Legal framework

Legislation

Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?

The general cybersecurity and data protection regime in China includes the Cybersecurity Law (CSL) and its implementation regulations and measures. There are also various sectoral regulators in China that have been issuing sectoral rules and regulating cybersecurity and data protection issues in their respective sectors.

The General Principles of the Civil Law provide for the right to personal data protection. Any organisations and individuals that collect and process personal data must ensure the security of the personal data. Unlawful collection, use, processing or transfer of personal data is prohibited.

Article 253 of the Criminal Law and the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues regarding Legal Application in Criminal Cases Infringing upon the Personal Information of Citizens specify certain activities that may constitute the crime of infringing the right to personal data protection. There are also other provisions in the Criminal Law that criminalise the intrusion of information systems and other cybercrimes.

The Decision on Strengthening the Protection of Online Information was adopted by the Standing Committee of the National People’s Congress of China in 2012 and provides certain general principles on the protection of citizens’ online information. Any network service providers and other entities that collect and process citizens’ online information must comply with the rules provided in the Decision.

The Measures on the Protection of Personal Data of Telecommunication and Internet Users,  published in 2013, provide relevant rules on the protection of users’ personal data. These measures apply to telecommunications service operators and internet information service providers in terms of their collection and processing of users’ personal data.

The Administrative Measures for the Multi-level Protection of Information Security (the MLPS Measures), published in 2007, provide relevant rules for the Multi-level Protection Scheme (MLPS). These measures are generally referred to as MLPS 1.0. The Ministry of Public Security (MPS) released the new draft Regulations on Multi-level Protection System for Cybersecurity (the Draft MLPS 2.0 Regulations) for public consultation on 27 June 2018, which aim to repeal and replace the existing MLPS Measures. MLPS 2.0 (which comprises various national standards that have been revamped) was released in June 2019.

In addition to the above-mentioned laws and regulations, there are also various national standards on cybersecurity and data protection. The Information Security Technology – Personal Data Security Specification (PDSS) provides various recommended rules on personal data protection.

Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?

The CSL applies to the construction, operation, maintenance and use of networks in China. Any organisation or individual that uses a network will be a network operator regardless of the sector. More stringent requirements apply to critical information infrastructure (CII), in particular data localisation requirements. CII operators (CIIOs) also fall within the scope of network operator.

Article 31 of the CSL defines CII as information infrastructure in public communication and information services, energy, public transportation, water conservancy, the financial industry, public services, government information systems and other information infrastructure that may materially impact the national interest, public interest or society as a whole if it is compromised, damaged, disrupted or impacted by a data breach or otherwise. Though the CSL does not provide specific scope of CII nor the approach to identify CII, network operators in these critical industries or sectors may be more likely to be designated as CIIOs.

There are also various sectoral rules regarding cybersecurity and data protection that apply to network operators in certain industries, such as fintech, financial services, pharmaceutical and medical services, land surveying and autonomous driving.

Has your jurisdiction adopted any international standards related to cybersecurity?

China actively participates in the making of international standards and will recognise certain international standards by transposing relevant rules into the national standards according to the Standardisation Law of the PRC. Article 8 of this Law provides that the Chinese government will actively facilitate the interoperability of international standards in China. The standards in China (including national, sectoral or provincial standards or standards applicable to certain associations) may adopt some of the terminology of the international standards to ensure correlation between them and China’s national standards, and may also adopt the same rules in the international standard with or without modification when transposing them as national standards. For example, Information Technology–Security Techniques–Information Security Management Systems–Requirements (GB/T 22080-2016) was made by the National Information Security Standardisation Technical Committee with reference to ISO 27001:2013, developed by the International Organization for Standardization.

What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?

The CSL requires network operators to designate a specific person to be responsible for its cybersecurity and data protection issues (the cybersecurity responsible person). Failure to do so would render the network operator subject to the administrative penalty imposed by the relevant supervisory authorities according to article 59 of the CSL, including a rectification order, warning or administrative fine in the case of a failure to rectify the incompliance or in the case of a significant impact to cybersecurity as a result of the violation of the law. The cybersecurity responsible person is responsible for assisting the network operator in complying with the CSL and safeguarding data and cybersecurity.

