On July 5, 2016, the Standing Committee of the National People’s Congress of the People’s Republic of China (the “Standing Committee”) published the full second draft of the Cybersecurity Law (the “second draft”). The publication of the second draft comes after the Standing Committee’s second reading of the draft on June 27, 2016. The public may comment on the second draft of the Cybersecurity Law until August 4, 2016.

The second draft reiterates that network operators should conform to the principles of legality, justice and necessity when collecting personal information, and should expressly inform the data subject of the purpose, method and scope for their collection and use of the information. The second draft also stipulates that network operators are prohibited from providing a user’s personal information to third parties without the user’s consent, except where the personal information is depersonalized in such a way that it cannot identify the individual and the depersonalization cannot be reversed.

The definition of “key information infrastructure” remains unclear in the second draft. According to the second draft, “key information infrastructure” refers to information infrastructure of which damage, malfunction or data leakage would seriously jeopardize national security and the public interest. The State Council will formulate the specific scope of key information infrastructure and the security protection measures for key information infrastructure.