Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
The Cybersecurity Law of the People’s Republic of China (PRC) (effective since 1 June 2017) is the first comprehensive legislation governing the cybersecurity sector in China. This law, which institutionalises a number of pre-existing regulatory measures, establishes an overarching framework of regulation for the construction, operation, maintenance and use of information networks in China, and for the supervision and administration thereof through cooperation among the Cyberspace Administration of China (CAC), state telecommunication authorities, the Ministry of Public Security (MPS) and other relevant authorities, including industrial regulators. Individuals and entities subject to this law include users, ‘network operators’ (broadly defined to include owners and administrators of networks, as well as network service providers), providers of network products and cyber-related industrial organisations, among others.
The Cybersecurity Law itself is an umbrella document that is intended to be supported by a host of implementing regulations, mandatory and voluntary technical standards, and other guidance, as promulgated by relevant authorities (see questions 3 and 15). The precise application of certain provisions of this law is somewhat unclear, and could vary dependent on the final form of implementing measures that are to be published separately by respective, relevant authorities (see ‘Update and trends’).
Among other key features, the Cybersecurity Law broadly conceptualises cyberspace resources and activities as being graded according to sensitivity, assessed by means of a classified protection system (see questions 6, 8 and ‘Update and trends’). In particular, the law establishes heightened requirements pertaining to the subset of cyberspace resources and activities deemed to constitute ‘critical information infrastructure’ (CII), while accommodating a range of less stringent requirements for less sensitive cyberspace resources and activities.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
A number of industrial sectors are deeply affected by China’s cybersecurity laws, particularly those that are closely linked with online operations and include a significant public services component, including telecommunications, health and medical services, and financial services (eg, banking, insurance and credit reporting). Regulatory authorities with responsibility for oversight of such sectors have made significant progress towards the promotion of cybersecurity. For example, financial services industry regulators have established an array of information technology (IT) security-related policies, requirements and guidelines. In particular, the China Banking and Insurance Regulatory Commission (CBIRC) has promulgated the Opinions on the Use of Secure and Controllable Information Technology to Strengthen Network Security and Informatisation of the Banking Industry (effective since 3 September 2014) and the Notice on the 2014-2015 Guidelines for Application of Secure and Controllable Information Technology in the Banking Industry (effective since 26 December 2014), and the National Health Commission (NHC) issued the Administrative Measures on the Standards, Security and Service of National Health and Medical Big Data (Trial) on 14 September 2018, which sets out the main responsibilities of government authorities and medical institutions in the security management of health and medical-related data.
Pursuant to the Cybersecurity Law, relevant regulatory authorities, including those with cognisance over specific industrial sectors, are expected to promulgate more detailed implementing measures, including enhanced security protections that are mandated for any network that is classified as CII (see ‘Update and trends’).
Has your jurisdiction adopted any international standards related to cybersecurity?
Consistent with the requirements of the Cybersecurity Law, China participates in the development of, and has adopted, certain international standards related to cybersecurity (including International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standards, among others), which are integrated into China’s national standards system pursuant to the Standardisation Law (effective since 1 April 1989) and its implementing regulations, comprising both mandatory standards (GB standards) and voluntary standards (GB/T standards). In addition, the National Information Security Standardisation Technical Committee (NISSTC) under the Standardisation Administration of China (SAC) has developed and promulgated non-binding information security technology guidance based on ISO and IEC standards (GB/Z guidance). Principal information security technology standards and guidance applicable in China are codified as ‘TC260’ standards, which are formulated by the NISSTC and jointly published by the SAC and the General Administration of Quality Supervision, Inspection and Quarantine of China (AQSIQ) (see question 15).
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
Pursuant to the Cybersecurity Law and other relevant laws and regulations, responsible managing personnel may be liable for failure to satisfy cybersecurity requirements. In particular, the Cybersecurity Law mandates that each network operator must appoint an officer with central responsibility for the oversight of the organisation’s cybersecurity programme. Failure to comply with the requirements of the Cybersecurity Law is punishable by fines and other sanctions that may be imposed on the network operator as well as responsible individuals.