The CSL imposes liability on the ‘directly responsible person’ or the ‘other responsible person’ of the network operator for its violation of the CSL in certain circumstances. For example, article 64 of the CSL provides that the directly responsible person or the other responsible person of the network operator may be subject to a fine ranging from 10,000 yuan to 100,000 yuan for the network operator’s infringement of an individual’s right to personal data protection. However, the CSL is silent on what constitutes the directly responsible person or the other responsible person, which may be determined by prosecutors and courts on a case-by-case basis.

The CSL is silent on the obligations of directors to remain informed about the adequacy of the company’s protection of networks and data. However, according to the Company Law, directors have fiduciary duties towards the company, and it is not yet clear whether a company’s violation of the CSL will be interpreted as a director’s breach of fiduciary duties to direct the company to comply with laws and regulations.

How does your jurisdiction define cybersecurity and cybercrime?

Cybersecurity

The CSL defines cybersecurity as meaning ‘to maintain the stable and reliable operation of network and to safeguard the integrity, confidentiality and usability of network data, by taking necessary measures to prevent the network from attack, intrusion, interference, damage, unauthorised use and accidents’. Although the CSL does not define data privacy, relevant articles of the CSL provide that data privacy refers to the protection of the confidentiality, integrity and availability of personal data.

Given that cybersecurity and data privacy intertwine as data is stored on an information system that relies on IT infrastructure and requires protection, the rules on cybersecurity would also apply in the context of data protection. A cybersecurity incident may not always lead to a data beach, such as in the event of a cybersecurity incident that gives rise to the outage of the network or information system, but the data is encrypted to prevent a data breach.

Cybercrime

The Criminal Law criminalises certain offences related to computers and computer networks that are commonly regarded as cybercrimes. Criminal activities include but are not limited to:

  • illegally intruding into a computer system;
  • illegally accessing or controlling data stored on a computer system;
  • providing computer programs or tools to intrude into or illegally control a computer system;
  • damaging a computer system;
  • failing to fulfil the security management obligations for an information network; and
  • illegally using an information network.

The Opinions on Several Issues Concerning the Application of Criminal Law in Cybercrime Cases issued by the Supreme People's Court, the Supreme People’s Procuratorate and the MPS on 4 May 2014 clarified the scope of cybercrimes as:

  • endangering the security of computer information systems;
  • theft, fraud or extortion carried out through endangering the security of computer information systems;
  • posting information online or setting up websites or communication groups that are mainly used for criminal activities that target, organise, abet or assist an unspecified mass of people to commit crimes; and
  • other cases in which criminal activities take place online.

What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?

The CSL requires network operators to adopt security measures (ie, technical and organisational measures) for cybersecurity and data protection, such as:

  • formulate internal security management systems and operation instructions concerning cybersecurity and data protection, and specify the responsibilities of each relevant department;
  • determine a cybersecurity responsible person;
  • adopt technical measures to prevent computer viruses, network attacks, network intrusions and other activities that endanger cybersecurity;
  • monitor and record network operation and cybersecurity events and maintain the cyber-related logs for no less than six months;
  • adopt the rules of data classification and take respective measures according to the data categories; and
  • back up and encrypt important data.

In the event that there is dissemination of prohibited contents online, a massive data breach, loss of evidence for criminal investigation or other serious consequences a result of a network operator’s refusal to take appropriate technical and other necessary measures to protect information security as required by laws and regulations, and to rectify the situation as required by the relevant regulators, the failure may constitute the crime of ‘refusal to perform security management obligations for the information network’ according to article 286 of the Criminal Law.

The MLPS Measures require that the information system operator or user shall take certain prescriptive measures to ensure the security of the information system according to the grade of information system. The Information Security Technology — Baseline for Classified Protection of Cybersecurity has been released for public consultation to provide further clarity in conjunction with implementing the Draft MLPS 2.0 Regulations. It proposes the following security measures:

  • apply access control to the information systems;
  • take measures to protect the physical safety of information systems, such as anti-theft, fireproof and anti-invasion measures;
  • ensure the security of telecommunications;
  • determine the safety parameters and take relevant protection measures accordingly;
  • conduct identity authentication for the access of information systems;
  • perform data backups;
  • set up internal company policies on security management and determine the responsible person or department;
  • provide training to the employees concerning cybersecurity and data protection;
  • grade the information systems and file the grade of the information system with the local police if graded as Level II or above;
  • design a security plan for the information systems;
  • ensure the security of the products and services purchased for the information systems; and
  • prepare a security incident response plan and protocol.

