China: Cybersecurity
This is an Insight article, written by a selected partner as part of GDR's co-published content.
Key cybersecurity statutes and regulations
Three milestone laws: the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law
The Cybersecurity Law (CSL), effective on 1 June 2017, is the first comprehensive cybersecurity law in the People’s Republic of China[1] (PRC or China) and forms the backbone of the PRC’s cybersecurity protection regime. The CSL applies to the construction, operation, maintenance and use of IT networks, as well as to the supervision and administration of cybersecurity, within the PRC. Its scope is broad and covers almost all business operators in China that use or rely on the internet or an IT network. The CSL defines a set of basic principles, including:
- all business operators must fulfil the network protection obligations under the CSL, including the multilevel protection scheme (MLPS);
- critical information infrastructure operators (CIIOs) must fulfil enhanced cybersecurity obligations;
- CIIOs are subject to data localisation and security assessment requirements for the cross-border transfer of personal information and ‘important data’;[2]
- certain operators must undergo cybersecurity reviews in specified scenarios; and
- all business operators must provide technical support and assistance to the public security and national security authorities in criminal and national security investigations.
The Data Security Law (DSL), effective on 1 September 2021, aims to ensure the security of all kinds of data throughout their collection, use, storage, processing, transfer and disclosure. Data security and cybersecurity frequently overlap because cybersecurity incidents are usually accompanied by data leakage. The DSL supplements the CSL in several key areas, such as the MLPS, the required technical measures and data localisation. National security is a theme throughout the DSL. The DSL establishes a hierarchical system of data classification, management and protection that imposes enhanced requirements for ‘important data’ and ‘national core data’, categories defined by the importance of specific types of data to China’s national economy, national security and public interest.
The Personal Information Protection Law (PIPL), effective on 1 November 2021, focuses on the security of personal information and the protection of the personal information rights and interests of data subjects. Where a cybersecurity issue affects the security of personal information, the PIPL also governs that issue. The PIPL has extraterritorial effect: it applies to data processing activities within China, and to data processing activities outside China if their purpose is to provide products or services to individuals located in China, or to analyse or assess the behaviour of individuals located in China. This extends the reach of Chinese data protection law to overseas data handlers.
The Chinese government has also been rolling out a full set of regulations and national standards (some still in draft) to implement the cybersecurity requirements of those three laws and to strengthen cyber governance and enforcement. We set out the major implementing regulations and national standards in the next section.
Implementing regulations and national standards
The Security Protection Regulation for Critical Information Infrastructure (the CII Regulation), effective on 1 September 2021, aims to implement the rules for enhancing the protection of the critical information infrastructure (CII) outlined in the CSL.
The CII Regulation defines CII as important network facilities and information systems in critical industries and fields which, if destroyed, disabled or subject to data leakage, may seriously damage national security, the national economy, people’s livelihoods or the public interest. The CII Regulation lists a number of critical industries and fields, including public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government, and science, technology and industry connected with national defence. The CII Regulation grants sector-specific regulators the authority to determine the specific list of CII within their respective sectors. The sector-specific regulators should base their determination mainly on the following criteria:
- the degree of importance of network facilities, information systems, etc, to the industry and its critical core businesses;
- the degree of harm that may be brought about once network facilities, information systems, etc, are damaged, lose their functions or leak data; and
- the relevant impact on other industries and fields.
The regulators notify the operators of the CII so identified and report the list to the Ministry of Public Security (MPS).
The Cybersecurity Review Measure, effective on 15 February 2022, aims to protect the security of the CII supply chain under the CSL.
The CSL originally required that CIIOs apply for national security review of their procurement of network products and services if it may impact national security.
The Cybersecurity Review Measure extends the cybersecurity review obligation to online platform operators that conduct data processing activities, where the procurement by a CIIO, or the data processing activities of the online platform operator, affects or may affect national security.
The Measure for Security Assessment for Cross-Border Data Transfers (the Security Assessment Measure) was published on 7 July 2022 and came into effect on 1 September 2022. It further expands the application scope of government security assessment requirements for cross-border data transfer.
