On November 7, 2016, after three readings at the Standing Committee of the National People’s Congress, the Cybersecurity Law of China was finally approved. 

This new law, which will take effect from June 1, 2017, includes the following key elements compared to the second draft, published in July 2016: 

  • The term “key information infrastructures” refers to those used for public communication and information services, energy, transport, water conservancy, finance, public services, e-government affairs and other major industries and fields that, if they malfunctioned, were destroyed or were subject to data leakage, would seriously jeopardize national security, the national economy, and people's livelihoods and public interest. The State Council will formulate the specific security protection scope and measures for key information infrastructures.
  • Key information infrastructure operators will only store personal information and important data collected and generated during operations within the territory of the People’s Republic of China. Operators required to transmit this information and data overseas will be subject to a network security assessment.
  • Information obtained by cyberspace administration authorities and relevant departments in the course of fulfilling their responsibilities to protect cybersecurity will be used exclusively for protection purposes.
  • Personal information protection is no longer limited to Chinese citizens, but is extended to all users, including foreigners.
  • For cases of potential or actual personal information leakage, damage or loss, it includes the obligation to promptly inform all users—rather than only those possibly affected by it—and report to the relevant departments.
  • It adds a provision making individuals and entities responsible for their use of the network and states that they must not create websites or set up communication groups for the purpose of illegal and criminal activities, including fraud, passing on criminal methods, producing and selling banned and controlled goods, or disclosing this type of information through the network.
  • It adds a provision on overseas organizations, institutions and individuals that attack, invade, interfere with or destroy key information infrastructures in China, resulting in serious consequences, stating that they will be subject to legal liability, and that the State Council’s public security agencies may take punitive measures against them, including freezing their assets

The State Council and other competent authorities must still resolve some uncertainties, including: 

  • setting national and industrial standards for cybersecurity administration and the security of network products, services and operations;
  • formulating the specific security protection scope and measures for key information infrastructures;
  • issuing security assessment measures;
  • drafting and releasing the catalog of key network equipment and specialized cybersecurity products, and promoting mutual recognition of security certification and security detection results; and
  • issuing provisions for network operators to store login information for at least six months. 

Date of issue: November 7, 2016. Effective date: June 1, 2017