Sectoral rules may provide more requirements on the protective measures for cybersecurity and data protection that apply to the network operators in certain sectors, such as banking and financial services.

Scope and jurisdiction

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?

The laws and regulations on the promotion of cybersecurity apply to the protection of networks, which applies to any theft of intellectual property if it is stored on an information system or a network, such as the crimes of illegally obtaining data from information systems (article 285 of the Criminal Law) and damaging an information system (article 286 of the Criminal Law).

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?

The CSL provides stricter requirements on the protection of CII. For definitions of CII, see ‘Legislation’.

At present, only the draft Regulations on Safeguarding Critical Information Infrastructure, which were released for public consultation in 2017, shed light on the scope of CII. Sectoral regulators normally closely monitor the cybersecurity issues of companies in their own sector.

The Cyberspace Administration of China (CAC) released the draft Measures for the Administration of Publishing Cyberthreat Information on 20 November 2019. These measures provide stricter requirements on the publication of the regional comprehensive analysis report on cybersecurity attacks, incidents, risks and vulnerabilities that relate to important sectors, such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defence, science and technology. In addition to the prior report to the CAC, reporting to the relevant sectoral regulator would also be required if the Measures are brought into force.

The CAC also released the draft Measures for the Cybersecurity Review on 21 May 2019. The Measures were made to implement article 35 of the CSL, which requires that any purchase of network products and services by the CIIO that affects or may affect state security is subject to relevant cybersecurity assessment.

Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?

According to article 29 of the CSL, China supports cooperation between network operators in the collection, analysis and reporting of cybersecurity information and the emergency response for the purpose of improving network operators’ capabilities for cybersecurity protection. However, as stipulated in article 26 of the CSL, carrying out activities such as cybersecurity authentication, testing and risk assessment and releasing cybersecurity information, such as system bugs, computer viruses, network attacks and intrusions, are subject to relevant rules.

The draft Measures for the Administration of Publishing Cyberthreat Information provide relevant rules, including:

  • the published cyberthreat information must not contain seven types of content, including the source code and production methods of the computer viruses, Trojan horses, ransomware and other malware;
  • the publication of information relating to a cybersecurity incident, such as an attack, damage or illegal access to a network or information system, is subject to prior reporting to the public security organ above the prefecture level of the place where the incident occurred; and
  • without the approval or authorisation of a government agency, enterprises, social organisations and individuals must not add the phase ‘early warning’ to the title of the published cyberthreat information.

The right to freedom and confidentiality of private communications is a constitutional right. Article 40 of the Constitutional Law provides that no organisation or individual may, on any ground, infringe the right to freedom and privacy of citizens' private correspondences. The only limitation to this right is that the police or procurators may search and access private correspondence in accordance with the applicable rules for protecting state security or investigating criminal offences.

The law does not provide specific rules on the collection and processing of metadata. However, if metadata forms part of state secrets, important data or personal data, the collection and processing of it will be subject to the relevant rules applicable to the category of the data.

What are the principal cyberactivities that are criminalised by the law of your jurisdiction?

According to the Criminal Law, various cyber-related activities constitute criminal offences. See ‘Legislation’.

How has your jurisdiction addressed information security challenges associated with cloud computing?

The providers of cloud computing services in China must comply with the laws and regulations on cybersecurity and data protection. There are various regulations, measures and national standards that are made specifically for cloud computing, which cover aspects ranging from the procurement of the cloud services, security and management measures for cloud services providers. For example, the CAC released the Opinion on Strengthening the Administration of the Cybersecurity of the Cloud Computing Services Used by Departments of the Party and Government on 30 December 2014 and jointly released the Measures for the Security Assessment of Cloud Computing Service on 2 July 2019 together with the National Development and Reform Commission, the Ministry of Industry and Information Technology (MIIT), and the Ministry of Finance. Government agencies and the CIIO must first assess the risks and assess the providers before using any cloud computing services that have passed the security assessment by the CAC. Use of public cloud computing services is prohibited if the network operator’s information system stores any state secrets.

