Data Compliance in China: Legal challenges and risks for foreign enterprises
21 February 2025
Jian Huang, Counsel at IPO Pang Shenjun, Alliott Global Alliance’s representative law firm in Shanghai Province, explores China's evolving data protection framework, key compliance requirements, and the challenges and opportunities it presents for businesses.
As the world becomes increasingly digital, data has evolved into a key asset for businesses. With its growing role in decision-making and operations, safeguarding data and ensuring compliance with data protection regulations have become top priorities. Non-compliance with these regulations can lead to significant fines, loss of customer trust, and other business risks.
China has aggressively pursued enforcement of its data protection laws in recent years. For example, there were 442 cases related to failure to fulfil personal information security obligations, 68 cases of failing to protect personal information, and 12 cases where companies collected personal data without informing or obtaining consent from individuals. Additionally, cases of illegal acquisition, sale, or provision of personal data to third parties have been reported. These numbers continue to rise each year, reflecting the increasing importance of data protection in China.
For instance, DiDi Global was fined an eye-watering 80.26 billion RMB for violations of the Cybersecurity Law, Data Security Law, and PIPL in 2022. In addition to the financial penalties, DiDi faced severe regulatory scrutiny, affecting its operations in China. Other companies, such as CNKI (China National Knowledge Infrastructure), have also faced hefty fines for unlawful data collection practices. These cases underline the significant financial and reputational risks that businesses face in China due to non-compliance.
In addition to financial penalties, non-compliance can result in severe reputational damage. For foreign enterprises, a loss of trust from customers, partners, and investors can be devastating. A tarnished reputation can significantly impact a company's ability to operate not only in China but also on the global stage.
China has taken major steps to strengthen its data protection laws, notably with the implementation of the Personal Information Protection Law (PIPL) in 2021, the Data Security Law (DSL) in 2021, and the Cybersecurity Law. These laws provide one of the most comprehensive frameworks for data security and privacy in the world, presenting both challenges and opportunities for foreign companies in China.
The PIPL, which came into effect in November 2021, is China’s most stringent data privacy law to date. It establishes clear guidelines for how personal information should be collected, used, and shared. Businesses must obtain explicit consent from individuals before collecting their personal data and inform them of how their data will be used. The law also regulates how companies handle cross-border data transfers, requiring strict measures to ensure that data is protected when it is transferred outside China.
The Data Security Law focuses on the broader issue of data security, encompassing not only personal data but also corporate and governmental data. It mandates that organizations implement robust security measures to protect data throughout its lifecycle—from collection to storage and processing. The law also requires businesses to categorize data based on its importance and adopt different levels of protection accordingly.
The Cybersecurity Law builds on these regulations, establishing requirements for securing network infrastructure and ensuring that companies take steps to prevent illegal activities on their networks.
Furthermore, the Personal Information Protection Compliance Audit Management Measures have just been released and will come into effect on May 1, 2025, underscoring China’s commitment to data protection. According to Article 4 of the Measures, data processors handling the personal information of over 1 million individuals must conduct a personal information protection compliance audit every two years. Article 12 stipulates that data processors handling the personal information of over 1 million individuals must appoint a person responsible for personal information protection compliance and establish an independent body, composed mainly of external members, to oversee the compliance audit of personal information protection.
For foreign businesses, these regulations present both significant risks and opportunities. Non-compliance with Chinese data protection laws can lead to substantial fines, as seen in the case of DiDi Global. Therefore, it is essential for businesses to understand and adhere to these laws to mitigate penalties and risks.
Given the increasing frequency of enforcement actions and the evolving legal landscape, it is crucial for foreign businesses to take proactive steps to ensure compliance with China’s data protection laws. This includes implementing strong data security measures, regularly conducting data compliance audits, and ensuring that employees are properly trained on the country’s regulations. Businesses must also establish clear procedures for handling personal data, including obtaining consent, managing data transfers, and protecting sensitive information.
Foreign businesses must also stay updated on changes in the regulatory environment. China’s data protection laws are still evolving, and new regulations may emerge that further tighten data security and privacy requirements. By staying informed and adjusting operations accordingly, businesses can mitigate the risk of penalties and continue to operate smoothly in China’s increasingly regulated market.
Ultimately, data compliance in China is not just about avoiding fines—it is about building trust with customers, safeguarding sensitive information, and ensuring the long-term success of the business. For foreign enterprises, data compliance in China is an essential part of doing business and will only become more critical as the regulatory landscape continues to evolve. Companies that prioritize data security and compliance will not only minimize their risks but will also position themselves as responsible and trustworthy businesses in China’s highly competitive market.
Jian Huang is a licensed attorney specializing in dispute resolution, mergers and acquisitions (M&A), and corporate governance. His expertise encompasses employment law, equity issues, and data compliance. With extensive experience handling both contentious and non-contentious matters, Mr. Huang has successfully managed cases with a total value exceeding $200 million. He is committed to delivering comprehensive legal solutions that align with his clients' business objectives.
About IPO Pang Shenjun Law Firm:
IPO Pang Shenjun is Alliott Global Alliance’s representative law firm in Shanghai Province, China, and has a strong reputation for outstanding service, helping many companies across a wide spectrum of industries to establish and grow their operations. Established in the early 1990s, the firm now has associates throughout China and affiliate partners in almost 100 countries.