The new cybersecurity law of China that came into effect on the first June last year, was an important event for the companies that have a business interest in this country. They need to have a complete understanding of the changes and provision of the law in order to make their business dealings smoother and hassle-free.
The primary objective of the law is to identify potential security vulnerabilities of any company doing business in the country. The new cybersecurity law of China requires local and overseas firms to submit security checks and store user data within the country. This law applies with respect to the construction, operation, maintenance and usage of networks, as well as network security supervision and management within the mainland territory of the People’s Republic of China.
Localization of data in China-
Amongst the stringent requirements under the CSL, the one that has attracted most attention from foreign companies is the requirement for localization of personal information and important data in China (i.e. Mainland China). According to the new law, the network operators need to store select data within Chinese territory so that the government authorities can spot-checks on a company’s network operations whenever they want. The CSL requires all the personal information and important data collected by an operator during its business operations should be kept in China. Security assessments are required prior to any disclosure or transmission of such data from China to overseas jurisdictions. The Chinese government is projecting this move as an effective step to take China in line with global best practices for cybersecurity.
Foreign companies that are likely to pay more attention-
Any foreign company that maintains a computer network in China should be aware of the new law and how to comply them. Following are the list of companies who should pay serious attention to the new cybersecurity law-
- A company that uses a network in China
- A company that primarily gathers and stores data in China
- Businesses that provide network services and products to China
The authority plans to extend these data localization regulations to cover other general network operators and online service providers. Although not yet announced, it is likely businesses will be given a grace period until the end of 2018 to comply with data localization requirements. Depending on the sensitivity of the data at issue, there may be other conditions or restrictions on transfer. In any case, network operators are to conform outbound transfers by December 31, 2018.