Where a network operator uses cloud computing services to store data, the network operator also needs to ensure that its cloud services providers comply with the technical and management measures under the MLPS regime so that the network operator can pass the annual testing of MLPS.

How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?

The CSL applies to network operators regardless of whether the companies are domestic companies or foreign invested companies.

The CSL is silent on extraterritorial application and does not have a provision similar to article 3(2) of the General Data Protection Regulation (GDPR). However, the CAC’s view seems to be that the CSL would have extraterritorial application. The CAC released the draft Measures on Security Assessment on Cross-border Transfer of Personal Data on 13 June 2019, which proposed a new requirement for appointing representatives in China for the remote collection of personal data outside China, similar to article 27 of the GDPR. The representative will assume the obligations of the network operator under these measures, which includes conducting security assessments on cross-border transfers of personal data.

Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Yes, China has published and formulated comprehensive national standards concerning cybersecurity and data protection. See below for more details.

How does the government incentivise organisations to improve their cybersecurity?

There is currently no specific monetary reward from the government to incentivise organisations to improve their cybersecurity. Protecting cybersecurity and data is an obligation for each network operator.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

China has published various national standards and technical guidelines on cybersecurity and data protection, which mainly include GB standards (mandatory national standards that are compulsory for companies to adopt), GB/T standards (recommended national standards that are not compulsory for companies to adopt) and technical guidelines. These national standards and technical guidelines cover various issues related to cybersecurity and data protection. For example, the PDSS provides various recommended rules on the protection of cybersecurity and personal data.  

In general, the national standards and technical guidelines are made by the National Information Security Standardisation Technical Committee and are often published jointly by the Administration of Quality Supervision, Inspection and Quarantine and the State Administration of Standardisation. Various national standards can be found at www.tc260.org.cn. However, these national standards are published in Chinese and there is no official translation of them.

Are there generally recommended best practices and procedures for responding to breaches?

China has released various rules on responding to data breaches and security incidents. In addition to relevant laws and regulations (eg, the CSL and the National Emergency Response Plan for Security Incidents), there are also recommended rules for responding to data breaches and security incidents. For example, the PDSS provides relevant recommended rules on responding to and managing personal data breaches, in particular on notifying competent supervisory authorities and the affected data subjects.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

China supports cooperation between network operators in the collection, analysis and reporting of cybersecurity information and the response to emergencies for the purpose of improving their capabilities for cybersecurity protection. If the draft Measures for the Administration of Publishing Cyberthreat Information are brought into force in their current form, the publication of cyberthreat information would be subject to prior reporting to relevant regulators, and the publication of cyberthreat information must not contain certain prohibited contents. The National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT), established in 2001, is a national cybersecurity emergency response agency established under the CAC. The CNCERT initiated the establishment of the National Vulnerability Database, with information provided by various telecoms operators, cybersecurity companies and internet services providers. The database aims to proactively monitor cyberthreats and incidents, and provide information for network operators to take preventive measures against cybersecurity incidents.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

Other than the private sector giving comments on draft measures that are released for public consultation, the most common avenue of cooperation between government and the private sector is during the drafting of national standards on cybersecurity and data protection. Several members of the National Standardisation Committee (such as TC260) will select a national standard and join a working group to initiate research and the drafting of the national standard. As a member of TC260, our experience has been that the private sector’s comments and opinions are very much welcome and accepted, and the process of making various national standards is generally very collaborative.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Insurance for cybersecurity breaches in China is available, and it is common practice for companies in China to have it.

Enforcement

Regulation

Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?

Various regulatory authorities enforce cybersecurity rules in China, such as the primary regulators: the CAC, the MIIT and the MPS. Other sectoral regulators can also make rules to regulate data protection and cybersecurity issues in their respective sectors, such as the People’s Bank of China, the China Securities Regulatory Commission, the China Banking and Insurance Regulatory Commission and the National Health Commission

Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.

