CHINA Law and Practice Contributed by: James Hu, Yingjie Kang, Huihui Li, Sherry Xu, Bivio Yu and Lisa Zhao, Fangda Partners
ing to promote the sound and sustainable develop - ment of the related industry. It is also worth noting that China has shown an increasingly open and supportive attitude toward for - eign-related intellectual property. In 2025, the National Development and Reform Commission, together with the Ministry of Commerce and the State Administra - tion for Market Regulation, revised the Negative List for Market Access (2025), reducing the number of restricted sectors from 117 to 106. This reform sig - nifies China’s continued efforts to liberalise market access at the institutional level and to foster a more transparent, predictable and equitable business envi - ronment for foreign investors. 11.3 Data Protection and Privacy Considerations Overview of Data Protection Legislation Currently, China’s legal regime for data protection comprises four main pieces of legislation, namely the Personal Information Protection Law (PIPL), the Data Security Law (DSL), the Cyber Security Law (CSL) and the Regulations on Network Data Security Manage - ment (RNDSM) which provide detailed operational guidelines for the implementation of the PIPL, DSL and CSL. The PIPL regulates the processing and protection of personal data, providing several core principles and requirements for personal data processing, such as requirements around lawful basis, transparency, data minimisation, purpose limitation, data completeness and accuracy, and security protection. Under the PIPL, individuals are granted a wide range of rights related to their personal data. Different from the EU General Data Protection Regulation, the PIPL has a strong focus on consent by individuals as to how their personal data is processed, and the concept of “legitimate interest” for processing personal data is not recognised in the PIPL. Several newly promulgated subordinated rules are also worth noting. • The Administrative Measures on Personal Informa - tion Protection Compliance Audit, effective since 1 May 2025, provide the procedures and audit items
for compliance audit under the PIPL. Companies processing personal data of more than ten million individuals are required to conduct the audit every two years. • The Measures for the Administration of the Report - ing of Cybersecurity Incidents, effective since 1 November 2025, further detail the reporting of cybersecurity incidents under the CSL. Data breach involving personal data of one million individuals or more shall be notified to competent authorities within four hours upon discovery. Extraterritorial Effect of Data Protection Laws Both the PIPL and the DSL propose clear extraterrito - rial applicability to data processing activities that take place outside China, which has been substantially fol - lowed by the newly promulgated RNDSM. • The PIPL applies extraterritorially to the process - ing of the personal data of data subjects in China that takes place outside China if such processing is (i) for the purpose of provision of goods and/or services to data subjects in China; (ii) for analys - ing or assessing the behaviour of data subjects in China; or (iii) in other circumstances as provided by Chinese laws and regulations. Foreign companies subject to PIPL’s extraterritorial effect shall set up an organisation or appoint a representative in Chi - na dedicated to data protection and file the name and contact information of any appointed organisa - tion or representative with competent regulators. • The DSL applies extraterritorially where the data processing activities which have taken place outside of China harm the national security, public interests or the legal rights and interests of citizens or organisations of China. Regulation of Cross-Border Data Transfer The DSL, PIPL, RNDSM and certain supporting rules issued by CAC – ie, the Measures on the Security Assessment of Cross-Border Data Transfer, the Pro - visions on the Standard Contract on Cross-Border Transfer of Personal Data and the Standard Contract on Cross-Border Transfer of Personal Data (China SCC), the Measures on Certification on Cross-Border Transfer of Personal Data and the Rules for Implemen - tation of Personal Information Protection Certification, and the Provisions on Promoting and Standardising
146 CHAMBERS.COM
Powered by FlippingBook