Securiti+Veeam Will Accelerate Safe Enterprise Al at Scale

View
Contact Us See a demo

What is China’s Cybersecurity Law

PIPL Infographic Compare PIPL & GDPR
Table of contents
Contributors

Anas Baig

Product Marketing Manager at Securiti

Muhammad Faisal Sattar

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/Asia

Published October 30, 2024

Listen to the content

The world is realizing the importance of the need for data protection. More and more countries are drafting comprehensive legal frameworks that protect individuals' data online. We see this in countries such as the USA with CCPA and in the EU with GDPR . In June 2017, China followed suit and drafted its own Cybersecurity Law to safeguard the data rights of consumers in China. The law is formulated to offer the following benefits:

Let's look further into this privacy regulation.

what is china cybersecurity law

Rights under China Cybersecurity Law

The Cybersecurity Law provides data subjects/consumers (users) with the following rights :

What is CCPA

Right to information

Prior to the collection or processing of personal information by data controllers (network operators), users shall have the right to know the purpose of collection or processing, the methods used, and the scope of their personal information.

Right to deletion

Users have the right to request deletion of their personal information if they discover that the network operators collection or processing is in violation of compliance requirements.
What is CCPA

Right to rectification

Users have the right to request that network operators rectify incorrect personal information.

Right to be notified

Users have the right to be notified by the network operator if their information is tampered with, disclosed, destroyed, or lost.

Principles for Processing

The following are the major principles of processing personal information under the China Cybersecurity law:

Purpose limitation

Network operators must inform consumers of the purpose(s) of collecting or using their personal data. Processing of personal information by network operators shall not exceed the purposes for which it was directly or reasonably collected. If further processing is required, network operators must obtain further explicit consent from the individual.

Transparency

Network operators must publish rules for collecting and using the consumer’s personal information. Network operators must also inform consumers of the purpose(s) and scopes for which the personal information is collected or used. Consumers must also be notified of the methods in which the personal information is collected or used.

Consent

Consent must be obtained from individuals prior to the collection or use of their personal information.

Lawfulness

The collection, use or processing of personal information shall not violate the administrative regulations or the agreement made with the users.

Data minimization

Network operators shall comply with the principle of "necessity" when collecting and processing a user’s personal information. This means they shall not collect personal information irrelevant to the service they provide to the individual.

Integrity and confidentiality

Network operators must safeguard the personal information using technical measures, including protection against leaks, destruction, or damage. Personal data can not be given to other parties without the consent of the individual or in case of a statutory requirement.

Storage limitation

Personal information shall be stored only for the minimum period required for realizing the purpose(s) for which it was collected, after which it shall be properly disposed of by deletion or anonymization.

Who Needs to comply?

Under Article 2, the law applies to networks established, operated, maintained and used within the territory of the People’s Republic of China as well as to the supervision and management practices concerning network security. This includes public and private entities. Under the law, it is not stated that there is any extraterritorial scope, although, in an associated regulation, Measures for Security Assessment of Cross-border Transfer of Personal Data, overseas entities which collect personal data within China's territory must appoint a legal representative or organization that fulfills the responsibilities and obligations of network operators defined in the law.

It is still unclear on how this clause will be enforced, given the ambiguity in the new Cybersecurity law of China. But it is similar to how the GDPR applies extraterritorially.

Cybersecurity requirements

The Cybersecurity Law imposes several important cybersecurity obligations on network operators, with some of the major ones being:

  • The protection of personal information, specifically protecting it from disclosure, tampering, destruction and loss.
  • Undertaking effective administrative and rational technological measures to safeguard the personal information.
  • Carrying out continuous security maintenance and repairing any security flaws as quickly as possible.
  • Formulating emergency response plans for cybersecurity incidents, following such plans if an incident occurs, and taking immediate remedial measures.
  • Following state-sanctioned multi-level protection systems [MLPS].
  • Critical information infrastructure operators, as defined by the State Council, shall evaluate their cybersecurity measures once every year and shall endeavor to take greater protections and safeguards.

Cross-border transfer

Critical information infrastructure operators must ensure that personal information of customers is stored within Mainland China. If it must be transferred outside the mainland due to business necessity, the network operator must conduct a security assessment in accordance with the measures jointly defined by China’s cyberspace administration bodies and the relevant departments under the State Council.

privacyops ebook by rehan jalil

Automating privacy operations across your organization

The multi-disciplinary practice to grow trust-equity of your brand and comply with privacy regulations.

Get the Book

“By leveraging the PrivacyOps constructs from this book across our organization we were able to not only save time and money but also mitigate the risks associated with manual methods of privacy management.”

- Marty Collins, Chief Privacy and Legal Officer, QuinStreet, Inc

compliance automation securiti

Automating Compliance

Given the expanded definition of the term ‘personal information’ and the tight time frame provided to businesses to respond to privacy disclosure, access and deletion requests, and other requirements, complying with the China Cybersecurity law can be very labor intensive and costly.

securiti.ai’s award-winning solution revolves around the concept of PrivacyOps, which utilizes robotic automation, artificial intelligence and machine learning to automate compliance tasks, freeing up crucial resources for other areas of business.

securiti.ai helps businesses discover data over a wide range of internal and external systems, build a People Data Graph to link personal data to each individual, automate data subject requests, assessments, consent management and more.

To learn how securiti.ai can help your business efficiently implement privacy management, request a demo today.

