Quick Guide: Cybersecurity and Data Protection: China

The cybersecurity and data protection regime in China (PRC) is rapidly evolving and becoming one of the most stringent in the world. Following the enactment of the Cybersecurity Law of the PRC 2016 (2016 CSL, with effect from 1 June 2017), there has been an abundance of implementing regulations and guidelines proposed, issued or revised to flesh out the essentials and concepts introduced under the 2016 top-tier law (see Legal Update, China passes Cybersecurity Law). On 12 September 2022, the regulator circulated a consultation draft of proposed revisions to the 2016 CSL, see Legal Update, CAC Circulates Draft Revisions to Cybersecurity Law.

There is no single regulatory authority, comparable for instance to the Privacy Commissioner in Hong Kong, which deals exclusively with privacy or data protection matters. Instead, various administrative authorities have claimed jurisdiction over data privacy and security matters, including:

The Cyberspace Administration of China (CAC).
The Ministry of Public Security (MPS).
The Ministry of Industry and Information Technology (MIIT).
The State Administration for Market Regulation (SAMR).

For areas where there is no national legislation, the SAMR and the Standardization Administration of China (SAC) release non-binding guidelines and recommended national standards to fill the gap or work as a trial for future legislation, and these standards should be followed as the starting point for companies drawing up compliance programmes and policies in China. The subcommittee of the SAC responsible for preparing the non-binding guidelines and recommended national standards on data privacy is the National Information Security Standardization Technical Committee (全国信息安全标准化技术委员会) (also known as TC260).

With significant updates arriving frequently since 2016, and expected to continue in the near future, businesses from all walks of life are recommended to consistently monitor the developments and verify the latest situation before reaching any significant decision.

For an overview of the key elements of the 2016 CSL, see Practice Note, Chinese Cybersecurity Law: Overview.

Cybersecurity Risk Classification

Measures on Cybersecurity Classification Evaluating Institutions Management 2018 (网络安全等级保护测评机构管理办法), issued by the MPS on 17 April 2018 with immediate effect.
Regulations on Cybersecurity Classification Protection (Draft for Comments) (网络安全等级保护条例(征求意见稿)), released by the MPS on 27 June 2018 (see Legal Update, MPS circulates draft rules on cybersecurity risk classification).
Notice on Launching the Pilot Multi-Level Protection Scheme for Cybersecurity of Industrial Internet Enterprises 2021 (关于开展工业互联网企业网络安全分类分级管理试点工作的通知), issued by the MIIT with effect from 13 January 2021.
Basic Requirements for Cybersecurity Classification Protection of Radio and Television Networks (GY/T 352-2021) (广播电视网络安全等级保护基本要求), released by the National Radio and Television Administration (NRTA) on 14 July 2021, with immediate effect.
TC260 guidelines:
- Information Security Technology: Baseline for Cybersecurity Classification Protection (GB/T 22239-2019) (信息安全技术 - 网络安全等级保护基本要求), with effect from 1 December 2019;
- Information Security Technology: Technical Requirements of Security Design for Cybersecurity Classification Protection (GB/T 25070-2019) (信息安全技术 - 网络安全等级保护安全设计技术要求), with effect from 1 December 2019;
- Information Security Technology: Evaluation Requirements for Cybersecurity Classification Protection (GB/T 28448-2019) (信息安全技术 - 网络安全等级保护测评要求), with effect from 1 December 2019;
- Information Security Technology: Implementation Guidelines for Cybersecurity Classification Protection (GB/T 25058-2019) (信息安全技术 - 网络安全等级保护实施指南), with effect from 1 March 2020; and
- Information Security Technology: Classification Guide for Classified Protection of Cybersecurity (GB/T 22240-2020) (信息安全技术 - 网络安全等级保护定级指南), with effect from 1 November 2020.

