
This article is written by Dhruv Dubey. It discusses the various laws China has for the protection of data from cyber offences.


Almost everyone in the twenty-first century has moved their interest towards the internet. The internet and electronic devices are two innovations that will never go out of trend, yet these innovations have brought challenges to numerous large nations in the form of cybercrime.

China, which is technologically advanced in comparison to other countries, has become a victim of cybercrime. While in several instances China has been looked at as a producer of cybercrime, in this instance it acknowledged that it was a target of cybercrime as well. The Chinese government has enacted a number of key pieces of cyber legislation, such as the CAC (China’s Cyberspace Administration), the Civil Code, and more, yet cybercrime is innovating all the time, especially during the COVID pandemic. It has been reported that cybercrime spiked 600% during the COVID pandemic. Many crucial cyber policies have been established in China, and this article will discuss the legislation that has evolved there.


Authorities responsible for data protection in China

Surely the best way for a country to keep crime under control is to enact laws. In China, there is no single authority responsible for implementing personal data privacy laws. China has established the following authorities:

MIIT (Ministry of Industry and Information Technology)

The Ministry of Industry and Information Technology of China was founded in 2008 as an agency under the State Council of China. It was given the responsibility of administering internet affairs at the state level. Some of its responsibilities include:

  • To protect China’s information security.
  • To assist in the development of an information system.
  • To look after the development of major technological gadgets and innovation in the field of communication.
  • To look out for China’s industrial planning. 

MPS (Ministry of Public Security)

The Ministry of Public Security is the agency in charge of the country’s public security, and it answers to the State Council. It was founded in 1954, and its operations are managed from Beijing, where the head office is located. It is responsible for imposing administrative penalties and conducting criminal investigations into the obtaining, selling, or disclosing of personal information without authorization. Additional responsibilities include:

  • To supervise public information networks.
  • To investigate criminal activities involving the unlawful sale of personal information.

State Administration For Market Regulation

The State Administration for Market Regulation is a ministerial-level organization within the People’s Republic of China’s State Council. It was founded in 2018 and its functions are supervised from the headquarters located in Beijing. Its responsibilities include:

  • To safeguard the interests and protect the rights of consumers by supervising and managing consumers’ personal information in accordance with the law.
  • It is also responsible for information technology construction, news propaganda, and so on. It also takes technical trade measures as prescribed by the rules.

PIPL (Personal Information Protection Law) 

The PIPL (Personal Information Protection Law) is the most recent law enacted in China to safeguard personal data and improve data security. It will take effect on November 1st. The PIPL is based on the European Union’s General Data Protection Regulation (GDPR), which took effect in 2018 alongside the Data Security Law. Big organizations and international corporations should ensure that they are subject to the new law when it takes effect.

In essence, the Personal Information Protection Law lays down a basic set of rules for how organizations, whether Chinese or foreign, would gather and manage personal data, including data transmission across boundaries. A company’s jurisdiction is determined by the PIPL. As already said, changes become necessary as time passes. As a result, China has enacted the PIPL.

What institutions are covered under the PIPL

Personal Information Handlers (“PIHs”), which are similar to GDPR controllers, are covered under this law. According to Article 73, PIHs are described as “individuals and organizations” that, in personal information handling activities, unilaterally decide on handling purposes. Natural persons managing personal information for personal or family concerns are exempt from the PIPL (Article 72).

PIPL claims to have extraterritorial jurisdiction, similar to GDPR.

The law applies to “activities of managing personal information of natural persons inside the territory of the People’s Republic of China,” as per Article 3. This even covers the “handling activities of personal information of an individual within the boundaries of the People’s Republic of China and outside the boundaries of the People’s Republic of China.”

What sorts of content does the PIPL cover

Article 4 of the PIPL defines “personal information” as “all sorts of information, captured via electronic or other methods, related to named or identifiable to a person, not including information after anonymization management.” “Personal information handling” is defined in Article 4 as “the collection, storage, use, processing, transmission, provision, disclosure, and erasure of personal information.”


When we compare the two sets of laws, PIPL and GDPR, we can see that they are similar in many ways, since the PIPL was enacted with GDPR in mind, but there are a few differences. The GDPR, for example, would be much less restrictive than the PIPL. For instance, under the PIPL, if data is exchanged outside the boundary, the procedure is much more rigid. Another gap is that the PIPL doesn’t have anything in terms of preventing government access to information: when there is a question of public security or national security, the government can access such data as an exception.

