The Chinese Cybersecurity Law (CSL) introduced in 2017 is the nation’s first comprehensive privacy and security regulation for cyberspace, setting out strict controls on companies operating in China over their online activities, data storage and handling of personal information. The National Standard (GB/T 35273–2017) provided detailed guidance on the collection, use and storage of personal data. Proposed revisions are now underway, and companies should start thinking about whether their current policies are sufficient.


The CSL requires all ‘network operators’ to take steps to protect personal data. ‘Network operator’ is not easily defined but will likely catch all employers that operate any system that collects, stores, transmits or processes personal information. Employers handling such data will need to ensure that there is a legitimate reason for doing so.

Personal information and employment

The CSL provides that network operators are required to:

  • obtain consent from individuals whose personal data is being collected
  • maintain the confidentiality of such personal data.

While the National Standard provides useful guidance on how the CSL should be implemented, the proposed revisions will require employers to think further about:

  • ensuring the consent is genuine and freely given
  • how long the personal data should be retained
  • how the personal data is used.