China: Micron review highlights importance of national security concerns
This is an Insight article, written by a selected partner as part of GDR's co-published content. Read more on Insight
China’s cybersecurity regulatory system encompasses traditional cybersecurity and data security.
Key statutes, regulations and international standards
The Cybersecurity Law (CSL), which came into effect on 1 June 2017, applies to the construction, operation, maintenance and use of IT networks within China, as well as cybersecurity management matters. It primarily applies to ‘network operators’, which covers most business operators in China using the IT network, including network owners and managers and network service providers.
The Data Security Law (DSL), which came into effect on 1 September 2021, serves as the highest-tier legislation for data security supervision in China. It establishes the responsibilities of regulatory authorities and data processors and imposes additional obligations in respect of certain ‘important data’.
The CSL and DSL are supported by a number of accompanying laws relating to, among other things:
- Multilevel Protection Scheme (MLPS): the MLPS sets out basic obligations that Chinese network operators must comply with, including in relation to the evaluation of their operating systems and the establishment of organisational and technical protection measures based on the level of the operating systems. The general rules of the MLPS mainly comprise the ‘Guiding Opinions on the Implementation of the Multi-Level Protection Scheme and the Critical Information Infrastructure Security Protection Scheme’ from the Ministry of Public Security (MPS) and the ‘Guidelines for Grading of Classified Protection of Cybersecurity and Information Security Technology: Implementation Guide for Classified Protection of Cybersecurity’. Specific requirements have been established in some sectors, such as finance.
- Critical information infrastructure (CII) protection: CII refers to key network facilities and information systems in key sectors, which may seriously endanger national security and public welfare if subject to any destruction, loss of function, or data leakage. The key regulation for CII protection is the ‘Regulations on the Security Protection of Critical Information Infrastructure’ along with the national guideline ‘Operation Guide for National Cybersecurity Inspection’. The determination of CII is the responsibility of sectoral regulators. Operators identified as CII operators (CIIOs) receive corresponding notices, which impose additional cybersecurity and data protection obligations.
- Internet information content management: this refers to the management regime targeting information content in cyberspace with the aim of promoting a positive network ecology and disposing of illegal and harmful information. It includes regulations such as the ‘Administrative Measures for Internet Information Services’, the ‘Provisions on the Ecological Governance of Network Information Contents’, the ‘Administrative Provisions on Algorithm Recommendation for Internet Information Services’, the ‘Provisional Measures for the Administration of Generative Artificial Intelligence Services’ and the ‘Administrative Provisions on Deep Synthesis of Internet-based Information Services’. There is a regulatory trend away from solely focusing on information content towards also focusing on the governance of algorithms, which are used to generate information content. This is reflected in recent measures targeting algorithm management, deep synthesis and generative artificial intelligence (AI) technology, such as algorithm security assessments and filing-for-record requirements on algorithms.
- Cybersecurity review: when CII operators procure network products and services, or when network platform operators engage in data processing activities that may impact or potentially impact national security, they must undergo cybersecurity reviews. This is one of the main ways by which Chinese regulators ensure CII supply chain security, cybersecurity and data security and maintain national security. The key regulation in this regard is the ‘Cybersecurity Review Measures’.
- Data security obligations, including the following:
- Data classification and grading: the ‘Guidelines for Network Data Classification and Grading’ specify methods and measures for classifying and grading core, important and general data. Specific guidelines have been established in sectors such as finance.
- Identification and protection of important data: important data differs from state secrets and refers to data that, if leaked, could potentially endanger national security and economic operations, among other things. It is, therefore, subject to additional cybersecurity obligations, including the ‘Rules for Identification of Important Data (Draft for Comments)’. Specific criteria for the identification of important data have been established in certain industries such as the automotive industry.
- Cross-border data transfers: relevant regulations include the ‘Measures for Security Assessment of Cross-border Data Transfer’, the ‘Provisions for Standard Contract for Outbound Transfer of Personal Information’ and the ‘Implementation Rules for Personal Information Protection Certification’. Regarding the cross-border transfer of important data or personal information, there are three main ways to action this: security assessment, standard contracts and certification. Security assessment prevails over the other two (ie, a data processor can only choose the certification or standard contract pathway if the security assessment pathway is not applicable). If a data processor (either a CIIO or a non-CIIO) provides important data overseas, or a CIIO provides personal information overseas, a security assessment must be conducted. In particular, a security assessment must be conducted if the data to be transferred qualifies as important data, regardless of the amount of data or the nature of the data processor. This is because the security assessment is designed to safeguard national security, while important data closely relates to national security, economic operation, social stability, public health and safety, etc.
