DPA Digital Digest: China

China boasts the world’s second largest digital economy, accounting for 41.5 percent of national GDP, according to the Chinese government. In 2022, The digital economy grew by 10.3 percent, to RMB 50.2 trillion (approx. USD 7 trillion). China’s 14th five-year plan aims to increase the GDP share of core digital industries to 10 percent by 2025. In parallel, China’s digital rulemaking is also mushrooming: The government advanced over 290 policy developments since 2020 and announced rules on artificial intelligence and data in the 2023 legislative plan.

But what do China’s domestic digital policies stand for? The eleventh DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and China-specific points of emphasis.

• In data governance, China implemented three major laws, established its data localisation and transfer regime, and rigorously enforced data rules, mainly through cybersecurity reviews.

• In content moderation, China imposed rules on various content types, focusing on minor protection and livestreaming, and enforced rules with dedicated moderation campaigns.

• In competition, China amended its anti-monopoly law, advanced a substantial body of secondary legislation, and pursued a domestic “tech crackdown” in enforcement.

• China’s points of emphasis include artificial intelligence, government authorisation and user identification.

Jump directly to the section that interests you most:

Discover the details of China’s regulatory approach on our dedicated country page.

Remain up-to-date on new and upcoming developments with our free notification service. 

Written by Tommaso Giardini and Nils Deeg. Edited by Johannes Fritz.

China’s data governance regime is primarily governed by three^[1] laws: The 2021 Personal Information Protection Law (PIPL), the 2021 Data Security Law (DSL) and the 2017 Cybersecurity Law (CSL). The CSL codified the data regime and was refined by the DSL (on cybersecurity) and PIPL (on data protection). The laws apply simultaneously, with considerable overlap, and will be specified by the currently deliberated regulations on network data security.

The CSL differentiates between measures for all “network operators” and additional duties for “critical information infrastructure” operators (CIIOs). Currently, the CSL is especially relevant for CIIOs, whose data, if compromised, could seriously endanger national security and welfare e.g. energy, water, and finance. The CSL requires all operators to install security systems and cyber incident response plans and introduces the “Cybersecurity Review” enforcement mechanism (see below). Specific obligations for CIIOs, outlined in implementing regulations, include annual cybersecurity inspections. A currently deliberated CSL amendment would increase fines.

The DSL establishes China’s three-tiered data regime, specified by implementing guidelines, to differentiate: (1) core data, which can seriously harm national security and cause particular harm to lifelines of the economy and social stability, if compromised, (2) important data, which can cause general harm to national security and serious harm to social stability and the public interest, if compromised, and (3) general data, which does not fall into either category. Classification is complex and will be facilitated by sectoral guidelines. For all data, the DSL demands the implementation of appropriate security management measures, cybersecurity training, and technical measures. Processors of important data must appoint a person responsible for cybersecurity and carry out regular risk assessments. To process core data, the DSL requires a “stricter management system”. In case of non-compliance, firms risk fines of up to RMB 10 million (approx. USD 1.4 million) and shutdowns. 

The PIPL sets rules for the processing (“handling”) of personal information, excluding anonymised data, by private and public bodies. The PIPL lists legitimate bases for processing, including voluntary consent and contractual necessity, but not legitimate interest. The PIPL codifies data subject rights, e.g. to access, correct, and delete data, as well as data processing obligations, e.g. to ensure data security and notify data breaches to authorities and individuals (though without an explicit timeline). Processors of sensitive personal information – including data on biometrics, religious beliefs, location, health and minors under 14 – must provide explanations on the necessity and impact of processing when obtaining consent. Online platforms “with large numbers of users and complex business types” must further establish compliance systems and enforce rules on third parties using their platforms. The maximum penalties for grave violations comprise 5% of annual yearly revenue and individual liability.

