China | Regulatory Framework
Status: in force
Effective: 2026-01-09
moderate CAC Q&A (Jan 2026) on personal information protection policy and compliance (incl. AI-related processing)
Personal Information Protection Policy and Regulations Q&A (January 2026)
I. Regulatory Summary
Relevant to legal/advisory practitioners supporting AI deployments that involve personal data (particularly biometrics): the CAC’s interpretive Q&A signals supervisory expectations around impact assessments, record retention, and governance obligations.
II. Full Description
The CAC published a January 2026 policy-and-regulations Q&A to support personal information processors. The Q&A includes AI-adjacent compliance clarifications such as conducting and documenting personal information protection impact assessments for facial recognition processing and governance/reporting expectations for responsible persons under the personal information protection framework.
III. Scope & Application
Official CAC Q&A providing compliance clarifications on personal information protection topics, including requirements relevant to AI-enabled processing (e.g., facial recognition impact assessments, record-keeping, and responsible person reporting).
IV. Policy Impact Assessment
Relevant to legal/advisory practitioners supporting AI deployments that involve personal data (particularly biometrics): the CAC’s interpretive Q&A signals supervisory expectations around impact assessments, record retention, and governance obligations.
Primary Focus: data protection guidance (AI-adjacent)