The formulation of some national standards or guidelines has taken into account or incorporated relevant international standard requirements. For instance, the ‘Information Security Technology – Terminology’ standard aligns with ISO 27001 and ISO 27002, while the ‘Information Security Technology – Network Data Processing Security Requirements’ have drawn from ISO 20000-1.
Additionally, although international standards are not directly adopted as regulations within China’s network and data regulatory system, holding certifications related to such standards can serve as practical evidence of a company’s considerable level of cybersecurity and data protection.
China does not have a separate and unified enforcement agency specifically dedicated to supervising cybersecurity and data security; instead, enforcement is carried out by different regulatory authorities, as set out below.
- Cyberspace Administration (CAC): the national CAC and its local departments focus on data protection, internet information content management, cybersecurity reviews and cross-border data transfers. For example, they perform enforcement inspections on mobile app data protection compliance and internet information content management, handle applications for cybersecurity reviews and perform security assessments for cross-border data transfers.
- Public Security Department: the Public Security Department, including the MPS, oversees traditional information security, such as the MLPS, CII protection and emergency management of cybersecurity incidents. It also focuses on data security law enforcement work related to preventing and combating telecoms fraud.
- Sector-specific regulators: these include the Ministry of Industry and Information Technology (MIIT), which oversees the telecoms sector, and the People’s Bank of China, which oversees the finance sector. They carry out sector-specific network and data regulation, including enforcement actions related to mobile app regulation and consumer information protection, and identification and protection of important data. Their national and local industry and information technology departments, as well as telecoms departments, are relatively active in enforcement actions, focusing on carrying out cybersecurity and data security supervision work relating to the internet, automotive and telecoms, among other fields.
There are no management relationships between those different authorities except the national and local institutions within the same authority. Relevant enforcement actions may be carried out by single or multiple authorities jointly, depending on factors such as the industries involved, the scale of the enforcement challenge and nature of the issue.
Relevant obligations for companies
The general compliance obligations in the CSL and the DSL apply to ‘network operators’ and ‘data processors’, which are broadly defined. Most enterprises that use information systems or process data in China are likely to be within the scope of those definitions and must meet the corresponding compliance requirements.
All network operators and data processors as defined in the CSL or the DSL must comply with certain cybersecurity obligations; however, heightened requirements apply if the entity is an important data processor or a CIIO. Under the DSL, ‘important data processors’ are data processors involved in processing important data. Under the CLS, CIIOs are the network operators responsible for operating CII.
A company’s obligations to ensure IT system and data security is determined by their role, as shown in the table below:
Network operators and data processors
Processors of important data*
|Organisations and personnel||Designation of the cybersecurity officer of the organisation||Designation of the data security officer and establishment of the data security management organisation|
Establish a dedicated network security management organisation (responsible for cybersecurity planning and drills, training, reporting of cybersecurity incidents, etc) and conduct background review on key personnel involved in the cybersecurity operations
Specify the primary responsibilities (leading on the security protection and essential security events handling, researching key cybersecurity issues, etc) of protecting CII security to the executives of the company
|Policies and measures|
Implementation of data classification and grading, full life cycle data management and security incident emergency management
Implementation of the MLPS assessment and filing
Implementation of necessary technical measures for data security
For network platform operators that possess the personal information of over 1 million people, requirement to undergo cybersecurity review when seeking overseas listing (eg, filing IPO applications in front of the securities exchange agencies in the United States or Europe)
|Safeguard the security of important data by: (1) identifying important data and updating it in a timely manner; (2) implementing measures for secure storage and transmission (eg, storage medium management, disaster recovery backup, encrypted transmission and identity verification); (3) conducing a security assessment before transferring important data to the overseas parties; and (4) regularly performing risk assessments on activities involving important data, the key aspects of such assessments shall be reported to regulatory authorities|
Safeguard the security of CII by ensuring: (1) personal information and important data generated within China is stored within China and security assessments are performed for cross-border transfers; (2) disaster recovery backups for important systems and databases are conducted; and (3) performance of mandatory annual assessments, the key aspects of which shall be reported to regulatory authorities
If the procurement of network products and services might impact or potentially impact national security, a cybersecurity review must be conducted
|* Implement the following obligations on the basis of the obligations of network operators and data processors|
Effect of local laws on foreign businesses
The CSL and DSL apply to all entities operating within China, regardless of whether they have elements of foreign investment or ownership.