China imposes several local data storage requirements but enables data transfers through three mechanisms: security assessments, personal information protection certifications, and standard contracts. Sectoral localisation obligations apply, e.g. for data on banking, credit, health, vehicles and state secrets, as well as for online map services and taxi or bike rentals. Cross-cutting localisation requirements are enshrined in the CSL, DSL, and PIPL, with considerable overlap. In September 2022, the Cyberspace Administration of China (CAC) provided clarity by setting thresholds for mandatory security assessment – the strictest data transfer mechanism, which enables transfers in the presence of localisation obligations. 

The thresholds concern either the processor or the data to be transferred. Regarding the processor, assessment is mandatory for all transfers by CIIOs and by processors of over 1 million individuals’ personal information. Regarding the data, assessment is mandatory for the transfer of important information, personal information of over 100’000 individuals per year, and sensitive personal information of over 10’000 individuals per year. For transfers exceeding these thresholds, security assessment is required since September 2022 (with a rectification period until March 2023 for ongoing transfers). The CAC has published guidance on the submission of security assessment declarations and recently started approving firms’ compliance, including Beijing Friendship Hospital, Air China, Mazda, Sephora and Focus. 

The other two mechanisms apply (alternatively) to transfers below the thresholds. The certification mechanism, explained in the CAC rules of implementation, demands compliance with two “security specifications” on personal information security technology and cross-border processing. The National Information Security Standardisation Technical Committee (TC260) is currently deliberating a proposal to turn the aforementioned specifications into a standard (“requirement”). Finally, standard contracts with cross-border recipients are formally accepted since June 2023, as the measures for standard contracts entered into force, accompanied by CAC guidelines on filing standard contracts.

At the international level, data transfers caused tensions between China and the United States (US), regarding US authorities’ access to the audit data of Chinese companies listed on US exchanges. US authorities threatened to delist Chinese companies from US exchanges if they refused access based on Chinese law. In August 2022, a cooperation agreement granted inspection access to US authorities, resolving the dispute in December 2022. Since then, in March 2023, China established a new mechanism to facilitate regulatory cooperation on listing rules. Also in March 2023, China implemented trial rules for overseas listing, which explicitly require compliance with domestic data and cybersecurity rules to safeguard national security.

Several Chinese government bodies^[2] enact secondary legislation, though two agencies are particularly active. The CAC, the main data regulator, regularly publishes regulations, recently on mobile internet applications and special network security products. The TC260 is responsible for the development of technical cybersecurity standards, such as the May 2023 standard on critical information infrastructure and the proposed standard on artificial intelligence computing platform security. Currently, several agencies are focusing on smart vehicles, developing technical requirements and standards for autopilot data recording and mapping systems. 

The CAC is China’s main enforcement agency in data governance. It is supported by several bodies, as detailed in the June 2023 procedures on agencies’ jurisdiction in data matters. For example, in February 2023, the Ministry of Industry and Information Technology publicly listed 46 apps that infringed the PIPL and set deadlines for compliance. In March 2023, China announced the establishment of a National Data Bureau to advance a “Digital China” and the digital economy, including by coordinating the use and sharing of data resources.

The CAC cybersecurity review is the sharpest enforcement mechanism in China’s data regime, threatening halts to products and services as well as fines of 1-10 times their purchase price. Introduced by the CSL, the review’s original scope comprised CIIOs who purchased network products or services that can affect national security, e.g. through infrastructure disruptions or large leaks. In 2022, the CAC expanded the scope to cover network platform operators whose processing can affect national security and operators with over 1 million users that want to list on a foreign exchange. While all in-scope entities must apply for cybersecurity reviews, the CAC can independently initiate reviews of other network products, services, or processing activities that could affect national security.

In May 2023, the cybersecurity review of Micron, a US semiconductor manufacturing company, found that the sub-standard network security could negatively impact national security and CIIOs should cease purchasing Micron products. In January 2023, the CAC concluded its review of Didi, a local ride-hailing company, and lifted the previous restriction on new user registration. In July 2022, the CAC imposed the restriction and a fine of RMB 8 billion (approx. USD 1.1 billion) due to excessive customer data collection and improper user notification, among others. The review began in June 2021, shortly after Didi listed in the US (where it delisted in June 2022), and included a ban of Didi’s services from Chinese app stores. The CAC also launched reviews into academic database China National Knowledge Infrastructure, online recruitment platform Boss Zhipin, and trucking platforms Yunmanman and Huochebang, halting new user registrations.

