In July 2015, China released its new draft cybersecurity law (the ‘Law’), which will potentially have far-reaching consequences for network operators and companies doing business in China.

The Law regulates cross-border data transfers and gives individuals greater protection over their personal data, including granting them increased rights to access and amend their personal information. The Law also imposes a range of stringent new obligations, while awarding the government added powers to access and block dissemination of private information which would be deemed illegal under Chinese law.

Under the Law, the PRC government will be able to:

  • Restrict the transmission of information over the Internet to certain places where privacy incidents have occurred previously in order to protect national security
  • Introduce a new ‘localization law’ which will oblige certain entities to store any information deemed by the government as “important” or “critical” within China. If there is a legitimate business reason to store or otherwise transfer such data abroad, the transferring organisation will be required to complete a security evaluation which meets government requirements before any such data can be transferred. This obligation is intended to apply only to organisations in “key information infrastructure sectors,” but it is unclear exactly how this term will be interpreted.

The Law also introduces a raft of new obligations on network operators (which is widely defined and covers, for example, telecoms operators and ISPs). These new obligations include duties to:

  • Maintain cybersecurity protocols to safeguard against viruses and other malicious attacks
  • Ensure that their products and services meet minimum national security standards
  • Promptly notify any users affected by any data security breaches

The Law reflects an international trend of increasing legislative focus on tackling cybersecurity threats. One of the concerns expressed about the Law is that it has been drafted so broadly as to make it difficult to predict exactly how it will be enforced. The final day for feedback has now passed, so the final form of the Law remains to be seen.