The extraterritorial jurisdiction of the CSL and the DSL is limited. Generally, they only apply to foreign entities operating outside China if their network or data processing activities within Chinese territory pose harm to national security, public interests or the legitimate rights and interests of Chinese citizens and organisations.
Responsibilities of directors
Failure to comply with the DSL or the CSL may result in regulated entities facing civil, administrative or criminal liabilities, depending on the scenario.
Civil liabilities often arise in cases involving the provision of products or services to enterprises and individuals, such as damages payable to relevant individuals for illegally processing their personal information and for being responsible for losses to users owing to the network products provided not meeting the relevant security protection level.
Criminal liabilities – such as for illegally hacking computer systems, disrupting the functionality of computer information systems and aiding criminal activities on information networks – have the most severe punishments, which are regulated by criminal law, including imprisonment, detention and fines.
Directors will not be liable for cybersecurity or data protection violations of the company unless they are deemed to act as the directly liable person (eg, the officers directly participate in the planning, organisation and implementation of the illegal activities) or the person in charge (eg, the officers accountable for the relevant illegal activities owing to their managerial function). For civil violations, a directly liable person or the person in charge may be penalised with fines or detention in addition to the punishment of the responsible entity. Generally, individuals may face fines ranging from 5,000 yuan to 1 million yuan under the CSL and the DSL. For criminal violations, the punishment of the directly liable person or the person in charge may include imprisonment, detention and fines.
In September 2022, the regulatory authorities released draft legislation for comments that proposed revising the CSL to allow for, in cases of severe violations, directly liable persons or the person in charge to also be prohibited from serving as a company director, supervisor or senior manager or from working in a key role in cybersecurity management or network operations for a specified period.
Best practices for responding to breaches
Under the CSL and the DSL, companies must have in place an emergency response plan for cybersecurity or data security incidents. When emergency occurs, companies must immediately initiate their emergency response plan, implement remedial measures and report the incident to regulatory authorities while informing affected users.
In practice, companies should assess how to fulfil their reporting obligations to regulatory authorities and user notification obligations based on the actual consequences of the incident and the remedial actions taken. If the incident results in significant losses, the company should promptly report the incident to the local public security department and relevant regulatory authorities, adhering to the reporting deadlines and methods specified by the relevant local authorities.
Additionally, where an incident leads to the leakage of user data or similar issues that cannot be prevented, the companies should inform the impacted individuals of the incident, as well as the remedial measures that have been taken by the company or that can be taken by the impacted individuals.
Private redress options for unauthorised cyber activity
Both the CSL and the DSL stipulate that those who cause harm to other individuals through illegal means are subject to civil liability. The Civil Code also explicitly states that individuals or entities who negligently infringe the civil rights and interests of others are responsible for the consequences of their actions, which provides a legal basis for individuals to protect their rights through litigation.
A recent case heard by the Shanghai Court involved a homeowner suing a property management company for alleged illegal collection of their facial information. This case is an example of how the available mechanisms may apply in practice. It confirmed:
- as the subject of the personal information, the homeowner was entitled to protect their legitimate interests by exercising their right to litigation when there was reasonable suspicion of infringement; and
- the property management company could, in turn, provide objective evidence demonstrating the absence of storage and use, as well as subjective evidence proving the lack of intentional collection, and thereby demonstrate that there was no infringement or harm.