China has not established a general legal requirement imposing liability on directors for lack of awareness or for inadequate cybersecurity preparedness on the part of the company. Pursuant to applicable law, any director of a Chinese company generally owes duties of fiduciary responsibility and due diligence towards the company. Depending on the company size, its industrial sector and the assessed significance of cybersecurity risks, such directorial duties may be interpreted as requiring the board to ensure that the company establishes and maintains a sound cybersecurity system. Recently, drafts of industry-specific regulations have proposed strengthening the link between the board of directors and organisational cybersecurity preparedness. For example, the CBIRC published the draft Provisions on the Administration of Informatisation of Insurance Institutions (Draft for Comments) (published 9 October 2015), pursuant to which insurance institutions would be required to establish an informatisation committee reporting to the board of directors. The head of such committee would be the chairman of the board or the general manager, and committee membership would include the chief information officer and representatives from the IT and other main business departments.
How does your jurisdiction define cybersecurity and cybercrime?
The Cybersecurity Law defines ‘cybersecurity’ as meaning: ‘to maintain the network under a stable and reliable condition and to safeguard the integrity, confidentiality and availability of network data, by taking necessary measures to protect the network from attacks, intrusion, interference, damage or illegal use or other incidents’.
‘Cybercrime’ is not defined in PRC law; however, the PRC Criminal Law (effective 1 October 1997) addresses various offences related to computers and computer networks, which are commonly referred to as ‘cybercrime’. Such crimes include the following:
- illegally intruding into a computer system;
- illegally accessing or manipulating data resident on a computer system;
- providing computer programs or tools to intrude into or illegally control a computer system;
- inflicting damage to a computer system;
- failing to fulfil the security management obligations for an information network;
- illegally using an information network;
- aiding a crime in relation to an information network;
- traditional types of criminal offences that are committed in connection with computer systems (eg, online theft or fraud); and
- other related offences of a serious nature.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
Pursuant to the Regulations on Classified Protection of Information Security (effective 22 June 2007), every information network operating in China is classified according to one of five security grades (I-V), and is subject to graduated levels of security protection depending on the assigned security grade classification (see ‘Update and trends’). A network’s classification is determined by the system’s owner based on an assessment including the owner’s evaluation of the system’s perceived degree of importance to national security, economic development and society, as well as an evaluation of the potential impact in the event that the network were to be destroyed.
Of the grades I-V, ‘Grade I’ constitutes the most basic level, wherein ‘damage to the network results in harm to the legal rights of citizens, legal persons, and other organisations, but will not harm national security, social order or public interest’, while ‘Grade V’ is the highest level, wherein ‘damage to the network results in very serious harm to national security’.
Minimum protective measures applicable to Grade I are identified in the non-binding standard Information Security Technology - Baseline for classified protection of information system security (GB/T 22239-2008). General requirements for such protective measures include:
- physical protection, encompassing physical access control and protection of equipment against theft or tampering;
- network security, encompassing the overall structure and network access control;
- security protection of servers;
- security protection of applications;
- data security and backup;
- establishment and maintenance of a security management system and related procedures and policies;
- establishment and maintenance of security management positions, clearly defining the responsibilities of each post as well as examining the identity and professional qualifications of all personnel;
- regular training to enhance security awareness; and
- procurement procedures with respect to relevant IT products and services.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
China has not established any laws or regulations that specifically address cyberthreats to intellectual property.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
Among other key features, the Cybersecurity Law establishes heightened requirements pertaining to the subset of cyberspace resources and activities deemed to constitute CII, which is broadly defined to encompass information infrastructure within certain industrial sectors (including, but not limited to, public telecommunications and information services, energy, transportation, water, banking and other financial services, public services and e-government services) with respect to which system damage, malfunction or data breach would seriously harm national security or public interest (see questions 1, 8 and ‘Update and trends’). The specific scope of CII and applicable security measures are to be further described in future implementing regulations. Most recently, on 10 July 2017, the Draft Regulations for the Security Protection of Critical Information Infrastructure were released for public comment, proposing additional measures with respect to the protection of CII (see ‘Update and trends’).
