In Brief

On March 7, 2023, China’s State Council unveiled plans to consolidate the country’s data protection functions into a single National Data Bureau to address the inconsistencies around the administration of China’s data and security laws.


The privacy and security legal landscape in China has quickly evolved in recent years. The Cybersecurity Law (CSL) was adopted in 2017, and modified in 2022. The Personal Information Protection Law (PIPL) and the Data Security Law (DSL) were both effective in late 2021. There has also been a rollout of various legal mechanisms for cross-border data transfers over the past year, including the recent announcement of Standard Contractual Clauses, which we discussed here.

One of the key challenges in the adoption of these laws and regulations is the patchwork of agencies charged with administration, including Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology, the National Development and Reform Commission (NDRC), and the Ministry of Public Security, and provincial and local authorities, and the inconsistencies that have resulted. This complex regulatory authority has created challenges for multinational organizations operating in China, particularly those that collect personal information from Chinese individuals.

The new agency will likely exercise control around cross-border data transfers and the rules on the collection of personal information. Certain functions of the CAC and the NDRC are expected to move to the new bureau. This is part of a larger reorganization of China’s Ministry of Science and Technology.

The move to streamline the rules and processes around data governance is seen as an attempt by China to make its technology sectors more competitive. The consolidation will hopefully lead to a more business-friendly regulatory environment and a more efficient data governance framework, allowing better coordination around data and China’s rapidly developing digital economy.