Recent trends and updates
Regulatory authorities have remained vigilant on cybersecurity and data security. There have been several recent developments including the following:
- Strengthened management of cross-border data transfers: measures have been implemented regarding the security assessment of cross-border data transfers, the execution and filing of standard contracts for cross-border data transfers of personal information, and the certification of outbound transfers of personal information. Such regulations provide compliance mechanisms for different scenarios involving the cross-border transfer of important data and personal information. Among other things, organisations that transfer important data abroad in the course of their business must undergo a security assessment. The grace period for security assessments ended on 1 March 2023, although there is still an ongoing surge in applications. The grace period for the filing of standard contracts will end on 1 December 2023.
- Strengthened algorithm governance: for activities involving the use of algorithms such as recommendation systems, deep synthesis techniques and generative AI technologies in data processing, entities are required to fulfil obligations such as algorithm filing, security assessment and content review in accordance with the CSL, the DSL and sector-specific rules regarding algorithm governance.
- Accelerating the identification and protection of important data: local regulatory departments in regions such as Shanghai have organised local companies to work on the identification and protection of important data, resulting in several relevant reference cases. In the near future, the identification and protection of important data will be a key focus of regulatory efforts.
Relevant case studies
The recent cybersecurity review case involving Micron Technology has attracted significant attention. In May 2023, Micron was informed of a review decision that stated its products had significant network security vulnerabilities, posing a major security risk to China’s CII supply chain and impacting national security. Consequently, domestic CIIOs were required to stop procuring Micron products.
This case shows the importance of CIIOs conducting an assessment of potential national security risks when procuring network products and services and deciding whether to apply for a cybersecurity review based on this assessment. Additionally, it is necessary for companies to regularly evaluate whether the network products and services already procured are included in the list of prohibited procurements by the state.
Network product and service suppliers should also pay attention to the possibility of their products and services sold in China posing dangers to China’s national security. This includes conducting all cybersecurity reviews required by the Cybersecurity Review Measures in accordance with applicable requirements and making appropriate and timely adjustments according to the outcome of that assessment.
Actions regarding infringements of user rights and interests by mobile apps is one of the main ongoing enforcement actions carried out by the CAC, as well as other bodies. Taking the enforcement actions of the MIIT as an example, since 2020, the MIIT has released 29 lists of apps and software development kits (SDKs) that violate user rights and interests. The lists include examples of apps and SDKs that collect personal information in violation of the DSL and CSL regimes. Relevant operators of the listed apps and SDKs were required to rectify the issues identified within a limited time. If an operator does not rectify the issue properly, it may be forced to remove the infringing app from app stores.
There have also been enforcement actions regarding the implementation of data protection obligations. Recently, two companies in Hangzhou and Nanchang, respectively, faced warnings, corrective orders and fines from the local cyberspace administrations because of their failures to take appropriate measures to ensure data security. These examples illustrate that regulatory focus has penetrated into the daily operational and technical details of security, emphasising the need for companies to effectively manage cybersecurity and data security in their day-to-day operations.
 For the purpose of this chapter, China excludes the Hong Kong Special Administrative Region, the Macau Special Administrative Region and the Taiwan region.
 The Personal Information Protection Law (PIPL), which came into effect on 1 November 2021, also imposes cyber-related obligations on personal information handlers for the purpose of personal information protection. This chapter focuses more on cybersecurity and data security than on privacy and personal information protection. For further details about the PIPL, please refer to the ‘China: Privacy’ chapter.
 ‘Operating systems’ refer to systems comprising computing or other information terminals and related devices that collect, store, transmit, exchange and process information in accordance with certain rules and procedures, such as office systems, cloud computing platforms and systems, the internet of things, industrial control systems and systems using mobile internet technology.
 To clarify, the Multilevel Protection Scheme evaluation of the operating systems must be conducted by professional third-party institutions entrusted by the network operators and must focus on the physical environment, technical safeguards and personnel organisation, among other things, in relation to the operating systems. The level of the operating systems is determined based on the result of the evaluation. For filing purposes, network operators submit the outcome of the evaluation (ie, the level of the operating systems) and with the evaluation report to the public security department.
 For details about the cross-border transfer of personal information, see the ‘China Privacy’ chapter.
 For details about the extraterritorial effects of the PIPL, see the ‘China: Privacy’ chapter.
 Cybersecurity Law, Chapter IV; Data Security Law, Chapter IV.
 Decision on Revisions of the Cybersecurity Law (Draft for Comments), 12 September 2022.