The CSL, the DSL and the PIPL will represent three pillars of the Chinese data protection legislation system and together form an overarching framework governing the data processing and cybersecurity issues.
- The CSL is the first comprehensive legislation forming the backbone of data protection from a perspective of cyber security. It stipulates cyber security obligations for "network operators" and "critical information infrastructure operators" ("CIIOs") in China.
- While the CSL touches upon data security, it remains general and lacks a focus on a framework for data security governance. As a response, the DSL is adopted to further enhance data security by establishing a fundamental and categorised data security system applying to potentially all data processing activities, regardless whether they are online or offline.
- Unlike the security-centric requirements under the CSL and the DSL, the PIPL focuses on the personal information protection and safeguarding rights of personal information subjects. The DSL will likely also apply to personal information, given that Article 53 of the finalised DSL states that processing of personal information will "also" need to comply with other laws and regulations. This suggests that, for one thing, processing of personal information is also covered under the DSL, and for the other, more specific rules and regulations governing personal information will be set out separately under the yet-to-be-finalised PIPL.