China's data protection or cyber security laws and regulations are as follows:
• Cyber Security Law: approved by the Standing Committee of the National People's Congress (NPC) in 2016 As the legal basis of cybersecurity, the law stipulates the obligations of network operators, network product and service providers, and established security requirements for critical information infrastructures. The Cyber Security Law went into effect on June 1, 2017.
• Civil Code of the People's Republic of China: passed by the Third Session of the 13th National People's Congress On May 28, 2020, which came into force on January 1, 2021 In this code, a separate article for personality rights is set up to protect the citizens' privacy rights and right to reputation.
• Personal Information Protection Law: reviewed by the NPC's Standing Committee on October 13, 2020 for a more systematic and standardized regulation for personal information protection The NPC's Standing Committee approved the law on August 20, 2021, which went into effect on November 1, 2021. The law describes the rules for processing personal information and providing personal information across borders, and stipulates the rights of personal information subjects.
• Data Security Law: incorporated into the legislative plan by NPC's Standing Committee in 2018 for standardizing data processing activities, ensuring data security, and promoting data development and utilization. Established on June 10, 2021, the Data Security Law describes requirements on data classification and hierarchical protection and data security review, and specifies security protection obligations of data processors. The law went into effect on September 1, 2021.
• GB/T 35273-2020 Information Security Technology - Personal Information Security Specifications: established by the State Administration for Market Supervision and the National Information Security Standardization Administration Committee to replace its early version GB/T 35273-2017 for the implementation of the Cyber Security Law. GB/T 35273-2020 is an important guideline for protecting personal information security and strictly regulates personal information processing, including data controllers' activities, such as collection, storage, use, sharing, transfer, and disclosure.