Point of View: Interpretations of the updates of China’s Cyber Security Law

Point of View: Interpretations of the updates of China’s Cyber Security Law

All companies incorporated within Mainland China are required to abide by the Cybersecurity Law of The People's Republic of China (PRC), which went into effect 1 June 2017. Given the complex business relationships within the international market, the Cybersecurity Law will continue to have important political, economic, and technical implications for both domestic and multinational corporations (MNC). As updated regulations and interpretations to the Law have been released since 2017, this Point of View (POV) aims to provide further insight to the Law and expand on our July 2017 white paper, China’s Cybersecurity Law and Its Impacts: Key requirements businesses need to understand to ensure compliance.

Technically speaking, the Cybersecurity Law is an “umbrella law” that encompasses a structured suite of security and privacy laws that are enforced by official sources of law. To be in compliance, companies must understand not only the Cybersecurity Law but also these supportive regulations, rules, and interpretations. This POV offers an overview of recent updates to the Law and addresses the compliance challenges that they may pose.

Point of View: Interpretations of the updates of China’s Cyber Security Law

Overview of the Cybersecurity Law

The Cybersecurity Law integrates preexisting regulations and rules of the PRC to create a structured and statutory law addressing the following legislative objectives:

  • Define the principle of cyberspace sovereignty
  • Define the cybersecurity obligations of internet products and services
  • Formulate the rules of personal information protection
  • Establish a security baseline for critical information infrastructure
  • Institute rules for cross-border transmission of data

The Cybersecurity Law also provides detailed articles and provisions on legal liability, prescribing a variety of penalties that include fines, certificate suspension, and revocation of permits and/or business licenses. Where criminal acts are involved, offenders will be punishable according to the Criminal Law of the People’s Republic of China. The Cybersecurity Law grants the Cyber Security Administrative Authorities (CSAA) with rights and guidelines to carry out legal enforcement on illegal acts.

Affected Organizations and Updated Compliance Requirements

The Cybersecurity Law expressly applies to network operators and critical information infrastructure (CII) operators within mainland China. Since the release of its updated guidelines, more details have become available regarding compliance requirements for network operators and CIIs.

“Network operator,” as defined in the appendix to the Cybersecurity Law, could be applicable to almost all businesses in mainland China that own or administer their networks. The Cybersecurity Law may also be interpreted to encompass a wide set of industries apart from traditional information technology, internet service providers, and telecommunications companies. Therefore it is safe to assume that any company operating its network - including websites, as well as internal and external networks - to conduct business, provide a service, or collect data in mainland China falls within the scope of “Network operator.”

Although the Cyberspace Administration of China (CAC) has yet to issue further guidance on CIIs, it has incorporated a wide range of industries, including but not limited to communications, information services, energy, transportation, utility, financial services, public services, and government services. In general, the requirements for network operators and CIIs are similar in terms of their objectives, but the requirements for CIIs are more stringent. The differences in obligations between network operators and CIIs are detailed below and organizations should take note of where they fall.