In this post, I try to keep track of all data privacy laws in China available in English. If no full translation is available, I do my best to link to some relevant comments published by observers. I find it convenient to have all of them gathered in one place, and I hope it can be helpful to you as well.
I order them by year, with a short description and a link to where you can read the full text in English, and one to the original source in Chinese. If you spot something missing, please let me know.
I’ve written a detailed post comparing Chinese privacy rules to the EU and the U.S. models, especially China’s Cybersecurity Law. You can also check my law review article on China data privacy laws, underlining the rationale behind China’s approach to data protection.
Disclaimer: This is an ongoing work, to be completed [currently being updated (November 2022)]. I focus on laws specifically targeting data protection, but there are other data privacy rules scattered in different laws. Pay attention to the rules concerning your specific sector.
Outbound Data Transfer Security Assessment Measures (2022)
Type: Guidelines
Translation: English
Effective: 1 September 2022
Online Data Security Management Regulations (2021) DRAFT
Type: Binding law (draft)
Translation: English
Effective: Draft for comment
Comments: These regulations will eventually implement parts of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law.
Personal Information Protection Law [PIPL] (2021)
Type: Binding law
Translation: English
Effective: November 1st, 2021
Comments: China’s PIPL comparison with EU GDPR and US laws.
Data Security Law (2021)
Type: Binding law
Translation: English
Effective: September 1, 2021
Personal Financial Information Protection Technical Specification (2020)
Type: Guidelines
Effective: February 13, 2020
Comments: InsidePrivacy.com, NortonRoseFulbright.com
China’s Encryption Law (2020)
Type: Binding law
Passed: October 26, 2019
Effective: January 1, 2020
Original: Chinese
Comments: InsidePrivacy.com
China’s Multi-Level Protection Scheme [MLPS] (2019)
Type: Standards
Effective: MLPS became MLPS 2.0 when three new standards were adopted in 2019
Comments: These standards focus on cybersecurity requirements. The need for network operators to implement security requirements according to MLPS comes from Article 21 of the Cybersecurity Law.
Personal Information Outbound Transfer Security Assessment Measures [DRAFT – outdated] (2019)
Type: Guidelines (draft)
Passed: May 28, 2019 (draft – outdated, see the new guidelines from 2022 above)
Translation: English
To go further: Five Big Questions Raised by China’s New Draft Cross-Border Data Rules
China’s Personal Information Security Specification (2018)
Type: Guidelines
Effective: May 2018
Translation: English
Cybersecurity Law of the People’s Republic of China (2017)
Type: Binding law
Passed: November 6, 2016
Effective: June 1, 2017
Translation: English
Consumer Protection Law and its amendments (2014)
Type: Binding law
Adopted: October 25, 2013
Effective: March 15, 2014
Translation: English
Comments: Articles 14 and 29 are especially relevant to data protection.
Decision concerning Strengthening Network Information Protection (2012)
Adopted: December 28, 2012
Translation: English