Cybersecurity Law of the People's Republic of China (CSL)
- Lawfulness, Fairness and Nondiscrimination
- Transparency & Free Access
- Purpose Specification, Use Limitation and Suitability
- Data Minimisation, Storage Limitation and Accuracy
- Security and Prevention
- Accountability & Recordkeeping
- Data Protection Officer
- Data Subject Rights
- Vendor Management
- Cross-Border Data Transfer and Data Localization
- Incident & Breach
The Cybersecurity Law of China covers all “network operators”. The definition is broad, including owners and administrators of computer information networks as well as network service providers. The data protection provisions of the Law have no extraterritorial effect.
“Personal information” means all kinds of information recorded in electronic or other forms which can be used, independently or in combination with other information, to identify a natural person’s personal identity, including but not limited to the natural person’s name, date of birth, identity certificate number, biometric personal information, address and telephone number.
Network & Network Operators
“Network” means the system that consists of computers or other information terminals and related equipment for collecting, storing, transmitting, exchanging, and processing information according to certain rules and procedures.
“Network operator” means the owners and administrators of the network as well as network service providers.
Data Processing Principles
When collecting and processing personal data, network operators should follow the principles of legitimacy, reasonableness and necessity.
Critical Information Infrastructures (“CII”) Operators
Critical Information Infrastructures (“CII”) operators are subject to more requirements under the Cybersecurity Law, such as implementing additional security measures and mandatory security reviews (i.e. privacy impact assessment). CII operators are defined as operators of systems that, if destroyed, suffering a loss of function, or experiencing data leakage, might seriously endanger national security, national welfare, the people’s livelihood, or the public interest. Examples of CII include public communication and information services, power, traffic, water resources, finance, public service, e-government, etc.
The Cybersecurity Administration of China (“CAC”) released a draft of the Regulations for the Security Protection of Critical Information Infrastructure (“Draft CII Regulations”). Once finalized, the Draft CII Regulations should provide more detailed guidance on the scope of CII operators.
The National Standard GB/T 35273–2017 and Its Proposed Revisions
The National Standard of Personal Information Security Specification (GB/T 35273–2017) became effective on May 1, 2018. The Standard has served as a guideline in various law enforcement actions to assess whether a company has met the requirement of “implementing technical and other necessary measures to protect personal data” under the China Cybersecurity Law. Although not mandatory for companies to adopt, it is viewed as a “soft law” in China.
The following summarizes some key takeaways from a proposed revision published by China’s National Information Security Standardization Technical Committee (TC260) on February 1, 2019. TC260 closed the public consultation for the proposed revision on March 3, 2019. Although it is not clear when the revision will become effective, businesses in China should be aware of the potential regulatory changes.
- Consent must be freely given: Network providers shall provide a privacy notice in plain, clear and concise wording and obtain freely given consent from data subjects. Bundled consent, or the “take-it-or-leave-it” approach, is strongly discouraged.
- Core function vs. extended function: There are different consent expectations for the core function and the extended function of a network service. TC260, the China Consumers Association, the Internet Society of China, and the Cybersecurity Association of China will prepare a new national standard on the differentiation of core function and extended function and clarify the enforcement requirements. This differentiation would be an innovative attempt by China to address data subject consent across different processing activities. A core function is one that, from the consumers’ perspective, meets the consumers’ requirements; all other functions are extended functions.
- Opt-out from behavioral advertising: App operators shall provide an opt-out mechanism for online behavioral advertisement or personalized recommendations, as well as for the display of news, feeds or advertisements.
- Accountability and documentation requirement: This requirement will be similar to Article 30 of the GDPR. The documentation should follow the lifecycle of the data.
- Due diligence and control over third-party API: Network providers are expected to have control over a third-party application programming interface even when the third party is neither a processor nor a joint controller.
- Data protection officer (DPO): The proposed revision clarifies the circumstances in which the appointment of a data protection officer is required under the China Cybersecurity Law: a) where the principal business involves processing of personal data and more than 200 people are involved in such processing activities, or b) where more than 1 million people’s data are processed, or the personal data of 1 million people are processed cumulatively over a period of 12 months. The revision also sets out responsibilities and requirements for the DPO.
- Data breach reporting threshold: Article 42 of the China Cybersecurity Law requires data breach notification to both Chinese authorities and the affected data subject. The revised proposal recommends that the threshold for a reportable data breach to the Cyberspace Administration of China is a) where the breach involves more than 1 million people’s data or b) if it involves sensitive personal data that may impact public interest or society as a whole, such as genetic information or biometric data. Notice to affected subjects is necessary when the data breach may have a significant impact on the data subject.
Lawfulness, Fairness and Nondiscrimination
Articles 12, 13, 22, 41, and 42 address several matters related to lawfulness, fairness, and nondiscrimination.
