The Cyberspace Administration of China released Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country, intended to assist in the implementation of China’s new Cybersecurity Law. In November 2016, the National People’s Congress initially passed the Cybersecurity Law. The law is the latest step in China’s long-term campaign for jurisdictional control over content on the internet.
Some of the key aspects of China’s cybersecurity law:
- The law brought enormous reforms in data management
- Monitors internet usage regulations in China
- Imposes new requirements for network and system security
According to China Briefing, the Cybersecurity Law defines network operators as network owners, managers, and network service providers. In fact, nowadays, the vast majority of enterprises employing networks are in line with the definition of network operators, and therefore are subject to corresponding responsibilities and obligations. It is safe to assume that any company (regardless of size and domestic or multinational extent) operating its network – including websites and internal and external networks – to conduct business, provide a service or collect data in China could very likely be in scope.
The rules could affect purchases of server equipment, mass storage devices, cloud computing services, and large-scale databases, among others. There is no clear definition of which companies could be classified as critical information infrastructure operators, though they broadly include firms involved in the finance, energy, transportation, and telecommunications industries, or those that handle large amounts of personal data.
Penalties for breaking China’s cybersecurity law:
- Penalties for violating the Law are clearly stated, and include the suspension of business activities.
- Serious illegal action may lead to the closing of businesses or the revocation of licenses.
- The maximum fine may reach RMB1,000,000.
Zhang Dejiang, chairman of the standing committee of the NPC, declared that China had “a solid legal foundation for accelerating the establishment of a national security system and taking a distinctly Chinese approach to national security.” This was seen by many in the West as a strong rebuttal of the criticism of China’s counter-terrorism law and the draft laws on cybersecurity and management of NGOs.
Local governments are made responsible for data security in their respective regions. According to Article 5 of the law, the State takes measures for monitoring, preventing, and handling cybersecurity risks and threats arising both within and without the mainland territory of the People’s Republic of China. The State protects critical information infrastructure against attacks, intrusions, interference, and destruction; the State punishes unlawful and criminal cyber activities in accordance with the law, preserving the security and order of cyberspace.