Point of View: Interpretations of the updates of China’s Cyber Security Law

Point of View: Interpretations of the updates of China’s Cyber Security Law


Cyber Security Law (CSL) of People's Republic of China was approved by Standing Committee of the National People’s Congress in November 7th, 2016 and have already taken effect officially on June 1st, 2017. All legal entities incorporated in China Mainland are required to abide by the Law. Considering the extensive business relationship of international market, the Law have and will continue to exert impact on both domestic and multinational corporation (MNC) politically, economically and technically.

Technically speaking, Cyber Security Law (CSL) is the “Umbrella of Law” and is the top of the pyramid-structured suite of security and privacy laws. The enforcement of Cyber Security Law (CSL) will depend on other official sources of Law such as Administrative Regulations, Local Regulations, Administrative Rules, and Judicial Interpretation. To comprehensively comply with Cyber Security Law (CSL), legal entities must understand both Cyber Security Law (CSL) and supportive regulations, rules as well as interpretations. With many regulations, rules and interpretations issued since 2017, this POV is the update for the CSL POV that was published in July 2017.

Overview of Cyber Security Law (CSL)

Cyber Security Law (CSL) is an evolution of the previously existent cybersecurity regulations and rules from official sources of Law in People's Republic of China. They now integrated different regulations and rules together to create a structured and statutory law that address the following legislation objectives:

  • Define the principle of cyberspace sovereignty
  • Define the cybersecurity obligations of internet products and services providers
  • Formulate the rules of personal information protection
  • Establish a security baseline for critical information infrastructure
  • Institute rules for the cross-border transmission of data

Cyber Security Law (CSL) also provides elaborate articles and provisions on legal liability. For different types of illegal conduct, Cyber Security Law (CSL) prescribe a variety of punishments, such as fines, certificate suspension, revocation of permits and business licenses. When criminal acts involved, Criminal Law is referenced for punishment. The Law accordingly grant Cyber Security Administrative Authorities with rights and guidelines to carry out legal enforcement on illegal acts.

Compliance Requirements of Cyber Security Law (CSL)

The Cyber Security Law (CSL) stipulate the responsibilities of network operators and operators of critical information infrastructure. A network operator, such as internet products and services provider, is required to fulfill certain technical security measures and compliance procedures to protect networks from compromise and registered in local administrative authorities. An operator of critical information infrastructure (CII) must comply with more strict regulations besides those followed by network operators. If they need to transmit data to overseas affiliates or headquarters, they will have to either restructure system architecture regarding cross-border data transfer or conduct assessment and prepare for regulatory authorities approval, in order to avoid violation of the data localization requirements under the Law. Personal information protection is another emphasis. The requirements can be compared with General Data Protection Regulation (GDPR) in European Union Law, but with some differences. The third area is in the area national sovereignty, such as data residency and real-name registration.

Click “Download” to read the full article.