For detailed coverage, see:

Critical Information Infrastructure

Guiding Opinions on Implementing the Multi-Level Protection System for Cybersecurity and the Security Protection System for Critical Information Infrastructure 2020 (贯彻落实网络安全等级保护制度和关键信息基础设施安全保护制度的指导意见), publicly issued by the MPS on 22 September 2020.
Regulations on the Security Protection of Critical Information Infrastructure 2021 (关键信息基础设施安全��护条例), issued by the State Council with effect from 1 September 2021 (see Legal Update, State Council issues rules on security protection of critical information infrastructure).
TC260 guidelines:
- Information Security Technology: Methods of Boundary Identification for Critical Information Infrastructure (Draft for Comments) (信息安全技术 - 关键信息基础设施边界确定方法(征求意见稿)), released on 10 August 2020; and
- Information security technology: Methods for Evaluation of Security Protection Capability of Critical Information Infrastructure (Draft for Comments) (信息安全技术 - 关键信息基础设施安全防护能力评价方法(征求意见稿)), released on 10 August 2020.
- Information security technology: Cybersecurity Requirements for Critical Information Infrastructure Protection (GB/T 39204-2022) (信息安全技术 - 关键信息基础设施安全保护要求), with effect from 1 May 2023.

For detailed coverage, see Practice Note, Critical Information Infrastructure Protection in China.

Personal Information

Interpretation on Several Issues on the Application of Law to the Adjudication of Criminal Cases involving the Infringement of Citizens' Personal Information 2017 (关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释), issued by the Supreme People's Court (SPC) and Supreme People's Procuratorate (SPP) with effect from 1 June 2017 (see Legal Update, SPC and SPP release interpretation on criminal infringement of personal information).
Guidelines on Internet Personal Information Security Protection 2019 (互联网个人信息安全保护指南), issued by the MPS on 19 April 2019 with immediate effect (see Legal Update, MPS issues guidelines on internet personal information security protection).
Circular on Ensuring Effective Personal Information Protection and Utilisation of Big Data to Support Joint Efforts for Epidemic Prevention and Control 2020 (关于做好个人信息保护利用大数据支撑联防联控工作的通知), issued by the CAC on 4 February 2020 with immediate effect (see Legal Update, CAC issues notice on protecting personal information collected during effort to control epidemic and Article, Personal information protection during epidemic: answers to six frequently asked questions by companies in China).
Civil Code of the PRC 2020 (民法典), issued by the National People's Congress (NPC) with effect from 1 January 2021 (see Legal Update, China enacts first Civil Code).
Provisions on Several Issues concerning the Application of Law in the Trial of Civil Cases Related to the Use of Facial Recognition Technology to Process Personal Information 2021 (关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定), issued by the SPC with effect from 1 August 2021 (see Legal Update, SPC issues interpretation on use of facial recognition to process personal information).
Personal Information Protection Law of the PRC 2021 (个人信息保护法), issued by the NPC Standing Committee with effect from 1 November 2021 (see Article, China enacts Personal Information Protection Law).
Measures for Credit Investigation Services Management 2021 (征信业务管理办法), issued by the PBOC with effect from 1 January 2022 (see Legal Update, PBOC issues rules on credit investigation services).
TC260 guidelines:
- Information Security Technology: Personal Information Security Specification (GB/T 35273-2020) (信息安全技术 - 个人信息安全规范), with effect from 1 October 2020, replacing its 2017 version released in December 2017 (see Legal Update, TC260 issues amended personal information security standard);
- Information Security Technology - Guide for De-Identifying Personal Information (GB/T 37694-2019) (信息安全技术 - 个人信息去标识化指南), with effect from 1 March 2020;
- Information Technology: Security Techniques: Practice Guidelines for the Protection of Personally Identifiable Information (PII) in Public Clouds by PII Processors (Draft for Comments) (信息技术 - 安全技术 - 个人可识别信��(PII)处理者在公有云中保护PII的实践指南)(征求意见稿)), released on 15 July 2020;
- Information Security Technology: Security Impact Assessment Guide of Personal Information (GB/T 39335-2020) (信息安全技术 - 个人信息安全影响评估指南), with effect from 1 June 2021;
- Information Security Technology - Guide for Health Data Security (GB/T 39725-2020) (信息安全技术 - 健康医疗数据安全指南), with effect from 1 July 2021;
- Information Security Technology: Risk Assessment Method for Information Security (GB/T 20984-2022) (信息安全技术 - 信息安全风险评估方法), with effect from 1 November 2022;
- Information Security Technology: Guidelines for Personal Information Security Engineering (GB/T 41817-2022) (信息安全技术 - 个人信息安全工程指南, with effect from 1 May 2023;
- Information Security Technology: Implementation Guidelines for Notification and Consent in Personal Information Processing (GB/T 42574-2023) (信息安全技术 - 个人信息处理中告知和同意的实施指南), with effect from 1 December 2023.

