On November 7, 2016, after a long process, the Standing Committee of the National People’s Congress of China promulgated the Cyber Security Law of the People’s Republic of China (the “CSL”), which would come into force in June1, 2017.

The new CSL aims to “safeguard sovereignty and security of cyber space in the state”, according to President Xi Jinping. To achieve that aim, the regulation implemented affects and highlights the rights and obligations of both companies and citizens within the People’s Republic of China by strengthening the protection and security of key information infrastructure and important information as well as regulating more precisely the treatment of personal data. The main public institution in charge of supervising these activities will be the Central Leading Group Office for Cyberspace Affairs.

However, one of the points that concern foreign entities and international organizations is that it might also affect the interests of multi-national businesses in the information technology field in China due to the potential application of this law to foreign technologies and equipment.

How the CSL will affect companies?

Obligations under the CSL attach to two main classes of business: "network operators" and operators of "critical information infrastructure". Neither of these terms is defined in any detail under the new law, which therefore will be subject for speculation and interpretation.

At the same time, another question remains in the air after the promulgation of the law and it basically involves small companies who wonder to know whether the CSL may affect their businesses. At a first sight, the theoretical answer should be yes, although it is unclear whether the regulators will want information or demand compliance from every small business in China, much less be able to handle that workload.

  1. Critical information for infrastructure operators:
  • Definition.  It is stated to be public communication companies and information services, energy, finance or public service corporations. Nonetheless, as previously mentioned, the definition of who might be considered operator of critical information infrastructure remains vague and could potentially be interpreted to cover a broader range of company and industry sectors.
  • Main obligations in accordance with the CSL: Chinese citizen’s personal information and “important data” gathered and produced by “key information infrastructure operators” during operations in China must be kept within the borders of the PRC.
  1. Network operators:
  • Definition: They are defined as “owner or manager of any cyber network as well as network service providers”.
  • Obligations: The CSL implements a “tiered system for network protection”. The system will require network operators to:
  • create internal security management systems and assignment of responsibility for network security;
  • adopt various measures to protect network security and monitor security status;
  • create emergency plans for network security incidents and report such incidents to regulators;
  • retain network logs for at least six months;
  • provide assistance to state security bodies safeguarding national security and investigation crimes;
  • handle “network access and domain registration services” for users. They are required to comply with “real identity” rules. In other word, to identify any user when signing up or providing service confirmation to users.

How will the CSL affect the companies dealing with personal information? 

The new CSL, assuming a definition already implemented in Western data protection regulations, defines all kinds of information stored in electronic or other forms as “personal data”, which individually or in combination with other information allows the identification of a natural person’s individual identity.

In this regard, network operator’s activities involving personal data handling should be limited by principles of legality, propriety and necessity. They may only collect, use and store personal information which is necessary for business purposes with the consent of the user. This consent should be obtained before transmitting that information to any third party. They also should make data privacy notices publicly available (explicitly stating purposes, means and scope of personal information to be collected and used).

Among data subject rights, any person has the right to demand deletion upon discovery of improper collection or use of its personal data, and can also demand correction of data if the collected information contains errors.


The new CSL tries to provide specific regulations to a sector mainly characterized by its dynamism and evolution continues to occur. Nonetheless, the scopes of many of the provisions under the CSL lack precision and suffer vagueness in many aspects, which at the end of the day may provoke uncertainty and legal insecurity, because many terms are too broad and subject to interpretations by public authorities or implementation of further detailed measures that may or may not occur.

These facts lead to the conclusion that we are moving towards a much more heavily regulated Chinese internet and technology sector, but at the same time the main features of this regulation appear to leave many topics to discretionary decisions by the public authorities in many significant and relevant questions.

Altogether, this invites to think the question that a truly open Chinese cyber space does not seem to be nearer. Quite the contrary, the state controls over media and communication infrastructure appear to grow with the implementation of the new CSL and restrictions to foreign participation seem to remain even harder.