On June 27, 2016, the Standing Committee of the National People’s Congress of the People’s Republic of China held a second reading of the draft Cybersecurity Law (the “second draft”). The law is aimed at strengthening the protection and security of key information infrastructure and important data in China. As we previously reported, the first draft of the Cybersecurity Law was published for comment almost a year ago, but the National People’s Congress has not published the full second draft of the Cybersecurity Law to date.

According to the website of the National People’s Congress, the second draft of the Cybersecurity Law stipulates that the State will adopt priority protection over key information infrastructure that would seriously jeopardize national security and the public interest if data was damaged or leaked.

The second draft also reiterates the requirement that key information infrastructure operators should store, within the territory of China, personal information and other important business data collected and produced during operations. If it is necessary to transfer such information and data to overseas individuals or organizations for business requirements, a security assessment should be conducted.

The second draft has a new provision requiring that information collected by competent government authorities during their protection of key information infrastructure be used only for the protection of network security. The second draft additionally states that big data applications must anonymize personal information, and that the State will support research on protecting data and promoting security.

Network operators will be required to comply with social morals and business ethics, and will be subject to governmental and public supervision. In addition, network operators will be required to preserve web logs for at least six months, and cooperate with the supervision and inspection of competent government authorities.