China’s content moderation policy is rooted in various laws and regulations. Illegal content includes content that harms national security and interests, disrupts social stability, includes obscenity, gambling or violence, or infringes on third parties’ rights, among others. For guidance, regulations provide examples of desirable, bad and illegal information. Many policies build on this broad category of illegal content to impose moderation obligations, e.g. on internet information service providers and network operators. 

Certain policies focus on a specific type of content to be moderated. Since May 2023, the measures on internet advertising require internet platform operators to correct and delete prohibited advertisements, as prescribed by the Advertising Law. In June 2023, a consultation on combating cyberviolence followed a November 2022 notice obliging website operators to establish taskforces on and detect cyberviolence, including through user complaints. Finally, other rules specify obligations relating to cultural and religious content. 

Other policies focus on the interface on which content appears. Since December 2022, the CAC’s revised provisions on internet thread commenting services require operators of “public accounts” to remove illegal or inappropriate comments. The 2022 provisions on internet pop-up information push services oblige providers of pop-up notifications to make advertising identifiable and only allow news content in pop-up windows from licensed providers. 

A group of policies scrutinises technologies used to disseminate content. The March 2022 regulations on algorithm recommendation prohibit the use of addictive algorithms and the recommendation of illegal content. Companies using algorithmic recommendation must enable users to amend and delete user tags for recommendation, as well as turn recommendation off entirely. Currently, the CAC is deliberating regulations on proximity-based ad hoc network information services, such as Bluetooth and Wi-Fi. Providers must prevent the sharing of illegal information, obtain consent before sharing content and identify users.

A focus of Chinese regulators is livestreaming. The June 2022 code of conduct for internet anchors lists 31 prohibited acts for streamers, including the production of content on healthcare, finance, law, or education without a relevant practice certificate. The May 2022 opinions on online live rewards aim to reduce the role of rewards in streaming, especially to protect minors. Platforms cannot rank streamers by rewards received and must implement "youth mode" functions. Furthermore, minors under 16 cannot host streams and use reward functions. Previously, the May 2021 measures on online live marketing established safeguards in account registration, including streamer identification, and required platforms to blacklist prohibited goods and services from sales and promotions. The 2023 regulation on online performances requires the moderation of live performances, obliging platforms to delay live broadcasts to review content, including comments. 

Minor protection is a continuous policy priority. The recently revised Law on the Protection of Minors requires network service providers, including user-generated content platforms, to remove content that could harm the health of minors. The proposed regulations on the online protection of minors additionally prohibit content that is addictive, encourages crime, contains minor obscenity or violates minor privacy, and require online gaming and streaming services to implement a “minor mode”. Regarding gaming, the August 2021 notice on preventing minors from indulging in online games sets limits for users under 18 to three hours per week, between 8 and 9 pm on Fridays, weekends and holidays.

The enforcement of content moderation policy occurs mainly through coordinated campaigns (“Qinglang” special actions). In 2023, the CAC announced and conducted several campaigns. The campaign on the business network environment focuses on the spreading of rumours against companies and the use of false names to open websites, register accounts and publish false information. The campaign on key network traffic links focuses on the removal of fake news outlets on short-video platforms and search engines. The campaign on self-media focuses on independently operated accounts that produce their own content, aiming to prevent the spread of misleading information and fraud. The campaign on the Spring Festival (Lunar New Year) focuses on online fraud and “rumours” regarding COVID-19 infections and policies. In 2022, a campaign on online "rumours and false information" removed content classified as such by authorities and developed responsibilities for platforms to identify fake news. Less often, the CAC investigates firms directly, e.g. Douyu for displaying indecent content since May 2023. 

Other agencies also conduct coordinated enforcement campaigns. In 2022, nine government bodies launched a campaign to combat online crimes, especially new crimes including illegal money lending and “naked chat” extortion. Also in 2022, several government bodies launched a campaign to improve the internet environment for minors. The campaign focused on online video, streaming, social media, learning, game, and e-commerce platforms used by minors and investigated concerns on privacy, cyberbullying and the circumvention of access restrictions. 

