In November of 2016, China passed a new law that broadened its cyber security requirements. The law went into effect on June 1, 2017. The effort by China is similar to other cybersecurity initiatives we've seen advanced in multiple jurisdictions around the world.
The law focuses on cybersecurity but it also outlines how companies are to handle personal information and data. The new law requires a user's consent before collecting personal information and the information must be kept confidential.
Personal information is defined as that which can be used on its own or with other information to determine the identity of a natural person (including name, date of birth, ID card number, biological ID information, address, and telephone number).
The Cyberspace Administration of China published a draft "Measures for Security Assessment of Personal Information and Important Data Leaving the Country" in April. The guidance raises concerns for multi-national businesses that operate in China by expanding the measures to all network operators. This means that all personal information and important data collected by network operators within China must be stored and kept within China. The only exceptions are for a "genuine business need" and only after a security assessment is completed.
Network operators are owners of networks, administrators of networks, and network service providers. Networks are systems consisting of computers or other data terminal equipment and relevant devices that collect, store, transmit, exchange, and process information. The definitions of network and network operators are vague enough to leave a lot of room for interpretation.
If you are a multi-national company operating in China, and collect personal data you should follow the developments of the guidance documentation and the enforcement practices around this law.
Contact us at firstname.lastname@example.org with any additional question's or for more information.
- China Law Translate - "2016 Cyber Security Law English Translation"
- Hunton & Williams LLP - "Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country English Translation"
- The National People's Congress of the People's Republic of China - "Internet Security Law of the People 's Republic of China, Adopted at the Twenty-fourth Meeting of the Standing Committee of the Twelfth National People's Congress on November 7, 2016"
- Forbes - "China's Cyber Security Law: Can Foreign Parties Sue China's Technology Cos. for Violating the Law?"
- Forbes - "China's Cyber Security Law: The Impossibility of Compliance?"
- Zasio - "China Further Expands Reach of Data Localization Law to Multinationals"