Data Laws in China & Hong Kong: PIPL, CSL, DSL & PDPO — PTS Managed Services

What PIPL, the CSL, the DSL and Hong Kong's PDPO mean for your data: what you can collect, what may leave the country, where it must live, and how to build your IT around it.

Practical, costed proposal · No obligation

ISO 27001 · ISO 20000 certified
Since 2001 · 25+ years in Hong Kong
Offices in Hong Kong · Singapore · Shanghai
English · 廣東話 · 普通话

Where's your data-law exposure? A 60-second self-check

The questions below are the ones that decide which laws are likely in scope and where to focus first. On the live page this runs entirely in your browser; nothing you select is sent anywhere or stored. It is a guideline, not legal advice.

  • Where do you have staff, customers or operations? (Mainland China, Hong Kong, elsewhere; several may apply)
  • Where is most of your business data hosted? (several may apply)
  • Do you process personal data about people in Mainland China? If yes, roughly how many people?
  • Is any of it sensitive personal data (health, biometrics, financial accounts, precise location, under-14s)?
  • Does personal data leave Mainland China, for example to your global tenant, HQ, Hong Kong or third-party vendors?
  • Are you in a regulated or critical sector (finance, telecoms, energy, transport, water, health, public services)?

A plain-English guide to China’s and Hong Kong’s data laws — and what they actually mean for your IT.

If your business touches Mainland China or Hong Kong, a handful of laws now shape decisions that used to be purely technical: what personal data you can collect, what you are allowed to move out of the country, where servers and tenants must sit, and which cloud you can use. The headline names — PIPL, the Cybersecurity Law and the Data Security Law in the Mainland, and the PDPO in Hong Kong — come up constantly in board, audit and investor conversations, and the rules have both tightened and, in places, relaxed significantly since 2021.

This page is written for the people who get handed the problem — heads of IT, CTOs, and infosec and operations leads — not for lawyers. It explains, in practical terms, what the main laws require across four questions: what data you can collect and process, what can leave the country, where it has to be stored, and how all of that changes the way you build and host your technology. Where it matters, we link straight to the primary sources.

Informational only — not legal advice

This guide is general information for IT and business leaders, accurate to the best of our understanding as at May 2026. China's and Hong Kong's data rules change frequently and turn on facts specific to your business. Verify anything important against the primary sources linked throughout, and take qualified legal advice in the relevant jurisdiction before you act. PTS is an IT services firm, not a law firm.

The data laws that govern you

Five Mainland Chinese instruments and one Hong Kong ordinance do most of the work. Here is the shortest useful summary of each — the rest of this page explains how they apply in practice.

PIPL — Personal Information Protection Law

China’s GDPR-style privacy law and the source of the cross-border transfer rules. It governs how anyone handles the personal information of people in China — including companies based abroad. In force since 1 November 2021. (full text)

DSL — Data Security Law

Grades all data by how sensitive it is to the state (general, important, core) and restricts handing data stored in China to foreign courts or regulators. In force since 1 September 2021. (full text)

CSL — Cybersecurity Law

The foundation: network-security duties, the “multi-level protection scheme” (MLPS), and data-localisation obligations for operators of critical information infrastructure. In force since 1 June 2017. (full text)

2024 Cross-Border Data Flow Provisions

The 2024 rules issued by the Cyberspace Administration of China (CAC), the cyberspace regulator, that relaxed the export regime by raising the volume thresholds and exempting many routine transfers. In force since 22 March 2024. (summary)

2025 Network Data Security Regulations

State Council regulations that implement PIPL, the CSL and the DSL as one operational rulebook for handling network data, including the cross-border thresholds and “important data” duties. In force since 1 January 2025. (official release)

PDPO — Hong Kong’s privacy law

Hong Kong is a separate legal system. Its Personal Data (Privacy) Ordinance sets six data-protection principles and, unlike the Mainland, imposes no general ban on moving data offshore. (regulator: PCPD)

Data coming in: what you can collect and process

In the Mainland, PIPL is consent-first. To handle personal information you need one of the lawful bases listed in PIPL Article 13; contract necessity, HR management under lawful employment rules and legal obligations are among them, but in practice most foreign businesses end up relying on consent. PIPL then demands separate, specific consent in two situations that catch people out: handling sensitive personal information (biometrics, religious beliefs, specific identity, medical health, financial accounts, an individual’s whereabouts, and anything about children under 14; Articles 28–29) and sending personal information abroad (Article 39). You are also expected to practise data minimisation: collect only what you need for a stated purpose, and tell people what you are doing with it. (PIPL)

The Data Security Law adds a second axis that has nothing to do with privacy: every dataset is also graded by how much it matters to the state, not just by whether it identifies a person. The national standard GB/T 43697-2024 (in force since 1 October 2024) sets out how to sort data into three tiers: (DLA Piper summary)

  • General data — most ordinary business data. Freely processed and, subject to the rules below, transferable.
  • Important data — data that, if leaked or misused, could harm national security, the economy, public health or public order. It triggers the strictest handling and a mandatory security assessment before any export. Catalogues are issued sector by sector.
  • Core data — data tied to national security and the economic lifelines. The most tightly controlled tier.

Most companies’ day-to-day data is “general,” but large HR, customer, mapping, genetic or behavioural datasets can stray into “important” — and you often will not know unless you check the relevant sector catalogue or are notified by a regulator.

Data going out: cross-border transfer rules

This is where most architecture decisions actually get made. Moving personal information out of Mainland China — including to Hong Kong — is a regulated “cross-border transfer.” Since the 2024 Provisions, the regime is risk-based and tied to volume. Counts are cumulative from 1 January each year, across everything you export, not per system. Note that there is no de minimis for sensitive personal information: below 10,000 people it still needs a Standard Contract or certification unless one of the exemptions below applies.

What you are moving out of Mainland China                         | What is required
------------------------------------------------------------------|--------------------------------------------------------
“Important data” (any volume)                                     | CAC security assessment
Any personal information, if you are a CIIO                       | CAC security assessment
Non-sensitive personal information of more than 1,000,000 people  | CAC security assessment
Sensitive personal information of more than 10,000 people         | CAC security assessment
Non-sensitive personal information of 100,000–1,000,000 people    | Standard Contract (filed with the CAC) or certification
Sensitive personal information of fewer than 10,000 people        | Standard Contract or certification
Non-sensitive personal information of fewer than 100,000 people   | No mechanism required

Even above those lines, the 2024 Provisions exempt several routine transfers entirely. You generally do not need one of the three mechanisms where the transfer is: (summary)

  • Necessary to perform a contract with the individual — for example cross-border orders, hotel and flight bookings, visa applications or exam registrations.
  • Necessary for cross-border HR management under your employment rules or collective contract.
  • Necessary in an emergency to protect someone’s life, health or property.
  • Free of personal information and “important data” — such as data generated in international trade, shipping, academic collaboration or manufacturing.

Three things to keep in mind alongside the table:

  • Separate consent still applies. Where you rely on consent for an export, you must tell the individual who is receiving the data, where, why, and how to exercise their rights — and obtain specific consent for the transfer (PIPL Articles 38–39).
  • Free-trade-zone “negative lists.” China’s free-trade zones can publish their own lists of data that needs a mechanism; anything not on the list can be exported freely by companies in that zone. Worth checking if you operate in one — for example Shanghai, where our China entity is based.
  • Hong Kong is “abroad” for this purpose. Because of “one country, two systems,” sending personal data from the Mainland to Hong Kong is a cross-border transfer under PIPL. The Greater Bay Area Standard Contract (below) exists precisely to ease that flow. (PCPD)

Where your data must live: data localisation

China has no blanket “all data must stay in China” rule for ordinary companies — but it does have targeted localisation duties and a hard restriction on foreign disclosure:

  • Critical Information Infrastructure Operators (CIIOs) must store personal information and important data collected or generated in the Mainland inside the Mainland; any export needs a security assessment (CSL Article 37). CIIOs are organisations in sectors such as telecoms, energy, finance, transport, water and e-government whose systems, if disrupted, would threaten national interests. (CSL)
  • Large-scale handlers. PIPL Article 40 requires personal-information handlers whose processing volume reaches a CAC-set threshold to store personal information inside the Mainland and to pass a security assessment before exporting it. In practice the volume thresholds above are the gate: at high volumes, a CAC security assessment decides whether data moves out at all.
  • The Data Security Law’s “blocking” rule (Article 36): organisations in China must not hand data stored in China to a foreign court, regulator or law-enforcement body without Chinese government approval — even in response to a foreign subpoena or discovery order. This is a genuine bind for multinationals caught between a US or EU legal request and Chinese law; plan for it before it happens. (official text)

The practical takeaway: most companies are not CIIOs, so full localisation may not be mandatory — but the combination of export thresholds, the blocking statute and “important data” catalogues means the safe default for China-origin personal and operational data is increasingly “keep it in China unless you have both a reason and a mechanism to move it.”

Hong Kong: the PDPO and how it differs

Hong Kong is governed by its own Personal Data (Privacy) Ordinance (Cap. 486), enforced by the Privacy Commissioner for Personal Data (PCPD) — entirely separate from Mainland law. If you operate in both places, you are dealing with two regimes at once. The PDPO is built on six Data Protection Principles: (PCPD)

  1. DPP1 — Collection: collect only what you need, by lawful and fair means, and tell people why.
  2. DPP2 — Accuracy & retention: keep data accurate, and no longer than necessary.
  3. DPP3 — Use: use data only for the purpose it was collected for (or a directly related one), unless you get fresh consent.
  4. DPP4 — Security: protect data with appropriate safeguards.
  5. DPP5 — Openness: be transparent about your data policies and practices.
  6. DPP6 — Access & correction: let people see and correct their data.

The biggest practical difference from the Mainland is that Hong Kong has no general cross-border transfer ban. The PDPO’s transfer-restriction provision — Section 33 — was written in 1995 but has never been brought into force. So today Hong Kong imposes no blanket statutory restriction on moving personal data offshore; instead the PCPD publishes recommended model contractual clauses and expects you to meet the DPPs, notably DPP1 transparency and DPP4 security. (Hong Kong transfer position, DLA Piper)

Two more things matter for IT teams. Since 2021 the PDPO has carried criminal anti-doxxing offences, giving the PCPD investigation and prosecution powers and penalties up to HK$1,000,000 and five years’ imprisonment. (PCPD) And to ease Mainland–Hong Kong friction, a Greater Bay Area Standard Contract lets businesses move personal information between Mainland GBA cities and Hong Kong without the full PIPL mechanisms; it has applied across all sectors since November 2024. (PCPD)

What this means for how you build your technology

Translate the law into architecture and a pattern emerges. Here are six places where these rules change technical decisions.

Identity and tenancy

Decide early whether China sits inside your global identity or stands on its own. The China cloud (below) runs a separate tenant and directory, so most multinationals end up with either a dedicated China identity or a federated bridge — not one global sign-in for everyone.

Where your SaaS data lives

Every global SaaS tool your China staff use — CRM, ticketing, HR, analytics — is potentially a cross-border transfer. Map which systems hold China personal data, and where that data physically lands, before you assume it is fine.

Email and collaboration

Microsoft 365 and Teams are the usual flashpoint. The choice between the global service and the China-only “21Vianet” instance (covered below) decides where mailboxes, files and chat actually sit.

Endpoints, backup and logging

The CSL expects systems to be graded and secured under the Multi-Level Protection Scheme, and network logs to be kept for at least six months (CSL Article 21). Backup targets and log destinations are themselves data flows; check where they resolve to.

Data segmentation and minimisation

The cheapest compliance is the data you never move. Segmenting China personal and operational data, and minimising what crosses the border, keeps you under the exemption thresholds and out of the assessment regime.

Vendor and contract due diligence

“Important data,” the blocking rule and the transfer mechanisms all need to live in your vendor contracts and data-processing agreements. Diligence the data practices of every provider you push China data through.

Microsoft 365: global tenant vs China (21Vianet)

For most companies the single biggest hosting decision is which Microsoft cloud to use in China. There are two physically separate clouds: the global Microsoft 365 and Azure you already know, operated by Microsoft, and Microsoft 365 (and Azure) operated by 21Vianet: a China-located instance run not by Microsoft but by a licensed local partner (Shanghai Blue Cloud Technology, a 21Vianet subsidiary), kept physically and logically separate from the global cloud and subject to Chinese law. (Microsoft 365 operated by 21Vianet · Azure in China)

                       | Microsoft 365 — global                                                    | Microsoft 365 operated by 21Vianet
-----------------------|---------------------------------------------------------------------------|-----------------------------------------------------------------------------------------
Operator               | Microsoft                                                                 | 21Vianet (Shanghai Blue Cloud), a licensed Chinese operator
Where data sits        | Microsoft regions worldwide; data-residency options, but outside the Mainland | Data centres inside Mainland China (Beijing / Shanghai)
Tenant & identity      | Your global Entra / Azure AD tenant                                       | A separate tenant and directory, isolated from the global cloud
Subject to             | Microsoft’s global terms                                                  | Chinese law; local commercial terms
Feature parity         | Full, latest features                                                     | A subset: some services and features are unavailable or delayed
Cross-border effect    | China staff using it = data leaving China (a transfer)                    | Keeps China data in China; no automatic bridge to your global tenant
Typically chosen when  | Convenience, global consistency, lower volumes, no localisation trigger   | You need data in-country, are a CIIO, or want to avoid treating in-country use as an export

The trap to avoid: “data residency” on the global cloud is not the same as the 21Vianet cloud. Storing data in a Microsoft global region keeps it outside the Mainland legal and operational boundary — it does not put data “in China” for localisation purposes, and your China users are still reaching across the border to get to it. The 21Vianet instance keeps data in-country and aligns with localisation expectations, but you give up feature parity and a seamless link to your global tenant, which means real work on identity, mail routing and cross-cloud collaboration. There is no universal right answer — it depends on whether you are a CIIO, your data volumes and sensitivity, and how much your China office needs to interoperate with the rest of the business. (We go deeper in our blog: Microsoft 365 in China — global vs 21Vianet.)


A starting checklist for IT and security leaders

You will not answer all of this from a web page, but this is the order we work through it with clients:

  1. Map your data flows. What China and Hong Kong personal and operational data you hold, where it is created, and every system it flows to.
  2. Classify it. Is any of it likely “important data” under a sector catalogue? How much personal — and how much sensitive personal — data, by volume?
  3. Check whether you are a CIIO. Most companies are not, but financial, telecoms, energy, transport and similar operators should confirm.
  4. Pick a transfer mechanism by volume — exempt, Standard Contract, or full CAC security assessment — using the table above.
  5. Appoint a PRC representative if PIPL reaches you from outside China (offering goods or services to, or analysing the behaviour of, people in China).
  6. Decide your tenant strategy — global with data residency, 21Vianet, or a hybrid — and design identity and collaboration around it.
  7. Get consent and privacy notices right, especially separate consent for sensitive data and for transfers.
  8. Handle Hong Kong on its own terms — meet the six DPPs, and remember there is no general transfer ban, but the doxxing rules bite.
  9. Watch for change. Free-trade-zone negative lists, new “important data” catalogues and fresh CAC guidance shift the picture — revisit periodically.
  10. Take local legal advice before acting on anything material.
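Steps 1 to 4 of this checklist, and the transfer table and exemptions under "Data going out" above, are a classification you can run over a data-flow inventory rather than reason through by hand. The Python below is an added example, not PTS code and not a regulator's tool: it applies the thresholds and exemptions as stated on this page to a constructed inventory. The `Flow` and `Handler` types, the purpose labels and the sample systems are assumptions. The point it makes that the table alone does not: the thresholds are counted per handler, cumulatively across all non-exempt flows since 1 January, so three systems each moving 60,000 people's data are not three "no mechanism required" transfers.

```python
"""Required transfer mechanism per data flow under the 2024 Cross-Border Data Flow Provisions.
Added illustration, not PTS or CAC code. Thresholds and exemptions are those stated on this
page; the flow inventory in sample_handler() is constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum


class Mechanism(str, Enum):
    EXEMPT = "exempt under the 2024 Provisions"
    NONE = "no mechanism required (below threshold)"
    SCC_OR_CERT = "Standard Contract filed with the CAC, or certification"
    ASSESSMENT = "CAC security assessment"


# Least to most demanding; used to pick a handler's overall posture.
SEVERITY = [Mechanism.EXEMPT, Mechanism.NONE, Mechanism.SCC_OR_CERT, Mechanism.ASSESSMENT]

# Volume thresholds from the 2024 Provisions: cumulative per handler since 1 January.
NON_SENSITIVE_EXEMPT_BELOW = 100_000
NON_SENSITIVE_ASSESSMENT_ABOVE = 1_000_000
SENSITIVE_ASSESSMENT_ABOVE = 10_000

# Purposes the 2024 Provisions exempt from all three mechanisms (the labels are assumptions).
EXEMPT_PURPOSES = {
    "contract_with_individual",  # orders, bookings, visa or exam registrations
    "cross_border_hr",           # HR management under employment rules
    "emergency",                 # protecting life, health or property
}


@dataclass(frozen=True)
class Flow:
    system: str
    destination: str             # "hong_kong" is still abroad for PIPL purposes
    people: int                  # individuals whose PI leaves the Mainland via this flow this year
    sensitive: bool = False      # health, biometrics, financial accounts, location, under-14s
    important_data: bool = False
    purpose: str = "other"


@dataclass
class Handler:
    name: str
    ciio: bool                   # Critical Information Infrastructure Operator
    flows: list[Flow] = field(default_factory=list)


def mechanism_for(handler: Handler, flow: Flow) -> Mechanism:
    """Mechanism one flow needs, given everything else the handler exports this year."""
    if flow.important_data:
        return Mechanism.ASSESSMENT        # any volume, no exemption
    if flow.people == 0:
        return Mechanism.EXEMPT            # no personal information in the flow
    if flow.purpose in EXEMPT_PURPOSES:
        return Mechanism.EXEMPT
    if handler.ciio:
        return Mechanism.ASSESSMENT        # CIIOs: assessment for any personal information
    # Thresholds apply to the handler's cumulative volume, not to this flow alone.
    # Assumption: individuals are distinct across systems, so plain sums are conservative.
    counted = [f for f in handler.flows
               if f.people > 0 and not f.important_data and f.purpose not in EXEMPT_PURPOSES]
    sensitive_total = sum(f.people for f in counted if f.sensitive)
    non_sensitive_total = sum(f.people for f in counted if not f.sensitive)
    if flow.sensitive:
        if sensitive_total > SENSITIVE_ASSESSMENT_ABOVE:
            return Mechanism.ASSESSMENT
        return Mechanism.SCC_OR_CERT       # no de minimis for sensitive PI
    if non_sensitive_total > NON_SENSITIVE_ASSESSMENT_ABOVE:
        return Mechanism.ASSESSMENT
    if non_sensitive_total >= NON_SENSITIVE_EXEMPT_BELOW:
        return Mechanism.SCC_OR_CERT
    return Mechanism.NONE


def classify(handler: Handler) -> dict[str, Mechanism]:
    """Mechanism for every system in the inventory, keyed by system name."""
    return {f.system: mechanism_for(handler, f) for f in handler.flows}


def overall(handler: Handler) -> Mechanism:
    """Strictest mechanism across the handler's flows: what the CAC filing has to cover."""
    return max(classify(handler).values(), key=SEVERITY.index, default=Mechanism.EXEMPT)


def sample_handler() -> Handler:
    """Constructed inventory for a non-CIIO trading company with a Mainland office."""
    return Handler("Example Trading Ltd", ciio=False, flows=[
        Flow("crm", "global_tenant", 60_000),
        Flow("ticketing", "global_tenant", 55_000),
        Flow("hr_payroll", "hong_kong", 400, sensitive=True, purpose="cross_border_hr"),
        Flow("shop_orders", "global_tenant", 30_000, purpose="contract_with_individual"),
        Flow("geo_survey", "hq_datacentre", 0, important_data=True),
    ])
```

Running `classify(sample_handler())` puts `crm` and `ticketing` on a Standard Contract even though each is below 100,000 on its own, because together they move 115,000 people's data; `hr_payroll` and `shop_orders` fall under the purpose exemptions; and the "important data" survey flow forces a CAC security assessment regardless of volume, which is therefore also the handler's overall posture. Swap in your own inventory from step 1 and the output is the first cut of step 4.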

How PTS helps

PTS is an IT services firm — not a law firm — but compliance is where IT decisions actually get made, and that is our ground. We have been in Hong Kong since 2001, run a locally registered Mainland China entity with engineers on the ground, and are ISO/IEC 27001 certified and deliberately vendor-neutral — the on-the-ground partner that foreign companies operating in China and Hong Kong rely on for compliant IT.

We help IT and security leaders:

We work alongside your legal advisers — turning their requirements into working, audited systems.

Related reading: China’s PIPL explained · Hong Kong’s PDPO explained · Microsoft 365 in China: global vs 21Vianet · Cybersecurity challenges in China · Data governance with Microsoft Purview

Sources and further reading

Where possible we link the primary text or the official regulator. English translations of Chinese laws here are by Stanford University’s DigiChina project; the official Chinese-language originals always prevail.



China and Hong Kong data law FAQs

Does PIPL apply to my company if we have no office in China?

It can. PIPL reaches organisations outside China that offer products or services to people in the Mainland, or that monitor or analyse their behaviour. If it applies to you, you are also expected to appoint a representative or dedicated entity inside China to handle personal-information matters (PIPL Articles 3 and 53).

Can I store our China employees’ or customers’ data in our global Microsoft 365?

Often yes for smaller volumes, but it is a cross-border transfer and the rules depend on volume and sensitivity, counted cumulatively from 1 January across everything you export. Below 100,000 people (non-sensitive) no mechanism is required; from 100,000 to 1,000,000 you need a Standard Contract filed with the CAC or certification, and above that a CAC security assessment. Sensitive personal information needs a Standard Contract or certification at any volume (an assessment above 10,000 people) unless an exemption such as necessity for HR management applies. Critical-infrastructure operators and “important data” are stricter. Map your volumes before you assume it is fine.

What is the difference between Microsoft 365 global and “21Vianet”?

They are two physically separate clouds. The global service is run by Microsoft with data outside the Mainland; the 21Vianet service is run by a licensed Chinese operator with data inside China, on a separate tenant, subject to Chinese law, with a subset of features. “Data residency” on the global cloud is not the same as using 21Vianet.

Do I need a data centre or servers physically in China?

Usually not. Full localisation is mandatory mainly for Critical Information Infrastructure Operators and for “important data.” Most companies can use cloud — but the export thresholds and the blocking statute often make “keep China data in China” the pragmatic default.

Is sending data from the Mainland to Hong Kong a cross-border transfer?

Yes. Under “one country, two systems,” Hong Kong is treated as outside the Mainland for PIPL, so Mainland-to-Hong-Kong transfers are cross-border. The Greater Bay Area Standard Contract exists to make that easier and now covers all sectors.

Does Hong Kong restrict moving personal data offshore?

There is no general statutory ban. The PDPO’s cross-border restriction (Section 33) has never come into force. You still have to meet the six Data Protection Principles, and the PCPD recommends model contractual clauses, but there is no blanket transfer prohibition like the Mainland’s.

What counts as “important data”?

Data that, if leaked or misused, could harm national security, the economy, public health or public order — graded above ordinary “general” data under the national standard GB/T 43697-2024. Catalogues are issued by sector and region, so you may not know until you check or are notified. Exporting important data always needs a CAC security assessment.

What happens if we get it wrong?

PIPL penalties for serious breaches reach RMB 50 million or 5% of the prior year’s turnover, plus possible suspension of operations. The DSL and Hong Kong’s doxxing offences carry their own fines and, in Hong Kong, imprisonment. Beyond fines, the bigger operational risks are blocked data flows and reputational damage.

Can PTS make us compliant?

We make the IT side work — mapping data flows, choosing and running the right cloud and tenant, and building the security controls these laws assume — alongside your legal advisers, who own the legal opinion. We are an IT firm, not a law firm, so we deliver the systems and let your counsel sign off the position.

Talk to PTS

Tell us what you need. We will come back with a practical, costed proposal.