Regarding algorithm governance, the CAC conducted a dedicated campaign in 2022. The campaign focused on self-evaluating and self-correcting algorithm application problems and included on-site inspections (e.g. of ByteDance and Tencent). In addition, the CAC publishes lists of companies’ algorithms, as submitted to the Internet Information Service Algorithm Filing System. The CAC most recently updated the list in April 2023.

Since August 2022, the first amendment to the 2008 Anti-Monopoly Act is in force. Regarding unilateral conduct, the amendment prohibits practices limiting competition by abuse of platform rules, data, algorithms and technology. Regarding mergers, the amendment enables longer review periods, increases turnover thresholds for merger notification, and introduces a “market concentration” threshold, to capture killer acquisitions. In addition, the amendment raises fines for anti-competitive practices to a maximum of 10% of yearly revenue. For serious violations, the State Administration for Market Regulation (SAMR) can multiply fines by factors of 2 to 5. 

Other legislative developments include the currently deliberated amendment to the Anti-Unfair Competition Law. The amendment aims to prevent unfair business practices in the digital economy, such as data acquisition and algorithm-based price discrimination. The amendment expands the definition of misleading practices and false advertising and increases fines for certain provisions to a maximum of 5% of annual revenue for companies and RMB 1 million (approx. USD 140’000) for executives. Since 2019, China's E-Commerce Law prohibits false advertising and tie-in sales in e-commerce and requires platforms to label paid higher-ranked search results as well as their own goods and services.

Beyond legislation, the SAMR’s secondary legislation is central to China’s competition policy. In April 2023, the SAMR adopted regulations to implement the amendment of the Anti-Monopoly Act, covering abuse of dominance, monopoly agreements and the review of concentration. In May 2023, the SAMR adopted measures that regulate internet advertising and prohibit dark patterns. Previously, the SAMR adopted the platform antimonopoly guidelines, which explain the definition of the relevant market and what constitutes anti-competitive behaviour. Currently, the SAMR is deliberating rules on the classification of internet platforms, the anti-competitive behaviour of platforms and fake goods in e-commerce and livestreaming. 

In 2021, China launched a “tech crackdown” to rein in domestic companies, which has slowed since 2022. The SAMR is the main enforcer of the crackdown, covering both unilateral conduct and merger regulation.

Regarding unilateral conduct, the bulk of the SAMR’s enforcement stems from 2021, when it fined companies of various digital sectors for abusing market dominance. The SAMR fined e-commerce provider Alibaba RMB 18.2 billion (approx. USD 2.5 billion) for forcing merchants to use its platform through exclusive cooperation contracts ("choosing one from two" practice). Online food delivery platform Meituan was fined RMB 3.4 billion (approx. USD 475.8 million) for algorithmic price charging and exclusive cooperation agreements. The investigation into Tencent’s music licensing resulted in behavioural remedies: Tencent was obliged to waive its exclusive music copyrights (within 30 days) and restore competition in the music streaming market, for the first time in SAMR enforcement. Minor fines were issued to educational technology companies Zuoyebang and Yuanfudao for false advertising and misleading pricing, and to e-commerce provider Vipshop, for pressuring sellers into exclusivity. In the past year, the SAMR fined academic database China National Knowledge Infrastructure RMB 87.6 million (approx. USD 12.3 million) for unfair increases in pricing and exclusive cooperation agreements. 

Regarding merger regulation, the SAMR approved the Microsoft/Activision Blizzard acquisition in May 2023, finding no negative impact on competition in the online game distribution market. Previously, the SAMR repeatedly fined batches of domestic companies for failing to declare acquisitions, including Alibaba, Baidu, JD.com and Tencent. Beyond reporting obligations, the SAMR also blocked mergers, for instance between streaming companies Huya and Douyu, held by Tencent. The SAMR blocked the merger because it would have granted Tencent a dominant market position, enabling restrictions to competition.

