China AI Governance — PIPL, CAC Regulations, and What Companies Need to Know

China's layered AI regulatory framework: PIPL, Cybersecurity Law, Data Security Law, CAC algorithm filing, deep synthesis rules, and generative AI measures. What foreign and domestic companies must comply with.

Key Takeaways

China regulates AI through three foundational laws (PIPL, Cybersecurity Law, Data Security Law) plus sector-specific AI regulations — there is no single AI Act equivalent.
The Interim Measures for Generative AI Services (effective 15 August 2023) require CAC filing, security assessments, and content aligned with core socialist values for generative AI providers in China.
As of March 2025, approximately 350 large language models have been filed with the CAC. Unfiled AI services face enforcement including administrative penalties and app removal.
PIPL applies to all AI processing personal information, with extraterritorial reach. Cross-border data transfer requires security assessment, standard contractual clauses, or certification.
AI-generated content must be clearly labelled under both the Deep Synthesis Provisions (January 2023) and the AIGC Labelling Measures (March 2025).

"Apenas para fins informativos. Este artigo não constitui aconselhamento jurídico, regulatório, financeiro ou profissional. Consulte um especialista qualificado para orientação específica."

China's AI governance framework — layered, enforcement-active, and distinct

China's approach to AI governance is fundamentally different from the EU or US models. Rather than a single comprehensive AI Act, China has built a layered regulatory framework: three foundational data and cybersecurity laws provide the base, with sector-specific AI regulations layered on top. The system is administered primarily by the Cyberspace Administration of China (CAC), with enforcement that is active and increasingly aggressive.

For companies operating in or selling to China, compliance is not optional — and the framework has extraterritorial reach under PIPL.

The three foundational laws

Personal Information Protection Law (PIPL). Effective 1 November 2021. China's equivalent to GDPR. Applies to all processing of personal information within China and extraterritorially where processing relates to providing products or services to individuals in China. Requires: consent or specified legal basis; purpose limitation; data minimisation; PIPIA (Personal Information Protection Impact Assessment) for sensitive data, automated decision-making, and cross-border transfers; data localisation requirements for Critical Information Infrastructure Operators; maximum penalties of up to RMB 50 million or 5% of prior year annual revenue.

Data Security Law (DSL). Effective 1 September 2021. Classifies data by importance to national security. AI systems processing important data or core data face heightened obligations including security assessments and data localisation requirements.

Cybersecurity Law (CSL). Effective 1 June 2017, amended 2026. The 2026 amendments expanded extraterritorial enforcement to overseas activities endangering China's cybersecurity generally, codified security assessment requirements for AI products and services, and aligned the CSL with CAC deep synthesis and generative AI regulations.

AI-specific regulations

Algorithm Recommendation Measures. Effective 1 March 2022. Require providers of recommendation algorithms with public opinion or social mobilisation capabilities to file with the CAC and undergo security assessments. Cover social media feeds, e-commerce recommendations, news aggregation.

Deep Synthesis Provisions. Effective 10 January 2023. Regulate deepfakes and synthetic media. Require: labelling of AI-generated content; consent for biometric editing (facial, voice); prohibition on creating fake news; service provider registration.

Interim Measures for Generative AI Services (AIGC Measures). Effective 15 August 2023. Apply to generative AI services provided to the public within China. Require: CAC filing and security assessment before launch; content aligned with core socialist values; training data legality (copyright, personal data, accuracy); labelling of AI-generated content; user complaint mechanisms. As of March 2025, approximately 350 LLMs have been filed with the CAC.

AIGC Labelling Measures. Issued 7 March 2025 by CAC and MIIT. Require clear, visible labelling of all AI-generated or AI-composed content. Extend labelling requirements beyond deepfakes to generative text and images.

Enforcement reality

Chinese regulators enforce actively. Shanghai CAC summoned and penalised three AI applications that provided services without completing filing procedures. Zhejiang CAC ordered removal of an AI face-swapping app that lacked required security assessment. Throughout 2025, the CAC conducted coordinated enforcement targeting mobile apps, SDKs, smart terminals, facial recognition in public spaces, offline consumer data, and data-related crimes. In September 2025, the CAC published 10 typical enforcement cases. This is not a voluntary framework — non-compliance leads to real consequences.

Cross-border implications

Foreign companies offering AI services to Chinese users or processing personal information of individuals in China are subject to PIPL, including: appointing a representative in China; conducting PIPIAs; cross-border data transfer mechanisms (security assessment for volume above 100,000 individuals, standard contractual clauses, or certification); data localisation for CIIOs. The CSL 2026 amendments expand extraterritorial enforcement further.

What companies must do

For companies operating in China: file generative AI services with CAC; conduct PIPIAs for AI processing personal information; label all AI-generated content; ensure training data compliance (copyright, personal data, content); maintain security assessment records. For companies outside China with Chinese users: assess PIPL applicability; implement cross-border data transfer mechanisms; appoint a China representative; prepare for extraterritorial enforcement under the 2026 CSL amendments.

Primary sources: White & Case — China AI Tracker · IAPP — China AI Governance