For detailed coverage, see:

Children's Personal Information

Law of the PRC on the Protection of Minors 2020 (中华人民共和国未成年人保护法), issued by the NPC Standing Committee with effect from 1 June 2021.
Provisions on Online Protection of Children's Personal Information 2019 (儿童个人信息网络保护规定), issued by the CAC on 22 August 2019 with effect from 1 October 2019 (see Legal Update, CAC issues final rules on network protection of children's personal information).
Regulations on the Network Protection of Minors 2023 (未成年人网络保护条例), issued by the State Council with effect from 1 January 2024 (see Legal Update, State Council Issues Specific Rules to Protect Minors Online).

For detailed coverage, see:

Practice Note, Data Collection and Processing: Children's Personal Information (China).

Personal Financial Information

Personal Financial Information Technical Protection Specification (JR/T 0171-2020) (个人金融信息保护技术规范), issued by the People's Bank of China (PBOC) with effect from 13 February 2020 (see Legal Update, PBOC issues national standard on protection of personal financial information).
Implementation Measures for Protection of the Rights and Interests of Financial Consumers 2020 (中国人民银行金融消费者权益保护实施办法), issued by the PBOC with effect from 1 November 2020.

For detailed coverage, see:

Practice Note, Data Collection and Processing: Personal Financial Information (China).

Data Secuirty

Measures on Data Security Management (Draft for Comments) (数据安全管理办法(征求意见稿)), released by the CAC on 28 May 2019 (see Legal Update, CAC circulates draft measures on data security).
Guidelines for the Construction of Data Security Standard System in the Telecommunications and Internet Industries (Draft for Comments) (电信和互联网行业数据安全标准体系建设指南(征求意见稿)), released by the MIIT on 11 August 2020.
Measures on Regulatory Data Security Management (Trial) 2020 (中国银保监会监管数据安全管理办法(试行)), circulated by the China Banking and Insurance Regulatory Commission with effect from 23 September 2020.
Data Security Law of the PRC 2021 (数据安全法), issued by the NPC Standing Committee with effect from 1 September 2021 (see Article, China enacts Data Security Law).
Several Provisions on the Management of Automobile Data Security (Trial) 2021 (汽车数据安全管理若干规定(试行)), issued by the CAC, National Development and Reform Commission (NDRC), MIIT, MPS and the Ministry of Transport (MOT), with effect from 1 October 2021. (For information on the draft, see Legal Update, CAC circulates consultation draft of automobile data privacy and security rules.)
Security Guidelines for Processing Vehicle Collected Data (TC260-001) (汽车采集数据处理安全指南), issued by TC260 on 8 October 2021 with immediate effect.
Data Regulations of Shenzhen Special Economic Zone 2021 (深圳经济特区数据条例), issued by the Shenzhen Municipal People's Congress Standing Committee with effect from 1 January 2022 (see Legal Update, Shenzhen finalises local data rules).
Regulations on Network Data Security Management (Draft fort Comments) (网络数据安全管理条例(征求意见稿)), released by the CAC on 14 November 2021 (see Legal Update, CAC circulates draft network data security rules).
Data Regulations of Shanghai 2021 (上海市数据条例), issued by the Shanghai Municipal People's Congress Standing Committee with effect from 1 January 2022.
Measures for Data Security Management in the Industrial and Information Sector (Trial) 2022 (工业和信息化领域数据安全管理办法(试行)), released by the MIIT on 8 December 2022, with effect from 1 January 2023.
Measures on the Administration of Cybersecurity of Medical and Health Institutions 2022 (医疗卫生机构网络安全管理办法), issued by the National Health Commission (NHC) and other regulators on 8 August 2022, with immediate effect.
Notice on Promoting the Development of Intelligent and Connected Vehicles and Maintaining the Security of Surveying and Mapping Geographic Information 2022 (关于促进智能网联汽车发展维护测绘地理信息安全的通知), issued by the Ministry of Natural Resources on 30 August 2022, with immediate effect (see Legal Update, MNR Issues Notice on Surveying and Mapping Data Processing by ICVs).

We are working on a stand-alone note to cover this area.