The CSL originally imposed government security assessment requirements only on CIIOs. The Security Assessment Measure extends that obligation to important data handlers and to personal information handlers (PI handlers) that process personal information reaching certain thresholds.
In addition, the Security Assessment Measure defines the concept of ‘important data’, which was unclear under the CSL. It also specifies the procedures for government security assessments as required by the CSL.
Despite their non-binding nature, national standards are a key part of the data protection and cybersecurity legal regime in China. National standards are generally regarded as best practice guidelines for business operators because regulators normally give them weight in government inspections. The major national standards are as follows:
- GB/T 22239-2019 Information Security Technology – Baseline for Multi-level Protection Scheme, effective from 1 December 2019;
- GB/T 25070-2019 Information Security Technology – Technical Requirements of Security Design for Multi-level Protection Scheme, effective from 1 December 2019;
- GB/T 28448-2019 Information Security Technology – Evaluation Requirements for Multi-level Protection Scheme, effective from 1 December 2019;
- GB/T 22240-2020 Information Security Technology – Classification Guide for Classified Protection of Cybersecurity, effective from 1 November 2020;
- GB/T 35273-2020 Information Security Technology – Personal Information Security Specification (Specification), effective from 1 October 2020; and
- Guidelines for Internet Personal Information Security Protection, effective from 10 April 2019.
Regulatory bodies responsible for enforcement of cybersecurity rules, their powers, enforcement track record, etc
The Cyberspace Administration of China (CAC) is the principal regulatory body administering cybersecurity matters under the CSL, DSL and PIPL.
The MPS has a widespread network of local branches (public security bureaus) throughout China and also has the power to conduct cybersecurity inspections and carry out enforcement actions for non-compliance.
Additionally, sector-specific regulators such as the Ministry of Industry and Information Technology (MIIT) also regulate the cybersecurity and data security matters within their respective industries.
The CAC
The CAC is China’s cyberspace watchdog, in charge of both cyberspace security and internet content regulation. The CAC is also the enforcement agency for the internet content provision sector and is responsible for issuing and administering licences for business operators that provide internet news and information services.
The CAC directs and supervises the formulation of various implementing regulations related to cybersecurity and is responsible for enforcing security review and assessment requirements under the CSL, DSL and PIPL. For example, the CAC’s subordinate office, the Cybersecurity Review Office, is responsible for developing relevant rules and regulations on and organising cybersecurity reviews according to the Cybersecurity Review Measure. Where members of the cybersecurity review group believe that a network product or service or data processing activity affects or may affect national security, the Cybersecurity Review Office has the authority to initiate the cybersecurity review.
The Ministry of Public Security of the PRC
The MPS is an organisation under the State Council in charge of the country’s public security. The responsibilities and powers of the MPS are quite broad, including, but not limited to:[3]
- supervising public information networks;
- preventing, stopping and investigating criminal activities;
- combating terrorist activities;
- maintaining stability and order;
- maintaining border security;
- protecting designated persons, venues and facilities; and
- supervising security concerning state organisations, social organisations, enterprises, institutions and large construction sites.
The MPS has a widespread network of local branches, the public security bureaus, which have broad inspection powers. Companies doing business in China must cooperate with the public security bureaus’ inspections and investigations. The public security bureaus have launched and organised numerous enforcement actions against illegal cyber activities and have penalised many companies under the CSL.
Sector-specific regulators
Sector-specific regulators also govern cybersecurity and data security matters within their respective industries. The DSL authorises the sector-specific regulators to formulate catalogues of important data and to enhance the protection of important data within their industries. The CSL also requires industry organisations to strengthen self-discipline pursuant to their articles of association, develop codes of conduct that guide their members in strengthening cybersecurity protection, improve cybersecurity and promote the healthy development of the relevant industries.
An important sector-specific regulator is the MIIT, which is in charge of the telecommunications sector and actively participates in formulating and implementing cyber-related regulations.
