Quick Guide: Cybersecurity and Data Protection: China | Practical Law
A quick guide to track the regulatory developments on China's cybersecurity and data protection since the Cybersecurity Law became effective on 1 June 2017.
The cybersecurity and data protection regime in China (PRC) is rapidly evolving and becoming one of the most stringent in the world. Following the enactment of the Cybersecurity Law of the PRC 2016 (2016 CSL, with effect from 1 June 2017), there has been an abundance of implementing regulations and guidelines proposed, issued or revised to flesh out the essentials and concepts introduced under the 2016 top-tier law (see Legal Update, China passes Cybersecurity Law). On 12 September 2022, the regulator circulated a consultation draft of proposed revisions to the 2016 CSL (see Legal Update, CAC Circulates Draft Revisions to Cybersecurity Law).
There is no single regulatory authority, comparable for instance to the Privacy Commissioner in Hong Kong, which deals exclusively with privacy or data protection matters. Instead, various administrative authorities have claimed jurisdiction over data privacy and security matters, including:
For areas where there is no national legislation, the SAMR and the Standardization Administration of China (SAC) release non-binding guidelines and recommended national standards to fill the gap or work as a trial for future legislation. Companies should follow these standards as the starting point when drawing up compliance programmes and policies in China. The subcommittee of the SAC responsible for preparing the non-binding guidelines and recommended national standards on data privacy is the National Information Security Standardization Technical Committee (全国信息安全标准化技术委员会) (also known as TC260).
With significant updates arriving frequently since 2016, and expected to continue in the near future, businesses in all sectors are advised to monitor developments consistently and verify the latest situation before reaching any significant decision.
Measures on Cybersecurity Classification Evaluating Institutions Management 2018 (网络安全等级保护测评机构管理办法), issued by the MPS on 17 April 2018 with immediate effect.