Artificial intelligence (AI) is central to China’s digital economy ambitions, as reflected by the national five-year plan (2021-2025) and AI strategy, as well as regional frameworks to develop the AI industry, e.g. in Beijing and Shenzhen. Beyond promoting domestic AI development, in 2023, China published several rules on AI and is planning dedicated legislation. 

In April 2023, the Cyberspace Administration of China (CAC) consulted on measures on generative AI. The measures would require AI products developed in China to undergo a security assessment. AI service providers must obtain consent when personal information is used in training data, cannot share user input information with third parties and must establish a complaint mechanism to promptly address requests for the correction and deletion of personal information. AI-generated content must be accurate and cannot contain terrorist or extremist propaganda, violence or obscenity, or subversion of state power, among others. If inappropriate content is generated, AI service providers must update their technology within three months.

Since January 2023, the provisions on deep synthesis of internet information services are in force. To reduce the risk of “deep fakes”, the provisions require providers of deep synthesis technology services to label content created with such technology through logos and descriptions. Regarding data, providers must follow personal information protection rules in training datasets and obtain consent from individuals whose images or voices are manipulated. Finally, deep synthesis technology services cannot produce or disseminate content that includes false news or information endangering national security and public interest. Providers must adopt protocols to identify the use of illegal content and establish complaint mechanisms. 

China’s regulations on technology import and export subject a catalogue of technologies to import and export restrictions. Currently, China is deliberating an expansion of the catalogue to provide detailed examples of technologies subject to restrictions, including AI and speech synthesis applications. 

In previous years, the Chinese government advanced an AI ethics code, a White Paper on trustworthy AI and an assessment method for machine learning algorithms.

China imposes government authorisation on domestic providers of most digital services, differentiating requirements by sector.

For transportation services, the 2023 notice on regulating online car-hailing aggregation platforms specifies that online aggregation platforms may only serve licensed car-hailing companies. In December 2022, several penalties for ride-hailing violations were reduced, though penalties for operating non-licensed ride-hailing platforms remain unchanged. Local transportation authorities must transmit licensing information of ride-hailing services to a central database in real-time or twice a week. Currently, the government is deliberating a licensing requirement and safety standard for operators of autonomous cars.

In the 2021 “tech crackdown”, the government leveraged its authorisation powers in several sectors. Regarding the gaming industry, the National Press and Publication Administration halted mandatory approvals for new games in July 2021. Only since April 2022 have new games been approved through monthly lists of domestic game titles and annual lists of imported game titles. A second targeted sector was education technology. The government imposed a registration and licensing requirement for online core education platforms, suspending new enrollments and payments until platforms obtained a licence. Furthermore, the government banned for-profit online tutoring services providing core education and foreign online instructors, among other measures. 

Digital payment methods such as cryptocurrencies are also subject to government authorisation. The 2022 work plan on online information content in illegal securities activities requires online platforms to enforce licensing requirements for websites that are involved in the securities business and provide financial advice. In 2021, the People’s Bank of China declared transactions involving virtual currencies as illegal financial activities, with the stated objective of protecting private property. 

Further licensing requirements are imposed on online performance platforms and providers of commercial encryption, among others, while e-commerce providers are obliged to register.

The Chinese government’s control over the digital economy further builds on various user identification obligations. On the one hand, identification is required to enforce access restrictions policies, especially minors’ access to specific content (e.g. livestreaming and gaming, see above). 

On the other hand, user identification is imposed as a prerequisite to provide services. The December 2022 Law Against Telecom and Internet Fraud allows several services to be provided only to identified customers, including online messaging, advertising and payment. Since August 2022, the provisions on internet user account information demand “internet information services” to collect official documents and phone numbers to identify users and suspend the accounts of users providing false information. Also in August 2022, the provisions on mobile internet application information services were revised. The provisions require providers of information-sharing apps, e.g. instant messaging, to identify users and app distribution platforms to verify app providers. Finally, the Cybersecurity Law requires operators providing access to networks and domain name registration to identify users before accessing services.