Global menu

Our global pages


China publishes second draft on PRC Cybersecurity and Data Protection Laws 中国发布有关中国网络安全及数据保护法的草案二次审议稿

  • Hong Kong
  • Other


On 29 April 2021, the Standing Committee of the National People’s Congress of China published the second draft of the Personal Information Protection Law (“PIPL Draft 2”) and the Data Security Law (“DSL Draft 2”) for public comment.

It is worth noting that the new draft (if passed as currently drafted) will impose additional obligations on “network operators”, as summarised below:

  • Model Clauses for Overseas Data Transfers
    • The Cyberspace Administration of China, the lead cybersecurity regulator in the PRC (“CAC”), intends to publish model clauses to facilitate overseas data transfers (“Model Clauses”).
    • Accordingly, organisations will be required to adopt the Model Clauses for both intra-group and third party data sharing arrangements.
  • Additional Governance Obligations on Certain Online Businesses
    • The PIPL Draft 2 imposes new obligations on: (i) organisations processing a “significant amount” (not defined) of personal data of online users; (ii) organisations that have a “complex business type” (also not defined); and (iii) organisations that provide “basic Internet platform services”.
    • These new obligations include: 
      • establishing a new independent supervisory body (made up of external members) that is responsible for data privacy supervision;
      • suspending the offering of online products or services if the organisation fails to process personal data in accordance with relevant data privacy laws; and
      • regularly publishing reports on the organisation’s compliance with data protection obligations.
  • Data Subject Rights of Deceased Individuals
    • Data subject rights (e.g. right to access or correction) have been extended to deceased individuals under the PIPL Draft 2. Such rights may be exercised by “close relatives” (again not defined).
  • Data Classification and Data Security
    • PRC authorities will introduce a “tiered data classification system”, meaning that organisations will need to assess and classify their data sets, and adopt different security measures assigned to each data category. However, there is no indicative timetable on when such classification system will be introduced.
    • This is consistent with the general trend in the PRC, specifically a movement towards a “classification-based” system in relation to data security. For example, organisations involved in the e-commerce and financial institutions sectors in the PRC are now required to comply with these “classification” obligations and adopt different security measures for different data types (e.g. data which is more “sensitive” must remain in the PRC).
The public consultation period will end on 28 May 2021.

It is our expectation that the two laws will be enacted within this calendar year and come into effect in early 2022. Organisations are therefore highly recommended to constantly monitor the latest developments and, in the interim, assess the changes which will be necessary to ensure their existing policies are compliant with the new requirements. For details on the first draft Data Security Law, please find our previous analysis here.

The PIPL Draft 2 can be found here (in Chinese).

The DSL Draft 2 can be found here (in Chinese).

For more detailed advice about what the PIPL Draft 2 and/or DSL Draft 2 could possibly mean for you, please contact us.



  • 跨境信息传输的标准合同
    • 国家互联网信息办公室,即中国网络安全的首席监管机构,计划发布标准合同以促进跨境信息传输(“标准合同”)。
    • 因此,组织将需要于集团内以及于第三方数据信息共享的安排中均采用标准合同。
  • 对于某些网络业务的额外治理义务
    • 个人信息保护法二次草案对(一)用户数量“巨大”(未定义)的个人信息处理组织;(二)“业务类型复杂”(也未定义)的个人信息处理组织,以及(三)提供“基础性互联网平台服务”的组织,均施加了新的义务。
    • 这些新的义务包括:
      • 成立主要由外部成员组成的独立机构,对个人信息处理活动进行监督;
      • 对严重违反法律、行政法规处理个人信息的平台内的产品或者服务提供者,停止提供服务;及
      • 定期发布个人信息保护社会责任报告,接受社会监督。
  • 已故自然人的个人信息主体权利
    • 已故自然人的个人信息主体权利
  • 数据分类和数据安全
    • 中国当局将引入“数据分类分级保护制度”,这意味着组织将需要就其数据作出评估和分类,并采用分配给每个数据类别不同的安全措施。然而,现时当局还没有制定引入此分类分级保护制度的指示性时间表。
    • 这符合中国于数据安全方面的总体趋势,特别是迈向以“分类为基准”的系统的动态。举例来说,中国现时要求于中国涉足电子商务和金融机构行业的组织遵守这些“分类”的义务,并对不同类型的数据采取不同的安全措施(例如必须把比较“敏感”的数据保留在中国当地)。






o   The Cyberspace Administration of China, the lead cybersecurity regulator in the PRC (“CAC”), intends to publish model clauses to facilitate overseas data transfers (“Model Clauses”).