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
Pursuant to the Cybersecurity Law, China supports cooperation among network operators in such areas as collection, analysis and reporting of cybersecurity information and emergency disposal, assigning responsibility to relevant industrial organisations for establishment of coordinating mechanisms and implementing regulations. However, carrying out such activities as cybersecurity authentication, detection and risk evaluation, and releasing cybersecurity information such as system bugs, computer viruses, network attacks and intrusions must comply with relevant regulations (see question 17).
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
Pursuant to the PRC Criminal Law, various cyber-related activities constitute criminal offences that are punishable by law. See question 5.
How has your jurisdiction addressed information security challenges associated with cloud computing?
The information security challenges associated with cloud computing are an emerging topic that has recently received significant attention in China. For example, on 30 December 2014, CAC promulgated the Opinion on the Strengthening of Cybersecurity Management of Cloud Computing Services by the Party and Government Department of China (the 2014 Cloud Computing Opinion), which specifies, among other things, that no public cloud computing services may be employed for any governmental data or services that involve state security. In particular, any cloud computing platform or data centre that provides services to the Communist Party of China or Chinese government agencies must be established within China, and any sensitive data is prohibited from transmission, processing or storage overseas without permission.
China has also promulgated two voluntary national standards aiming to provide guidance to government and third-party service providers with respect to cybersecurity management for cloud computing (including ‘Information Security Technology - Security guide of cloud computing services’ (GB/T 31167-2014)) (the 2014 Cloud Computing Security Guide), which establish a framework of cloud-related security requirements. In particular, the 2014 Cloud Computing Security Guide identifies five fundamental principles that govern the conduct of cloud computing service customers and providers, as listed below.
- No shift of security management responsibilities: the customer shall be the party that is ultimately responsible for information security; the responsibility for information security will not be shifted to any other party, whether the data and business are located internally or on a cloud computing platform.
- No change of the ownership of the resources: all data, equipment and other resources, and any data or documents that are collected or generated and stored on the cloud computing platform shall be owned by the customer. The customer’s right to have access to, utilise and control such resources shall not be restricted.
- No change of the jurisdiction: the jurisdiction over the customer’s data and business shall not be changed due to cloud computing. Unless expressly provided by PRC law, cloud computing service providers are not permitted to provide customer data and related information to any government agency or other organisation in other countries.
- No change of the level of security management: the cloud computing platform and the cloud computing service providers shall comply with relevant security requirements applicable to the customer.
- Evaluation of security capability: all cloud computing service providers shall have the capability to safeguard the security of customer data and business systems and shall pass the requisite security evaluation. The customer may only utilise service providers that pass such security evaluation.
With respect to cloud computing services to be provided in connection with government data or services, the 2014 Cloud Computing Opinion specifies that no public cloud computing services may be employed for any governmental data or services that involve state security or official security. Any cloud computing platform or data centre that provides services to the Communist Party of China or Chinese government agencies must be established within China, and any sensitive data is prohibited from transmission, processing or storage overseas without permission.
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
Broadly, foreign organisations doing business in China are subject to the same cybersecurity obligations and responsibilities as domestic entities, but the relative impact of such obligations may differ considerably. For example, the Cybersecurity Law and proposed implementing regulations establish enhanced requirements with respect to data localisation as well as complementary requirements for mandatory security assessments in connection with any cross-border transfers of the personally identifiable information (PII) of Chinese citizens or important data. Specifically, CII operators are required to store in China any PII or important data collected or generated in China. In the event that a legitimate necessity requires that such data be transferred outside China, a security assessment must be satisfactorily completed prior to any such transfer. In many circumstances, an organisation may complete a self-assessment; however, in the case of a large-scale PII transfer operation, the assessment is to be completed by a competent governmental authority.
