The Chinese Cybersecurity Law

The Chinese Cybersecurity Law

China’s Cybersecurity Law is a data privacy law that was passed by the Chinese government in 2017. As China is the world’s most populous country and in turn has the largest online presence in the world, protecting the data privacy rights of Chinese citizens is of the utmost importance. Consisting of 79 articles broken up into 7 chapters, China’s Cybersecurity Law is particularly large in scope. The law contains an encompassing framework that targets the regulation of internet security, the protection of personal or sensitive data and information, and the development of safeguards for both cyberspace security and sovereignty. China’s Cybersecurity law is similar in scope and function to the cybersecurity framework that has been adopted by the U.S. National Institute of Standards and Technology or NIST.

To this point, the Chinese Cybersecurity Law also emphasizes specific requirements in regards to network services, products, information, and operations security, early detection, monitoring, emergency response, and reporting. In terms of the data privacy aspect of the Chinese Cybersecurity Law, the law is similar to other data protection privacy laws around the world that place requirements and restrictions on the processing of personal data or information. Moreover, the law also offers insights in relation to how the Chinese government plans to handle the flow of personal data and information across international borders?

What are the requirements of network operators under The Chinese Cybersecurity Law?

Under China’s Cybersecurity Law, network operators must follow a list of requirements in order to achieve compliance. These requirements are as follows:

Conversely, the Chinese Cybersecurity law also lays out various requirements related to operations security for Critical Information Infrastructure or CII for short. Under the Chinese Cybersecurity Law, CIIs must adhere to the following operations security provisions:

How is personal information defined under the Chinese Cybersecurity Law?

Under China’s Cybersecurity Law, personal information is defined to mean “information recorded by electronic or other means that can be used alone or in combination with other information to identify a person, including name, date of birth, identity document number, personal biometric information (such as fingerprints, facial recognition, and retina scans), address, telephone number, and similar personal details”. Under the Chinese Cybersecurity Law, network providers must adhere to the following requirements in relation to protecting the personal information of Chinese citizens:

What are the penalties for violating the Chinese Cybersecurity Law?

Under China’s Cybersecurity Law, network operators who are found to be in violation of the law can face both monetary and penalties as well as legal liabilities. These penalties can be applied to both individuals as well as business entities and enterprises. Monetary penalties for violation of the Chinese Cybersecurity Law can range anywhere from RMB 5,000 ($773.91) to RMB 1,000,000 ($154,781). On the contrary, potential legal consequences can include the suspension of an organization’s or enterprise’s business license, the revocation of said business license, the removal of liable individuals from their office or job function, and criminal liability.

While the Chinese Cybersecurity Law has drawn some criticism from American media outlets in relation to the somewhat ambiguous nature and scope of the law, the law undoubtedly provides Chinese citizens with another layer of protection in regard to their personal information. As China is the world’s most populous country and by extension boasts the most internet users of any other country in the world, laws such as the Chinese Cybersecurity law are very much needed. With such legislation, Chinese citizens can rest assured that they are afforded an avenue of recourse in regards to the personal information that they share with network operators via the internet.

Related Reads