
Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Yes. Under the Cybersecurity Law, network operators must adopt technological measures and other necessary measures to ensure the security of personal information they gather, and prevent personal information from being leaked, destroyed or lost.

Article 13 of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users imposes the following security requirements on telecommunications operators and internet service providers:

  • Specify the responsibilities of each department, post and branch in terms of managing the security of personal information;
  • Establish the authority of different staff members and agents, review the export, duplication and destruction of information, and take measures to prevent the leak of confidential information;
  • Properly retain the carriers that record users’ personal information, such as hard-copy media, optical media and magnetic media, and take appropriate secure storage measures;
  • Conduct access inspections of the information systems that store users’ personal information, and put in place intrusion prevention, anti-virus and other measures;
  • Record operations performed with users’ personal information, including the staff members who perform such operations, the time and place of such operations and the matters involved;
  • Undertake communications network security protection work as required by the relevant telecommunications authority; and
  • Take other necessary measures as prescribed by the relevant telecommunications authority.

The Provisions on Protecting the Personal Information of Telecommunications and Internet Users also require that telecommunications operators and internet service providers provide staff members with training in the relevant skills and responsibilities relating to the protection of personal information. They must also conduct at least one self-audit of their data protection measures, record the results and promptly eliminate any security risks discovered during the audit.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Yes. The Cybersecurity Law provides that in the event of a breach, network operators must inform affected users immediately. Under certain local consumer protection regulations, such as those in Shanghai, security breaches must be reported to the data subjects.

Are data owners/processors required to notify the regulator in the event of a breach?

Yes. The Cybersecurity Law requires network operators to report any cybersecurity breach to the relevant departments immediately. 

In the telecommunications and internet sector, if personal information is disclosed or may potentially be disclosed, service providers must take remedial measures immediately. If the incident has or may have serious consequences, the service provider must report it immediately to the relevant telecommunications administrations and cooperate in the investigation carried out by the telecommunications administrations pursuant to the Provisions on Protecting the Personal Information of Telecommunications and Internet Users.
