Point of View: China’s Cybersecurity Law: Personal Information Protection Overview
As part of our series providing insights into the Cybersecurity Law of the People’s Republic of China (PRC), this Point of View (POV) highlights a key area pertaining to personal information protection.
Personal information is defined as information that can be used individually or in combination with other information to identify a person. Requirements around the dissemination and management of personal information by network operators are prescribed within the Cybersecurity Law and are closely linked to the national standard of personal information protection, the Personal Information Security Specification (“the Specification”).
The enforcement of personal information protection is primarily based on the Territoriality Principle: all legal entities operating in mainland China must comply with legal requirements, and authorities can prosecute offenses committed within the Chinese border. This means that both local and multinational companies operating within mainland China are accountable for personal information protection and must comply with the requirements outlined in the Cybersecurity Law and the Specification. It is therefore essential that companies understand these requirements and address the potential compliance challenges discussed in this POV.