Furthermore, corporations cannot send personal information related to judicial matters or to law implementation without first receiving the Chinese government’s permission, which shows the Chinese government’s control over such data.

Cybersecurity Law of the PRC

The Cybersecurity Law was the first legislation in China to comprehensively regulate the country’s cyber network. It came into effect on June 1, 2017. This legislation is the central regulator for cyber networks. Meanwhile, the President said, “without cyber security, there is no national security.” This remark is sufficient to show China’s commitment to cyber security.

Now, cybersecurity is considered a fundamental law. This Cybersecurity Law is a combination of previously existing cybersecurity laws and regulations from many levels and fields, resulting in a well-structured macro-law. This Law also establishes fundamental guidelines on a number of subjects that aren’t immediately urgent but are important in the long run. When new issues occur, these standards will serve as a legal reference.

What does this have to do with data security

As previously stated, China has developed a variety of privacy laws, whether we’re talking about sector-specific legislation like the internet or e-commerce, or whether we’re talking about basic constitutional provisions related to cybercrime or regional legislation like Shanghai’s consumer protection rule. As a result of the establishment of The Cybersecurity Law in 2017, the following responsibilities have changed.

Since the law came into effect, administrative enforcement has risen, with the Ministry of Industry and Information Technology publishing weekly reports of organizations that are in violation of the personal data rules. Similarly, a public list of major firms that have infringed privacy regulations could be published.

Also, any municipal or religious law that clashes with such laws is overshadowed by the introduction of the cybersecurity legislation or any other law at the federal level. We can say the cybersecurity legislation has brought uniformity to the treatment of privacy infringement.

Cyber Laws: key objectives

  • This law places a higher emphasis on personal data security and individual protection.
  • The law establishes guidelines for the collection and use of personal data.
  • Enterprises should concentrate not only on “information security,” but also on “personal protection insurance,” which is more important.


  • The consequences of breaking the law are clearly stated and include the suspension of corporate operations.
  • Serious illegal activity may result in the dissolution of companies or the cancellation of licenses.
  • The most severe penalty might be RMB one million.

Civil Code

The National People’s Congress passed a pending proposal, the Civil Code, on May 28, 2020, making it the first of its type in Chinese history. The Civil Code, which came into force on January 1, 2021, is a historic piece of legislation that organizes China’s privacy protections.

Part Four of the Civil Code says that the “Right of Privacy” is one of the “Rights of Personality”, and includes a chapter on “Privacy and Personal Information Protection,” which provides extensive regulations to safeguard privacy and personal information.

The Civil Code, which has recently aroused intense debate in China, is the first Code issued by the People’s Republic of China since it was founded. When the Civil Code took effect, all civil laws then in force (such as the Marriage Act, the Law of Succession, the General Rules of Civil Law, the Adoption Law, the Guarantee Law, the Contract Law, the Property Law, and the Tort Law) were repealed at the same time. There are seven Parts and supplementary provisions in the Civil Code.

What is privacy according to the Code

Privacy is defined as “a natural person’s peace of mind and the private space, private activities, and private information which he or she is unwilling to let others know” by Chapter Six of Part Four of the Civil Code (“Chapter Six”), and it lists the following actions that are not allowed to be conducted by any organisation or individual without consent:

  • Disturbing the peace of other people’s private lives via telephone, text message, instant messaging tool, email, leaflets, etc.
  • Entering, shooting, and peeping into other people’s private spaces such as houses, hotel rooms, etc.  
  • Processing private information of other people.
  • Invading the Right to Privacy of other people in general.

The Cybersecurity Law, which was passed in 2017, systematically controls the protection of personal information, while the Civil Code, which also regulates this field, elaborates, extends, and develops the Cybersecurity Law in some ways.

Personal Information is defined in Chapter Six as “all kinds of information recorded electronically or in other ways [that] allows the identification of a natural person’s identity, including natural persons’ names, dates of birth, ID numbers, biologically identifiable personal information, addresses, telephone numbers, email addresses and whereabouts, and so on.” The Cybersecurity Law excludes “email addresses and whereabouts” from the list of instances.

National Standard of the People’s Republic of China for Information Security Technology: Personal Data Security Specification

In May 2017, the Personal Information Security Standard was adopted. It lays down how personal data (also known as “individual data”) should be collected, used, and disseminated. While the 2017 Cybersecurity Law is now the most authoritative law securing personal data, this Specification is the successful highlight of a developing framework in terms of personal data.

