China’s Data Localization Laws: What Foreign Businesses Must Know in 2026

If your company operates in China, collects data from Chinese users, or transfers data across borders, you are operating under one of the world’s most complex data governance regimes. China’s trio of landmark data laws — the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL) — form an interconnected framework that imposes strict obligations on data storage, classification, cross-border transfer, and security. Non-compliance carries fines of up to RMB 50 million, business suspension, and criminal liability for executives.

This guide breaks down what foreign businesses actually need to do — not just what the laws say.

The Three-Law Framework: How CSL, DSL, and PIPL Interact

China’s data governance regime isn’t a single statute — it’s a layered system of laws, regulations, and standards that overlap and reinforce each other.

The Cybersecurity Law, effective June 2017, established China’s foundational data sovereignty principles. It introduced the concept of Critical Information Infrastructure (CII) operators — entities in sectors like energy, finance, transport, water, healthcare, and government services — and required them to store personal data and “important data” collected within China on domestic servers. It also mandated security assessments before any cross-border transfer.

The Data Security Law, effective September 2021, expanded this framework by introducing a national data classification and grading system. Data is categorized based on importance to national security, economic security, and social stability. “Core national data” is the most sensitive tier, with the strictest handling restrictions. The DSL applies to data processing activities both within and outside China when those activities affect China’s national security or public interests.

The Personal Information Protection Law, effective November 2021, is China’s equivalent of GDPR — but with significant differences. PIPL governs the collection, use, processing, and transfer of personal information of individuals located in China. It applies to any organization processing such data, regardless of whether the processor is inside or outside China. Foreign companies with no legal entity in China are still required to designate a China-based representative responsible for compliance.

Together, these three laws create overlapping compliance obligations that affect virtually every foreign company with Chinese operations, employees, customers, or digital users.

Data Localization Requirements: Who Must Store What in China

The localization mandate is the most operationally disruptive requirement for multinationals.

Under CSL and DSL, CII operators must store personal information and important data collected in China on domestic servers. The Cyberspace Administration of China (CAC) has designated CII operators in: public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, national defense, and any other sectors designated by the State Council.

For companies that are not CII operators, the requirement shifts slightly: personal information and important data must be stored locally unless the company passes a government security assessment or meets an alternative transfer mechanism. There is no blanket exemption for small volumes or low-sensitivity data.

Practically speaking, most foreign multinationals operating in China need a China-hosted infrastructure environment. Common approaches include:

  • Alibaba Cloud (Aliyun) or Tencent Cloud domestic zones — widely used by multinationals to segment Chinese operations data
  • AWS China (operated by SINNET in Beijing or NWCD in Ningxia) — technically separate entities from global AWS
  • Microsoft Azure China (operated by 21Vianet) — similarly ring-fenced from global Azure

The key technical challenge: Chinese cloud zones are not extensions of global cloud infrastructure. Data cannot flow between them and their global counterparts without going through a formal cross-border transfer mechanism.

Cross-Border Data Transfer: Three Pathways and What Each Requires

Moving data out of China requires navigating one of three regulatory pathways established under PIPL and the CAC’s Provisions on Regulating and Promoting Cross-Border Data Flows (effective March 2024).

Pathway 1: CAC Security Assessment

Mandatory for:

  • CII operators transferring any personal information
  • any organization transferring personal information of more than 1 million individuals
  • organizations that have transferred personal information of more than 100,000 individuals, or sensitive personal information of more than 10,000 individuals, since January 1 of the prior year

The CAC assessment reviews the data handling practices of both the domestic processor and the foreign recipient, the security of the transfer, and potential national security implications. Processing time is 57 working days (extensible). Approval is valid for two years.

Pathway 2: Standard Contract

For companies below the volume thresholds above. The CAC published its official Standard Contract for Cross-Border Transfer of Personal Information in June 2023, closely modeled on but distinct from the EU’s Standard Contractual Clauses. Companies must execute this contract with overseas recipients, conduct a Personal Information Protection Impact Assessment (PIPIA), and file the executed contract with local provincial CAC authorities within 10 working days.

Pathway 3: Certification by Designated Institution

Available for intra-group cross-border transfers. The personal information processor must obtain certification from a CAC-designated institution. As of early 2026, only a handful of institutions are authorized to issue such certifications, and processing timelines can stretch to six months or more.

The March 2024 provisions also introduced free trade zone (FTZ) exemptions — data flows within designated FTZs (such as Shanghai, Hainan, and Shenzhen) may be subject to lighter requirements defined by provincial governments. This is a significant development for companies using FTZ structures for their China operations. For more on leveraging free trade zone structures, see our guide to China market entry strategies for western companies.

PIPL Obligations: Consent, Purpose Limitation, and Individual Rights

Beyond localization and cross-border transfer, PIPL imposes substantive obligations on how personal information is collected and used.

Consent requirements are stricter than many Western frameworks. Separate, specific consent is required for: sensitive personal information (biometrics, health data, financial information, location, and the data of children under 14); provision of personal information to third parties; cross-border transfers; and automated decision-making that has significant effects on individuals.

Pre-ticked boxes, bundled consent, and overly broad privacy notices are non-compliant. The CAC has initiated enforcement actions against major domestic platforms for consent failures — foreign companies should not assume enforcement will be softer for them.

Purpose limitation and data minimization apply strictly. Data collected for one purpose cannot be repurposed without new consent. This creates real operational friction for companies used to broad data sharing within multinational groups — for example, feeding Chinese customer data into a global CRM system without a proper legal basis is likely non-compliant.

Individual rights under PIPL include: right to access, right to correction, right to deletion (in specified circumstances), right to restrict processing, right to receive a data copy, and right to opt out of automated decision-making. Companies must establish accessible mechanisms for exercising these rights.

Data breach notification must occur “immediately” upon discovery, with notification to both affected individuals and the CAC. China’s cyber incident reporting system also requires notification to the Ministry of Public Security for serious incidents. See our coverage of China’s regulatory requirements for foreign businesses for context on the broader compliance landscape.

Important Data: The Classification System Foreign Companies Underestimate

Outside of personal information, the DSL’s “important data” concept is one of the least understood and most significant compliance challenges for foreign businesses.

“Important data” refers to data that, if tampered with, destroyed, leaked, or illegally obtained, could harm national security, economic operation, social stability, or public health and safety. Crucially, each industry sector is required to define its own important data catalog, and those industry-specific catalogs are still being developed. As of 2026, published important data catalogs exist for: financial data (PBOC and CSRC have issued draft and final guidance), automotive data (the Automotive Data Security Management Regulations, effective October 2021, explicitly list location data, vehicle operating data, and road environment data as important), and certain aspects of healthcare data.

For multinationals, the practical implication is significant: you may be holding “important data” without knowing it. A foreign company operating manufacturing facilities in China may collect production, logistics, or geographic data that falls under important data classifications. An autonomous vehicle technology company almost certainly does.

Companies should conduct an internal data audit against published and draft sector catalogs, and build a conservative compliance posture while awaiting finalized guidance. The US-China Business Council (USCBC) has published practical guidance on navigating the important data framework: uschina.org.

Enforcement Trends: Who Is Getting Fined and Why

CAC enforcement has accelerated dramatically since 2022. Key enforcement patterns to understand:

App and platform audits have been the primary mechanism to date. The CAC’s “App Special Rectification” campaigns have resulted in removal orders and fines for thousands of apps — both domestic and foreign — for violations including excessive data collection, unauthorized sharing with third parties, failure to provide privacy policies, and unclear consent mechanisms. DiDi’s 2022 fine of RMB 8.026 billion (approximately $1.2 billion) for serious violations of CSL, DSL, and PIPL remains the landmark case.

Cross-border data transfer enforcement is escalating. The CAC’s enforcement apparatus has focused more on actual data flows since the 2024 provisions. Companies that have been transferring HR data, customer data, or operational data to overseas headquarters without completing the appropriate transfer mechanisms are in a vulnerable position.

Executive liability is real. PIPL explicitly provides for personal liability of directly responsible executives. Fines for individuals can reach RMB 1 million, and criminal referrals for serious violations are increasingly being made to the Ministry of Public Security.

The official CAC enforcement database and regulatory updates are accessible at cac.gov.cn — monitoring this resource is advisable for any company with significant China data operations.

Practical Compliance Roadmap for Foreign Companies

Getting compliant requires structured work across legal, IT, and operations teams. A workable roadmap:

Step 1 — Data Mapping. Conduct a comprehensive inventory of what personal information and potentially important data you collect, where it is stored, how it flows (including to HQ systems, HR platforms, analytics tools, and cloud services), and who has access. This is non-negotiable as the foundation of any compliance program.

Step 2 — Infrastructure Audit. Determine whether your current IT infrastructure routes Chinese data through overseas systems. If using global SaaS tools (Salesforce, Workday, SAP, Google Workspace, Microsoft 365 with global tenancy), you likely have unresolved localization issues. Evaluate China-specific configurations, domestic deployments, or alternative local vendors.

Step 3 — Transfer Mechanism Selection. Based on your data volumes and entity structure, determine which of the three cross-border transfer pathways applies to each data flow. Execute Standard Contracts with overseas recipients where applicable and complete PIPIAs.

Step 4 — Policy and Notice Updates. Update Chinese-language privacy policies, employee data notices, and customer consent flows to meet PIPL standards. Audit consent mechanisms on websites, apps, and offline collection points.

Step 5 — Incident Response Planning. Establish a China-specific incident response plan with notification timelines mapped to CAC and MPS requirements. Ensure your China legal team and DPO equivalent are integrated into the response chain.
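Step 3 above asks you to work out, for each data flow in your inventory, which of the three transfer pathways from the earlier section applies. The following Python is an added example, not code from the article or any regulator, that encodes the article's stated triggers (CII operator status, the 1 million, 100,000 and 10,000 individual thresholds) as a checker you can run over a constructed flow inventory from Step 1. Field names, the `TransferFlow` and `OrgHistory` records, and the sample flows are assumptions; the free trade zone exemptions and the important data classification are not modelled and still need the separate reviews the article describes.

```python
from dataclasses import dataclass
from typing import Dict, List

# Pathway labels, following the three pathways described in the article.
CAC_ASSESSMENT = "Pathway 1: CAC security assessment"
STANDARD_CONTRACT = "Pathway 2: CAC Standard Contract (PIPIA + filing within 10 working days)"
CERTIFICATION = "Pathway 3: certification by a CAC-designated institution"

# Volume thresholds as stated in the article for the mandatory assessment.
ASSESSMENT_INDIVIDUALS = 1_000_000   # individuals in a single transfer
CUMULATIVE_INDIVIDUALS = 100_000     # individuals transferred since 1 Jan of prior year
CUMULATIVE_SENSITIVE = 10_000        # sensitive PI individuals since 1 Jan of prior year


@dataclass
class TransferFlow:
    """One outbound flow from the China entity (hypothetical record layout)."""
    name: str
    exporter_is_cii: bool   # is the exporting entity a designated CII operator?
    individuals: int        # individuals whose personal information this flow moves
    intra_group: bool       # recipient is a group affiliate (Pathway 3 eligibility)


@dataclass
class OrgHistory:
    """Organisation-wide cumulative transfers since 1 January of the prior year."""
    individuals_transferred: int
    sensitive_individuals_transferred: int


def assessment_reasons(flow: TransferFlow, history: OrgHistory) -> List[str]:
    """Every reason the CAC security assessment is mandatory (empty list if none)."""
    reasons = []
    if flow.exporter_is_cii and flow.individuals > 0:
        reasons.append("CII operator transferring personal information")
    if flow.individuals > ASSESSMENT_INDIVIDUALS:
        reasons.append("more than 1 million individuals in this transfer")
    if history.individuals_transferred > CUMULATIVE_INDIVIDUALS:
        reasons.append("more than 100,000 individuals transferred since 1 Jan of prior year")
    if history.sensitive_individuals_transferred > CUMULATIVE_SENSITIVE:
        reasons.append("sensitive PI of more than 10,000 individuals since 1 Jan of prior year")
    return reasons


def eligible_pathways(flow: TransferFlow, history: OrgHistory) -> List[str]:
    """Pathways open to this flow; when the assessment is triggered it is the only option."""
    if flow.individuals == 0:
        # No personal information moves, so the PIPL pathways do not apply.
        # Important data (DSL) is out of scope here and needs the sector-catalog review.
        return []
    if assessment_reasons(flow, history):
        return [CAC_ASSESSMENT]
    options = [STANDARD_CONTRACT]
    if flow.intra_group:
        options.append(CERTIFICATION)
    return options


def inventory_report(flows: List[TransferFlow], history: OrgHistory) -> Dict[str, List[str]]:
    """Map each inventoried flow to its pathway options (the core of Step 3)."""
    return {f.name: eligible_pathways(f, history) for f in flows}


# Constructed sample inventory for illustration, not real company data.
SAMPLE_HISTORY = OrgHistory(individuals_transferred=40_000, sensitive_individuals_transferred=500)
SAMPLE_FLOWS = [
    TransferFlow("HR records to global HRIS", exporter_is_cii=False, individuals=1_200, intra_group=True),
    TransferFlow("Customer CRM sync to HQ", exporter_is_cii=False, individuals=1_500_000, intra_group=True),
    TransferFlow("Telemetry without PI", exporter_is_cii=False, individuals=0, intra_group=False),
]

if __name__ == "__main__":
    for name, paths in inventory_report(SAMPLE_FLOWS, SAMPLE_HISTORY).items():
        print(f"{name}: {paths or 'no PIPL transfer pathway required'}")
```

The cumulative counters live on the organisation rather than on the flow because the article's 100,000 and 10,000 triggers are measured across everything the organisation has transferred since January 1 of the prior year, so one large historical flow can push every later small flow into the assessment pathway.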

For a broader understanding of operating within China’s legal framework, our guide to protecting intellectual property in China covers complementary aspects of the regulatory landscape. And for context on how China’s digital ecosystem shapes compliance requirements in practice, see how China’s digital ecosystem differs from the West.

The US Commercial Service China team also maintains a current overview of regulatory requirements for US businesses: trade.gov/china.

The Bottom Line

China’s data laws are not theoretical risk — they are an active compliance requirement with real enforcement consequences. The framework is complex partly by design: it gives regulators broad discretion to act when national security or economic interests are implicated, while also creating genuine consumer protection obligations. For foreign businesses, the right posture is to treat China data compliance as a board-level issue, not an IT ticket. The companies that have been caught flat-footed are those that applied a “wait and see” approach while continuing to operate data flows that were never legal under Chinese law.

Build the infrastructure, execute the contracts, train your China team on PIPL obligations, and monitor CAC guidance as sector-specific important data catalogs continue to be published. The framework will continue to evolve — and staying ahead of it is far less costly than the alternative.