The MIIT was established as a department under the State Council responsible for the administration of China’s industrial sectors and information industry. Its main responsibilities and powers are to determine China’s industrial planning, policies and standards, to monitor the daily operation of industrial sectors, to promote the development of major technological equipment and innovation in the communications sector, to guide the construction of information systems and to safeguard China’s information security.[4] The local communications administrations are the local counterparts of the MIIT and are in charge of telecommunications, internet, mobile internet and other information and communication services, including market access for telecommunications and internet businesses; overseeing user rights and personal information protection; and supervising the operations of business operators relating to information and communication networks.
Relevant obligations for companies to protect IT systems and data from cyberthreats
Taking technical and management measures to ensure cybersecurity and data security
General obligations for all business operators
The CSL, DSL and PIPL specify various technical and management measures that all business operators must take to keep their IT networks free from interference, disruption and unauthorised access, and to prevent data from being disclosed, stolen or tampered with, including:
- formulating internal security management systems and operational instructions;
- determining the persons in charge of cybersecurity and defining their accountabilities for cybersecurity;
- taking technical measures to prevent computer viruses, network attacks, network intrusions and other activities that endanger cybersecurity;
- taking technical measures to monitor and record network operation and cybersecurity events, and retaining the related logs for no less than six months;
- taking other measures such as data classification, and backup and encryption of important data;
- establishing a sound data security management system and organising data security education and training for employees;
- formulating and organising the implementation of emergency plans for personal information security incidents; and
- performing other obligations required under relevant laws and administrative regulations.
Enhanced obligations for CIIOs
The CSL also requires that CIIOs take enhanced technical and management measures, including:
- setting up a dedicated security management body and designating a person in charge, and reviewing the security backgrounds of the responsible person and those in key positions;
- providing practitioners with regular cybersecurity education and technical training, and conducting skill assessments;
- making disaster recovery backups of important systems and databases;
- working out an emergency plan for cybersecurity events and carrying out drills regularly; and
- performing other obligations required under relevant laws and administrative regulations.
Enhanced obligations for important data handlers
Under the DSL, if business operators process important data, the following requirements apply:
- designating persons responsible for data security and establishing data security management bodies to ensure compliance with the data security obligations;
- carrying out risk assessments periodically for the data processing activities and submitting risk assessment reports to the relevant government authority; and
- keeping important data in China as required by law.
MLPS certification
Network operators with information systems located in China must go through MLPS certification, under which they assess and classify their infrastructure and application systems into one of five protection levels (from level 1, the lowest, to level 5, the highest). The assigned level determines the set of security protection obligations with which the network operator must comply.
The National Information Security Standardisation Technical Committee (TC260) publishes national standards (commonly referred to as the MLPS 2.0 standards) describing the technical and organisational controls that companies are expected to implement to meet their MLPS-related obligations.
Applying for cybersecurity reviews (CIIOs and online platform operators)
The Cybersecurity Review Measure requires that CIIOs that purchase network products and services, and online platform operators that conduct data processing activities, should go through cybersecurity reviews if such procurement by the CIIO or data processing activities by the online platform operators affects or may affect national security. Notably, the Cybersecurity Review Measure also requires that online platform operators that possess the personal information of more than one million users apply to the Cybersecurity Review Office for cybersecurity review before they are listed abroad.
Data localisation and conditions for cross-border data transfer
Data localisation refers to storing data within the country in which it was collected, and is driven by the aim of protecting national security and data security. China first introduced data localisation requirements in the CSL, which requires CIIOs to store personal information and important data in China. If there is a genuine business need to transfer such data outside China, the CIIO must undergo a security assessment organised by the CAC and obtain its approval before the cross-border transfer takes place.
This localisation requirement, originally targeting CIIOs, was extended by the DSL, the PIPL and their implementing rules to important data handlers and to PI handlers that process personal information reaching certain thresholds (Massive PI Handlers). The thresholds for Massive PI Handlers are:
- a PI handler[5] that processes the personal information of more than one million individuals; or
- a PI handler that, cumulatively since 1 January of the previous year, has transferred out of China:
- the personal information of more than 100,000 individuals; or
- the sensitive personal information of more than 10,000 individuals.