The Chinese authorities in general have broad powers to monitor compliance, conduct government investigations, request cooperation and information and impose penalties for violating laws according to various administrative laws, such as the Administrative Penalty Law.

For example, according to the Measures for Internet Security Supervision and Inspection issued by the MPS under the authorisation of the CSL, the MPS may conduct on-site inspection and remote testing against certain types of network operators. During the onsite inspection, the MPS may take certain measures to investigate cybersecurity incidents, such as (i) entering the premises to inspect computer rooms and the workplace; (ii) interviewing the cybersecurity responsible person of the network operator; (iii) consulting and copying information required for the investigation; and (iv) checking the operation of technical measures for network and information security protection.

When the MPS conducts remote testing to determine whether certain system vulnerabilities may exist on the network operator’s network, prior notice will be given to the network operator concerned that will include the time of remote testing and the scope of testing. The MPS generally should not interfere with the normal operation of the network of the network operator.

What are the most common enforcement issues and how have regulators and the private sector addressed them?

The provisions under the Criminal Law against the infringement of the right to personal data protection and against cybercrimes have been actively enforced in China. There have been many cases where organisations and individuals that unlawfully collected and processed personal data have been investigated, prosecuted and convicted.

Aside from the active criminal law enforcement, there have been law enforcement actions against the violation of the CSL, such as failure to: (i) monitor and record network operation and cybersecurity incidents and maintain the network logs for no less than six months; (ii) take technical measures to prevent computer viruses, network attacks and network intrusion; and (iii) adopt online content moderation measures against the prohibited information released by app or website users. The unlawful use of VPNs has also been the subject of law enforcement in China.

As a coordinated law enforcement effort, the CAC, the MIIT, the MPS and the State Administration of Market Regulation (collectively, the Four Ministries) released a joint announcement of their law enforcement agenda on 25 January 2019, which aimed to curb certain privacy practices throughout 2019 and promote a certification scheme for personal data protection. The Four Ministries highlighted in this announcement that app operators must display a privacy notice for the collection and use of personal data in an easy-to-understand, clear and concise manner and allow data subjects to give consent freely instead of coercing consent by way of pre-ticked consent boxes or bundled consent. Many app operators have been inspected and required by the Four Ministries to rectify non-compliance. The Four Ministries have constantly published a list of names of app operators that have not yet complied with the CSL and have even ordered certain apps to be suspended or temporarily removed from apps stores.

What regulatory notification obligations do businesses have following a cybersecurity breach? Must data subjects be notified?

The law requires notification of security incidents to the relevant regulators as well as to the affected data subjects, for example:

  • articles 25 and 42 of the CSL require network operators to report security incidents to the competent supervisory authorities as well as to the affected data subjects whose personal data has been breached;
  • article 14 of the Provisions on the Protection of Personal Information of Telecommunication and Internet Users provides that telecommunications business operators and internet information service providers must report security incidents that will or may have severe consequences to the competent telecommunications administration authorities; and
  • the National Emergency Plan for Cybersecurity incidents (the Security Incidents Emergency Plan) defines and categorises security incidents and provides the threshold for reporting to the regulatory authorities as well as the relevant procedural requirements.
Penalties

What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?

To prevent cybersecurity breaches, network operators are required to adopt the necessary technical and management measures to safeguard data and for cybersecurity.

Failure to take technical and other measures to ensure cybersecurity and protect the personal data collected, which can lead to a cybersecurity breach, would render the network operator concerned subject to the administrative penalty imposed by the relevant regulators according to the CSL, including a rectification order, a warning, confiscation of illegal gains, a fine, suspension of business or operation of apps or websites, or revocation of the permit or business licence if it is a serious violation.

In the event that the cybersecurity breach and serious consequences occur as result of the network operator’s refusal to adopt appropriate technical and other necessary measures to protect personal data as required by the relevant regulators in a rectification order, the refusal may further constitute the crime of ‘refusal to perform security management obligations for the information network’ as provided in article 286 of the Criminal Law.

What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?

There are legal ramifications for network operators that fail to report cybersecurity breaches to the relevant regulators and the data subjects whose personal data has been breached. Legal ramifications include rectification orders, warnings, fines, confiscation of illegal gains, suspension of business or operation of apps or websites, and revocation of the permit or business licence if it is a serious violation. These administrative penalties are imposed by the relevant supervisory authorities according to article 64 of the CSL.