In addition to the Cybersecurity Law, industry-specific examples of relevant regulation include the People’s Bank of China (PBOC)’s Circular on Doing a Good Job by Banking Financial Institutions in Protecting Personal Financial Information (effective since 27 March 2012) and the Trial Measures for the Administration of Population Health Information (effective since 5 May 2014), respectively prohibiting cross-border transfers of personal financial information or personal health information.
Chinese cybersecurity laws affect foreign organisations by imposing heightened obligations, including with respect to ‘data localisation’, ‘pre-transfer security assessments’, restrictions on cross-border transfers and employment of virtual private network communications. Such measures may result in a range of impacts on the operations of foreign organisations in China, promoting, for example, the use of domestic infrastructure for data hosting and the engagement of local data processing service providers, and strictly regulating overseas data transfers, any of which may substantially increase the cost of doing business in China for a foreign organisation.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
In addition to laws and regulations, China publishes and maintains comprehensive national standards addressing cybersecurity as well as information security requirements. See question 15.
How does the government incentivise organisations to improve their cybersecurity?
China has not established any formal government programmes expressly intended to incentivise organisations to improve cybersecurity preparedness. However, the Cybersecurity Law contains general principles that provide that the government is to prepare plans and increase investment to support key industries and network security technology projects, support network security technology research and development, and encourage relevant enterprises or organisations to provide certification, testing and risk assessment services. The Chinese government is also obliged to organise network security training to promote the awareness of the general public.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
National standards and technical guidance documents have been published under the umbrella of ‘Information Security Technology’, including GB Standards, GB/T Standards and technical guidance (GB/Z guidance). These standards and technical guidance cover a wide range of cybersecurity-related subjects, including, for example, encryption specifications, security standards for cloud computing, online banking, industrial control systems and e-government. An example is the recently released draft Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment, which proposes substantially more detailed guidance with respect to the implementation of a security assessment programme (see ‘Update and trends’). A complete library of PRC national standards is accessible via the following URL: www.sac.gov.cn/was5/web//outlinetemplet/gjbzcx.jsp.
Principal information security technology standards and guidance applicable in China are codified as ‘TC260’ standards, which are formulated by the NISSTC and jointly published by the SAC and the AQSIQ. Key TC260 standards may be accessed at the website of the NISSTC at: www.tc260.org.cn. However, no English language versions of the TC260 standards are available on this site.
Are there generally recommended best practices and procedures for responding to breaches?
Guidance with respect to best practices and procedures for responding to cybersecurity breaches may be found in the Information Technology - Security Techniques - Information Security Incident Management Guide (GB/Z 20985-2007), which is largely based on the international standard ISO/IEC TR 18044:2004 (Information technology - Security techniques - Information security incident management), with relevant revisions. This guidance provides an overview of information security incident management and the processes and recommendations on response activities, which generally encompass the steps listed below:
- initial detection and reporting of the occurrence of the information security incident;
- collection of information to assess and determine whether the circumstances constitute an information security incident;
- responding to the incident by taking immediate action and, if the incident is not under control, seeking crisis assistance;
- communication of incident details to internal and external persons and organisations;
- conducting forensic analysis;
- recording completed steps and decisions for further analysis; and
- once an information security incident has been resolved:
  - conducting further forensic analysis and identifying lessons to be learned from the handling of such incident; and
  - making improvements to existing policy and processes.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
Pursuant to the Cybersecurity Law, China supports cooperation among network operators in such areas as collection, analysis and reporting of cybersecurity information and emergency disposal, assigning responsibility to relevant industrial organisations for establishment of coordinating mechanisms and implementing regulations (see question 9). However, China has not as of yet established any specific programmes for promoting the voluntary sharing of information about cyberthreats. Affected entities and individuals are required to report cyberthreat information to competent regulatory authorities, which may release a public report and provide recommendations for addressing such threats.
China maintains a centralised reporting programme, pursuant to which all telecommunication authorities, telecommunication business operators, domain name registrars and administrators, and the Internet Society of China are required to report cybersecurity incidents (eg, malware, defacement, backdoor intrusion, phishing, vulnerability, information destruction, denial of service attack, abnormal domain, router hijacking, unauthorised access, spam, mixed cybersecurity incidents and other cybersecurity incidents) to the telecommunications regulatory authority or to the National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT). Following verification of the incident report, CNCERT issues a public notice to the relevant organisations and coordinates the involvement of relevant government agencies, industry associations, network operators, research institutes and security organisations, as required (see question 28).