The PIPL also sets out the mechanisms that business operators must use to transfer personal information outside China:
- CIIOs and Massive PI Handlers must pass a mandatory security assessment organised by the CAC, as described above; and
- other business operators must
- obtain certification from ‘qualified institutions’;
- enter into a data transfer agreement with the overseas data recipients based on the standard contract published by the competent government authority; or
- use other mechanisms provided in laws and regulations.
For more detailed guidance, see the ‘China: Data Localisation’ chapter.
Effect of local laws on foreign businesses
All foreign-invested enterprises in China must comply with the CSL, DSL, PIPL and their implementing rules and regulations. As for overseas companies, the CSL and DSL have limited extraterritorial reach and apply to overseas businesses only if their network or data processing activities outside China harm the CII, national security, the public interest or the lawful rights and interests of citizens and organisations in China. Foreign companies may also be affected by the restrictions on cross-border data transfer and the associated compliance procedures.
The PIPL has a more general extraterritorial effect. Article 2 of the PIPL stipulates that the PIPL applies both to data processing activities within China and data processing activities that happen outside China, if the purpose is to provide products or services to individuals located in China, or to analyse or assess the behaviours of individuals located in China. Overseas companies caught by the extraterritorial jurisdiction of the PIPL must establish a dedicated entity or appoint a representative in China to handle matters in relation to the protection of personal information they collect, and file information about the entity or the representative with competent government authorities.
Foreign organisations or individuals may be put on a ‘blacklist’ that would restrict or prohibit them from receiving personal information from China if they infringe the personal information rights and interests of individuals in China, or harm the national security or public interest of China.
Responsibilities of directors
Under the CSL, a director may be subject to monetary fines, administrative penalties (such as being barred from working in cyber-related industries) or even criminal liability if they are regarded as the executive in charge of, or the person directly responsible for, the company’s violations.
For instance, under the CSL, the executive in charge and the directly responsible person may be fined up to 50,000 yuan (or 100,000 yuan if the company is a CIIO) if the company fails to fulfil its cybersecurity protection obligations.
Company executives face higher personal fines under the PIPL. If the company seriously violates the PIPL, the responsible executives may be fined up to 1 million yuan and prohibited from serving as executives of relevant companies for a certain period.
Best practices for responding to breaches
Cybersecurity incidents
The CSL provides that network operators must develop an emergency plan for cybersecurity incidents so that they can promptly respond to security risks such as system vulnerabilities, computer viruses, network attacks and intrusions. When an incident threatens cybersecurity, the operator concerned must immediately activate the emergency plan, take corresponding remedial actions and report to the competent authority.
Data breach
The PIPL provides that, where personal information is or might have been leaked, distorted or lost, the PI handler must immediately take remedial measures and notify the personal information protection authority and data subjects. This notification should include the following details:
- the types of personal information involved and the reason for the incident, and possible harm from the personal information leakage, tampering or loss that occurred or may occur;
- remedial measures taken by the PI handler and measures that data subjects can take to reduce harm; and
- contact information of the PI handler.
However, notification to data subjects is not mandatory if the PI handler is able to take measures that effectively avoid the harm caused by the leakage, tampering or loss. Even then, if the authority believes that harm may result, it may still require the PI handler to notify the data subjects.
The CSL and the PIPL require that the report to the authorities be made immediately, but are silent on the specific time frame within which it must be made. The Administrative Measures on Security Protection for International Connections to Computer Information Networks, issued by the MPS in 1997 and revised in 2011 (the MPS Measure), require internet operators to report illegal cybersecurity activities to the public security bureaus within 24 hours. However, that time frame under the MPS Measure governs only illegal or unauthorised cyber activities and sets no time frame for accidental internal failures.
