China's New Cyber-Security Law Effective June 1, 2017

In November of 2016, China passed a new law that broadened its cyber security requirements.  The law went into effect on June 1, 2017.  The effort by China is similar to other cybersecurity initiatives we've seen advanced in multiple jurisdictions around the world. 

The law focuses on cybersecurity, but it also outlines how companies are to handle personal information and data.  The new law requires a user's consent before personal information is collected, and the information must be kept confidential.

Personal information is defined as that which can be used on its own or with other information to determine the identity of a natural person (including name, date of birth, ID card number, biological ID information, address, and telephone number).  

The Cyberspace Administration of China published a draft "Measures for Security Assessment of Personal Information and Important Data Leaving the Country" in April.  The guidance raises concerns for multi-national businesses that operate in China by expanding the measures to all network operators.  This means that all personal information and important data collected by network operators within China must be stored and kept within China.  The only exceptions are for a "genuine business need" and only after a security assessment is completed.

Network operators are owners of networks, administrators of networks, and network service providers.  Networks are systems consisting of computers or other data terminal equipment and relevant devices that collect, store, transmit, exchange, and process information.  The definitions of network and network operators are vague enough to leave a lot of room for interpretation.   

If you are a multi-national company that operates in China and collects personal data, you should follow the developments of the guidance documentation and the enforcement practices around this law.

Contact us with any additional questions or for more information.
