China’s data-protection regime entered a new phase on 1 January 2026 when the amended Cybersecurity Law (CSL) took effect, introducing tiered penalties, AI-specific reporting obligations, and sharply higher fines for platform operators. Combined with the maturing enforcement of the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), the regulatory environment now demands that general counsel, chief privacy officers, and compliance teams treat data governance as a board-level operational priority rather than a back-office legal exercise. For multinational businesses processing personal information inside the People’s Republic of China, or transferring it out, the need for experienced China data protection lawyers has never been more acute.
This guide provides the actionable compliance playbook that in-house teams require right now: structured timelines, DPO filing walkthroughs, cross-border transfer decision trees, and sector-specific checklists for adtech, CDP, and AI platforms.
The amended CSL, adopted by the Standing Committee of the National People’s Congress on 28 October 2025 and effective 1 January 2026, significantly raises the stakes for non-compliance. Penalties for serious violations can now reach RMB 50 million or five per cent of the preceding year’s revenue, and the Cyberspace Administration of China (CAC) has signalled aggressive enforcement across AI products, mobile applications, and cross-border data flows.
This guide is written for GCs, Chief Privacy/Data Officers, Heads of Compliance, in-house legal teams at platforms and SaaS providers, and AI product owners who need to translate these changes into operational reality within the next 90 days. Three immediate actions should be on every compliance team’s agenda: (1) verify whether your organisation must complete a DPO filing under the updated rules; (2) reassess your cross-border data transfer pathway against the current CAC thresholds; and (3) audit AI product data flows for new reporting obligations.
| Timeframe | Priority action | Owner |
|---|---|---|
| 0–7 days | Assemble a complete data map covering personal information categories, storage locations, and cross-border flows | DPO / Privacy Lead |
| 7–30 days | Prepare or update DPO filing documentation; initiate PIPL Data Protection Impact Assessment (DPIA) for high-risk processing; confirm cross-border transfer route | Legal & Compliance |
| 30–90 days | Complete remediation (contract updates, technical controls, vendor clauses); submit filings; conduct tabletop incident-response drill | Cross-functional team (Legal, IT, Product) |
China’s data-protection framework rests on three pillar statutes, each administered primarily by the CAC with support from sector regulators. Understanding how these three laws interlock is the essential starting point for any engagement with China data protection lawyers.
The Personal Information Protection Law, effective since 1 November 2021, is China’s equivalent of the EU’s GDPR. It governs the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information of natural persons within mainland China. Key obligations include obtaining consent (or establishing another lawful basis), conducting DPIAs before sensitive-data processing, appointing dedicated personnel responsible for personal-information protection, and providing data-subject rights including access, correction, deletion, and portability.
The 2026 Cybersecurity Law amendment represents the most significant revision to the CSL since its original enactment in 2017. It introduces a graduated penalty regime, AI product incident-reporting mandates, expanded obligations for critical information infrastructure (CII) operators, and enhanced personal-data-breach notification requirements. Industry observers expect the enforcement posture to intensify throughout 2026 as the CAC builds out sector-specific implementation rules.
The Data Security Law, effective since 1 September 2021, governs the security of all data, not merely personal information. It establishes a tiered data-classification system (core, important, and general data) and mandates security reviews for cross-border transfers of “important data.” For businesses that also handle personal information, the DSL operates in parallel with the PIPL, creating overlapping compliance obligations that must be addressed in an integrated manner.
| Law | Primary focus | Immediate impact on businesses (2026) |
|---|---|---|
| PIPL | Personal information protection; consent; data-subject rights; cross-border transfers | DPO filing; DPIA for sensitive processing; standard contracts or certification for cross-border transfers |
| CSL (amended) | Network security; CII protection; incident reporting; AI product obligations | Higher penalties (up to RMB 50 M / 5% revenue); AI incident reporting; expanded CII operator duties |
| DSL | Data classification; important-data security; government data security reviews | Mandatory important-data cataloguing; security assessment for outbound important data |
The 2026 Cybersecurity Law amendment was adopted on 28 October 2025 and came into force on 1 January 2026. It represents a deliberate convergence of cybersecurity, data-protection, and AI-governance objectives into a single enforcement framework.
Platform operators, defined broadly to capture any network service provider that enables user-generated content, e-commerce transactions, or data-driven services, now face expanded obligations. These include mandatory annual cybersecurity risk assessments, real-time vulnerability monitoring and reporting, and enhanced cooperation obligations during CAC investigations. Platforms that process the personal information of more than one million individuals face additional scrutiny, including mandatory security assessments before any cross-border data transfer.
The amended CSL introduces sector-first AI product provisions. Operators deploying generative AI or automated decision-making systems are now required to conduct algorithm-impact assessments, maintain audit logs of training-data sources, and report material AI-related security incidents to the CAC. Early indications suggest that the CAC intends to interpret “AI-related security incident” broadly, covering data poisoning, model inversion attacks, and unintended discriminatory outputs.
The penalty ceiling has been dramatically increased. For the most serious violations, including failure to comply with CII protection requirements or obstructing regulatory investigations, fines can reach RMB 50 million or five per cent of the preceding year’s domestic revenue, whichever is higher. Responsible individuals can be personally fined up to RMB 1 million and barred from serving as directors, supervisors, or senior managers. Industry observers expect the first enforcement waves to target cross-border data transfers and AI products that have not completed the required filings.
| Date | Rule change / milestone | Action required |
|---|---|---|
| 28 Oct 2025 | NPC Standing Committee adopts CSL amendment | Legal review of amendment text; gap analysis against existing compliance programme |
| 1 Jan 2026 | Amended CSL enters into force | Ensure all compliance measures are operational; complete any outstanding DPO and security assessment filings |
| Q1 2026 (ongoing) | CAC issues sector-specific implementation guidelines | Monitor CAC announcements; update internal policies as guidelines are published |
| Q2 2026 (expected) | First enforcement actions under amended penalty regime | Conduct internal audit; prepare incident-response documentation; brief senior management |
The DPO filing requirements under the PIPL and the amended CSL represent one of the most operationally consequential compliance tasks for 2026. Unlike the EU model where a Data Protection Officer has a defined statutory role, China’s framework requires the designation of a “person responsible for personal information protection” and, for qualifying entities, a formal filing of that person’s details with the CAC or its local counterpart.
Filing obligations apply to several categories of data handlers:
The filing form, submitted through the CAC’s online portal or the relevant provincial-level cyberspace administration, requires the following information as a minimum:
Filing alone is not sufficient. The CAC expects the designated person to exercise genuine operational authority. A PIPL compliance checklist for the DPO function should include: a written charter defining the DPO’s mandate and authority; direct and regular reporting access to senior management; a dedicated budget for compliance activities; and documented procedures for responding to data-subject requests and regulatory inquiries. Organisations should also prepare a DPO transition plan to ensure continuity if the designated person changes role or leaves the organisation, as re-filing is required within a prescribed period.
| Entity type | Filing requirement | Implementation steps |
|---|---|---|
| B2C platform with >1 M users (China) | DPO filing; PIPL DPIA; possible CSL security assessment for cross-border transfer | 0–7 days: assemble data map; 7–30 days: prepare DPIA & filing; 30–90 days: remediation |
| Foreign company providing SaaS to Chinese customers | PIPL compliance; choose cross-border route (certification, SCCs, security assessment) | 0–30 days: data-flow mapping; 30–90 days: legal and technical implementation |
| Critical Information Infrastructure (CII) operator | Strict CSL controls; localised data storage; regulator pre-approval for cross-border transfer | 0–7 days: specialist counsel & CTO operations meeting; 7–90 days: full remediation & regulator engagement |
Cross-border data transfer remains the single most complex compliance challenge for multinational organisations operating in China. The PIPL, CSL, and DSL each impose requirements that must be satisfied concurrently, and the choice of transfer mechanism has significant implications for cost, timeline, and ongoing operational burden.
The PIPL provides three primary lawful pathways for transferring personal information outside mainland China: a CAC security assessment, the CAC standard contractual clauses (SCCs), and PIPL certification by an accredited body.
The choice between pathways is not discretionary where mandatory thresholds are met. Organisations should apply the following decision logic: first, determine whether you are a CII operator (security assessment is mandatory); second, calculate the cumulative volume of personal information transferred abroad since the preceding 1 January; third, assess whether any “important data” under the DSL is included in the transfer (if so, a security assessment is required regardless of personal-information volume). Only if none of these triggers apply should the organisation consider the SCC or certification routes. The likely practical effect for most large platforms will be that the security-assessment pathway is unavoidable.
Organisations using international cloud providers (AWS, Azure, GCP, or Alibaba Cloud international regions) must implement additional operational controls. Encryption in transit and at rest should use algorithms approved by the State Cryptography Administration. Key management systems (KMS) must be configured so that decryption keys for data stored on mainland China infrastructure are not accessible from overseas nodes. Vendor contracts should include audit rights, incident-notification provisions aligned with PIPL and CSL timelines, and data-deletion clauses that are enforceable under Chinese law.
| Transfer method | Pros & cons | Required evidence |
|---|---|---|
| CAC security assessment | Pro: definitive regulatory clearance. Con: lengthy process; may take several months; re-assessment required for material changes | DPIA report; security assessment application form; data-flow diagram; recipient-country legal-environment analysis; technical-safeguard documentation |
| Standard contractual clauses (SCCs) | Pro: faster to implement; lower cost. Con: not available if mandatory-assessment thresholds are triggered; limited contractual flexibility | Signed CAC-template contract; completed DPIA; filing with provincial-level CAC within 10 working days of execution |
| PIPL certification | Pro: covers intra-group transfers efficiently; recognised across subsidiaries. Con: requires accredited-body audit; ongoing re-certification cost | Certification application; on-site audit report; internal personal-information protection rules; re-certification plan |
Data-localisation requirements under the CSL and PIPL mean that certain categories of data must be stored and processed on infrastructure physically located within mainland China. Understanding when localisation is mandatory, and designing hybrid architectures that satisfy both regulatory and operational requirements, is essential for platform and AI businesses.
CII operators must store personal information and “important data” collected and generated within mainland China on domestic infrastructure. Even non-CII handlers processing data of more than one million individuals must pass a security assessment before any cross-border transfer, which in practice incentivises localisation as the default architecture. Recommended practice is to implement logical data segregation at the database layer, with clear metadata tagging that identifies each record’s regulatory classification (personal, sensitive, important, or general) and its permissible geographic scope. For AI businesses, training data derived from personal information of Chinese residents should be processed in-country unless a valid cross-border transfer pathway has been established.
Encryption alone does not satisfy data-localisation obligations: the data must reside on mainland China infrastructure regardless of encryption status. However, robust encryption is a critical component of the technical safeguards that regulators expect. Organisations should deploy hardware security modules (HSMs) within their China data centres, ensure that encryption keys are generated and stored domestically, and maintain separate key hierarchies for China-resident data and data processed in other jurisdictions.
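The record-level tagging recommended above, combined with the transfer-pathway decision logic given earlier (CII status, important data, cumulative volume), can be enforced mechanically at the point where data leaves the mainland environment. The following is an added example, not code from the article or from any named vendor: it tags each record with a regulatory classification and a permitted-region set, blocks records whose scope excludes the destination, and derives the required pathway for what remains. The region codes, the sample batch and the semantics of `individuals_transferred_ytd` (distinct individuals already sent abroad since the preceding 1 January, excluding this batch) are assumptions of the example; the only numeric trigger coded is the one-million-individuals figure the article cites, so it does not represent any other CAC volume threshold.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional

# Classifications named in the article's tagging recommendation.
PERSONAL, SENSITIVE, IMPORTANT, GENERAL = "personal", "sensitive", "important", "general"
MAINLAND = "CN"  # assumed region code for mainland China infrastructure
# Volume trigger cited in the article: handlers processing data of more than one
# million individuals need a security assessment before any cross-border transfer.
SECURITY_ASSESSMENT_INDIVIDUALS = 1_000_000


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    permitted_regions: FrozenSet[str]   # geographic scope tag set at the database layer
    subject_id: Optional[str] = None    # data subject for personal/sensitive records


def required_pathway(is_cii_operator: bool, includes_important_data: bool,
                     cumulative_individuals: int) -> str:
    """The article's decision logic, applied in the order it lists the triggers."""
    if is_cii_operator:
        return "security_assessment"        # CII operator: assessment is mandatory
    if includes_important_data:
        return "security_assessment"        # DSL important data: assessment regardless of volume
    if cumulative_individuals > SECURITY_ASSESSMENT_INDIVIDUALS:
        return "security_assessment"        # volume trigger
    return "scc_or_certification"           # only reached when no trigger applies


def evaluate_egress(records: List[Record], destination: str, is_cii_operator: bool,
                    individuals_transferred_ytd: int) -> Dict[str, Any]:
    """Gate a batch of tagged records bound for `destination`.

    Records whose permitted scope excludes the destination are blocked outright;
    the remainder is analysed to determine which transfer pathway is required.
    `individuals_transferred_ytd` is assumed (in this example) to count distinct
    individuals already sent abroad since the preceding 1 January, excluding this batch.
    """
    blocked = [r.record_id for r in records if destination not in r.permitted_regions]
    allowed = [r for r in records if destination in r.permitted_regions]

    if destination == MAINLAND:
        # Domestic processing: no cross-border pathway needed, but scope tags still apply.
        return {"blocked": blocked, "allowed": [r.record_id for r in allowed],
                "cross_border": False, "pathway": None}

    subjects = {r.subject_id for r in allowed
                if r.classification in (PERSONAL, SENSITIVE) and r.subject_id}
    cumulative = individuals_transferred_ytd + len(subjects)
    includes_important = any(r.classification == IMPORTANT for r in allowed)
    return {
        "blocked": blocked,
        "allowed": [r.record_id for r in allowed],
        "cross_border": True,
        "new_individuals": len(subjects),
        "cumulative_individuals": cumulative,
        "includes_important_data": includes_important,
        "pathway": required_pathway(is_cii_operator, includes_important, cumulative),
    }


# Constructed sample batch (illustrative values only, not real data).
SAMPLE_BATCH = [
    Record("r1", PERSONAL, frozenset({"CN", "SG"}), subject_id="s1"),
    Record("r2", SENSITIVE, frozenset({"CN"}), subject_id="s2"),      # mainland-only scope
    Record("r3", IMPORTANT, frozenset({"CN"})),                        # important data stays in-country
    Record("r4", GENERAL, frozenset({"CN", "SG", "US"})),
    Record("r5", PERSONAL, frozenset({"CN", "SG"}), subject_id="s1"),  # same individual as r1
]

if __name__ == "__main__":
    for is_cii in (False, True):
        result = evaluate_egress(SAMPLE_BATCH, "SG", is_cii, individuals_transferred_ytd=0)
        print(f"CII={is_cii}: blocked={result['blocked']} pathway={result['pathway']}")
```

Two design points carry over to a real pipeline: the scope check is evaluated per record rather than per dataset, so a single mis-tagged important-data row cannot ride along with general data, and the pathway is recomputed from the records actually leaving rather than from a static policy, so the volume trigger is tracked against cumulative year-to-date transfers as the article describes.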
| Action | Owner | Deadline |
|---|---|---|
| Tag all data records with regulatory classification (personal / sensitive / important / general) | Data Engineering | 30 days |
| Deploy HSMs in mainland China data centres; segregate key hierarchies | InfoSec / Cloud Ops | 60 days |
| Review AI training-data pipelines for cross-border data flows; redirect to domestic infrastructure where required | ML Engineering & Legal | 90 days |
| Update data-retention policy to reflect CSL and PIPL minimum/maximum retention periods | Legal & Data Governance | 30 days |
Mobile applications remain a primary enforcement focus for the CAC. The CAC app personal information provisions impose specific requirements on how apps collect, use, and share personal information, with particular scrutiny of permission requests, third-party SDK data sharing, and privacy-notice transparency.
Every app must present a standalone privacy notice that clearly identifies the types of personal information collected, the purposes for each type, and the retention period. Consent must be granular: users must be able to decline non-essential data collection without losing access to core app functionality. The CAC has specifically targeted “bundled consent” practices, where apps require users to agree to all data-collection purposes as a single package. Compliance teams should audit all permission dialogs and ensure that each requested permission is individually justified and independently revocable.
App-store compliance is a gatekeeper obligation. Domestic app stores in China are expected to verify that listed apps comply with CAC personal-information provisions before approving publication. Organisations should maintain a current SDK inventory, map data flows from each third-party SDK, and ensure that SDK providers have signed data-processing agreements that comply with PIPL requirements. Any SDK that transmits personal information outside mainland China must be assessed against the cross-border transfer rules described above.
Enforcement activity has accelerated in 2026. The CAC, provincial-level cyberspace administrations, and the Ministry of Public Security are all active in investigations, audits, and penalty proceedings. A structured regulator-engagement playbook is no longer optional.
Regulatory audits typically examine four areas: (1) the completeness and accuracy of DPO filing documentation; (2) evidence that DPIAs have been conducted for all high-risk processing activities; (3) the technical and organisational measures in place to protect personal information; and (4) records demonstrating lawful cross-border data transfers. Compliance teams should maintain a standing audit-readiness file that includes current data maps, DPIA reports, DPO filing confirmations, cross-border transfer evidence, and incident-response logs.
Under the PIPL, personal-information handlers must notify the CAC and affected individuals “promptly” when a data breach occurs that causes or may cause harm. The amended CSL introduces more specific timelines for certain categories of breach. Organisations should prepare pre-drafted notification templates, designate a breach-response coordinator, and conduct annual tabletop exercises to test response times and escalation paths.
Where regulators identify non-compliance, early and constructive engagement typically results in better outcomes. Experienced China-based data protection lawyers can advise on remediation proposals, negotiate penalty reductions through voluntary compliance commitments, and represent organisations in administrative proceedings. The amended CSL explicitly provides for mitigated penalties where organisations can demonstrate proactive remediation measures and cooperation with the investigation.
| Timeframe | Incident-response action | Responsible party |
|---|---|---|
| 0–1 hours | Activate incident-response team; contain the breach; preserve forensic evidence | InfoSec Lead |
| 1–24 hours | Conduct preliminary impact assessment; classify severity; notify DPO and General Counsel | DPO & Legal |
| 24–72 hours | Prepare regulator notification; notify affected individuals if harm threshold is met; engage external counsel | Legal & External Counsel |
| 72 hours – 30 days | Complete root-cause analysis; implement remediation; submit follow-up report to CAC if required | Cross-functional team |
An international programmatic-advertising platform operating a demand-side platform (DSP) in China discovered that its real-time bidding (RTB) data flows were transmitting device identifiers and behavioural signals to overseas servers without a completed security assessment. The remediation involved deploying a China-resident bidding node, reconfiguring data pipelines to anonymise personal identifiers before any cross-border transmission, and completing the CAC security-assessment filing. The compliance timeline was approximately 90 days from detection to full remediation.
A global CDP vendor serving Chinese retail clients was aggregating customer profiles that included sensitive personal information (purchase history linked to financial-account data). The vendor had relied on the PIPL certification route for intra-group transfers but had not updated its certification scope to reflect new data categories added by client integrations. The corrective action required a re-certification audit, updated DPIAs, and revised data-processing agreements with all affected retail clients.
A generative-AI company training large language models on user-interaction data from Chinese consumers needed to address two concurrent obligations: the PIPL requirement for a DPIA covering the use of personal information in model training, and the amended CSL’s algorithm-impact-assessment mandate. The company implemented a data-minimisation pipeline that stripped identifiable information before ingestion into the training dataset, conducted a combined DPIA and algorithm-impact assessment, and filed its AI product incident-reporting protocol with the CAC. Industry observers expect this combined-assessment approach to become standard practice for AI businesses in China.
The convergence of the PIPL, the amended CSL, and the DSL has created one of the world’s most demanding data-protection regimes. For general counsel and compliance leaders, the priority is clear: move from legal analysis to operational implementation. Every organisation processing personal information in China, or transferring it out, should have a complete data map, a confirmed DPO filing, a validated cross-border transfer pathway, and a tested incident-response plan. Engaging China-based data protection lawyers with hands-on regulatory experience is the most reliable way to ensure that compliance programmes withstand CAC scrutiny and protect the business from the significantly enhanced penalties now in force.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Maggie Meng at Beijing Global Law Office, a member of the Global Law Experts network.