In Brief

On March 7, 2023, China’s State Council unveiled plans to consolidate the country’s data protection functions into a single National Data Bureau to address the inconsistencies around the administration of China’s data and security laws.


The privacy and security legal landscape in China has quickly evolved in recent years. The Cybersecurity Law (CSL) was adopted in 2017, and modified in 2022. The Personal Information Protection Law (PIPL) and the Data Security Law (DSL) were both effective in late 2021. There has also been a rollout of various legal mechanisms for cross-border data transfers over the past year, including the recent announcement of Standard Contractual Clauses, which we discussed here.

One of the key challenges in the adoption of these laws and regulations is the patchwork of agencies charged with administration, including Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology, the National Development and Reform Commission (NDRC), and the Ministry of Public Security, and provincial and local authorities, and the inconsistencies that have resulted. This complex regulatory authority has created challenges for multinational organizations operating in China, particularly those that collect personal information from Chinese individuals.

The new agency will likely exercise control around cross-border data transfers and the rules on the collection of personal information. Certain functions of the CAC and the NDRC are expected to move to the new bureau. This is part of a larger reorganization of China’s Ministry of Science and Technology.

The move to streamline the rules and processes around data governance is seen as an attempt by China to make its technology sectors more competitive. The consolidation will hopefully lead to a more business-friendly regulatory environment and a more efficient data governance framework, allowing better coordination around data and China’s rapidly developing digital economy.

We will continue to monitor these developments. Should you have questions about this or other data privacy issues, reach out to any of the Baker McKenzie attorneys below.


Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.


Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.


Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.


Jay Ruan specializes in corporate and M&A and regulatory advisory matters in China. He has acted for clients across a broad range of industries, and has extensive experience in advising clients on strategic joint ventures and business alliances, corporate-commercial and technology transactions, TMT regulatory matters as well as financial service and insurance regulatory.