In July 2015, China released its new draft cybersecurity law (the 'Law'),
which will potentially have far-reaching consequences for network
operators and companies doing business in China.
The Law regulates cross-border data transfers and gives
individuals greater protection over their personal data, including
granting them increased rights to access and amend their personal
information. The Law also imposes a range of stringent new
obligations, while awarding the government added powers to access
and block dissemination of private information which would be
deemed illegal under Chinese law.
Under the Law, the PRC government will be able to:
Restrict the transmission of
information over the Internet to certain places where privacy
incidents have occurred previously in order to protect national
Introduce a new 'localization
law' which will oblige certain entities to store any
information deemed by the government as "important" or
"critical" within China. If there is a legitimate
business reason to store or otherwise transfer such data abroad,
the transferring organisation will be required to complete a
security evaluation which meets government requirements
before any such data can be transferred. This obligation
is intended to apply only to organisations in "key information
infrastructure sectors," but it is unclear exactly how this
term will be interpreted.
The Law also introduces a raft of new obligations on network
operators (which is widely defined and covers, for example,
telecoms operators and ISPs). These new obligations include duties
Maintain cybersecurity protocols to
safeguard against viruses and other malicious attacks
Ensure that their products and
services meet minimum national security standards
Promptly notify any users affected by
any data security breaches
The Law reflects an international trend of increasing
legislative focus on tackling cybersecurity threats. One of the
concerns expressed about the Law is that it has been drafted so
broadly as to make it difficult to predict exactly how it will be
enforced. The final day for feedback has now passed, so the final
form of the Law remains to be seen.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On 12 August 2016, the Cyberspace Administration of China (CAC), the General Administration of Quality Supervision, the Inspection and Quarantine of China (GAQSIQ), and the Standardisation Administration of China (SAC) jointly released Several Guidelines to Strengthen National Cybersecurity Standardisation (the "Guidelines").
On July 21, the Personal Data Protection Commission ("PDPC") imposed a $5,000 fine on Toh-Shi Printing Singapore for its failure to implement proper and adequate verification procedures...
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).