Cybersecurity

Subscribe to Cybersecurity via RSS

On July 18, 2025, the Cyberspace Administration of China (the “CAC”) issued the Notice on Launching the Reporting Mechanism for Personal Information Protection Officers (the “Notice ”). This development marks a significant step in China’s regulatory enforcement of the Personal Information Protection Law (the “PIPL”) and its implementing rules, particularly the Administrative Measures on Compliance Audits of Personal Information Protection, effective June 1, 2025.Continue Reading China Initiates Mandatory Reporting Regime for Personal Information Protection Officers

On January 3, 2025, the Cyberspace Administration of China (the “CAC”) released the Draft Measures for Personal Information Protection Certification for Cross-Border Data Transfers (the “Draft Measures”) for public comment. Following the Implementation Rules for Personal Information Protection Certification (the “Implementation Rules”) and the Cybersecurity Standards Practice Guidelines – Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (TC260-PG-20222A) in 2022, the Draft Measures provides additional details with respect to key aspects of the certification process, including its applicability, evaluation criteria, implementation process, use of certification results, and post-certification supervision. Continue Reading Draft Measures for Personal Information Protection Certification for Cross-Border Data Transfers Released for Public Comment

On October 23, 2024, the Ministry of Industry and Information Technology (“MIIT”) launched a pilot program expanding foreign access to value-added telecommunications services in four pilot regions, namely, Beijing, Shanghai, Hainan, and Shenzhen. Foreign enterprises participating in this pilot program can now wholly own and operate internet data centers (IDCs) and engage in online data processing and transaction handling businesses, which would give them opportunities to participate more extensively in China’s computing power and cloud service markets.Continue Reading China Launched Pilot Program Permitting Foreign Enterprises’ Greater Participation in Value-Added Telecommunications Services

中国正式发布《促进和规范数据跨境流动规定》

On March 22, 2024, nearly six months after the release of the “draft Provisions on Regulating and Promoting Cross-border Data Transfer” (the “Draft Rules”), the Cybersecurity Administration of China (the “CAC”) formally released the “Regulations on Facilitating and Regulating Cross-border Data Flow” (the “New Regulations”), which came into effect on the date of release.Continue Reading China Issues Regulations on Facilitating and Regulating Cross-Border Data Flow

On September 28, 2023, the Cybersecurity Administration of China (the “CAC”) published a set of draft Provisions on Regulating and Promoting Cross-border Data Transfer (the “Draft Rules”) to solicit public comments. It has not been publicly announced when the Draft Rules will come into effect. Some legal practitioners speculate that they would take effect before the expiration of the grace period for filing the standard contracts as stipulated in Measures on the Standard Contract for Cross-Border Transfer of Personal Information[i]. However, these remain speculations and are not confirmed by the authorities in any official announcement.Continue Reading China Released Draft Rules Regulating and Promoting Cross-Border Data Transfer

According to the State Council’s Institutional Reform Plan released on March 7, 2023, the State Council will establish a National Bureau of Data (“NBD”), and it will be administrated by the National Development and Reform Commission (“NDRC”). Pursuant to the announced responsibilities, the NBD will be in charge of “coordinating the construction of data infrastructure, integrating and sharing data resources, and promoting the planning and development of digital China, digital economy, and digital society.”Continue Reading China to Establish National Bureau of Data

China’s Cybersecurity Law (the “Cybersecurity Law”) took effect on June 1, 2017. The Cybersecurity Law consists of 79 articles in total. According to Article 2 thereof, the Cybersecurity Law would apply to the construction, operation, maintenance and use of cyberspace within the territory of China, as well as to the supervision and administration of cybersecurity within the territory of China. This blog post will discuss those provisions of the Cybersecurity Law that would be most relevant to the protection of personal information. Any company which collects, stores, or processes personal information within the territory of China may find it useful to get familiar with such provisions.
Continue Reading Cross-Border Transfer of Personal Information under China’s Cybersecurity Law

Recently, thirteen relevant Chinese government agencies (e.g. Cyberspace Administration of China, National Development and Reform Commission of China, China Securities Regulatory Commission, etc.) jointly released amended Cybersecurity Review Measures (the “New Measures”) to amend and supersede the prior version of such measures issued on April 13, 2020. The New Measures will become effective on February 15, 2022.
Continue Reading China Issued Amended Cybersecurity Review Measures

On August 20, 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law of the People’s Republic of China (the “Personal Information Protection Law”).  The Personal Information Protection Law will become effective on November 1, 2021, and will then, together with  the Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”) and the Data Security Law of the People’s Republic of China (which will become effective on September 1, 2021, the “Data Security Law”), form the foundation of the data security legal regime of China.
Continue Reading Highlights of China’s Recently Adopted Personal Information Protection Law