Global menu

Our global pages


Draft Personal Data Protection Law Released in PRC

  • Hong Kong
  • Privacy, data protection and cybersecurity


On 21 October 2020, China unveiled the full text of the draft Personal Data Protection Law of the People's Republic of China (“PRC” or “China”) (in Chinese: 中华人民共和国个人信息保护法(草案), hereinafter referred to as "Draft PDPL") for public comments. The public comment period ends on 19 November 2020.


After the promulgation of PRC Cybersecurity Law (in Chinese: 中华人民共和国网络安全法) back in 2017, the detailed requirements on personal data protection under PRC law are mainly specified through various national standards which include, in particular, the “Information Security Technology - Personal Data Security Specification" (GB/T 35273-2020 first released in 2017 and revised in 2020 - in Chinese: 信息安全技术-个人信息安全规范, “PDSS”).

The national standards issued by the National Standardization Administration (“NSA”) together with other competent authorities are generally divided into two categories: 1) the national standards with a document number that starts with “GB”, which are mandatory standards; and 2) the national standards with a document number that starts with “GB/T”, which are recommended standards, but not legally enforceable by nature.

Currently, all national standards in connection with personal data protection are “GB/T” standards and therefore not legally enforceable, although they have generally been used by various government authorities to assess various data protection compliance issues in practice.

On the above basis, the Draft PDPL is the first law in China that specifically and comprehensively regulates the protection of personal data. Once the Draft PDPL is officially promulgated, the regulatory authorities will have a solid legal basis to enforce the relevant requirements against the activities of all individuals/entities/organizations (including government authorities themselves) relating to the use and protection of personal data.

Read full article here.