Data Classification and Grading

Guidelines for Classification and Grading of Securities and Futures Industry Data (JR/T 0158-2018) (证券期货业数据分类分级指引), issued by the China Securities Regulatory Commission (CSRC) with effect from 27 September 2018.
Guidelines for Classification and Grading of Industrial Data (Trial) 2020 (工业数据分类分级指南(试行)), circulated by the MIIT with effect from 27 February 2020.
Financial Data Security: Guidelines for Data Security Grading (JR/T 0197—2020) (金融数据安全 - 数据安全分级指南), circulated by the PBOC with effect from 23 September 2020.
Cybersecurity Practices Guidelines: Guidelines for Classification and Grading of Network Data (v1.0-202112) (网络安全标准实践指南 - 网络数据分类分级指引), issued by TC260 with effect from 31 December 2021.
Information Security Technology: Requirements for Classification and Grading of Network Data (Draft to Solicit Comments) (信息安全技术 - 网络数据分类分级要求(征求意见稿)), released by TC260 on 14 September 2022 (see Legal update, TC260 Circulates Draft Technical Standard on Classification and Grading of Network Data).

We are working on a stand-alone note to cover this area.

Important Data

Information Security Technology – Guideline for Identification of Important Data (Draft for Comments) (信息安全技术 - 重要数据识别指南(征求意见稿)), released by TC260 on 23 September 2021, and its second draft, released by TC260 on 13 January 2022 (see Legal Update, TC260 circulates draft guidelines on identification of important data).

We are working on a stand-alone note to cover this area.

Data Export

Information Security Technology: Guidelines for Data Cross-Border Transfer Security Assessment (Draft) (信息安全技术 - 数据出境安全评估指南(草案)) released by TC260 on 27 May 2017 (see Legal Update, TC260 circulates draft guidelines on security assessment of data exports), and its revised draft released on 30 August 2017 (see Legal Update, TC260 circulates revised draft guidelines on data export security assessments).
Administrative Measures on National Health and Medical Care Big Data Standards, Security and Services (Trial) 2018 (国家健康医疗大数据标准、安全和服务管理办法 (试行)), issued by the National Health Commission (NHC) on 12 July 2018 with immediate effect (see Legal Update, NHC issues guidelines on health and medical care big data standards, security and services and also Practice Note, Cybersecurity and Data protection in Chinese Healthcare industry).
Archives Law of the PRC 2020 (档案法), issued by the NPC Standing Comitee with effect from 1 January 2021 (see Legal Update, NPC Standing Committee amends Archives Law).
Measures on Security Assessments of Cross-border Transfers of Data 2022 (数据出境安全评估办法), issued by the CAC on 7 July 2022, with effect from 1 September 2022 (see Legal Update, CAC Issues Measures on Data Export Security Assessments).
Implementation Rules on Personal Information Protection Certification 2022 (个人信息保护认证实施规则), issued by the SAMR and CAC on 18 November 2022, with immediate effect (see Legal Update, SAMR and CAC Issue Implementing Rules on Personal Information Protection Certification).
Guidance on Cybersecurity Standardised Practice: Technical Specification for Certification of Personal Information Cross-Border Processing Activities V2.0 (TC260-PG-20222A) (网络安全标准实践指南—个人信息跨境处理活动安全认证规范V2.0), issued by TC260 on 16 December 2022 with immediate effect (see Legal Update, TC260 Issues Revised Cross-Border PI Protection Certification Specification).
Provisions on Strengthening the Secrecy and Archives Management of Domestic Enterprises Overseas Issuing Securities and Listing 2023 (关于加强境内企业境外发行证券和上市相关保密和档案管理工作的规定), issued by the CSRC, with effect from 31 March 2023 (see Legal Update, CSRC Issues Revised Rules on Overseas Listings by Domestic Companies).
Measures on the Standard Contract for Exports of Personal Information 2023 (个人信息出境标准合同办法), issued by the CAC on 22 February 2023, with effect from 1 June 2023 (see Legal Update, CAC Releases Rules on Standard Contract for Data Exports).
Implementation Guidelines on the Standard Contract for Cross-Boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) 2023 (粤港澳大湾区(内地、香港)个人信息跨境流动标准合同实施指引), issued by the CAC and the Innovation, Technology and Industry Bureau of the Hong Kong Special Administrative Region (ITIB) on 10 December 2023, with immediate effect (see Legal Update, CAC and ITIB Issue Guidelines on Standard Contracts for Cross-Boundary Data Flow Within the GBA).
Regulations for the Implementation of the Archives Law of the PRC 2024 (中华人民共和国档案法实施条例), issued by the State Council, with effect from 1 March 2023 (see Legal Update, State Council Issues New Implementing Regulations on Archives Law).
Guidelines for the Application of Data Export Security Assessment (Second Edition) 2024 (数据出境安全评估申报指南(第二版)), issued by the CAC on 22 March 2024, with immediate effect. (For information on the first edition, see Legal Update, CAC Issues Guidelines on Data Export Security Assessments).)
Guidelines for the Filing of Standard Contracts for Exports of Personal Information (Second Edition) 2024 (个人信息出境标准合同备案指南(第二版)), issued by the CAC on 22 March 2024 with immediate effect. (For information on the first edition, see Legal Update, CAC Issues Guidelines on Filing Data Export Standard Contracts).)
Provisions on Promoting and Standardising Cross-border Data Flows 2024 (促进和规范数据跨境流动规定), issued by the CAC on 22 March 2024, with immediate effect (see Legal Update, CAC Issues Provisions to Clarify and Relax Data Export Rules).
Law of the PRC on Guarding State Secrets 2024 (2024 State Secrets Law) (中华人民共和国保守国家秘密法), issued by the NPC Standing Committee, with effect from 1 May 2024 (see Legal Update, NPC Standing Committee Amends State Secrets Law).