Private redress options for unauthorised cyberactivity; recent examples of private litigation
The CSL and DSL each contain a general provision that a violation of the law that causes damage to individuals may give rise to civil liability. The personal rights, property rights and other legitimate rights and interests of data subjects are also protected by the PRC Civil Code: where unauthorised cyber activity occurs, the individual can claim civil compensation for the infringement of their rights. Under article 1165 of the PRC Civil Code, a party who is at fault in infringing another party’s civil rights and interests and causes damage thereby bears liability. Additionally, article 50 of the PIPL allows individuals to file a lawsuit if a PI handler rejects their request to exercise their personal information rights. The PIPL further allows public interest litigation: where the rights and interests of a large number of individuals are involved, the People’s Procuratorate, consumer protection organisations prescribed by law and organisations designated by the CAC have the right to file a public interest lawsuit.
Therefore, if an individual’s personal information rights and interests are harmed by unauthorised cyber activity, the affected individual can bring a tort claim under the Civil Code. Where there is no actual damage and the individual instead intends to sue under article 50 of the PIPL, a recent case decided by a court in Hangzhou, Zhejiang province, holds that the precondition for such a lawsuit is that the individual first makes a request to the PI handler and the PI handler refuses it. This gives PI handlers the opportunity to resolve disputes in advance rather than face litigation directly.
Recent trends and updates
China has paid increasingly close attention to cybersecurity and data security issues in recent years. In addition to the laws and regulations mentioned above, China has also released drafts of further implementing rules on cybersecurity and data security.
For example, China released the draft Network Data Security Management Regulations (the Draft Regulation) for public consultation on 14 November 2021. The Draft Regulation expands the cybersecurity and data security obligations under the existing laws and regulations, and imposes additional requirements on important data handlers, including:
- filing with the local branches of the CAC at the city level within 15 business days after they determine that the data processed constitutes important data;
- providing training on data security for all personnel annually (technical or management personnel working on data security must receive training for at least 20 hours per year);
- conducting an annual security assessment, either through a self-assessment or by a qualified third party; and
- submitting the annual assessment report to the local branches of the CAC by 31 January of the following year.
The Draft Regulation also expands the application scope of the cybersecurity review requirement under the Cybersecurity Review Measure to any merger, restructuring or division of an online platform operator that holds significant data resources concerning national security, China’s economic development or the public interest where this affects or may affect national security. The government has discretion to determine whether any of the relevant activities could affect national security.
Relevant case studies
Many companies that failed to comply with their cybersecurity obligations under the CSL have been penalised by government authorities. For example, in February 2021 a company suffered a cyberattack in which its system files were encrypted and a ransom was demanded. That company was penalised for failing to comply with its network security protection obligations under the CSL. The alleged non-compliance included a failure to formulate internal security management systems and operating procedures, and a failure to take technical measures to prevent computer viruses. The company was fined 10,000 yuan and a company executive was fined 5,000 yuan.
More recently, on 13 July 2022, the Shanghai branch of the CAC announced the launch of a special network security inspection campaign. The targets of the inspection are important websites, platforms and production systems in Shanghai. The campaign aims to promote cybersecurity work and prevent cybersecurity incidents ahead of the 20th National Congress of the Communist Party of China. Sector regulators in Shanghai have also been required to carry out inspections within their respective industries and report to the Shanghai CAC.
Notes
[1] For the purpose of this chapter, the ‘PRC’ or ‘China’ herein referred to excludes Hong Kong, Macao and Taiwan as they are in different jurisdictions.
[2] Important data refers to data that may endanger national security, economic operation, social stability, public health and safety, etc, once it is tampered with, destroyed, leaked or illegally obtained or used, according to the Measure for Security Assessment for Cross-Border Data Transfers, published on 7 July 2022 and effective from 1 September 2022.
[3] Ministry of Public Security, http://english.www.gov.cn/state_council/2014/09/09/content_281474986284154.htm.
[4] Ministry of Industry and Information Technology, http://english.www.gov.cn/state_council/2014/08/23/content_281474983035940.htm.
[5] ‘Personal information handler’ is a concept under the PIPL, similar to ‘data controller’ under the EU GDPR.