China Moving Towards Stricter Data Protection and Cyber Security Legislation

China is enhancing its oversight in the data privacy and internet sectors and recently released the full text of the second draft of the Cyber Security Law. Marissa Dong, partner at leading Chinese law firm JunHe, decodes in detail the key points of this draft law and its potential impact.

Posted Thursday, September 1st 2016
China Moving Towards Stricter Data Protection and Cyber Security Legislation

The full text of the second draft (the “Second Draft”) Cyber Security Law (the “CSL”) was released on July 5, 2016 to solicit public comment until August 5, 2016, after its second deliberation during the 21st session of the 12th NPC Standing Committee, and one year after the first draft CSL was released to the public. The CSL is expected to be finalized and enacted before the end of the year. The CSL is one of the key pieces of legislation that China is introducing to enhance the administration in the data privacy and internet sectors. 


By way of background, although China still does not have an omnibus data privacy law like in the EU, various sector-specific laws and regulations have incorporated provisions relating to the protection of personal information. Examples include the amendment to the Consumer Rights Protection Law in 2013 and the Advertisement Law in 2015, both of which  include new provisions relating to personal information and restrict direct marketing. Also industrial regulators, such as the People’s Bank of China, the Ministry of Industry and Information Technology, the National Health and Family Planning Commission have all promulgated specific regulations relating to protection of personal information in their respective areas. With respect to the cyber security issue, in April 2014, to respond to the various challenges in the new era, President Xi Jinping for the first time raised the “overall concept of national security.” Thereafter, a series of legislation relating to national security was put on an accelerated track, including the Counter-terrorism Law, the National Security Law, the CLS, the Foreign Non-governmental Organization Administration Law, and the Counter-espionage Law. The CTL, NSL and CSL all include or are likely to include provisions relating to information and technology security, and have drawn wide attention from foreign companies especially high-tech and internet companies who have operations in China.


The draft CSL further provides for “safeguarding the national cyberspace sovereignty” as a fundamental principle, and, for that purpose, the draft includes provisions on, inter alia, the strategy, planning and promotion of cyber security, network operation security, network information security, and alarm and emergency response systems. The CSL endeavors to strengthen network operation security obligations, for example, the draft sets out various security obligations for network products and service providers, makes classified network security protection a legal obligation of network operators including classifying data as well as backing up key data and the encryption of same. Network operators are also required to provide assistance and support to investigation agencies where necessary in order to protect national security and investigate crimes. The recently released Second Draft further imposes certain obligations on network operators, including: (i) network operators shall comply with laws and regulations, uphold social and commercial standards of morality, perform cyber security protection obligations, accept government and public supervision, and observe social responsibility; (ii) the period for network operators to retain network logs is at least six months; (iii) network operators providing instant message services are clearly required to verify users’ identities; (iv) and network operators shall cooperate with the supervision and inspection of cyberspace administrative authorities and other relevant authorities.


Furthermore, the draft CSL heightens protection for the operation of “critical information infrastructure facilities” and imposes various obligations on the operator of critical information infrastructure facilities (“CIIO”). Such requirements include that CIIOs store citizens personal information and other important business data (the latter is added in the Second Draft) within the territory of the PRC (unless there is a business imperative to store data overseas, in which case they can apply to government who will evaluate the specific situation). Secondly, a security review is required to be conducted on the procurement of network products and services by CIIOs. Thirdly, the Second Draft adds that the State encourages network operators falling outside the statutory scope of CIIO to join the CIIO protection system voluntarily. It is also notable that the Second Draft removes the definition of CIIO with specific enumeration and leaves the specific scope of CIIO in implementing regulation of the CSL to State Council. 


The draft CSL also includes requirements for network operators on the protection of users’ personal information. Such requirements are primarily based on those of existing laws and regulations (such as notification and consent requirement for collecting and using personal information), with a few new requirements such as notifying users who may be affected in the event of a data breach. The draft also requires network operators to record the real identity of users, to cease and prevent the dissemination of unlawful and harmful information, and to make records and report to government. Also it is notable that the Second Draft introduced the concept that the application of big data could be carried out on the basis of data anonymization.


Once adopted and implemented, the CSL may influence the technology and internet industries significantly, and may even impact enterprises in finance, energy, transportation, medical and health services and other public service areas. It is worth following up on the development of CSL and data privacy law in China.



? About the author

Marissa (Xiao) Dong, Partner –

Ms. Dong is a partner at JunHe’s Beijing office and specializes in the areas of foreign direct investment, mergers and acquisitions, and internet, high-tech and data privacy and information law. She represents multinationals, foreign investment enterprises, and large Chinese state-owned and private companies. In her corporate and M&A practice, Ms. Dong guides inbound investors through all stages of operating in China, from market investigation to market entry and business expansion (including incorporating PRC entities, mergers and acquisitions, business permits and application, corporate restructuring and compliance issues). Her clients include industry leaders in manufacturing, high-tech and internet and telecommunications services and education. By supporting clients in their operations in China, Ms. Dong has not only gained substantial experience in dealing with complex commercial transactions but also a deep understanding of the law and its implementation, government policies and business environment, which enables her to assist clients to set up sensible strategies and explore practical approaches in doing business in China.


She also advises clients on all aspects of matters involving new technology and data, with a special emphasis on information privacy (consumers, employees, and patients), data security and breaches, and international data transfers. In these businesses, she has gained an understanding of new business models and technology, such as targeted advertising, internet payments, telematics, IoT and cloud computing, so as to help clients navigate China’s complex and sector-specific policy and regulatory landscape. Her clients include national and international information technology vendors, internet service providers, data brokers, retailers and distributors, and manufacturers of medical, industrial, and consumer products.


She also consults with JunHe lawyers and clients on eDiscovery strategy, data privacy and state secret law matters. Such matters are normally related to pending or threatened litigation, government investigation, internal investigation and white color matters, carried out in China or overseas, relating to Chinese companies and foreign operations in China and in various industries such as manufacturing, pharmaceutical, financial services, and professional services.


She wrote the PRC component of Global Privacy and Security Law, The Privacy, Data Protection and Cybersecurity Law Review, and is a contributing legal expert to MULTILAW's Global Data Privacy Tool. She has written several articles on data protection for PLC and BNA Bloomberg. She is constantly recognized as an expert in Information Technology by Who’s Who Legal. 


? About the firm

JunHe, founded in Beijing in 1989, was one of the first private partnership law firms in China. Since its establishment, JunHe has grown to be one of the largest and most recognized Chinese law firms. The firm has nine offices around the world and a team comprised of more than 600 professionals, including over 180 partners and legal counsel, as well as over 420 associates and legal translators.

  • Our solid foundation is laid upon delivering premier legal services
  • Our network growth is achieved through prudence and independence
  • Our relentless power is sourced from attracting talented lawyers worldwide
  • Our competitive edge is maintained through constant innovation
  • Our global strategy is devoted to collaborating with our peers