How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?

Data subjects may bring claims against organisations and individuals that unlawfully collect or process their personal data either on the ground of tort or breach of contract (ie, a user agreement). Suing in tort is more common as the data subjects can either choose the General Principles of the Civil Law or the Law on the Protection of Rights and Interests of Consumers as the legal basis to bring a claim. There is a provision in the latter that provides private redress for consumers similar to article 111 of the General Principles of the Civil Law.

Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

The CSL requires organisations to adopt security measures for cybersecurity and data protection. See ‘Legislation’.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

The CSL requires network operators to adopt technical measures to monitor and record network operation status, cybersecurity threat information and security incidents and to keep relevant logs for at least six months. There are other sectoral rules and circulars that require certain network operators in certain sectors to keep the logs for a minimum of one year.

The PDSS provides that records of data breach incidents must contain, at a minimum, who discovered the incident as well as when and where the incident was discovered, the categories of personal data affected, the number of affected data subjects, the names of the information systems involved and whether notification was made to the relevant regulators. The PDSS is silent on the retention period of the records of data breach incidents.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

There are various laws and measures that require network operators affected by cybersecurity incidents to report the incidents to the relevant regulators, such as the CSL, the E-commerce Law, the Provisions on the Protection of Personal Information of Telecommunication and Internet Users, and the Security Incidents Emergency Plan. The threshold for reporting to different regulators is not the same; however, the reporting obligation under different rules is generally triggered by the occurrence or potential occurrence of a cybersecurity incident. The report must be in Chinese, and it must contain at least the following information: the time of occurrence of incident; the scope of the impact and damage; remedial measures that have been taken; the details of the personal data and data subjects involved in the breach; and the contact details of the relevant responsible department or person of the network operator.

Time frames

What is the timeline for reporting to the authorities?

Upon the discovery of a cybersecurity incident, the network operator must immediately report the incident to the relevant regulators. Article 20 of the draft Regulations on the Graded Protection of Cybersecurity provides that a report of any online incidents must be made to the local public security organ within 24 hours. While there is no specific obligation to continue reporting after the initial report to the relevant regulators, in practice, once the regulators step in to investigate the incident, they will request cooperation and information from time to time until the closure of the investigation.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Network operators have specific obligations to notify the data subjects whose personal data has been breached. There is no specific data breach reporting obligation on a network operator to notify others in the same industry or sector as the reporting obligation is limited to the relevant Chinese authorities, should the cybersecurity incident meet the reporting threshold, and to the affected data subjects. The network operator can communicate with the affected data subjects using any of the following means: email, letter, telephone, in-app push notification and other proper means or announcement on the company website (if it is impractical to notify each of the affected data subjects).

Update and trends

Update and trends

What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?

Although the CSL is the primary law that provides rules on cybersecurity and data protection, its provisions are mostly high-level principles, and it is still very much dependent on the implementation measures and regulations for consistent law enforcement. As the CSL authorises several ministries (as opposed to one specific ministry) to make rules under the CSL and enforce the laws, the CAC, the MIIT and the MPS have been actively creating ministry-level measures since the passage of the CSL.

The principal challenge to compliance with data protection laws in China in 2020 is that companies have to meet various regulators’ expectations. Not only do the regulations and measures promulgated by different regulators require careful reconciliation by companies, companies also need to consider certain recommended national standards that provide guidance. Companies may start taking a holistic approach to harmonise these rules and build a comprehensive data protection programme to ensure continuous compliance with the CSL and implementation regulations and measures. Based on many law enforcement actions, it is easier to convince regulators that a company has taken sufficient measures for cybersecurity and data protection if they are shown evidence of compliance and a comprehensive data protection programme.

Many important draft measures that are the key pillars of the CSL were released for public consultation in 2019. It is expected that the important draft measures will be finalised in 2020, and there is no doubt that active law enforcement agencies will follow the new measures. Law enforcement will continue to be strong and active, and there may be more coordinated efforts in addressing data protection practices in more sectors in 2020.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

19 December 2019