China's New Cybersecurity Law

Last Updated: June 2017

China's Cybersecurity Law went into effect June 1, 2017. Here's an overview of the IAPP's coverage on the new law and what it means for organizations doing business in the country.

The New Chinese Cybersecurity Law: A Legal Update
Web conference originally recorded on January 25, 2017

In November 2016, final legislation was passed imposing new cybersecurity data governance requirements on companies doing business in and with China. The law encompasses both "network operators," defined essentially as anyone owning or operating a computer system network, and "suppliers of network products and services." The law will become effective June 1, 2017. Learn about:

  • The intent of the new law.
  • Who it applies to.
  • What the obligations entail.
  • How it will be enforced and what the potential fines will be.
  • How it will likely affect organizations doing business in and with China.

China set to expand data localization and security review requirements
The Cyberspace Administration of China on April 11 released Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country, intended to assist in the implementation of China’s new Cybersecurity Law. Scott Livingston of Simone IP Services writes for Privacy Tracker that the draft appears to "expand the scope of China’s data localization and security review requirements to a wider range of companies than originally thought covered by the Cybersecurity Law." If issued as is, the measures could "dramatically increase compliance costs for China-based companies that transfer or store data overseas" and "stoke further fears of IP theft in a country already well-known for IP abuses." Livingston offers an analysis of the draft measures' main provisions and how they would apply to foreign businesses.

China publishes draft Network Products and Services Security Review Measures
On Nov. 7, China’s National People's Congress Standing Committee enacted its Cybersecurity Law, which will come into force June 1, 2017. With the official promulgation, China’s data protection legislation is entering into a new stage. In this Privacy Tracker post, Wei Fan, CIPM, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, and Jason Meng write about the reasons behind the nation's focus on data protection and offer an overview of the new Cybersecurity Law and the draft General Principles of Civil Law, which defines a right to personal information as a basic civil right. The Cybersecurity Law puts forward new requirements for how network operators collect and handle personal information. Meng and Fan write that by introducing these two laws, "China has realized the integration with the existing international standard as well as U.S. and European personal information protection legislation." 

Costs and unanswered questions of China’s new cybersecurity regime
The newly passed Cybersecurity Law of the People’s Republic of China will take effect in June 2017, and it is expected to have a significant impact on multinationals doing business in mainland China. The law affects both domestic and foreign companies operating on the Chinese mainland and covers a wide range of activities including the use of the internet, information and communications technologies, personal data, national security, and more. In this exclusive for The Privacy Advisor, Hannah Ji, CIPM, CIPP/E, CIPP/US, and Jerry Fang describe the difficulties in complying with the law and what to expect in the near future.

How the Cyber Security Law of China is about to change things
In this article for The Privacy Advisor, Galaad Delval, CIPP/E, and Lin Zhong write about "Key Information Infrastructure Operators" under China's proposed Cybersecurity Law, expected to be passed this year. "First of all it is necessary to understand that KIIO are a special category of network operators defined by the Article 65 of the CSL," they write, adding that "As such KIIO must comply with the relevant obligations of network operators while complying with their own specific obligations."

Data Protection Legal Update: Hong Kong and China
Web conference originally recorded on June 16, 2016

If your organization is doing business in Hong Kong or China that involves the use and transfer of personal information, you should be aware that varying regulations and laws govern this data use. Hong Kong has a well-established law and active regulatory body in place, and failure to comply with an enforcement notice is considered a criminal offense which can result in fines and even imprisonment. While China has no comprehensive data protection regulation currently in force, a draft cyber-security law is making its way through the legislative process, and in the meantime, provisions of a number of other existing regulations are applicable to data use and transfer.