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The Cybersecurity Law prescribes a general principle whereby the government shall support enterprises, research institutions, universities and other organisations to participate in the formulation of national standards and industrial standards for network security. Private enterprises, research institutions, universities and other organisations are often involved in the process of developing security standards. Experts from the relevant industry may be invited to participate in the technical committee to draft and review such security standards and, in some cases, draft standards are released to the public to solicit comments.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Cybersecurity insurance is available in China; however, it is a relatively new product and only a limited number of insurers offer insurance with coverage for losses from cyberattack, data loss and other cybersecurity-related events.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
Pursuant to the Cybersecurity Law, regulatory bodies with overarching responsibilities with respect to cybersecurity oversight in China include:
- the CAC;
- the Ministry of Industry and Information Technology (MIIT);
- the China Internet Network Information Centre;
- the Ministry of Public Security; and
- the SAC.
With respect to particular industrial sectors, individual regulatory authorities have substantial authority with respect to oversight of business-related activities, encompassing cybersecurity preparedness, including:
- the CBIRC;
- the China Securities Regulatory Commission;
- the PBOC; and
- the NHC.
Other relevant authorities include the NISSTC, which was formed in 2002 under the Standardisation Administration of China and is responsible for the development of technical standards for information security (see question 3 and question 15).
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
Chinese governmental authorities have broad powers to monitor the compliance by network operators, to initiate investigations, and if applicable, to issue warnings and impose penalties on responsible entities and individuals. Regulatory authority applicable during investigations includes the power to request documents, to enter the premises for inspection, and to interview relevant persons to collect evidence.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
For several years, enforcement actions relating to criminal laws against theft of PII have been and continue to be frequently recorded in public media, often entailing large-scale campaigns against theft and trafficking in misappropriated PII. Although most of these enforcement actions have involved domestic perpetrators, non-Chinese actors have at times also been affected, resulting in fines and imprisonment.
With respect to enforcement of administrative regulations, oversight of certain industrial sectors (eg, the financial and telecommunications sectors) reflects a history of strict enforcement of technical and procedural requirements. Applicable regulations provide for close scrutiny of licensed entities, including initial certifications and periodic and ad hoc inspections, as well as requiring periodic and event-based reports. Failure to abide by regulatory requirements may trigger warnings, censures and fines for the entity or responsible individuals. If the circumstances are found to be serious, a regulatory authority may revoke the relevant entity’s approvals and the relevant individuals’ qualifications, and even refer matters for criminal investigation.
Recently, new standards and obligations have been established or proposed to regulate a broader swathe of commercial cybersecurity-related activity. Such efforts are typically led by the government and supported by the Chinese technical community, with opportunities for input from business and foreign governmental agencies. This remains a highly dynamic area, and ongoing developments are being closely monitored by potentially affected businesses, the legal community and other interested parties.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
Failure to comply with obligations to implement relevant cybersecurity measures may result in regulatory sanctions, including demands for rectification and warnings. In the event of a refusal to implement rectification measures and if such failure causes security consequences, the relevant party may be subject to fines, forfeiture of illegal gains, suspension of operations, and revocation of licences. With respect to a company or other organisation, the officers responsible for such failure may also be fined. In the event of a serious breach, the relevant parties may be subject to criminal investigation pursuant to the Criminal Law.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Generally, PRC laws and regulations mandate timely reporting of threats and breaches to relevant regulatory authorities. Failure to abide by such requirements may result in administrative sanctions. The new Cybersecurity Law also mandates that notification be provided to the data subjects and the competent regulatory authority in accordance with regulations, without providing further detail.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
Pursuant to Chinese law, the liability of companies and individuals and opportunities for private redress are essentially limited to the extent of contractual liability. In some cases, in the absence of a contractual relationship (eg, as between a network operator and an organisation or individual whose data has been lost or leaked), such organisation or individual may be entitled to assert tort liability. In such case, a network operator could be required to indemnify the aggrieved party for actual losses. In theory, the law also recognises the principle of compensation for serious mental suffering arising from infringement. However, in practice, the court has adopted a conservative approach in such determination and compensation for mental damage has rarely, if ever, been granted. Liability arising from such incidents has not received meaningful attention with respect to legislation, litigation or judicial interpretation in China. Accordingly, in the absence of specific contractual provisions, the relevant threshold for a determination of legal liability owing to unauthorised cyberactivity or failure to adequately protect systems and data would be uncertain.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
Pursuant to the Regulations on Classified Protection of Information Security (effective since 22 June 2007), every information network operating in China is classified into one of five security grades (I-V) and is subject to graduated levels of security protection according to its grade (see question 6 and ‘Update and trends’).
