Join our webinar on democratizing data in the cloud with Forrester, Snowflake and TIAA - Sign up here

Start Now

What is China's Cybersecurity Law

The world is realizing the importance of the need for data protection. More and more countries are drafting comprehensive legal frameworks that protect individuals' data online. We see this in countries such as the USA with CCPA and in the EU with GDPR . In June 2017, China followed suit and drafted its own Cybersecurity Law to safeguard the data rights of consumers in China. The law is formulated to offer the following benefits:

  • Providing guidelines on cybersecurity requirements for safeguarding Chinese cyberspace;
  • Protecting the legal interests and rights of organizations and individuals in China;
  • Promoting the secure development of technology and the digitization of the economy in China

Let's look further into this privacy regulation.


Rights under China Cybersecurity Law

The Cybersecurity Law provides data subjects/consumers (users) with the following rights :

Right to information

Prior to the collection or processing of personal information by data controllers (network operators), users shall have the right to know the purpose of collection or processing, the methods used, and the scope of their personal information.

Right to deletion

Users have the right to request deletion of their personal information if they discover that the network operators collection or processing is in violation of compliance requirements.

Right to rectification

Users have the right to request that network operators rectify incorrect personal information.

Right to be notified

Users have the right to be notified by the network operator if their information is tampered with, disclosed, destroyed, or lost.

Principles for Processing

The following are the major principles of processing personal information under the China Cybersecurity law:

Purpose limitation

Network operators must inform consumers of the purpose(s) of collecting or using their personal data. Processing of personal information by network operators shall not exceed the purposes for which it was directly or reasonably collected. If further processing is required, network operators must obtain further explicit consent from the individual.

Transparency

Network operators must publish rules for collecting and using the consumer’s personal information. Network operators must also inform consumers of the purpose(s) and scopes for which the personal information is collected or used. Consumers must also be notified of the methods in which the personal information is collected or used.

Consent

Consent must be obtained from individuals prior to the collection or use of their personal information.

Lawfulness

The collection, use or processing of personal information shall not violate the administrative regulations or the agreement made with the users.

Data minimization

Network operators shall comply with the principle of "necessity" when collecting and processing a user’s personal information. This means they shall not collect personal information irrelevant to the service they provide to the individual.

Integrity and confidentiality

Network operators must safeguard the personal information using technical measures, including protection against leaks, destruction, or damage. Personal data can not be given to other parties without the consent of the individual or in case of a statutory requirement.

Storage limitation

Personal information shall be stored only for the minimum period required for realizing the purpose(s) for which it was collected, after which it shall be properly disposed of by deletion or anonymization.

Who Needs to comply?

Under Article 2, the law applies to networks established, operated, maintained and used within the territory of the People’s Republic of China as well as to the supervision and management practices concerning network security. This includes public and private entities. Under the law, it is not stated that there is any extraterritorial scope, although, in an associated regulation, Measures for Security Assessment of Cross-border Transfer of Personal Data, overseas entities which collect personal data within China's territory must appoint a legal representative or organization that fulfills the responsibilities and obligations of network operators defined in the law.

It is still unclear on how this clause will be enforced, given the ambiguity in the new Cybersecurity law of China. But it is similar to how the GDPR applies extraterritorially.


Cybersecurity requirements

The Cybersecurity Law imposes several important cybersecurity obligations on network operators, with some of the major ones being:

  • The protection of personal information, specifically protecting it from disclosure, tampering, destruction and loss.
  • Undertaking effective administrative and rational technological measures to safeguard the personal information.
  • Carrying out continuous security maintenance and repairing any security flaws as quickly as possible.
  • Formulating emergency response plans for cybersecurity incidents, following such plans if an incident occurs, and taking immediate remedial measures.
  • Following state-sanctioned multi-level protection systems [MLPS].
  • Critical information infrastructure operators, as defined by the State Council, shall evaluate their cybersecurity measures once every year and shall endeavor to take greater protections and safeguards.

Cross-border transfer

Critical information infrastructure operators must ensure that personal information of customers is stored within Mainland China. If it must be transferred outside the mainland due to business necessity, the network operator must conduct a security assessment in accordance with the measures jointly defined by China’s cyberspace administration bodies and the relevant departments under the State Council.

Automating privacy operations across your organization

The multi-disciplinary practice to grow trust-equity of your brand and comply with privacy regulations.

Get the Book

“By leveraging the PrivacyOps constructs from this book across our organization we were able to not only save time and money but also mitigate the risks associated with manual methods of privacy management.”

- Marty Collins, Chief Privacy and Legal Officer, QuinStreet, Inc

Automating Compliance

Given the expanded definition of the term ‘personal information’ and the tight time frame provided to businesses to respond to privacy disclosure, access and deletion requests, and other requirements, complying with the China Cybersecurity law can be very labor intensive and costly.

SECURITI.ai’s award-winning solution revolves around the concept of PrivacyOps, which utilizes robotic automation, artificial intelligence and machine learning to automate compliance tasks, freeing up crucial resources for other areas of business.

SECURITI.ai helps businesses discover data over a wide range of internal and external systems, build a People Data Graph to link personal data to each individual, automate data subject requests, assessments, consent management and more.

To learn how SECURITI.ai can help your business efficiently implement privacy management, request a demo today.

Penalties under China Cybersecurity Law

China Cybersecurity law imposes a number of penalties on network operators based on violation. These violators are given warnings and orders to rectification. Repeat offenses can result in the following:

1
Fines between 0.1 million RMB to 1 million RMB for the network operator (or ten times any illegal income earned through the illegal practice)
2
Personal fines for responsible officers of the network operator
3
Confiscation of business income from illegal practices
4
Restriction of business activities
5
Closure of website
6
Cancellation of business license

Violators can even be charged with criminal penalties based on the seriousness of non-compliance.