For detailed coverage, see:

Data Breach Notification

Emergency Response Plan for Cybersecurity Incidents 2017 (国家网络安全事件应急预案), issued by the Office of the Central Cyberspace Affairs Commission (中央网络安全和信息化委员会办公室) on 10 January 2017 with immediate effect.
Emergency Response Plan for Unexpected Cybersecurity Incidents of the Public Internet 2017 (公共互联网网络安全突发事件应急预案), issued by the MIIT on 14 November 2017 with immediate effect.
Provisions on Internet Security Supervision and Inspection by Public Security Organs 2018 (公安机关互联网安全监督检查规定), issued by the MPS with effect from 1 November 2018.
Measures for the Management of Cybersecurity Incident Reporting (Draft for Comments) (网络安全事件报告管理办法(征求意见稿)), released by the CAC on 8 December 2023.

For detailed coverage, see:

Cybersecurity Review and Network Product Security

Catalogue of Critical Network Equipment and Cybersecurity Products (First Batch) 2017 (网络关键设备和网络安全专用产品目录(第一批)), issued by the CAC, jointly with the MIIT, MPS and the China Certification and Accreditation Administration (CNCA) (中国国家认证认可监督管理委员会) on 1 June 2017 with immediate effect.
Catalogue of Institutions Undertaking Security Certification and Security Inspection for Critical Network Equipment and Specialised Network Products (First Batch) 2018 (承担网络关键设备和网络安全专用产品安全认证和安全检测任务机构名录(第一批)), issued by the CAC, jointly with the MIIT, MPS and CNCA on 15 March 2018 with immediate effect.
Announcement on Implementation Requirements for Security Certification of Critical Network Equipment and Specialised Network Products 2018 (关于网络关键设备和网络安全专用产品安全认证实施要求的公告), issued by the CAC and Certification and Accreditation Administration of China on 30 March 2018 with immediate effect.
Implementation Measures on Security Certification for Critical Network Equipment and Specialised Network Products (CNCA-CCIS-2018) (网络关键设备和网络安全专用产品安全认证实施规则), issued by the CNCA with effect from 27 June 2018.
Implementation Measures on Security Inspection for Critical Network Equipment (Draft for Comments) (网络关键设备安全检测实施办法(征求意见稿)), released by the MIIT on 5 June 2019.
TC260 guidelines: Relevant National Standard Requirements on Security Certification for Critical Network Equipment and Specialised Network Products (Draft for Comments) (网络关键设备和网络安全专用产品相关国家标准要求(征求意见稿)) and its revised draft, released by on 16 May 2019 and 14 August 2019 respectively.
General Requirements for the Security of Critical Network Equipment (GB 40050-2021) (网络关键设备安全通用要求), issued by the SAMR and CAC with effect from 1 August 2021.
Provisions on Administration of Security Vulnerability of Network Products 2021 (网络产品安全漏洞管理规定) issued by the MIIT, CAC and MPS with effect from 1 September 2021.
Measures for Cybersecurity Review 2021 (网络安全审查办法), issued by the CAC and 12 other government authorities, replacing the 2020 version from 15 February 2022 (see Legal Update, CAC and other departments issue revised cybersecurity review measures).
Announcement on Adjusting Matters Concerning Security Management of Specialised Cybersecurity Products 2023 (关于调整网络安全专用产品安全管理有关事项的公告), issued by the CAC and other four government authorities, with effect from 12 April 2023.

