Compliance Checklist for China’s CSL

China’s Cybersecurity Law (the “CSL”), which went into effect on June 1st, 2017, applies to the construction, operation, maintenance, and use of information networks, and the supervision and administration of cybersecurity in China. The CSL provides guidelines on cybersecurity requirements for safeguarding Chinese cyberspace. The law protects the legal interests and rights of organizations as well as individuals in China. It also promotes the secure development of technology and the digitization of the economy in China. Following entities come under the application scope of the CSL:

• Network Operators: It refers to the owners and administrators of networks and network service providers, and could be interpreted to include any companies providing services, or running their business through a computer network in China.
• Critical Information Infrastructure Operators (CIIOs): It refers to operators of critical information infrastructure in important industries and sectors (such as information service, public service, and e-government) and other information infrastructure that, if leaked, may severely threaten the national security, national economy, people’s livelihood, and public interests.
• Network Products and Services Providers: Organizations that provide information through networks or provide services to obtain information, including users, network services providers which provide network tools, devices, media, etc.

Compliance with the CSL is not straightforward since CSL has several ambiguities and complicated obligations for network operators and CIIOs. Additional laws and guidelines will also be considered concerning the CSL compliance, including guidelines concerning the security assessment of cross-border transfers of personal information and important data, Data Security Law (DSL), and recently promulgated Personal Information Protection Law (PIPL).

We have prepared the following compliance checklist for the covered entities to ensure compliance with the CSL. Please note that this is not an exhaustive compliance list. For a detailed overview of the CSL, please refer to our article on What is China’s Cybersecurity Law?

1. Fulfill Network Operations Security Requirements:

A. Requirements for network operators:

Network operators must adopt the following security measures to prevent network interference, damage, or unauthorized access, and prevent network data from leakage, theft, or alteration:

• Establish internal security management systems according to tiered network security protection system guidelines;
• Adopt appropriate technologies to investigate, prevent and combat cyberattacks;
• Monitor and record network operation and cybersecurity incidents, keeping records for at least six months;
• Conduct data classification, backing up, and encrypting important data;
• Establish complaint-reporting procedure and disclose how a security complaint can be reported, establish and implement the reporting procedure;
• Provide technical support and assistance to law enforcement and national security agencies on national security and crime investigation.

B. Requirement for CIIOs:

Under the CSL, CIIOs must also adopt the following security measures (in addition to security requirements for network operators stated above):

• Designate responsible personnel for security management and conduct background checks for them;
• Regularly conduct cybersecurity education, technical training, and skills assessments for employees;
• Implement disaster recovery backup plans for important systems and databases;
• Formulate cybersecurity emergency response plans and conduct regular drills on those plans;
• Conduct internal and external network security risk assessments at least once a year and report outcomes and improvement measures to the relevant competent department;
• Comply with measures coordinated by the Cyberspace Administration of China (CAC) such as conducting random testing of security risks of critical information infrastructure etc.

2. Fulfill Data Protection Obligations:

The CSL provides several data protection obligations which are similar to the PIPL. The CSL defines “personal data” as “data recorded electronically or by other means, which alone or in combination with other data enables a natural person to be identified, including but not limited to his name, date of birth, identification document number, biometric data, address and the telephone number”. Network products and services providers must follow the following data protection obligations:

• Lawful Collection: Network operators must follow principles of lawfulness, legitimacy, and necessity in collecting and using personal data. Network operators must not disclose, tamper with or destroy collected personal information.
• Purpose Limitation: Network operators must only collect personal data relevant to their services provided to individuals. Network operators must not steal or use other illegal means to obtain personal information. They must also gather and store personal information in accordance with the CSL, administrative regulations, and their agreements with users.
• Storage Limitation: Personal information shall be stored only for the minimum period required for realizing the purpose(s) for which it was collected, after which it shall be properly disposed of by deletion or anonymization.
• Consent: Network product and service providers that collect users’ information are required to inform and obtain consent from the users. Also, network operators should not disclose individuals’ personal data to third parties without consent, unless the data has been processed in such a way that it can no longer identify specific persons.
• Privacy Notice: Network operators shall publish rules for collection and use, explicitly stating the purposes, means, and scope for collecting or using information.
• Security: Network operators must maintain a private information protection mechanism to keep user information strictly confidential.
• Data Subject Requests: Under the CSL, individuals are given the right to make data deletion/rectification requests with obligatory effect on businesses.

3. Have an Effective Security Breach Mechanism in place:

Network operators and CIIOs must formulate cybersecurity emergency response plans and handle security breaches and impact assessments on a timely basis. In the event of a data breach, notify the affected individuals, report the breach to the relevant government departments and take remedial actions.

4. Oblige with Data Localization Requirements:

Under the CSL, CIIOs collecting and generating personal data and important data during their operations in China must store such data within China. CIIOs can only transfer data out of China when:

• There is a genuine business necessity;
• The operator conducts a security assessment in accordance with the measures jointly defined by China’s Cyberspace Administration bodies and the relevant departments under the State Council; and
• The CIIO obtains the consent of the concerned individual to transfer personal information outside of China (unless such consent is implied because the individual is the one sending such information).

Measures for Personal Data Cross-Border Transfer Security Assessments issued by the Cybersecurity Administration of China in 2019 have introduced a broad jurisdictional scope for regulating cross-border transfers of personal information: all network operators are obliged to undergo the security assessment process before they may transfer personal information collected in the course of their operation in China to recipients outside the country.

Organizations should review measures issued by the Chinese government on how critical information infrastructure and important data are classified to determine whether they need to comply with data localization requirements of the CSL.

5. Oblige with Product Safety and Certifications Requirements:

A. Requirements for Network Products and Services Providers:

Cybersecurity product manufacturers, security service suppliers, and other organizations that provide services through networks should oblige with the following requirements:

• Network products and services providers must not set up malicious programs.
• Upon discovering a security flaw, vulnerability, or another risk in their product or service, they must take remedial action immediately, inform users and report the issue to the relevant departments.
• Network product and service providers are required to conduct security maintenance for their products and services.

B. Requirements for CIIOs:

CIIOs must, when procuring network products and services that may impact national security, submit the products and services to CAC and the State Council departments for a review for national security purposes.
Critical network equipment and special cybersecurity products can only be sold or provided after being certified by a qualified establishment, and are in compliance with national standards.

6. Fulfill Content Monitoring Requirements:

According to Article 47 of the CSL, network operators are required to monitor the information released by their users for information that is “prohibited from being published or transmitted by laws or administrative regulations. If such information is discovered, network operators must cease the transmission of information, remove the information, keep records, and report any unlawful content to relevant authorities.
Securiti helps organizations automate their privacy management operations using artificial intelligence and robotic automation. Request a demo and start your CSL compliance process today.