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
The Cybersecurity Law requires all network operators to implement technical measures to monitor and record network operation status and cybersecurity incidents, and to preserve relevant web logs for at least six months.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
China maintains a centralised reporting programme (see question 17).
Cybersecurity incident reporting covers both security incidents and security threats:
- a ‘security incident’ refers to an incident that has already occurred, and is further classified into four grades (ie, ‘extremely serious’, ‘serious’, ‘relatively serious’ and ‘general’); and
- a ‘security threat’ refers to any information relating to a potential security threat that has not yet given rise to actual harm or effect, or to certain preventive information derived from incident analysis (classified into Grades I to IV, with Grade I representing the most serious category).
An entity that has a reporting obligation is required to assign the relevant cybersecurity incidents or threats to the proper classification and report them to the MIIT or CNCERT within the time limit specified by law, namely:
- ‘extremely serious’ or ‘serious’ incidents or the existence of Grade I or II security threats must be reported to MIIT and the relevant provincial branch within two hours, with a copy to CNCERT;
- ‘relatively serious’ incidents or the existence of Grade III security threats must be reported to MIIT and the relevant provincial branch within four hours, with a copy to CNCERT;
- the existence of Grade IV security threats must be reported within five business days of the discovery to CNCERT, with a copy to the relevant provincial MIIT branch; and
- ‘general’ security incidents must be reported monthly to CNCERT, with a copy to the relevant MIIT provincial branch.
Incident reporting is required to include the following information:
- basic information about the entity;
- the time when the incident took place;
- a summary of the incident;
- preliminary estimate of harm and effect;
- measures that have been taken; and
- other related information.
Threat reporting is required to include the following information:
- description of the threat information;
- estimation of the potential harm;
- identification of the users and scope of possible effect;
- identification of the entity or person who is aware of such information as of the reporting; and
- recommended responses and measures.
Following verification of a reported incident, MIIT or CNCERT is to issue a public notice to the relevant organisations and, as required, coordinate the response among government agencies, industry associations, network operators, research institutes and security organisations.
What is the timeline for reporting to the authorities?
See question 28.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
The new Cybersecurity Law mandates that notification be provided to the data subjects and the competent regulatory authority in accordance with regulations, without providing further detail. Apart from the Cybersecurity Law, China has not established any measure requiring the reporting of cybersecurity threats or breaches to others in the industry, to customers or to the general public. See questions 24 and 28.
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
Recent key developments in cybersecurity include the publication of the following draft and final laws and regulations for public review and comment:
- April 2017 - draft Cryptography Law of the People’s Republic of China (Cryptography Law);
- April/May 2017 - draft Measures for the Security Assessment of Outbound Transfer of Personal Information and Important Data (Data Transfer Measures);
- May/August 2017 - draft Information Security Technology Guidelines for Cross-Border Data Transfer Security Assessment (Data Transfer Guidelines);
- July 2017 - draft Regulations on the Security Protection of Critical Information Infrastructure (CII Regulations);
- January/May 2018 - Personal Information Security Specification (GB/T 352730-2017) (PI Specification); and
- June 2018 - draft Regulations on the Classified Network Security Protection (Graded Network Classification Regulations).
