September 28, 2020
Since the issuance of the Cyber Security Law (网络安全法)[1] in November 2016, China’s legislature and various government departments have released numerous laws and regulations addressing the protection of personal information, many of which we have listed for reference in Exhibit A below. Although China’s rules are not consolidated in a single unified piece of legislation comparable to Europe’s General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act (“CCPA”), the rules do look similar in some areas, such as user rights and data minimization, but look different in others, including government approval requirements for cross-border data transfers. This article provides a summary of China’s current and proposed laws and regulations that address personal information protection. We have also prepared a table in Exhibit B below, which compares China’s rules with those set forth in the GDPR and the CCPA.