relevant industry regulator. In practice, payment institutions, licensed financial institutions, telecommunications operators, and operators of large-scale cloud platforms are the most likely to be designated. Ordinary commercial enterprises — manufacturers, trading companies, e-commerce sellers — are generally not CIIOs unless they operate critical network infrastructure.

If you are a foreign company that is not a CIIO — which describes the vast majority of our clients — the most practical compliance path for cross-border data transfers is the Standard Contract route under the PIPL.

The Standard Contract Path: Not as Hard as It Sounds

Under the Measures for Standard Contracts for Cross-Border Transfer of Personal Information (effective June 2023), an ordinary personal information processor can transfer personal information abroad by signing the CAC-issued standard contract with the overseas recipient and filing it with the provincial cyberspace administration.

The process:

  1. Conduct a personal information protection impact assessment (PIPIA). This is required before any cross-border transfer. The assessment must evaluate: the legality and proportionality of the transfer purpose, the volume and sensitivity of the data, the recipient’s data protection capabilities, and the risks to data subjects.
  2. Sign the CAC standard contract. The contract terms are prescribed by regulation and cannot be modified in substance. They require the overseas recipient to provide the same level of protection as the PIPL.
  3. File with the provincial cyberspace administration. The signed contract and PIPIA report are filed — not approved — with the provincial CAC office. Filing must be completed within 10 working days after the contract takes effect.

Under the 2023 Measures, the standard contract route is available to processors that: (a) are not CIIOs, (b) process personal information of fewer than 1 million individuals, (c) have cumulatively transferred abroad personal information of fewer than 100,000 individuals since January 1 of the previous year, and (d) have cumulatively transferred abroad sensitive personal information of fewer than 10,000 individuals since January 1 of the previous year. Processors exceeding any of these thresholds must use the security assessment route. Note that the CAC's Provisions on Promoting and Regulating Cross-Border Data Flows (effective March 2024) revised these thresholds and added exemptions; confirm the figures in force with counsel before choosing a path.

The Most Common Mistake: Confusing Enterprise Data with Personal Data

In our advisory work for a cross-border payment company, the single most valuable piece of advice we gave was this: enterprise information is not personal information.

Transmitting a merchant’s business license, company name, unified social credit code, and business scope to an overseas payment institution does not trigger PIPL cross-border transfer obligations — because none of that is “personal information” as defined by the law. Personal information is information relating to an identified or identifiable natural person. (Enterprise data is still data under the DSL: if it falls into a category classified as “important data,” it carries its own export assessment obligation, so the classification exercise in the DSL is not optional just because PIPL is out of scope.)

But the moment you also transmit: the legal representative’s ID card, the shareholder’s passport number, cardholder names and payment card numbers, transaction records containing payer details, or the merchant contact person’s mobile phone number — you have crossed the line into personal information export.

The practical solution we implemented: separate the data streams. Enterprise registration data travels through one channel. Personal information — ID documents, cardholder data, contact information — travels through the standard contract channel. Do not bundle them. Bundling is not efficiency; bundling is risk.
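One way to make the separation mechanical rather than a matter of discipline is to route fields by an allowlist, with anything unrecognised defaulting to the personal-information channel. The following is an added example, not code from the article or from the author’s firm; the field names, channel labels, sensitive-field list and sample merchant record are constructed assumptions, and which fields count as sensitive personal information for a given business should be confirmed with counsel.

```python
"""Field-level segregation of a merchant onboarding record into an
enterprise-data channel and a personal-information (PI) channel.

Added illustration; field names, channel labels and the sample record are
constructed assumptions, not a statement of regulatory requirements.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Iterator

# Allowlist for the enterprise channel: fields describing the legal entity.
# Anything not listed here is never sent on this channel (default deny).
ENTERPRISE_FIELDS: frozenset[str] = frozenset({
    "company_name", "unified_social_credit_code", "business_license_no",
    "business_scope", "registered_address",
})

# Fields known to relate to an identified or identifiable natural person.
PERSONAL_FIELDS: frozenset[str] = frozenset({
    "legal_rep_name", "legal_rep_id_number", "shareholder_passport_no",
    "contact_name", "contact_mobile", "contact_email",
    "cardholder_name", "card_number", "payer_name",
})

# Assumed sensitive-PI subset (identity documents, payment card data).
SENSITIVE_FIELDS: frozenset[str] = frozenset({
    "legal_rep_id_number", "shareholder_passport_no", "card_number",
})


@dataclass
class SplitResult:
    enterprise: dict[str, Any] = field(default_factory=dict)
    personal: dict[str, Any] = field(default_factory=dict)
    # Matched by neither list: rides the PI channel, but is reported so the
    # data-flow map and the allowlists can be updated.
    unclassified: dict[str, Any] = field(default_factory=dict)

    @property
    def needs_pi_transfer_mechanism(self) -> bool:
        """True if anything left the enterprise channel."""
        return bool(self.personal) or bool(self.unclassified)

    @property
    def contains_sensitive_pi(self) -> bool:
        return any(_leaf(path) in SENSITIVE_FIELDS for path in self.personal)


def _leaf(path: str) -> str:
    return path.rsplit(".", 1)[-1]


def _flatten(obj: Any, prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, scalar) pairs from nested dicts/lists, so PI buried
    inside e.g. a transaction list is still found."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _flatten(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def split_record(record: dict[str, Any]) -> SplitResult:
    """Route every leaf field of a merchant record to a channel."""
    result = SplitResult()
    for path, value in _flatten(record):
        key = _leaf(path)
        if key in ENTERPRISE_FIELDS:
            result.enterprise[path] = value
        elif key in PERSONAL_FIELDS:
            result.personal[path] = value
        else:
            result.unclassified[path] = value  # default deny: never enterprise
    return result


def channel_payloads(record: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Payload per channel; unclassified fields are bundled with PI, never
    with enterprise data."""
    r = split_record(record)
    return {"enterprise_channel": r.enterprise,
            "pi_channel": {**r.personal, **r.unclassified}}


# Constructed sample record; all values are fictitious.
SAMPLE_MERCHANT: dict[str, Any] = {
    "company_name": "Example Trading Co., Ltd.",
    "unified_social_credit_code": "91110000XXXXXXXXXX",
    "business_scope": "Import and export of general merchandise",
    "legal_rep": {"legal_rep_name": "Zhang San",
                  "legal_rep_id_number": "110101199001010000"},
    "contact_mobile": "13800000000",
    "transactions": [{"amount": 199.0, "currency": "CNY",
                      "payer_name": "Li Si", "card_number": "6222000000000000"}],
}

if __name__ == "__main__":
    split = split_record(SAMPLE_MERCHANT)
    print("enterprise:", sorted(split.enterprise))
    print("personal:", sorted(split.personal))
    print("unclassified:", sorted(split.unclassified))
    print("needs PIPL mechanism:", split.needs_pi_transfer_mechanism,
          "| sensitive PI:", split.contains_sensitive_pi)
```

The design choice that matters is the direction of the default: an unknown field is treated as personal information until someone adds it to the enterprise allowlist, so a new attribute added upstream cannot silently widen what the enterprise channel exports. The `unclassified` report is what feeds the data-flow map in the practical steps later in this article.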

Separate Consent: What the Word “Separate” Actually Means

PIPL Article 39 requires that personal information subjects give “separate consent” (单独同意) to cross-border transfer. The word “separate” is not decorative. It means:

  • You cannot bury the consent in a general privacy policy or terms of service. Consent must be a distinct, affirmative act specific to the cross-border transfer; in practice that means a standalone document or screen.
  • You cannot present it as one checkbox among many. The consent to cross-border transfer must be visually and functionally distinct from other consents.
  • You must disclose: the identity and contact details of the overseas recipient, the purpose and method of processing, the categories of personal information, and the procedures for the individual to exercise their rights against the overseas recipient.

We draft a one-page Personal Information Cross-Border Transfer Notice and Consent Form for our clients. It sits alongside — not inside — the main service agreement. The data subject signs it separately. It is filed with the account-opening documents. This is not complicated, but it must actually be done.

What Happens If You Get It Wrong

The consequences of PIPL non-compliance are substantial:

  • Administrative penalties: for serious violations, PIPL Article 66 provides for fines of up to RMB 50 million or up to 5% of the preceding year’s turnover, in addition to confiscation of unlawful gains.
  • Individual liability: directly responsible persons can be fined up to RMB 1 million and may be barred from holding certain positions.
  • Business suspension: the regulator can order suspension of business operations, revocation of licenses, and shutdown of websites or applications.
  • Criminal liability: in cases involving the illegal sale or provision of personal information, Criminal Law Article 253-1 (the crime of infringing citizens’ personal information) provides for imprisonment of up to seven years where the circumstances are especially serious.
  • Civil liability: PIPL Article 69 creates a private right of action. Data subjects can sue for damages, and the burden of proof — on whether the processor was at fault — is reversed. The processor must prove it was not at fault.

Practical Steps for Foreign Companies

  1. Map your data flows. What personal information do you collect in China? Where is it stored? Who has access to it? Does any of it leave China — including through remote access by overseas personnel? If your answer to the last question is “I don’t know,” that is your first compliance gap.
  2. Determine whether you are a CIIO. If you are not in finance, telecoms, energy, transport, water, public services, e-government, or another sector listed in the Critical Information Infrastructure Security Protection Regulations, you probably are not. But confirm this with Chinese counsel — do not self-diagnose.
  3. If you transfer personal information abroad, pick your compliance path. For most ordinary processors, the standard contract is the most practical option. Conduct the PIPIA. Sign the CAC contract. File it.
  4. Separate enterprise data from personal data. The less personal information you transmit, the smaller your compliance burden. Segregate the data streams.
  5. Implement separate consent. A standalone cross-border transfer consent form. Signed separately. Filed separately. This is not optional.
  6. Document everything. In an enforcement action, the difference between a fine and a warning is often the quality of your documentation. Can you show the regulator your PIPIA report, your signed standard contract, your filing receipt, and your consent forms? If yes, you are in a far better position than the company that cannot.

Conclusion

China’s data protection laws are not a paper tiger. Enforcement is increasing — the CAC has conducted public investigations, issued fines, and ordered compliance rectifications against both domestic and foreign companies. But compliance is not a black box. The standard contract path is well-defined. The enterprise-versus-personal data distinction is clear. Separate consent is a process question, not a technological one.

The foreign companies that get this right are not the ones with the biggest legal budgets. They are the ones that treat data compliance as an operational requirement — like tax filing or financial reporting — rather than a legal afterthought.


This article is based on the author’s experience advising cross-border payment and technology companies on PRC data compliance. All client-identifying details have been removed. It is for informational purposes only and does not constitute legal advice. Data compliance obligations are fact-specific; consult qualified PRC counsel for your situation.

Author: Jianxing Pan
Partner, Beijing ChangAn Law Firm
Offices in Beijing and Shenzhen
lawyerpan@vip.163.com