For detailed coverage, see:

Encryption Technologies, Products and Services

Encryption Law of the PRC 2019 (密码法), issued by the NPC Standing Committee with effect from 1 January 2020 (see Legal Update, China Enacts Encryption Law).
Regulations on Administration of Commercial Cipher Codes 2023 (商用密码管理条例), issued by the State Council with effect from 1 July 2023 (see Legal Update, State Council Revises Rules on Commercial Encryption).

For detailed coverage, see Practice Note, Regulation of Encryption Technologies, Products and Services in China.

Mobile Apps

Announcement on Conducting Special Rectification Campaign against Illegal Collection and Use of Personal Information by Apps 2019 (关于开展App违法违规收集使用个人信息专项治理的公告), jointly issued by the CAC, MIIT, MPS and the SAMR on 23 January 2019 with immediate effect.
Announcement on Launching Apps Security Certification 2019 (关于开展App安全认证工作的公告), issued by the SAMR and CAC on 13 March 2019 with immediate effect.
Notice on Conducting Special Rectification Campaign against the Infringement of User rights by Apps 2019 (关于开展APP侵害用户权益专项整治工作的通知), issued by the MIIT on 31 October 2019 with immediate effect.
Measures for Determining Illegal and Non-compliant Collection and Use of Personal Information by Apps 2019 (App违法违规收集使用个人信息行为认定方法), issued by the CAC, MIIT, MPS and the SAMR on 28 November 2019 with immediate effect (see Legal Update, CAC and other ministries provide guidance on illegal collection and use of personal information by Apps).
Provisions on the Ecological Governance of Network Information Content 2019 (网络信息内容生态治理规定), issued by the CAC with effect from 1 March 2020.
Notice on Launching Further Special Rectification Campaign on the Infringement of User Rights and Interests by Apps 2020 (关于开展纵深推进APP侵害用户权益专项整治行动的通知), issued by the MIIT on 22 July 2020 with immediate effect.
Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications 2021 (常见类型移动互联网应用程序必要个人信息范围规定), released by the CAC, MIIT, MPS and SAMR with effect from 1 May 2021 (see Legal Update, CAC and other ministries identify scope of necessary personal information for mobile apps).
Interim Administrative Provisions on the Personal Information Protection in Internet Mobile Applications (Draft for Comments) (移动互联网应用程序个人信息保护管理暂行规定(征求意见稿)), released by the MIIT on 26 April 2021.
Notice on Launching Actions for Improvements to the Perception of Information and Communications Services 2021 (关于开展信息通信服务感知提升行动的通知), issued by the MIIT with effect from 1 November 2021.
Administrative Provisions on Information Services of Mobile Internet Application Programs 2022 (移动互联网应用程序信息服务管理规定), issued by the CAC with effect from 1 August 2022.
Provisions on the Management of Internet User Account Information 2022 (互联网用户账号信息管理规定), issued by the CAC with effect from 1 August 2022.
Provisions on the Administration of Internet Pop-up Information Push Services 2022 (互联网弹窗信息推送服务管理规定), issued by the CAC with effect from 30 September 2022.
Notice of the Ministry of Industry and Information Technology on Carrying out Record-Filing for Mobile Internet Applications 2023 (工业和信息化部关于开展移动互联网应用程序备案工作的通知), issued by the MIIT on 21 July 2023 with immediate effect.
TC260 guidelines:
- Cybersecurity Practices Guidelines: Specification of the Essential Information for the Basic Business Functions of Mobile Internet Apps (TC260-PG-20191A) (网络安全实践指南 - 移动互联网应用基本业务功能必要信息规范), issued on 1 June 2019 with immediate effect;
- Cybersecurity Practices Guidelines: Guidelines for the Personal Information Safety Precautions of Mobile Internet Apps (Draft for Comments) (网络安全标准实践指南 - 移动互联网应用程序(App)个人信息安全防范指引(征求意见稿)), released on 30 March 2020;
- Cybersecurity Practices Guidelines: Self-assessment Guide for Collecting Personal Information by Mobile Internet Applications (TC260-PG-20202A) (网络安全标准实践指南 - 移动互联网应用程序(App)收集使用个人信息自评估指南), released on 22 July 2020 with immediate effect, based on the self-assessment guide issued by the Personal Information Protection Task Force on 1 March 2019 (namely, the Self-assessment Guide for the Illegal Collection of Personal Information by Mobile Applications 2019 (App违法违规收集使用个人信息自评估指南));
- Cybersecurity Practices Guidelines: Guidelines for the Use of System Permissions by Mobile Internet Applications (TC260-PG-20204A) (网络安全标准实践指南-移动互联网应用程序(App)系统权限申请使用指南), with effect from 18 September 2020;
- Cybersecurity Practices Guidelines: Security Guidelines for Using Software Development Kit (SDK) for Mobile Internet Applications (App) (TC260-PG-20205A) (网络安全标准实践指南—移动互联网应用程序(App)使用软件开发工具包(SDK)安全指引), with immediate effect from 27 November 2020;
- Information Security Technology: Basic Requirements for Collecting Personal Information in Mobile Applications (GB/T 41391-2022) (信息安全技术移动互联网应用程序(App)收集个人信息基本要求), with effect from 1 November 2022.

