An Overview of People’s Republic of China’s Cybersecurity Law

According to China Briefing, the Cybersecurity Law defines network operators as network owners, managers, and network service providers. In fact, the vast majority of enterprises that use networks today meet the definition of network operators and are therefore subject to the corresponding responsibilities and obligations.

 

The Cybersecurity Law of the People’s Republic of China was adopted at the 24th Session of the Standing Committee of the 12th National People’s Congress on 7 November, with 154 affirmative votes and one abstention. The Cybersecurity Law will come into effect on 1 June 2017.

 

Scope of China’s Cybersecurity Law

It is safe to assume that any company (regardless of size and domestic or multinational extent) operating its network – including websites and internal and external networks – to conduct business, provide a service or collect data in China could very likely be in scope.

The Cybersecurity Law is applicable to network operators and businesses in critical sectors. The law requires network operators to cooperate with Chinese crime or security investigators and, upon request, to give the authorities full access to data and unspecified “technical support”. The law also imposes mandatory testing and certification of computer equipment for critical sector network operators.

Penalties for Violating the Cybersecurity Law of China

Under the Criminal Law of the People’s Republic of China, cybercrimes are mainly addressed in the section “Crimes of Disturbing Public Order”. Articles 285, 286, and 287 are the three major articles that directly relate to cybercrime. The punishments for violating Articles 285, 286, and 287 include imprisonment, detention, and fines. A convicted offender may face imprisonment of up to seven years for illegally obtaining data from a computer.

 

According to Article 5: The State takes measures for monitoring, preventing, and handling cybersecurity risks and threats arising both within and without the mainland territory of the People’s Republic of China. The State protects critical information infrastructure against attacks, intrusions, interference, and destruction; the State punishes unlawful and criminal cyber activities in accordance with the law, preserving the security and order of cyberspace.

How does the Cybersecurity Law apply to businesses?

The “cybersecurity” in the Cybersecurity Law should be understood in the broad sense. The Chinese cybersecurity law covers a whole range of domains, including:

  • Information Security
  • Control System Security
  • Computer Security
  • Communication Security
  • Automation

 

Note that the businesses affected by the Cybersecurity Law are not limited to those in the information technology (IT) industry.

 


Understanding China’s New Cybersecurity Law 2020


On April 27, 2020, the Cyberspace Administration of China (“CAC”) and eleven other government agencies jointly released the final version of the Measures on Cybersecurity Review (“Measures”) (an official Chinese version of the Measures is available here). These Measures took effect on June 1, 2020. China has issued a slew of draft regulations since its Cybersecurity Law first took effect in June 2017, all with an eye toward creating a legal framework for cybersecurity and data protection. To date, legislative priorities have focused on:

  • Personal information protection.
  • Cross-border data transfers.
  • Expanded scope, protections, and security assessments for critical information infrastructure.

The rules could affect purchases of server equipment, mass storage devices, cloud computing services, and large-scale databases, among others. There is no clear definition of which companies could be classified as critical information infrastructure operators, though they broadly include firms involved in the finance, energy, transportation, and telecommunications industries, or those that handle large amounts of personal data.

Some of the notable provisions in this draft include:

 

  • Article 2 states that legal liability would be pursued even if entities outside China “engage in data activities that harm the national security, the public interest, or the lawful interests of citizens or organizations” in China.
  • Article 19 introduces a new system for regulating data based on “different grades and classifications, according to the degree of importance to economic and social development” and to the severity of harm that might come from the abuse of the data.
  • Article 19 also charges regional government and sectoral regulators with producing catalogs of what constitutes “important data,” which would distribute responsibility widely as to determining the reach of data security responsibilities and requirements.
  • Article 24 would establish a way to retaliate for measures by foreign governments that target China with discriminatory prohibitions, limitations, etc., around data investment or technology.
  • The law also outlines but does not detail procedures for national security or law enforcement authorities seeking data from private data holders (Article 32), and for providing data in China to law enforcement authorities abroad (Article 33).

 

The Cybersecurity Review Office shall provide written notification to the relevant Operator if it thinks a cybersecurity review is required and shall complete the preliminary review within 30 working days of such written notification. The time limit may be extended by 15 working days if the case is complicated. As for the special review, it shall be completed within 45 working days normally, but the time limit may be extended if the case is complicated. The time for supplemental document submission is not included in these time limits.

Operators are required to make “anticipatory judgments” over whether the use of the equipment could pose a threat to national security. If risks are found, operators will be required to submit a cybersecurity review application to the government. A new government office will be set up to conduct evaluations to determine whether the equipment can be interfered with or illegally controlled, whether the systems could jeopardize data security, or if there are risks of service outages.
