On 30 November 2018 the Ministry of Public Security released the Guideline for Internet Personal Information Security Protection (Draft for Comment) to solicit public opinions.

In reference to the existing national standards on cybersecurity and personal information protection, the Information Security Technology – Basic Requirements for Grading Protection of Information System Security (GB/T 22239-2008) and the Information Security Technology – Personal Information Security Specification (GB/T 35273-2017), the guideline requires that personal information holders implement a series of security protection measures from three perspectives – namely:

  • a management mechanism – personal information holders must build firewalls in order to protect enterprises from criminal risks;
  • technical measures – personal information holders must implement measures to ensure that the network operations are secure for internet security inspection purposes; and
  • business procedures – personal information holders must ensure that all applicable procedures protect personal information.

Notably, the guideline's application extends beyond the Cybersecurity Law, which applies only to network operators (ie, network owners, administrators and service providers).

According to the guideline it applies to 'personal information holders' which, according to the definition therein, appears to include both personal data controllers and personal data processors.

For further information on this topic please contact Samuel Yang or Yang Chen at AnJie Law Firm by telephone (+86 10 8567 5988) or email ([email protected] or [email protected]). The AnJie Law Firm website can be accessed at www.anjielaw.com.‚Äč