- Article 12 guarantees the lawful, orderly, and free circulation of network information and lists certain restrictions that network users must abide by. In particular, network users must not “create or disseminate information that infringes on the reputation, privacy, intellectual property or other lawful rights and interests of others.”
- Article 41 lists a number of principles that network operators collecting and using personal information must also abide by (e.g. legality, propriety, necessity, stating purposes of processing, and obtaining user consent).
- Article 13 places special emphasis on the protection of minors, noting that the State encourages research and development of network products and services conducive to the healthy upbringing of minors. Furthermore, those who use networks to engage in activities that endanger the psychological and physical well-being of minors could face punishment by the State.
- Consent is specifically considered in Articles 22, 41, and 42. In essence, Articles 22 and 41 both state that if user information or personal information is gathered by a network product or service, then consent must be obtained from the user. Article 42 further states that such information cannot be provided to others without the consent of the person from whom it was collected.
Transparency & Free Access
Transparency, openness and free access are recurring themes in the China Cybersecurity Law. According to Article 7, the State promotes the construction of a peaceful, safe, open and cooperative cyberspace and a transparent Internet governance system. With respect to transparency specifically, according to Article 41, network operators collecting and using personal information must disclose rules for the collection and use of such personal information, explicitly stating the purposes, means, and scope for collecting or using it.
Purpose Specification, Use Limitation and Suitability
The principles of purpose specification, necessity, and use limitation are addressed in various parts of the China Cybersecurity Law. According to Articles 22 and 41, network operators shall:
- explicitly inform data subjects of the purposes, scope and manner of data collection and use, and must obtain their consent for the collection and use;
- only collect and use personal data in compliance with the law and as agreed with data subjects; and
- refrain from collecting personal data which is not relevant to the services provided to the data subjects.
Data Minimisation, Storage Limitation and Accuracy
As stated above, the China Cybersecurity Law requires network operators to abide by the principles of legality, propriety, and necessity. Furthermore, they must not gather personal information unrelated to the services they provide. Where individuals discover that personal information gathered or stored by network operators contains errors, network operators must employ measures for deletion and correction.
Security and Prevention
As a general principle, Article 10 of the Cybersecurity Law states that the construction and operation of networks, or network services, must adopt technical and other measures to safeguard cybersecurity and operational stability, effectively respond to cybersecurity incidents and to prevent cybercrime.
Security of personal information and prevention of incidents and breaches are also fundamental principles under the Cybersecurity Law. At a high level, security measures adopted by network operators should maintain the integrity, confidentiality and availability of network data.
Additionally, network operators shall:
- keep the collected personal data strictly confidential, and must not disclose, tamper with, damage, sell or unlawfully provide the same to a third party;
- adopt security measures for data protection, and must take remedial steps immediately where security breach occurs or may occur; and
- adopt technical measures to prevent computer viruses, cyber attacks, network intrusions, and other actions endangering cybersecurity.
CII operators also need to follow relevant provisions and sign a security and confidentiality agreement with vendors when purchasing network products and services.
Accountability & Recordkeeping
Several provisions of the Cybersecurity Law are relevant to demonstrating compliance and to recordkeeping. The Cybersecurity Law provides that network-related industry organizations shall formulate codes of conduct on cybersecurity and direct their members to strengthen cybersecurity protection.
There is an explicit requirement to maintain certain records in several areas of the Cybersecurity Law. First, as part of security performance, network operators must store network logs for at least six months. Second, upon discovery that the transmission or publication of certain information is prohibited, the network operator must, among other things, save relevant records and report the infraction to the relevant departments. Third, at least once a year, critical information infrastructure (CII) operators are required to conduct an inspection and assessment of their network’s security and any potential risks that might exist. CII operators should submit a report of the inspection and any improvement measures to the relevant department.
An implicit recordkeeping requirement arises from the need to demonstrate compliance with key provisions such as consent and security safeguards. For example, operators must obtain consent from the person whose personal information is collected or used, so operators will need to put in place procedures to collect, manage, and record such consents.
Data Protection Officer
While not mentioned specifically, the China Cybersecurity Law applies the concept of a data protection officer to both network operators and CII operators. According to Article 21, network operators shall designate persons responsible for cybersecurity and implement cybersecurity protection responsibility. CII operators, in addition to the provisions of Article 21, shall also set up specialized security management bodies and persons responsible for security management, and conduct security background checks on those responsible persons and on personnel in critical positions.
The Cybersecurity Law mandates data protection/cybersecurity impact assessments for CII operators. CII operators purchasing network products and services that might impact national security shall undergo a state security review organized by the national cyberspace administration in conjunction with relevant departments of the State Council.
Data Subject Rights
The Cybersecurity Law gives users several rights exercisable against network operators.