Cryptography Law
On 13 April 2017, the Office of the State Commercial Cryptography Administration (OSCCA) published the draft Cryptography Law for review and comment. Significant highlights of the draft law include:
- The Cryptography Law categorises cryptography into ‘core cryptography’, ‘ordinary cryptography’ and ‘commercial cryptography’. Core cryptography or ordinary cryptography may be used to protect state secrets, and commercial cryptography may only be used to protect information that does not constitute a state secret. Export of core cryptography or ordinary cryptography outside of China is prohibited, and the import or export of ‘commercial cryptography’ is subject to government approval. The Cryptography Law empowers the Ministry of Commerce, OSCCA and the PRC General Administration of Customs to jointly formulate and publish the Import/Export Catalogue of Commercial Cryptography for Administration.
- CII should employ cryptography to protect systems in accordance with applicable laws and regulations and national mandatory standards relating to cryptography, and cryptography protection systems must be planned, built and operated simultaneously with other systems of CII.
- If required for national security or for criminal investigations, the MPS, the Ministry of State Security and the relevant People’s Procuratorates may require telecommunications operators and internet service providers to provide technical support for decryption.
Data Transfer Measures
On 11 April 2017, the CAC released the draft Data Transfer Measures for review and comment; they were revised and republished on 19 May 2017. The draft measures are principally concerned with establishing a system for assessing the security of cross-border data transfers, built on a two-tier assessment framework comprising network operator self-assessments and, where required, governmental assessments. A network operator self-assessment would include pre-transmission assessments and periodic assessments to be conducted annually. The Data Transfer Measures are especially significant because, for the first time, a specific framework has been put forward to guide the conduct of mandated security assessments, and that framework would extend to every ‘network operator’ and, by reference, to any other person or entity involved in providing regulated data to an overseas destination.
Data Transfer Guidelines
Following the publication of the draft Data Transfer Measures, on 27 May 2017, the NISSTC released the draft Data Transfer Guidelines for review and comment; they were revised and republished on 30 August 2017. As compared with the Data Transfer Measures, these draft guidelines propose more detailed guidance on implementing a security assessment programme. The network operator initiates the self-assessment by formulating a data export plan, which is required to set out the purpose, scope, type and scale of the data export, the IT system involved, the transit country and the destination, and the security control measures to be taken. The security assessment is intended to demonstrate that the proposed outbound transfer is lawful and justified, and that the risks are controllable. The degree of risk is to be assessed by taking into account both the characteristics of the data (eg, the volume, scope, type, sensitivity and technical measures) and the likelihood of security breach incidents, which requires an evaluation of the technical safeguards and management capabilities of both the data exporter and the recipient, as well as the legal and political environment of the destination country.
CII Regulations
On 10 July 2017, the CAC published the draft CII Regulations for review and comment. Significant highlights of the draft regulations include expanding the conceptual scope of CII to encompass additional industrial sectors, specifying the responsibilities of a CII operator’s ‘responsible person’, and establishing prerequisite qualification requirements for key technical personnel.
PI Specification
On 25 January 2018, the SAC published the PI Specification, effective from 1 May 2018. Significant highlights of the specification include an expanded definition of PI (including the establishment of the subcategory of ‘sensitive PI’) and of ‘PI controller’; heightened requirements with respect to the collection, preservation, usage, disposition and other related PI-processing activities; enumeration of PI subject rights; and identification of expanded obligations for PI controllers.
Graded Network Classification Regulations
On 27 June 2018, the MPS published the draft Graded Network Classification Regulations for public comment. Significant highlights of the draft regulations include:
- establishment of a revised graded network classification system;
- a requirement for all networks to establish a comprehensive network cybersecurity protection system;
- networks of Grade II or above must pass a network expert review, with the results to be provided to the industry regulator for approval; in addition, any network of Grade II or above must be satisfactorily tested prior to use; and
- networks of Grade III or above must satisfy additional specified measures, including provision of an annual report to the MPS and the limitation of maintenance work to within the PRC.