On 1 June 2017 China's new Cybersecurity Law came into effect. Under the new law, the key obligations include notice and consent requirements as part of personal data protection, mandatory cybersecurity personnel and procedures for handling cyber breaches for Network Operators, and mandatory security maintenance from network service providers.
Penalties will inevitably vary according to the nature of the breach, and include a warning, an order to remedy the breach, closing offending organisations and/or revoking business permits and licences. Fines range up to RMB 1 million (€131,000) and personal fines for individuals responsible range up to RMB 100,000 (€13,100).
Prior to this, on 19 May 2017 the Cyberspace Administration of China issued a revised draft of the Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (the "Measures"). This provides guidance on security assessments and enshrines China’s data sovereignty by requiring all Network Operators to store personal data within China where it was collected in the course of operating in China, and to undertake a security assessment where data needs to be transferred outside the jurisdiction.