Home / Publications / PRC Cyber Security Law - What are the Most Important...

PRC Cyber Security Law - What are the Most Important Impacts on Foreign Businesses?

China Insight - IP

The PRC Cyber Security Law (“CSL”) issued by the Standing Committee of the National People’s Congress of the PRC has come into effect on 1 June 2017.

The CSL is the first set of comprehensive legislation governing cyber security and data privacy in China. It regulates all activites in relation to construction, operation, maintenance and use of networks as well as the supervision and administration of the cyber security within the territory of the PRC. Unfortunately, the definition of regulated entities such as the Network Operators (please see details under Section1. a)) and CII Operators (please see details under Section 1. b)) is very broad and ambiguous. Further, many requirements under the CSL, such as the requirement for localization of personal information and im-portant data in China lead to the result that companies in private sectors in particular foreign companies doing business in China are fairly concerned about the applicability of and compliance with the CSL requirements. Since many terms of the CSL are rather vague, many details are still subject to implementing regulations, some of which have already been published, the majority of which, however, still has to be enacted.

On 1 June 2017, the Provisions on Examination of Network Products and Services (Trial) (“NPS Provisions”) have also come into effect. They are the first and an important set of implementing regulations of the CSL. Although further clarifications are needed, the NPS Provisions are likely to mainly apply to the Critical Information Infrastructure Operators (as defined below). Other than the NPS Provisions, other regulations to supplement and implement the CLS have not yet been enacted and so far only drafts are available. They include, inter alia, Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (a draft was issued on 11 April 2017), Information Security Technology – Guidelines on Data Security Assessment (a draft issued on 27 May 2017), Guidelines on Identification of Major Data, Regulations on Security of Personal Data, Catalogue of Critical Network Equipment and Specialized Cyber Security Products; Provisions on Security Protection and Scope of Critical Information Infrastructure, etc.

The legal framework is still evolving, with supporting regulations and guidelines to be promulgated in the next a couple of months. Media reports indicate that the Cyberspace Administration of China (“CAC”) has informally agreed to delay the implementation of the CSL requirements governing cross-border transmission of information until the end of 2018. 

More details of Regulated Entities (Network Operators and CII Operators and NPS Providers) and Localization of data in China (Scope of Obliged Entities, Definition and Scope of Personal Information and Definition and Scope of Important Data), please click the link below.

PRC Cyber Security Law - What are the Most Important Impacts...
Read more


Portrait of Ulrike Glueck
Dr. Ulrike Glueck
Managing Partner
Portrait of Sammie Hu
Sammie Hu, LL.M.