Penalties under China Cybersecurity Law

China Cybersecurity law imposes a number of penalties on network operators based on violation. These violators are given warnings and orders to rectification. Repeat offenses can result in the following:

1
Fines between 0.1 million RMB to 1 million RMB for the network operator (or ten times any illegal income earned through the illegal practice)
2
Personal fines for responsible officers of the network operator
3
Confiscation of business income from illegal practices
4
Restriction of business activities
5
Closure of website
6
Cancellation of business license

Violators can even be charged with criminal penalties based on the seriousness of non-compliance.

Frequently Asked Questions (FAQs)

What is the new law for cybersecurity in China?

China has implemented several cybersecurity laws, including the Cybersecurity Law of the People's Republic of China. It outlines regulations regarding data protection, cybersecurity practices, and the responsibilities of organizations operating in China.

What are the cybersecurity laws in China?

China's cybersecurity laws include the Cybersecurity Law, which governs various aspects of cybersecurity, data protection, and the obligations of organizations to ensure the security of networks and data within China's territory.

What is Article 37 of China's cybersecurity law?

Article 37 of China's Cybersecurity Law pertains to the obligation of critical information infrastructure operators to conduct a security assessment when purchasing network products and services that could impact national security.

What is the data protection law in China?

China passed a comprehensive data protection law that is considered to be at par with other major global data privacy laws, such as the GDPR and CCPA. The Personal Information Protection Law (PIPL) was adopted on 20 August 2021 and enacted on 1 November 2021.

What is the cyber security policy of China?

In June 2017, China drafted the Cybersecurity Law that aimed to protect the consumers' data rights in China. The law provides guidelines on cybersecurity requirements for protecting the Chinese cyberspace, securing the legal interests & rights of businesses as well as individuals in the country, and promote the safe and secure development of technologies in China.

Analyze this article with AI

ChatGPT Claude Perplexity Grok
Prompts open in third-party AI tools.
Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

More Stories that May Interest You
View More
October 13, 2025
Navigating China’s AI Regulatory Landscape in 2025: What Businesses Need to Know
A 2025 guide to China’s AI rules - generative-AI measures, algorithm & deep-synthesis filings, PIPL data exports, CAC security reviews with a practical compliance...
Decoding Saudi Arabia’s Cybersecurity Risk Management Framework View More
September 1, 2025
Decoding Saudi Arabia’s Cybersecurity Risk Management Framework
Discover the Kingdom of Saudi Arabia’s National Framework for Cybersecurity Risk Management by the NCA. Learn how TLP, risk assessment and proactive strategies protect...
New Draft Amendments to China Cybersecurity Law View More
April 24, 2025
New Draft Amendments to China Cybersecurity Law
Gain insights into the new draft amendments to the China Cybersecurity Law (CSL). Learn more about legal responsibilities, noncompliance penalties, the significance of the...
Please enter a minimum of 3 characters to begin your search.

Type

Videos
View More
January 20, 2025
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
January 15, 2025
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
January 2, 2025
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
December 24, 2024
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
November 1, 2024
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
October 29, 2024
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
August 12, 2024
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
June 3, 2024
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
January 29, 2024
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
October 17, 2023
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 50:52
From Data to Deployment: Safeguarding Enterprise AI with Security and Governance
Watch Now View
Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Latest
View More
October 21, 2025
Securiti+Veeam Will Accelerate Safe Enterprise Al at Scale
We started Securiti Al with the strong conviction that in the Information Age, the Information aka Data, is the life blood of businesses and a unified platform was needed to provide all essential controls and deep intelligence around...
View More
October 16, 2025
DataAI Security for Financial Services: Turn Risk Into competitive Advantage
Financial services run on sensitive data. AI is now in fraud detection, underwriting, risk modelling, and customer service, raising both upside and risk. Institutions...
View More
October 13, 2025
Navigating China’s AI Regulatory Landscape in 2025: What Businesses Need to Know
A 2025 guide to China’s AI rules - generative-AI measures, algorithm & deep-synthesis filings, PIPL data exports, CAC security reviews with a practical compliance...
View More
October 7, 2025
All You Need to Know About Ontario’s Personal Health Information Protection Act 2004
Here’s what you need to know about Ontario’s Personal Health Information Protection Act of 2004 to ensure effective compliance with it.
The 5 Tenets of Modern DSPM for Financial Services View More
October 19, 2025
The 5 Tenets of Modern DSPM for Financial Services
Learn the 5 tenets of modern DSPM for financial services: continuous discovery, access governance, real-time risk visibility, automated remediation, and continuous compliance.
Maryland Online Data Privacy Act (MODPA) View More
October 6, 2025
Maryland Online Data Privacy Act (MODPA): Compliance Requirements Beginning October 1, 2025
Access the whitepaper to discover the compliance requirements under the Maryland Online Data Privacy Act (MODPA). Learn how Securiti helps ensure swift compliance.
DSPM vs Legacy Security Tools: Filling the Data Security Gap View More
September 30, 2025
DSPM vs Legacy Security Tools: Filling the Data Security Gap
The infographic discusses why and where legacy security tools fall short, and how a DSPM tool can make organizations’ investments smarter and more secure.
Operationalizing DSPM: 12 Must-Dos for Data & AI Security View More
September 22, 2025
Operationalizing DSPM: 12 Must-Dos for Data & AI Security
A practical checklist to operationalize DSPM—12 must-dos covering discovery, classification, lineage, least-privilege, DLP, encryption/keys, policy-as-code, monitoring, and automated remediation.
The DSPM Architect’s Handbook View More
June 16, 2025
The DSPM Architect’s Handbook: Building an Enterprise-Ready Data+AI Security Program
Get certified in DSPM. Learn to architect a DSPM solution, operationalize data and AI security, apply enterprise best practices, and enable secure AI adoption...
Gencore AI and Amazon Bedrock View More
January 7, 2025
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
What's
New