Article 43 grants individuals the right to demand that network operators delete their personal information and the right to demand that network operators make corrections. Network operators must employ measures for such deletions and corrections.
Article 14 states that all individuals and organizations have the right to report conduct endangering cybersecurity to the relevant department. Relevant departments shall preserve the confidentiality of the informant’s information and protect the lawful rights and interests of informants.
As general principles, the Cybersecurity Law also promotes the right to be informed and the right of access by requiring network operators to publish rules for collection and use, explicitly stating the purposes, means, and scope for collecting or using the information.
The Cybersecurity Law does not distinguish between “data controllers” and “data processors.” The definition of “network operators” (network owners, managers, and network service providers) is broad enough to apply to both controllers and processors.
Cross-Border Data Transfer and Data Localization
The Cybersecurity Law requires a security assessment when personal data are transferred cross-border. To help interpret and implement the requirements, the CAC released a draft of the Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (“Draft Measures”). The Draft Measures impose obligations on network operators (and not just CII operators) to assess the necessity for and security of their cross-border data transfers. In some situations, a government-administered security assessment will be triggered.
Localization under the Cybersecurity Law
CII operators are required to store personal data and other important data (a term the Law does not define) collected and generated during operations within China. If a CII operator wants to transfer such data cross-border for business reasons, a security assessment process is required. The Draft Measures extend this localization requirement to network operators as well.
Incident & Breach
When a security incident occurs, network operators shall take immediate remedies and inform affected users as well as the competent department.
When to notify?
The notification to individuals should be provided in a timely manner, and the notification to competent authority shall be provided in accordance with relevant provisions.
Article 22 provides that when a provider discovers any risk such as security defect and vulnerability of its network products or services, it shall immediately take remedial measures, inform users in a timely manner, and report it to the competent department in accordance with relevant provisions.
Article 25 requires that when any incident endangering cybersecurity occurs, the relevant operator shall immediately initiate the emergency response plan, take corresponding remedial measures, and report it to the competent department in accordance with relevant provisions.
How to notify?
- Notification to Regulators
Pursuant to the Chinese Cybersecurity Law, regulatory bodies with overarching responsibility for cybersecurity oversight in China include: the Cyberspace Administration of China (CAC); the Ministry of Industry and Information Technology (MIIT); the China Internet Network Information Centre (CNNIC); the Ministry of Public Security; and the Standardization Administration of China (SAC).
With respect to particular industrial sectors, individual regulatory authorities have substantial authority over business-related activities, including cybersecurity preparedness. These include: the China Banking Regulatory Commission (CBRC); the China Insurance Regulatory Commission (CIRC); the China Securities Regulatory Commission; and the People’s Bank of China (PBOC).
Other relevant authorities include the National Information Security Standardization Technical Committee (NISSTC, also known as TC260), which was formed in 2002 under the Standardization Administration of China and is responsible for the development of technical standards for information security.
- Notification to the Individuals
The affected individuals should be notified directly and in a timely manner, i.e. by telephone, push notification, post, e-mail, electronically, or in person. If it is hard to notify each data subject, organizations shall take reasonable and effective measures to publish a warning message to the public.
Violation of the Cybersecurity Law may lead to a fine of up to 10 times the illegal gain or RMB 1 million (when there is no illegal gain), as well as confiscation of the illegal gain. A serious violation could also result in suspension or revocation of the business license. The responsible individual may be subject to a fine of up to RMB 100,000.
All of the draft regulations mentioned above are still under deliberation by the Chinese Government.
In China, network operators are required to take immediate remedies and to notify possible personal data breaches. As there are a number of regulatory bodies in China relevant to security and IT, only those that have oversight over the particular organization’s business should be notified.
Is it Mandatory to Notify Individuals?
Is it Mandatory to Notify Regulator?
In a timely manner.
Regulator contact: Ministry of Industry and Information Technology of the People’s Republic of China, 13 West Chang’an Street, China Post Code: 100804
Breach Notification Format
Affected individuals should be notified directly and in a timely manner, as described above; where individual notification is impractical, a public warning should be published. The regulators that should be considered for notification also include the Cyberspace Administration of China (CAC), the China Internet Network Information Centre (CNNIC), and the Ministry of Public Security.
Cybersecurity Law of the People's Republic of China (CSL)
Order No. 53 of the President
In China, provisions for personal data protection can be found in the Cybersecurity Law of the People’s Republic of China (China Cybersecurity Law), which came into force on June 1, 2017. The law applies to the construction, operation, maintenance and use of networks as well as the supervision and administration of cybersecurity in China. Although the telecommunication sector already has similar provisions in place, the provisions under the China Cybersecurity Law have a much wider scope, applying to all “network operators”.
Last Updated: July 30, 2019