Photo of Lindsay Zhu

Lindsay Zhu

Contact:Read more about Lindsay Zhu

Recently, the Cyberspace Administration of China issued new comprehensive provisional measures, which went into effect on August 15, 2023, and govern the development and use of generative AI (GAI) in China. The measures cover “GAI services” (including foreign-invested GAI services) provided within the PRC, including the text, pictures, audios, videos and other content they generate.

Our global data team has prepared a practical guide that compares three standard contracts, as a means of facilitating international data transfers, namely:

  • The EU’s standard contractual clauses (effective since June 2021)
  • The People’s Republic of China’s (PRC) standard contract (issued in March 2023)
  • The Association of Southeast Asian Nations’ (ASEAN) model contractual clauses (published in January 2021).


Continue Reading A Guide Comparing EU, China, ASEAN Standard Contracts for Data Transfers

At long last, China has issued the Standard Contract terms and the Measures for implementing them. Click here for more detailed analysis, but, in short:

  1. They apply to any personal information data export from China, except those of a heightened concern (i.e. critical information or large volume and/or sensitive data transfers) or where a voluntary

The past week witnessed two major developments relating to data export from China. On one hand, the data export-related regulation was officially adopted which expands the scope of government assessment. On the other hand, the long-awaited draft personal data export standard contract and the rules relating to the application of the contract were released for

China Publishes New Draft Measure on Cross-Border Data Transfer

On October 29, 2021, China released the Draft Measures on Data Cross-Border Security Assessment (the “Draft Measures”) for public comments. Following its two previous versions in 2017 and 2019, this new draft is developed based on the very recent adoption of the Personal Information Protection Law

As reported in our recent post, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China passed the Personal Information Protection Law (the “PIPL”). The implementation date is set for November 1, 2021, though we await some additional detail via promulgation orders on a number of important provisions, as set forth below, from the regulatory authorities.
Continue Reading New PRC Personal Information Protection Law Passed: A Deeper Dive into the Provisions

After three rounds of revisions, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China officially passed the Personal Information Protection Law (the “PIPL”).

  • Fundamental Principle. The fundamental principles under the PIPL is that collection and processing PI should be limited only the minimum level as necessary to fulfill the specific purpose of PI processing; or the so-called “as minimum and as necessary” principle. PI processing beyond the level of minimum and necessity may be found a violation of the PIPL, even if individual consent is obtained or other formality is fulfilled. PI processing and compliance program should be set up always with the fundamental principles in mind.


Continue Reading NEW: China’s Personal Information Protection Law

The People’s Republic of China (China), has been active lately in passing several new laws and regulations relating to data privacy and security. Here are 2 of the recent laws which tend to focus more on those handling data national security and/or public interest (ala Critical Information Infrastructure or Important Data).
Continue Reading China Passes New Data Privacy and Security Laws

China continues to be a hotbed of activity in the areas of privacy and cybersecurity legislation.  For background on the draft Personal Information Protection Law (“PIPL”) and proposed modifications published in April 2021, please see:

China’s Personal Information Protection Law: What It Means to Companies (Client Alert)

China Releases Second Draft of the Personal Information Protection Law: Comparison of Proposed Changes to First Draft (Security & Privacy // Bytes Blog)

China’s Personal Information Protection Law (Second Draft) – What to Expect (Consumer Privacy World Blog)

In a related development, on April 26, 2021, the Ministry of Industry and Information and Technology of People’s Republic of China (the “MIIT”) issued draft Interim Measures on Personal Information Protection of Mobile Internet Applications “Measures”), for public comments.

This draft Measures follow several rounds of enforcement actions relating to mobile applications (“apps”) in recent years, targeting the over-collection of users’ personal information (“PI”) by demanding access to camera, microphone, photos, contact lists, etc. Currently, these activities are covered by two app-related practical guidelines, and the proposed Measures are the first comprehensive rules on the topic. The draft Measures specify various requirements and obligations applicable to app developers, distribution platforms, third-party app service providers, mobile device manufacturers and network access service providers. Other important provisions may be summarized as follows:
Continue Reading China Issues Draft Interim Measures on Personal Information Protection of Mobile Internet Applications