For detailed coverage, see:

Health and Genetic Data

Regulations on Human Genetic Resources 2019 (人类遗传资源管理条例), issued by the State Council with effect from 1 July 2019 (see Legal Update, State Council revises rules on human genetic resources).
Biosecurity Law of the PRC 2020 (生物安全法), issued by the NPC Standing Committee with effect from 15 April 2021.
Rules for the Implementation of the Regulations on the Administration of Human Genetic Resources 2023 (人类遗传资源管理条例实施细则), issued by the Ministry of Science and Technology (MOST) on 1 June 2023, with effect from 1 July 2023 (see Legal Update, MOST Issues Detailed Implementing Rules on HGR Regulation).

For detailed coverage, see:

Artificial Intelligence (AI)

Provisions on the Administration of Internet Information Services Algorithmic Recommendations 2021 (互联网信息服务算法推荐管理规定), issued by the CAC, MIIT, MPS and the SAMR with effect from 1 March 2022 (see Legal Update, CAC and Other Departments Issue Rules on Recommendation Algorithms).
Administrative Provisions on Deep Synthesis in Internet-based Information Services 2022 (互联网信息服务深度合成管理规定), issued by the CAC, MIIT and MPS, with effect from 10 January 2023.
Interim Measures for the Management of Generative Artificial Intelligence Services 2023 (生成式人工智能服务管理暂行办法), issued by the CAC and other agencies with effect from 15 August 2023 (see Legal Update, CAC and Other Agencies Issue Interim Measures on Generative AI Services).
Basic Security Requirements for Generative Artificial Intelligence Services (TC260-003) (生成式人工智能服务安全基本要求), issued by TC260 on 29 February 2024, with immediate effect (see Legal Update, TC260 Issues Security Standard for Generative AI).

For detailed coverage, see:

Other Laws, Regulations and Rules

Electronic Commerce Law of the PRC 2018 (电子商务法), issued by the NPC Standing Committee with effect from 1 January 2019 (see Legal Update, NPC Standing Committee promulgates E-commerce Law and Article, China's First E-Commerce Law Enters Into Force: Cybersecurity and Data Protection).
Interpretations on Several Issues concerning the Application of Law in Handling Criminal Cases such as Making Illegal Use of Information Networks and Assisting Information Network Criminal Activities 2019 (关于办理非法利用信息网络、帮助信息网络犯罪活动等刑事案件适用法律若干问题的解释), issued by the SPC and SPP with effect from 1 November 2019.
Law of the People's Republic of China on Countering Telecommunications and Online Fraud 2022 (中华人民共和国反电信网络诈骗法), issued by the NPC Standing Committee with effect from 1 December 2022 (see Legal Update, NPC Standing Committee Enacts Law to Counter Telecoms and Online Fraud).

Quick Guide: Cybersecurity and Data Protection: China | Practical Law