It was produced by a drafting group with input from national and local cyber protection and standards associations and internet organizations, and it was issued by the national information technology standard-setting organization known as TC260.

On March 6, 2020, the Standardization Administration of China (SAC) and State Administration for Market Regulation (SAMR) jointly published the Personal Information Security Specification proposed by the National Information Security Standardization Technical Committee as an amendment to and replacement for the November 2017 version. On October 1, 2020, the amended legislation came into effect. Six months after it came into force, the law was repealed, because some unnecessary powers had been given to organizations and a few provisions were unclear.

Criminal Law

Historically, China had a tradition of adopting civil laws. But after the end of the Cultural Revolution in the late 1970s, the Republic of China was established. The Republic of China established a complete legal system with the Constitution, Civil Law, Procedural Law, Criminal Law, etc.

The People’s Republic of China’s Criminal Law was introduced on July 1, 1979, and amended on March 14, 1997. It specifies the punishments, definitions, and procedures that apply to criminal offences, including cybercrime. The Criminal Law appears to be a reduced version of the current Chinese Criminal Code from 1935.

The infringement of privacy and personal data is addressed under the Criminal Code as follows:

  • The offence of violating an individual’s personal data falls under Article 253 (1).
  • The offence of refusing to fulfil information network obligations falls under Article 286 (1).
  • Violating/sharing someone’s credit card information falls under Article 177 (1).

These provisions are discussed below.

Article 253 (1) 

Before the 2015 amendment, according to Article 253 (1) of the Criminal Code, any person performing state duty, particularly in the fields of telecommunications, finance, transportation, education, or medical treatment, who violates state policy or sells any information gathered while performing state duty will be sentenced to not more than 3 years in prison and fined.

Article 286 (1)

Article 286 (1) of the Criminal Code states that if an operator fails to protect data as required by law and administrative regulation, and even refuses to repair an act that has violated safety, and such an order is issued by a legal authority, the operator must pay a fine.

Article 177 (1)

Anyone who conducts any of the following acts of forging or modifying financial invoices will be condemned to a maximum of five years in prison or criminal detention, as well as a fine of not less than 20,000 yuan. 

  • Providing false or altering bills of exchange, promissory notes, or cheques; 
  • Falsifying or altering bank settlement certificates, such as certificates of entrustment with receipt of payment, certificates of remittance, and deposit receipts; 
  • Falsifying or altering letters of credit or their attached bills and documents; or 
  • Creating fake credit cards or illegally revealing information related to individuals’ credit cards.

Cyberspace administration of China

The Central Cyberspace Affair Commission’s Office, often known as the Cyberspace Administration (CAC), is the People’s Republic of China’s central regulator and control agency. The CAC was established in 2014. Its headquarters are located in Beijing. It serves the same purpose as the Chinese Communist Party’s international propaganda office. It works on the creation and implementation of policies for the Chinese internet on a variety of subjects.

  • The CAC is in charge of internet content regulation and cyberspace security. Its key functions include organizing, directing, and regulating online content management, as well as processing administrative approvals for businesses’ usage of online news reporting. 
  • The CAC is the governing agency for online content providers. In 2014, the State Council Information Office of China (SCIO) outsourced some operations to CAC, including license issuance and management for providing internet news information.
  • The CAC has been engaged in checking the security of gadgets manufactured by other countries.
  • The CAC was also tasked with chasing down internet users and online sites that spread “rumors”, such as those about an explosion in the port city.

Sector-specific laws

Many specific laws dealing with data protection exist in sectors such as automobiles, telecom, banking, insurance, and medicine. They cover:

  • Administration of population health information.
  • Medical record information.
  • Administration of internet email service.
  • Personal Information of telecommunication and internet users.
  • Protection of financial consumer rights by the People’s Bank of China.

These sector-specific laws deal with particular sector issues related to data protection.


China is one of the world’s most populous countries. Generation after generation, society has moved to the internet world. It has been stated that as technology advances, it poses a threat to society, such as cybercrime, data theft, and so on. As previously said, to combat such crimes, the government must have such an impact that an individual feels secure in the digital era. Furthermore, China’s recent revisions and laws prioritize the individual Right to Privacy and will continue to do so in the future.

