On the 6 July 2015, the Chinese Parliament circulated two pieces of draft legislation in relation to data protection and cyber security in China.

The draft cyber security law are intended to protect cyber sovereignty, and cyber security in China in general.

The legislation sets out definitions of personal data which reflect similar definitions in international laws.

Rather like the data retention law in Russia, the Chinese law proposes that personal data of Chinese citizens must be stored on a server inside China and before any data is transferred outside China an assessment is carried out of the relevant information security standards of the receiving entity.

The cyber security laws apply in particular to critical infrastructure organisations and are similar in concept to the concepts of critical infrastructure in the US and EU.

The protection of personal data is based on similar principles to the 8 Data Protection principles of the EU Data Protection Framework.

Enforcement of the new laws is something on which further detail is required although the implementation of compliance seems to be subject to oversight by the Cyber Administration of China.

In addition to the proposed laws on data protection and cyber security there is also a proposal to amend the criminal law in China to provide for an offence of computer misuse.

Where unauthorised access to a computer is carried out the proposed changes to the Chinese Criminal Law propose up to 3 years imprisonment with the potential for longer if the computer misuse is more serious.

We are not aware at this stage of how long it will take for the proposed legislation to come to fruition.