China Laws on Data Security and Personal Information Protection

On April 29, 2021, China’s National People’s Congress (NPC) published second drafts of the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) for feedback from the public.

There are no major structural changes to the second drafts of the DSL and PIPL. The DSL second draft adjusts treatment of important data, the data classification system, and adds to penalties for violations of data collection, data export, and other obligations. The PIPL second draft adds that no consent is required for processing previously publicly disclosed personal information and further restricts sending Chinese personal information to foreign law enforcement agencies without approval of the Chinese regulator. The DSL and PIPL, together with the Cybersecurity Law, will form the basic legal framework for Chinese information security and data policy, and will impact any company that processes Chinese assets, even if it does not have an office in China. You could find the previous market intelligence report of the first draft of the DSL published here.

Interested parties may submit comments by the May 28 due date at the following links: DSL and PIPL.

For more information contact Office.Beijing@trade.gov.