Cybersecurity 2024

Last Updated March 14, 2024

China

Law and Practice

Authors



King & Wood Mallesons (KWM) is an international law firm headquartered in Asia with a global network of 29 offices. Its cybersecurity team, consisting of more than ten lawyers with solid interdisciplinary backgrounds, was one of the first legal service teams to provide professional services concerning cybersecurity and data compliance in China. While mainly located in Beijing, the team collaborates seamlessly across KWM’s global network. The team has expertise in assisting clients in responding to cybersecurity investigations and network emergencies, establishing network information compliance systems, conducting self-assessments, offering internal training on cybersecurity and data compliance, and addressing other related matters. KWM recently advised a renowned short-term lodging platform on compliance with the multi-level protection scheme for cybersecurity. It conducted a detailed analysis of the current graded protection obligations, compared the newly proposed mechanism with the existing one, and offered practical advice to the client.

The Civil Code of the PRC (Civil Code) is a staged legislative response to the problem of personal information (PI) protection. The personality rights chapter of the Civil Code devotes a dedicated section to the protection of both PI and privacy rights, recognising the personality attributes of PI. In addition, the Civil Code provides a preliminary definition of PI and its types, the legal bases for processing PI, the rights of PI subjects, etc. These provisions on PI are general and transitional in nature, and are to be further refined and implemented by subsequent legislation.

Compared with the scattered provisions of the Civil Code, the Cybersecurity Law (CSL) of the PRC acts as the overarching framework of the cybersecurity regime in China and sets forth specific requirements for the various segments of cybersecurity. CSL applies to network operators (NOs) in China (ie, any entity that owns or administers a network or provides network services), and imposes liability for violations in the form of fines and injunctions against NOs and/or their responsible personnel.

The subject matter regulated by CSL, supplemented by relevant regulatory documents (including drafts), can be split into two main categories:

  • network operation security, which addresses the security of the operation, structure and management of a network system; and
  • network information security, which mainly focuses on measures and structural arrangements to protect PI and important data.

The Cyberspace Administration of China (CAC) released proposed revisions of CSL on 14 September 2022, five years after CSL came into force. The proposed revisions raise the range of administrative penalties and add punitive measures, including temporary bans on holding relevant positions.

In addition, the Data Security Law (DSL), which was released on 10 June 2021 and came into effect on 1 September 2021, articulates specific security requirements for data processing. DSL is the first law in the Chinese data regulation regime to explicitly provide for extraterritorial jurisdiction: it applies to data processing activities conducted outside China that harm China’s national security, the public interest or the lawful rights and interests of Chinese citizens or organisations. DSL contemplates a variety of state data protection mechanisms from an overarching architectural perspective, such as a classified and graded data protection system, state data security certification and standardisation, a data transaction system, a state open data system and others, with implementation measures to be promulgated later by state and municipal regulatory authorities.

Lastly, the Personal Information Protection Law (PIPL), which was released on 20 August 2021 and became effective on 1 November 2021, builds upon the general principles and rules established under CSL and provides detailed PI protection requirements. While consent remains the cornerstone of PI processing activities, PIPL provides other lawful bases, such as the necessity of concluding or performing a contract to which the individual is a party. In addition, PIPL sets out requirements for sensitive PI, cross-border transfers, PI protection impact assessments, compliance audits, separate consent and legal liability.

CSL, DSL and PIPL form the three “pillars” of China’s cybersecurity and data protection regime, which are continuously implemented by a series of subsequent regulations, measures and national standards.

Network Operation Security

Multi-level protection scheme (MLPS)

A classified cybersecurity protection scheme (also known as the multi-level protection scheme or MLPS) is recognised as the basic legal system for ensuring structural network security in China. Under the MLPS, networks and information systems are classified into one of five levels (from one to five) according to the harm that would be caused to national security, social order, the public interest or the lawful rights of citizens if the system were damaged. Progressively stringent security requirements and filing obligations with the authorities are imposed on NOs whose systems fall into higher MLPS levels. Please refer to 4.3 Critical Infrastructure, Networks, Systems and Software for further details of the MLPS.

Security requirements

Pursuant to CSL, NOs must establish internal security management protocols, designate persons responsible for cybersecurity, adopt technical measures to prevent computer viruses and cyber-attacks, retain relevant network logs for at least six months, and take measures such as data classification and the backup and encryption of important data.

Additionally, NOs are required by Article 25 of CSL to formulate emergency response plans for cybersecurity incidents and to report incidents to the competent department in accordance with the relevant provisions. It is notable that on 8 December 2023, CAC issued the Measures for the Management of Cybersecurity Incident Reports (Draft for Comments), which specify who bears the reporting obligation, the reporting procedure and the content to be reported.

Furthermore, suppliers of network products and services are obliged, for example, to take remedial action to correct security vulnerabilities and to provide security maintenance services on a continuing basis. Under the Provisions on the Management of Security Vulnerabilities in Network Products (the Vulnerability Regulation), they are also required to report identified security vulnerabilities to the network security threat and vulnerability information sharing platform operated by the MIIT, which in turn shares vulnerability information with other national bodies such as CNCERT/CC, the operator of the China National Vulnerability Database (CNVD). Please refer to 5.7 Requirements for Secure Software Development (Network Product Security) for further details about security vulnerabilities.

Critical information infrastructures (CIIs)

CIIs are defined as important network facilities and information systems in industries and sectors such as:

  • public communication and information services;
  • energy;
  • transportation;
  • water conservancy;
  • finance;
  • public service;
  • e-government;
  • national defence science, technology and industry; and
  • any other important network facilities and information systems whose sabotage, loss of function or data leakage may severely endanger national security, social welfare and the public interest.

The competent authorities and administration departments of the relevant industries, referred to as “protection departments”, are responsible for CII security protection in their respective sectors. The protection departments are in charge of identifying CIIs and filing the identification results with the public security department of the State Council (ie, the MPS). The factors considered in identifying CII include the importance of the facility or system to the core business of the industry concerned, the possible harm that would be caused by incidents such as destruction, loss of function or data leakage, and the knock-on effect on other industries and fields.

CIIs must adhere to stringent security requirements, including security management, training, cybersecurity measures, procurement of network products and services, and emergency planning, with protection measures planned, built and put into use together with the CII itself rather than bolted on afterwards. For procurements of network products and services that may affect national security, a cybersecurity review is mandatory. Since 1 May 2023, a new national standard for CII security, aligned with the MLPS, has set out comprehensive requirements covering analysis and identification, security protection, detection and assessment, monitoring and early warning, active defence and incident handling.

Monitoring, etc

NOs shall establish cybersecurity monitoring, early warning and emergency response mechanisms to mitigate cybersecurity risks, and promptly notify the relevant parties upon the occurrence of a cybersecurity incident.

Network Information Security

Legitimate processing

NOs shall process (collect, store, use, handle, transfer, provide, disclose, delete, etc) PI lawfully, legitimately, in good faith and only to the extent necessary, and shall obtain informed consent from PI subjects regarding the purpose, methods and scope of processing. NOs are responsible for the security of the PI they collect, and must promptly inform PI subjects and the relevant authorities upon discovering a possible or actual PI security incident. NOs should also accommodate PI subjects’ legitimate requests, such as requests for correction or deletion.

Under PIPL, NOs are classified as personal information processors (PIPs), which determine the purposes and means of processing, or entrusted processors (EPs), which process PI on a PIP’s behalf. For sensitive personal information (SPI), PIPs face stricter requirements, such as separate consent, a PI protection impact assessment and encryption. Detailed PI protection requirements for NOs, PIPs and EPs can be found in 4.1 Personal Data.

Important data

Important data refers to data that, if tampered with, damaged, leaked or illegally obtained or used, may harm national security, economic security, social stability or public health and safety. It may include undisclosed government information, information on large population groups, genetic and health data, geographical and mineral resource data, and the production and operation data of CIIs. Entities processing important data are subject to various security obligations under DSL, such as designating a person and department responsible for data security, conducting periodic risk assessments and filing the resulting reports with the competent authorities, and adopting technical measures such as encryption, backup and monitoring.

Definitions of important data can also be found in regulations for specific industries. For example, the Several Provisions on the Management of Automobile Data Security (Trial), issued by CAC and four other departments in 2021, define important data in the automobile industry; and the Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial), issued by the Ministry of Industry and Information Technology of China (MIIT) at the end of 2022 and in effect since 1 January 2023, define important data in that field.

Please see 4.2 Material Business Data and Material Non-public Information for details on important data protection requirements.

Cross-border data transfer

Operators of CIIs (CIIOs) must store PI and important data collected and generated in China within China, and must pass an authority-led security assessment before transferring such data out of China. PIPs whose PI processing reaches a threshold set by CAC are subject to the same localisation and security assessment requirements. Under the security assessment regulations, data processors (ie, those able to determine the purposes and means of data processing activities) that process a prescribed volume of natural persons’ PI, or that transfer important data, are likewise subject to the security assessment. Data processors below the security assessment thresholds may transfer PI overseas if they obtain PI protection certification from an accredited agency or execute a standard cross-border data transfer contract with the overseas recipient.

The Measures for the Security Assessment of Cross-border Data Transfers came into effect on 1 September 2022. Data processors shall conduct a self-assessment of the risks before transferring PI or important data out of China. The self-assessment and the authority-led security assessment may cover:

  • the nature and quantity of data to be transferred;
  • the purposes, means and scope of data to be transferred and its respective legality, legitimacy and necessity;
  • the data recipient’s data security protection abilities;
  • the security measures taken to protect data in transit;
  • the receiving country or region’s political and legal environment of data protection; and
  • an evaluation of the impact to PI subjects, national security and social interests by such transfer, etc.

Cross-border data transfer is prohibited if it threatens national security or public interests. For detailed cross-border data transfer descriptions, please see 3.1 De Jure or De Facto Standards (Cross-border data transfer).

CSL and relevant regulatory documents are mainly enforced by CAC, the MIIT, the Ministry of Public Security of China (MPS), and the State Administration for Market Regulation (SAMR).

CAC published the Provisions on Regulating and Promoting Cross-border Data Flows (Draft for Comments) on 28 September 2023 and finalised them on 22 March 2024 as the Provisions on Promoting and Regulating Cross-border Data Flows (the “Provisions”).

The Provisions also clarify that the relevant competent authorities and regions are responsible for identifying and notifying important data, and allow a pilot free trade zone (FTZ) to formulate its own negative list of data subject to the cross-border transfer mechanisms.

State secrets

The Law of the PRC on Guarding State Secrets classifies state secrets into three tiers (top secret, secret and confidential) and articulates the respective protection requirements, which generally prevail over other data protection requirements when data is identified as a state secret.

Restrictions on state activities

Under DSL and other implementing regulations, governmental authorities bear confidentiality obligations with respect to PI, trade secrets and other confidential business information that NOs disclose to them.

Furthermore, before transferring important data out of China, data processors must complete a self-assessment and apply for the authority-led security assessment, which examines, among other things, whether the transfer may threaten national security. Data processors that provide important data to overseas recipients without fulfilling these obligations may be subject to penalties such as fines, suspension of business or revocation of business licences, depending on the seriousness of the violation.

Other Laws and Regulations

Various other laws and regulations also contribute to other segments of the cybersecurity regime, as illustrated below.

The Counterespionage Law

The newly amended Counterespionage Law came into force on 1 July 2023 and establishes a close connection between data security and national security. It treats acts such as the unauthorised provision of data and cyber-attacks against specific authorities as espionage. Moreover, national security agencies are responsible for safeguarding the confidentiality of commercial secrets, individual privacy and personal information obtained in the course of their counter-espionage duties.

The Cryptography Law

The Cryptography Law is mainly enforced by the State Cryptography Administration (SCA) and sets forth the requirements for supplying and using the various categories of cryptography, particularly commercial cryptography, which plays a key role in the network security measures required by CSL. The law also sets forth the legal liabilities for violations.

The Criminal Law

The Criminal Law of the People’s Republic of China recognises various cybercrimes, including infringing citizens’ PI, illegally intruding into or damaging computer information systems, using information networks to commit crimes, and refusing to perform information network security management obligations, all of which are punishable by imprisonment and/or fines. These provisions are enforced by the MPS and its local agencies.

All key regulators of cybersecurity in China – namely CAC, the MIIT, the MPS and the SAMR – have regulatory authority at a national level, and branch agencies at a county level or above that exercise their authority within their respective geographic jurisdiction, including audits and investigations of NOs regarding violation of cybersecurity-related laws and regulations.

CAC has the overarching responsibility for planning and co-ordinating cybersecurity regulation. It is the most active regulator in terms of enacting cybersecurity regulatory documents, and its enforcement focuses on the governance of the “internet ecology” and network information content.

The MPS is the key regulator and enforcement authority of the MLPS and network operation security, and is responsible for investigating and preventing crimes related to infringement of computing systems and PI.

The MIIT oversees the telecommunications and information technology industry and thus administers the licences of market participants in this industry. Its enforcement focuses on PI protection, especially in value-added telecommunications services.

The SAMR is responsible for the protection of consumer rights, including consumers’ rights in PI and fair market competition.

The National Data Administration (NDA), administered by the National Development and Reform Commission (the country’s top economic regulator), was officially unveiled in Beijing in 2023. The NDA is tasked with various responsibilities, such as promoting the development of data-related fundamental institutions; co-ordinating the integration, sharing, development and application of data resources; and pushing forward the establishment of a Digital China, the digital economy and a digital society.

In general, the penalties imposed on investigated entities or individuals by cybersecurity regulators or data protection authorities must comply with the liabilities articulated by CSL, DSL, PIPL and, in cases where criminal culpability arises, the Criminal Law.

On 23 March 2023, CAC announced the Regulations on Administrative Law Enforcement Procedures of Cyberspace Affairs Departments (Regulations on Enforcement Procedures). They comprehensively update the Regulations for Internet Content Management Administration Law Enforcement Procedures published on 2 May 2017, and set out rules on territorial jurisdiction, hierarchical jurisdiction, designated jurisdiction, transfer of jurisdiction and other matters for administrative law enforcement by cyberspace administrations.

Other due process and appeal rights issues not addressed by the above-mentioned laws and regulations are, in principle, governed by China’s general administrative laws, namely the Administrative Penalty Law, the Administrative Reconsideration Law, the Administrative Litigation Law, etc. In practice, no remedies under these administrative laws are known to have been initiated by respondents, so further observation is advised regarding how they apply to cybersecurity-related administrative processes and enforcement.

Currently, most cybersecurity enforcement actions are based on laws and regulations at the national level. Regulations at the provincial or municipal level are comparatively few and lack uniformity in subject matter and legal effect. Although such regional regulations may only specify, and not exceed, the requirements already contemplated by CSL, they can shed light on how CSL is interpreted. For example, the Shanghai Public Security Bureau issued the Administrative Penalty Guidance on Cybersecurity Management, setting detailed rules for issuing administrative penalties for violations of CSL, and the Henan Province Cybersecurity Regulations, which came into force in June 2023, specify the construction, protection and supervision of network security in Henan Province.

Since 2001, the National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT/CC) has been a pivotal non-governmental entity for cybersecurity information sharing and emergency co-ordination in China. CNCERT/CC oversees the China National Vulnerability Database (CNVD) and the Critical Information Infrastructure Security Response Centre (CII-SRC), collaborative efforts involving system operators and cybersecurity providers that focus on the detection and resolution of vulnerabilities and malware. Additionally, the China National Vulnerability Database of Information Security (CNNVD), funded by the central government since 2009, plays a crucial role in vulnerability analysis and response. Following the Provisions on the Management of Security Vulnerabilities in Network Products (the Vulnerability Regulation), the MIIT launched its network security threat and vulnerability information sharing platform (NVDB) in 2021 to compile and share vulnerabilities reported by network operators and product suppliers. The Cyber Security Association of China (CSAC), a non-profit, industry-wide organisation, fosters participation in cybersecurity construction and supports its members, the industry and national cybersecurity strategies.

In addition, the China Cybersecurity Review Technology and Certification Center (CCRC), under the State Administration for Market Regulation, provides cybersecurity technical support and certification, including certificates for personal information protection, data security management, mobile app security and critical network equipment. In December 2023, with the approval of the Office of the Central Institutional Establishment Committee, it was renamed the China Cybersecurity Review Certification and Market Supervision Big Data Center. The National Internet Finance Association of China (NIFA), initiated by regulatory bodies including the People’s Bank of China and the MPS, serves as the self-regulatory organisation of the internet finance industry. NIFA’s roles include setting operational standards, fostering industry communication, establishing a self-discipline punishment mechanism, and enhancing legal compliance and integrity to support economic and social development.

Cybersecurity

While the scope of the cybersecurity regime in China is comparatively comprehensive and diverse in subject matter, it is still under development, with more supplemental measures expected to be released.

Cybersecurity enforcement in China has been active and aggressive, and 2023 saw more cybersecurity cases than any previous year. According to available statistics, more than 2,500 cybersecurity enforcement cases were brought in 2023. More than half of these relate to failure to fulfil cybersecurity protection obligations, such as failing to develop internal security management rules, failing to designate a person in charge of cybersecurity, or taking insufficient measures to prevent computer viruses and cyber-attacks.

Data Protection

China is similar to most other jurisdictions in that the consent of PI subjects is still the cornerstone of PI protection, while other limited lawful bases are afforded, yet it differs in at least four major respects:

  • illegally selling or otherwise providing PI to others is a criminal offence, so commercial trading in PI is in practice prohibited;
  • consent by the PI subject is absolutely central to the legal system in China, and is thus the dominant source of lawfulness for PI processing, save for the other limited lawful bases provided by PIPL, such as processing necessary for compliance with legal obligations;
  • the China regime affords additional protection to important data, a concept that the EU and US systems do not explicitly contemplate; and
  • although cross-border data transfer is encouraged, localisation and authority approval are required where regulators consider that the transfer may affect national security or the public interest.

A series of key laws and regulations (including drafts) were released or came into force over the past year, including the following.

  • The Measures for the Standard Contract for the Outbound Transfer of Personal Information, together with the annexed Standard Contract for the Outbound Transfer of Personal Information, came into force on 1 June 2023, specifying another route to legitimise outbound transfers of PI.
  • The Measures for the Administration of Personal Information Protection Compliance Audits (Draft for Comments) were issued on 3 August 2023, clarifying how PIPs should conduct PI protection compliance audits.
  • The Provisions on Regulating and Promoting Cross-border Data Flows (Draft for Comments) were published on 28 September 2023 and finalised as the Provisions on Promoting and Regulating Cross-border Data Flows on 22 March 2024, intending to ease some of the cross-border data transfer obligations and promote the free flow of data.
  • The Regulation on the Protection of Minors in Cyberspace was issued on 20 September 2023, setting out a number of requirements to protect the physical and mental health of minors in cyberspace.
  • The Measures for the Management of Cybersecurity Incident Reports (Draft for Comments) were issued on 8 December 2023, aiming to standardise the cybersecurity incident reporting mechanism.
  • The Regulations on Administrative Law Enforcement Procedures of Cyberspace Affairs Departments came into force on 1 June 2023, specifying the scope of administrative law enforcement by cyberspace administrations, the case-filing system and standards, and case-handling procedures and time limits, providing a critical legal framework for law enforcement in the field of data compliance.

In 2023, cybersecurity and data protection continued to evolve at a rapid pace in China, with a particular focus on the governance of cross-border data transfers and the protection of minors’ data.

Following the dynamic implementation of the cross-border data transfer compliance requirements under PIPL, regulators promptly updated the cross-border data transfer governance scheme in 2023, so as to protect the security of cross-border data transfers while facilitating economic development. For the purpose of further promoting the orderly free flow of data, CAC opened a public consultation on the Provisions on Promoting and Regulating Cross-border Data Flows on 28 September 2023 and finalised them on 22 March 2024 (the “Provisions”). The Provisions exempt a variety of scenarios from the cross-border transfer compliance mechanisms under PIPL, such as the onward transfer out of China of data that was collected and generated overseas, provided no PI or important data collected or generated within China is introduced; transfers necessary to conclude or perform a contract to which the individual is a party; transfers necessary for cross-border human resources management; and transfers necessary in an emergency to protect the life, health or property of individuals.

Moreover, on 20 September 2023, the Regulation on the Protection of Minors in Cyberspace (the “Regulation”) was adopted by the State Council, and it took effect on 1 January 2024. As the first regulation specialised in the protection of minors in cyberspace, the Regulation aims to create a cyber-environment conducive to the physical and mental health of minors and to protect their legitimate rights and interests.

Furthermore, on 3 August 2023, CAC published the Measures for the Administration of Personal Information Protection Compliance Audits (Draft for Comments) (the “Audit Measures”) and solicited public opinions. Based on PIPL, the Audit Measures intend to establish a mandatory personal information protection compliance audit mechanism, enabling enterprises to review the effectiveness of their own PI protection efforts.

A number of draft industry-specific regulations and national standards have been formulated as well, such as the Interim Measures for the Management of Intelligent Vehicle Road Testing and Demonstration Applications in Hainan Province, jointly issued by the Department of Industry and Information Technology, the Public Security Department and the Transportation Department of Hainan Province.

As mentioned in 1.1 Laws, CSL, along with DSL and PIPL, lay the foundation for the cybersecurity legal system in China that applies to all kinds of data, systems and information infrastructures, supplemented by a series of implementation measures and other laws and regulations as listed below, sorted by cybersecurity segment.

Network Operation Security

  • A1: MLPS – Regulation on Graded Protection of Cybersecurity (Draft for Comments) (Draft MLPS Regulations).
  • A2: CII Protection – CII Security Regulation, Cybersecurity Review Measures, as amended, Information Security Technology – CII Security Protection Requirements.
  • A3: Cybersecurity Review and data security incidents – Cybersecurity Review Measures, as amended, Administrative Measures for Cybersecurity Incidents Reporting (Draft for Comments).
  • A4: Encryption – the Cryptography Law and the Law on Guarding State Secrets.

Network Information Security

  • B1: Personal Information Protection – Civil Code, PIPL, draft Data Security Regulation, Provisions on the Scope of Necessary Personal Information of Common Mobile Applications and Provisions on the Cyber Protection of Children’s Personal Information, Measures for the Administration of Personal Information Protection Compliance Audits (Exposure Draft), Regulation on the Protection of Minors in Cyberspace, Guidelines for the Construction of Juvenile Modes of Mobile Internet (Exposure Draft).
  • B2: Important Data and State Secrets – DSL, Law on Guarding State Secrets; Information Security Technology – Important Data Identification Guidelines.
  • B3: Cross-border Data Transfer – DSL, PIPL, Measures for the Security Assessment of Cross-border Data Transfers, Measures for the Standard Contract for the Outbound Transfer of Personal Information, Provisions on Promoting and Regulating Cross-border Data Flows, Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong).
  • B4: Internet Information Content Administration – Provisions on Governance of Network Information Content Ecology, Provisions on the Administration of Algorithmic Recommendation in Internet Information Services, Provisions on the Administration of Blockchain Information Services, Provisions for the Administration of Internet News Information Services, Provisions on Governance of Cyber Violence Information (Exposure Draft), Working Rules for the Acceptance and Handling of Reports on Enterprise-related Online Infringement Information on Website Platforms, Guidelines for the Construction of Juvenile Modes of Mobile Internet (Exposure Draft), and others.

In addition, Articles 253(1), 285, 286 and 287(2) of the Criminal Law apply to crimes related to cybersecurity.

Please see 1.2 Regulators regarding the regulators and their respective areas of responsibility within cybersecurity.

Under Article 8 of CSL, CAC is the overarching cybersecurity regulator and agency in China. Please refer to 1.2 Regulators for its specific regulatory role.

CAC, the MIIT, the MPS and the SAMR at the national level, and their branches at the county level or above, are the major data protection authorities and privacy regulators; please refer to 1.2 Regulators regarding their respective roles in data protection. The National Information Security Standardisation Technical Committee (TC260) also plays an important role, although it is a standards body rather than an enforcement authority: it focuses on drafting data protection-related national standards. In addition, the NDA is responsible for advancing the development of data-related fundamental institutions, co-ordinating the integration, sharing, development and application of data resources, and pushing forward the establishment of a Digital China, the digital economy and a digital society.

The China Securities Regulatory Commission (CSRC) administers a series of securities-related financial activities in China, including initial public offerings (IPOs), corporate restructurings and related transactions. Data compliance of listed and listing companies has become one of the key factors in the CSRC’s approval of such activities, and has contributed to the CSRC’s rejection of IPO applications in some cases.

The National Financial Regulatory Administration (NFRA) oversees the financial industry, excluding securities, focusing on lawful and stable operations through various forms of supervision.

The People’s Bank of China (PBC) and its branches conduct data security supervision and administration in accordance with the applicable data security management measures, proactively support other competent authorities in conducting data security supervision and administration according to their duties, and may enter into co-operation agreements with those authorities when necessary to agree on modes of co-operation in data security supervision and administration.

Other key regulators include the National Administration of State Secrets Protection (NASSP) and the SCA, as discussed in 1.2 Regulators.

Key Frameworks

A series of national standards and government announcements have been released. However, in practice, a number of these documents are commonly deployed as guidance for law enforcement and corporate compliance, such as the following.

MLPS and network security in general

Specifications encompassing the MLPS classification and evaluation process and the respective requirements for systems at each MLPS classification level are set forth in:

  • the Information Security Technology – Baseline for Classified Protection of Cybersecurity (GB/T 22239-2019) (MLPS Baseline Standards); and
  • the Information Security Technology – Classification Guide for Classified Protection of Cybersecurity.

The Guidelines on the Protection of Information Security of Industrial Control Systems (ICS Guidelines), promulgated by the MIIT, set forth security protection for industrial control systems (ICS) in various aspects. Additionally, on 24 October 2023, the MIIT introduced the Measures for the Classified and Graded Management of Industrial Internet Security (Draft for Comment), proposing classification of enterprises and requiring self-assessment for security based on their operational scale and internet usage.

CIIs

The requirements for the identification, inspection, evaluation and security of CIIs are set forth in the following:

  • the Information Security Technology – Cybersecurity Protection Requirements of Critical Information Infrastructure (Draft for Comments);
  • the Information Security Technology – Guide to Security Inspection and Evaluation of Critical Information Infrastructure (Draft for Comments);
  • the Information Security Technology – Security Protection Requirements of Critical Information Infrastructure; and
  • the Information Security Technology – Indicator System of Critical Information Infrastructure Security Assurance (Draft for Comments).

On 1 May 2023, the Information Security Technology – Cybersecurity Requirements for Critical Information Infrastructure Protection (GB/T 39204-2022) (the “Cybersecurity Requirements”) was officially implemented. The Cybersecurity Requirements stipulates the elements for CII identification, as well as specific requirements regarding security protection and evaluation, incident monitoring and early warning, etc. The Cybersecurity Requirements guides operators to carry out full life-cycle security protection of CII, and can also be utilised as a reference for other parties in respect of CII security protection.

Emergency response

The National Cybersecurity Incident Emergency Response Plan, promulgated by CAC, sets forth emergency response measures to various cybersecurity incidents by authorities. The Emergency Response Plan for Cybersecurity Incidents in Public Internet Network, promulgated by the MIIT, sets forth emergency response measures applicable to internet industry participants. The draft Data Security Regulation proposes the time limits and procedures for reporting incidents.

On 8 December 2023, the National CAC drafted the Measures for the Management of Cybersecurity Incident Reports (Draft for Comments) (the “Measures”), which aims to standardise the reporting of cyber security incidents, reduce the losses and harm caused by cyber security incidents, and maintain national security. The upper-level legal basis for the Measures includes CSL, DSL, PIPL and CII protection regulations.

Personal information

PIPL provides an expanded definition of PI and specifies rules for PI processing activities, PI protection measures and rights for PI subjects. PIPL is regarded as the fundamental legislation that puts a key building block of personal data protection in place. However, the national standard PI Specifications still serve as practical guidance for PIPs subject to PI protection obligations, and are referred to in data protection compliance practice and enforcement.

On 21 March 2023, TC260 released Information Security Technology – Security Requirements for Processing of Sensitive Personal Information (Draft for Comments) (the “Security Requirements”). The Security Requirements defines sensitive personal information and stipulates security requirements for sensitive personal information processing activities. It provides reference for regulatory authorities and third-party assessment agencies to supervise, manage and evaluate the sensitive personal information processing activities of PIPs.

On 23 May 2023, TC260 released the Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing (GB/T 42574-2023) (the “Implementation Guidelines”), which took effect on 1 December 2023. The Implementation Guidelines apply to the protection of personal information rights and interests by PIPs when carrying out personal information handling activities. Nonetheless, the Implementation Guidelines do not constitute a mandatory standard; instead, they merely provide references for PIPs when performing their duties under PIPL in relation to notification and consent.

Cross-border data transfer

Under CSL and DSL, unless otherwise required by laws and regulations, CIIOs are required to localise PI and important data obtained from operations in China, conduct cross-border transfer of such data only when necessary, and meet security assessment requirements beforehand. Pursuant to PIPL, general PIPs intending to conduct PI cross-border transfers shall inform the PI subjects concerned and obtain their separate consent. The PIPs shall also conduct a personal information impact assessment (PIIA) with regard to the necessity, legitimacy and lawfulness of the transfer, its impact on the PI subject, the security risk and corresponding measures to mitigate the risk. Moreover, PIPs shall satisfy at least one of the following conditions:

  • conducting security assessment (if meeting the localisation threshold);
  • obtaining PI protection certification from qualified entities;
  • entering into standard contracts recognised by the state with the PI receiver; or
  • other conditions provided by applicable regulations.

On 28 September 2023, CAC published the Provisions on Regulating and Promoting Cross-border Data Flow and finalised it on 22 March 2024 (the Provisions on Promoting and Regulating Cross-border Data Flows, the “Provisions”). The Provisions suggested a variety of scenarios to be exempted from performing compliance requirements under PIPL, as aforementioned. It also requests the relevant authority or region to identify and make public important data, and allows the pilot FTZ to develop a negative list of data.

On 13 December 2023, CAC and the ITIB published the template Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (the “Standard Contract”) and its implementation guidelines. The Standard Contract and its implementation guidelines clarify the obligations and responsibilities in relation to data security of PIPs (including data users) as well as recipients. Similarly, the Standard Contract intends to ease the compliance requirements over CBDT activities, which will facilitate data flow and promote economic development.

The main commonly applied framework for required “reasonable security” is the set of regulations and national standards related to the MLPS. Please see 2.1 Key Laws and 3.1 De Jure or De Facto Standards for further details.

The following illustrate the legal requirements and applicable standards for specific cybersecurity sectors.

Written Information Security Plans or Programmes

China has not established any legal requirements regarding written information security plans or programmes. However, NOs are generally required to provide PI subjects with written documents, usually in the form of privacy policies or consent letters, to inform them of the purpose, methods and scope of PI collection and processing, the NOs’ PI security protection mechanisms, PI subjects’ approaches to asserting PI-related claims, risks of PI processing, and other matters.

Incident Response Plans

CSL requires relevant government authorities to formulate emergency response plans for their respective industries and fields. Such emergency response plans shall comply with the National Cybersecurity Incident Emergency Response Plan, which classifies cybersecurity incidents into four categories according to their severity and articulates the respective responses to each level. Consistent with CSL, DSL requires the competent authority to initiate the incident response plan, take the corresponding emergency response measures, and timely report to the public in the event of a data security incident.

As for the private sector, PIPL puts forward the same obligation by requiring PIPs to formulate incident response plans for PI security incidents.

CSL also stipulates that where a security incident occurs, the relevant network operator shall take technical measures to eliminate potential security hazards, prevent the harm from further expansion, and release warning information to the general public in a timely manner.

The Data Security Regulation proposes more detailed requirements concerning this mechanism by specifying that PIPs shall notify interested parties and authorities within three working days. Where the incidents involve important data or the PI of more than 100,000 individuals, PIPs shall report to authorities within eight hours.

Required Security Practices Applicable Generally, or to Specific Sectors or Data

Under CSL and MLPS-related regulations, from a management perspective, NOs shall formulate internal security management systems and operating procedures and determine the person in charge of network security. As for technical measures, NOs shall take technical measures to:

  • prevent viruses, network attacks, network intrusions and other acts that endanger network security;
  • monitor and record network operation status and network security incidents, and keep relevant logs for no less than six months;
  • perform the data classification, back-up and encryption of important data; and
  • meet other obligations stipulated by laws and administrative regulations.

Furthermore, network products and services providers shall immediately take remedial measures, inform users in a timely manner, and report to the relevant competent authorities when they discover risks such as security flaws.

Under DSL, the data processor shall strengthen risk monitoring when carrying out data processing activities. When risks such as data security defects are discovered, remedial measures should be taken immediately.

Under PIPL, PIPs shall be responsible for their personal information processing activities, and take necessary measures to guarantee the security of the personal information they process.

Appointment of Chief Information Security Officer or Equivalent

Under CSL and MLPS-related regulations, each NO shall appoint an officer with the general responsibility of overseeing the NO’s cybersecurity and MLPS-related arrangements. In addition to appointing such officer, CIIOs shall also conduct a security background check on such officer. Furthermore, DSL sets out that processors of important data shall appoint a data security officer to be in charge of data security protection. PIPL requires a personal information protection officer to be designated if a PIP processes PI reaching a threshold specified by CAC.

Involvement of Board of Directors or Equivalent

In China, there is no general legal requirement for the direct involvement of the board of directors or equivalent in the cybersecurity matters of a company. However, the fiduciary duty of the board of directors under the Company Law of the PRC may give rise to the board’s obligations to establish and maintain effective cybersecurity systems and to take corresponding security measures, depending on the circumstances – for example, the company’s affiliated industry or the significance of cybersecurity risks.

The Provisions on the Administration of Informatisation of Insurance Institutions issued by CBIRC require institutions to appoint an executive to be fully responsible for informatisation matters, including cybersecurity, under the direct leadership of the board of directors.

The draft Data Security Regulation similarly also proposes that the data security officer role shall be assumed by someone at the executive level.

Conducting Internal Risk Assessments, Vulnerability Scanning, Penetration Tests, etc

MLPS national standards and draft regulations set forth a large variety of risk-assessment requirements, such as periodical security assessments taken by systems at level 3 or above.

The CII Security Regulations require CIIOs to establish and maintain a CII risk assessment mechanism and to conduct assessment at least annually, and to rectify security risks discovered in a timely manner and report to the competent authority as required.

According to PIPL and other draft regulations, PIPs conducting PI cross-border transfers or data processors transferring important data abroad may be required to conduct security assessments.

Under PIPL, as mentioned above, PIPs shall conduct a PIIA in certain circumstances, such as when processing sensitive PI, utilising PI for automatic decision-making, entrusting, sharing or transferring PI to a third party or publicly disclosing PI, and transferring PI cross-border. The assessment factors shall include the lawfulness, legitimacy and necessity of processing, the risks of adverse effect to the PI subjects and the effectiveness of corresponding security measures. The Information Security Technology – Guidance for Personal Information Security Impact Assessment defines the framework, methods and processes of the PI security impact assessment under different scenarios.

Moreover, pursuant to the Administrative Measures for Cybersecurity and Information Security in the Securities and Futures Industry, the CSRC and its local offices may entrust relevant national or industrial specialised agencies to assist in the supervision and inspection of core agencies, business operators and information technology system service providers by means of vulnerability scanning and risk assessment, etc. Also, based on the Measures for the Administration of Electronic Banking Services, financial institutions shall set up an intrusion detection and protection system for electronic banking to monitor the operation of electronic banking on a real-time basis and conduct vulnerability scanning in the electronic banking system on a periodic basis and shall set up a mechanism to identify, address and report unauthorised access.

Multi-factor Authentication, Anti-phishing Measures, Ransomware, Threat Intelligence

The MLPS national standards set forth a variety of security requirements for network and computing systems, such as:

  • systems at level 2 or above shall adopt multi-factor authentication of user identity using passcodes, encryption, biometric technologies and/or other technical measures, in which at least one factor must be encryption; 
  • all systems shall install counter-malware software, update malware code database regularly, and establish internal policies of malware countermeasures;
  • all systems shall take the necessary measures to identify security vulnerabilities and hidden dangers, and patch the discovered security vulnerabilities and hidden dangers in a timely manner or after assessing the possible impact; and
  • all systems shall follow the principle of minimal installation and install only the components and applications that are needed: unwanted system services, default shares, and high-risk ports shall be turned off; systems at level 2 or above shall conduct security audits at network boundaries and important network nodes to audit important user behaviours and important security events.

Insider Threat Programmes

The MLPS national standards set forth a variety of security requirements for network and computing systems, such as:

  • systems at level 2 or above shall adopt multi-factor authentication of user identity, in which at least one factor must be encryption; 
  • all systems shall install and maintain updated counter-malware software and establish internal policies correspondingly;
  • all systems shall designate special departments or personnel for account management, and control the application of accounts, the establishment of accounts, the deletion of accounts, etc;
  • all systems shall designate or authorise special departments or personnel to be responsible for the recruitment of personnel, and terminate all access rights of off-the-job personnel in a timely manner;
  • all systems shall ensure that external personnel are authorised or approved before they can access controlled areas; and
  • all systems shall ensure that the selection of service providers complies with relevant regulations.

Vendor and Service Provider Due Diligence, Oversight and Monitoring

Obtaining PI from vendors and service providers is recognised as indirect collection of PI. The PI Specifications articulate that PIPs indirectly collecting PI shall request the PI providers to clarify the source of the PI, the lawfulness of the source and the scope of the PI subjects’ consent, and obtain supplemental consent from the PI subjects if the intended processing exceeds the scope of consent.

When PIPs provide PI to their vendors or service providers, their activities constitute the entrusting, sharing or transferring of PI. PIPL sets forth a series of requirements for such PI provision, such as obtaining informed separate consent from PI subjects, conducting a PIIA, contracting with and monitoring PI recipients, and assisting PI subjects in asserting lawful requests.

In the event of providing PI to vendors and service providers abroad, PIPs shall ensure the PI would be subject to the same protection as afforded by PIPL by satisfying the requirements listed in 3.1 De Jure or De Facto Standards (Cross-border data transfer).

When procuring network products or services from vendors or providers, under the MLPS, the NOs shall ensure that the products or services comply with applicable regulations and standards, and systems at level 3 or above shall conduct inspections before procurement and regularly update and review the list of candidate products. In addition, CIIOs shall ensure that the products or services procured have passed the cybersecurity review by the state if such procurement may affect national security.

Use of Cloud, Outsourcing, Offshoring

The use of cloud is mainly regulated from the MLPS aspect, and further guided by a series of national standards. The MLPS national standards articulate complex and extended security requirements for cloud computing at each MLPS level, covering various aspects of cloud computing security, such as physical environment, network structure, access control, audits, authentication, data integrity and back-up, internal management and service providers. Cloud computing systems at level 2 or above shall maintain their servers physically within China. According to the Information security technology – Baseline for classified protection of cybersecurity (GB/T 22239-2019), when the use of cloud involves PI, PIPs shall keep such PI physically stored within China. If PIPs transfer PI outside the territory of PRC, relevant national regulations should be followed. Furthermore, Information technology – Security techniques – Code of practice for protection of personal information in public clouds (GB/T 41574-2022) regulates the protection of personally identifiable information (PII) in public clouds acting as PII processors. In addition, Information security technology – Security guidance for cloud computing services (GB/T 31167-2023) provides detailed clarifications regarding cloud service in terms of its definition, deployment model and service model etc.

Training

Under CSL, CIIOs are required to conduct cybersecurity education, technical training and skill assessment for employees on a periodical basis. In line with CSL, both PIPL and DSL require data processors to carry out PI protection and data security education and training for relevant employees on a regular basis. It is worth mentioning that the Data Security Regulation proposes that data processors with important data shall provide no less than 20 hours of data security training for technical and managerial personnel per year.

On 16 September 2021, China sought membership in the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), aiming to engage in the largest regional trade pact that promotes e-commerce and cross-border data flows, minimising data localisation requirements. By joining the Regional Comprehensive Economic Partnership (RCEP) in 2020, effective from 1 January 2022, China further supported regional data circulation and digital trade among 15 countries. Additionally, in August 2022, China began efforts to join the Digital Economic Partnership Agreement (DEPA), the pioneering agreement in digital economy co-operation initiated by New Zealand, Singapore, and Chile.

China has also established bilateral legal assistance treaties with numerous countries to aid in multinational co-operation against internet crimes and fraud, while actively participating in the development of international standards with the International Organisation for Standardization (ISO). These activities underscore China’s commitment to global legal and regulatory collaboration.

In 2023, China played a significant role in global data and digital governance initiatives. At the fourth United Nations World Data Forum, China endorsed the UN’s call for improved data management aligned with sustainable development goals. Moreover, China contributed to the Global Digital Compact released in May 2023, advocating for an open, secure, and inclusive digital future, highlighting its support for multilateralism and equitable digital governance.

The information security requirements in CSL focus on de-identification, secure transmission, deletion and contingency plans. The internal department or personnel in charge of cybersecurity must keep any and all PI, privacy and business secrets obtained during their performance of duties in strict confidence.

Aligned with CSL, PIPL requires PIPs to take corresponding security measures to ensure the security of PI processed. Such security measures include:

  • implementing multi-level protection schemes;
  • adopting encryption and de-identification methods;
  • adopting access control methods; and
  • formulating an incident response plan.

DSL requires data processors to adopt data security measures covering every step of data processing activities.

De-identification

PI should be immediately de-identified after being collected by PIPs, and technical and managerial measures should be taken to separately store the de-identified data and information that can be used to restore the identification; it should be ensured that no particular individual will be identified during subsequent processing of such data.
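The de-identification and separate-storage requirement above can be illustrated with a small keyed-pseudonymisation routine. This is an added example, not text or code from the Chambers guide or from any regulator; the field names, the sample records and the `ReidentificationVault` class are constructed for illustration. The keyed hash keeps records of one subject linkable for analysis while the hash key and the pseudonym-to-identity table live in a store that the de-identified copy never touches, which is the separation the paragraph calls for.

```python
# Added example (not from the Chambers guide): pseudonymise collected PI right
# after collection and keep the re-identification material in a separate store.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Hypothetical field names; which fields count as direct identifiers is a
# decision the PIP makes when classifying its own data.
DIRECT_IDENTIFIERS: Tuple[str, ...] = ("name", "phone", "id_number")


class ReidentificationVault:
    """Holds everything needed to restore identity: the keyed-hash secret and
    the pseudonym -> identifiers table. Deploy this in a separate system with
    its own access control; the analytics copy of the data never sees it."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.table: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, identifiers: Dict[str, str]) -> str:
        # Keyed hash (HMAC-SHA256): deterministic per subject, so one person's
        # records stay linkable, but not reversible without the key.
        canonical = "\x1f".join(f"{k}={identifiers[k]}" for k in sorted(identifiers))
        token = hmac.new(self.key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()[:24]
        self.table[token] = dict(identifiers)
        return token

    def reidentify(self, token: str) -> Dict[str, str]:
        """Only the vault can map a pseudonym back to the original identifiers."""
        return dict(self.table[token])


def deidentify(records: List[Dict[str, str]], vault: ReidentificationVault) -> List[Dict[str, str]]:
    """Replace all direct identifiers with a single subject pseudonym; keep the rest."""
    out = []
    for rec in records:
        ids = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject": vault.pseudonym_for(ids), **rest})
    return out


def leaks_identifiers(deidentified: List[Dict[str, str]], originals: List[Dict[str, str]]) -> bool:
    """Check that no original direct-identifier value survives in the de-identified copy."""
    sensitive = {rec[k] for rec in originals for k in DIRECT_IDENTIFIERS if k in rec}
    return any(v in sensitive for rec in deidentified for v in rec.values())


# Constructed sample input (fictitious people and numbers).
SAMPLE = [
    {"name": "Zhang San", "phone": "13800000001", "city": "Beijing", "order": "A-1"},
    {"name": "Li Si", "phone": "13800000002", "city": "Shanghai", "order": "B-7"},
    {"name": "Zhang San", "phone": "13800000001", "city": "Beijing", "order": "A-9"},
]


def demo():
    """Run the pipeline once and return the vault and the de-identified copy."""
    vault = ReidentificationVault()
    cleaned = deidentify(SAMPLE, vault)
    return vault, cleaned


if __name__ == "__main__":
    vault, cleaned = demo()
    for rec in cleaned:
        print(rec)
    print("identifier leak:", leaks_identifiers(cleaned, SAMPLE))
```

The de-identified copy carries only the pseudonym and the non-identifying attributes, so a downstream processor holding that copy alone cannot name an individual; re-identification requires both the HMAC key and the vault table, which is why the paragraph insists they be stored and managed separately from the working data.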

Encryption

According to the Information security technology – Personal information security specification (GB/T 35273-2020), security measures such as encryption should be adopted when transmitting and storing sensitive personal information. When adopting cryptography technology, national standards regarding cryptographic management should be taken as reference.

Data Classification

According to PIPL and DSL, in general, PIPs shall classify personal information they have processed. Specifically, the Practice Guidelines for Cybersecurity Standards — Guidelines for Network Data Classification and Grading generally divide PI into 16 categories and set out the criteria for classification.

Access Control

The Information security technology – Personal information security specification (GB/T 35273-2020) stipulates access control measures for personal information. The PIPs shall establish an access control mechanism with minimum authorisation for personnel authorised to access personal information, and set up internal procedures to review significant operations on personal information.

Safe Transmission

According to PIPL and the PI Specifications, in principle PIPs are discouraged from sharing or transferring PI unless there is a solid legal basis for doing so and appropriate safety measures are in place. If sharing or transferring by the PIPs is necessary, PIPs shall perform a PIIA beforehand, obtain PI subjects’ separate consent after proper notification, and accurately record the sharing or transferring of PI. In particular, sensitive PI (SPI) shall be transferred and stored using encryption and other security measures.

Please see 1.1 Laws (Cross-border data transfer) for details on cross-border transfers of PI.

Deletion

PIPs shall take the initiative to delete PI under any of the following circumstances:

  • where the purpose of processing has been achieved or is impossible to achieve, and the PI is no longer necessary to achieve the purpose;
  • where the PIP ceases to provide products or services, or the retention period has expired;
  • where the PI subject withdraws consent; or
  • where the PIP processes PI in violation of laws, administrative regulations or countersigned agreements.

PI subjects may request the PIP to delete relevant PI, if the PIP has failed to do so. Furthermore, where the lawfully mandated minimum retention period has not expired, or the deletion is technically difficult to realise, the PIP shall stop all processing activities except storage and necessary security protection measures.

Emergency Response Plan

Please see 3.3 Legal Requirements and Specific Required Security Practices (Incident Response Plans).

In general, NOs’ internal department or personnel in charge of cybersecurity must keep all business secrets obtained during their performance of duties in strict confidence. Data protected by China’s cybersecurity regime can generally be divided into categories of PI, important data and national core data.

Enterprises are advised to first identify whether their material business data and material non-public information would fall under the definition of PI or important data. If both categories do not apply, such data may, if applicable, fall under the scope of trade secrets, the identification and protection of which are set forth in the Anti-Unfair Competition Law of the PRC.

Personal Information

Please see 4.1 Personal Data regarding the security requirements of business data or non-public information identified as PI.

Important Data

According to CSL, NOs are required to take measures such as back-up and encryption of important data. DSL also provides the protection system for important data. Article 21 states that each region and department shall formulate the specific catalogue of important data for the region, department, related industry and sector, and focus on the protection of data listed. Article 27(2) further mandates that important data processors must appoint a data security officer and set up a management institution in charge of data security. Article 30 requires such processors to carry out a risk assessment on data processing activities on a regular basis, and to submit the risk assessment report to the relevant competent department.

Trade Secrets

Various requirements are imposed by the Cryptography Law when enterprises adopt commercial encryption to protect data. Commercially encrypted products closely related to national and social public interests shall be certified by qualified inspection agencies before going to market. CIIOs adopting commercial encryption shall conduct security assessments by themselves or by qualified inspection agencies. When CIIOs’ procurement of network products or services adopting commercial encryption may affect national security, a security review of the procurement shall be conducted by relevant state authorities.

The Interim Provisions on the Protection of Trade Secrets of Central Enterprises stipulate protection measures for the trade secrets of centrally administered enterprises, including but not limited to signing confidentiality clauses, establishing confidentiality review procedures, and implementing control over the production, receipt, distribution, use, preservation and destruction of trade secrets.

Under the MLPS, in principle NOs are required to:

  • formulate internal security management systems and operation instructions to determine the person in charge of cybersecurity and define accountabilities for cybersecurity;
  • take technical measures to prevent computer viruses, network attacks, network intrusions and other activities that endanger cybersecurity;
  • monitor and record network operation and cybersecurity events, and maintain cyber-related logs for no less than six months as required; and
  • take measures such as data classification, back-up and encryption of important data.

The MLPS protects generic information networks, ICS, cloud computing platforms, internet of things (IoT), big data platforms, mobile communication systems and other network systems (MLPS subjects). NOs have different filing and self-assessment obligations for their MLPS subjects at each of the five protection levels – the higher the level of classification, the higher the compliance obligations for NOs.

In addition to the above requirements applicable to all NOs, CIIOs have additional general obligations to:

  • establish and improve a cybersecurity protection system and a responsibility system to ensure the input of human, financial, and material resources;
  • set up a special security management organisation, and conduct security background checks on the head of such organisation and the personnel in key positions;
  • ensure the operation funds for its specialised security management body, allocate corresponding personnel, and have the personnel of the specialised security management body participate in making decisions relating to cybersecurity and informatisation;
  • conduct cybersecurity inspection and risk assessment of its CII at least once a year directly or through a cybersecurity service provider;
  • give priority to purchasing safe and credible network products and services;
  • report the same to the protection department and the public security organ when a major cybersecurity event occurs to CII or a major cybersecurity threat is found; and
  • enter into a security and confidentiality agreement with network product and service providers in accordance with relevant provisions of the state when purchasing network products and services.

In addition, the CII Security Regulations further specify the requirements for the security protection of CIIs, encompassing the identification of CIIs, response to security incidents, daily operation and security maintenance, security monitoring and inspections, security assessment of network products and services procurement, and others.

Apart from the general security requirements for NOs under CSL (see 4.3 Critical Infrastructure, Networks, Systems and Software), the Draft MLPS Regulations contemplate general MLPS monitoring requirements related to preventing denial-of-service attacks. In particular, while all NOs shall monitor and record their network security status, operators of MLPS subjects at level 3 or above shall also adopt further precautionary and monitoring measures and file the results with local public security bureaus in a timely manner. With regard to the technical specifications for preventing denial-of-service attacks, the MLPS Baseline Standards prescribe the respective requirements for MLPS subjects at each level regarding security protection capacity in the four key technical aspects:

  • secure management centre;
  • secure communication network;
  • secure area boundary; and
  • secure computing environment.

Additionally, the Measures for the Administration of Operational Risk of Banking and Insurance Institutions provide that a banking or insurance institution shall, within five working days from the date on which it becomes aware of or should have become aware of a significant operational risk event, report it to the NAFR or its local office concerned according to the attribution of regulatory responsibilities.

Apart from overarching guidelines in CSL and supporting regulatory documents, particular industries or sectors have laws and regulations that also touch on the topic of cybersecurity, as follows.

  • The Law of the People’s Republic of China on Guarding State Secrets mandates that hierarchical protection measures shall be adopted for computer information systems that are used for storing or processing state secrets, and agencies shall enhance their control over such information systems.
  • The Administrative Regulations on Maps prescribe that entities engaging in internet map services shall establish a management system and protection measures for the data security of internet maps.
  • The Cybersecurity Review Measures require CIIOs to conduct cybersecurity review prior to the purchase of network products and services that affect or may affect national security, to ensure the supply chain security of CII and to safeguard national security. The measures also apply to data processing activities by online platform operators when the processing activities impact or may impact national security.

China has not established any legal requirements regarding ransomware attacks, including payment prohibitions, restrictions or conditions, reporting obligations or required co-ordination with law enforcement. The National Computer Network Emergency Response Technical Team and some local agencies have issued guidance on the technical measures that should be taken regarding ransomware, including data back-up, installing and updating antivirus software, updating operating system patches in time, etc.

According to the Measures for the Management of Cybersecurity Incident Reporting, “cybersecurity incidents” are events that have a negative impact on society and will cause harm to network and information systems or the data therein due to human causes, software and hardware defects or failures, natural disasters, etc. They can be categorised as harmful program incidents, cyber-attack incidents, information destruction incidents, equipment failures, catastrophic incidents, and other incidents. Furthermore, cybersecurity incidents are graded into four levels:

  • particularly significant;
  • significant;
  • relatively significant; and
  • general.

Generally, all types of data may be covered by data security incident or breach regulations. In addition to the general types of protected data (ie, PI, important data, trade secrets and data contemplated under the National Cybersecurity Incident Emergency Response Plan), other data that may be covered includes state secret information, important sensitive information, critical data or other data the loss of which would pose certain threats to or have certain impacts on national security, social order, economic construction and public interests.

Based on the Measures, data elements covered are generally divided into four categories; ie, personal information, important data, important sensitive information, and state secret information.

The legal construct of data security incident or breach covers:

  • systems involving important network and information systems that undertake business closely related to national security, social order, economic development and public interest; and
  • network and information systems that would pose threats to or incur impacts on national security, social order, economic construction and public interests upon being damaged.

In November 2022, the Key Laboratory of Medical Devices Related to the State Drug Administration issued the Medical Device Cybersecurity Vulnerability Identification and Assessment Methodology (Draft for Comments), which describes the process of medical device cybersecurity vulnerability identification and assessment, and provides guidance to medical device registration applicants and third-party assessment organisations on the methodology for medical device cybersecurity vulnerability assessments.

On 8 August 2022, the National Health Commission, the National Administration of Traditional Chinese Medicine and the National Administration of Disease Control and Prevention issued the Measures for Administration of Cybersecurity of Medical and Health Institutions (the “Measures”). For the purposes of strengthening the administration of cybersecurity of medical and health institutions, the Measures focus on graded protection and the security of CII, networks of graded cybersecurity protection grade 3 or higher, as well as important data and personal information.

The fundamental security requirements for ICS (including SCADA) can be found in the ICS Guidelines, which list 11 protection requirements, covering the following:

  • security software selection and management;
  • configuration and patch management;
  • boundary security;
  • physical and environmental security;
  • identity authentication;
  • remote access security;
  • security monitoring and emergency drills;
  • asset security;
  • data security;
  • supply chain management; and
  • responsibility implementation.

In addition, the MLPS Baseline Standards provide security requirements specifically for ICS, such as outdoor control equipment protection, network structure security, dial-up usage control, wireless use control and control equipment security. The Guidelines for Categorisation and Classification of Industry Data (Trial), circulated by the MIIT, put forward preliminary guidance on categorising data in combination with industrial manufacturing models and service operation models, and graded the industrial data into three levels by considering the potential impacts on industrial production and economic benefits after different types of industrial data are distorted, destroyed, disclosed or illegally used.

The MLPS Baseline Standards provide security extension requirements for IoT, such as the physical protection of sensor nodes, device security of sensor nodes, device security of gateway nodes, management of sensor nodes and data fusion processing. Other national standards also serve as references for IoT security, such as the security technical requirements for data transmission.

According to the Internet of things for lifts, escalators and moving walks – Technical requirements of enterprise application platform (GB/T 24476-2023), transmission and storage of data between the application platform of the elevator IoT enterprise and the public information service platform regarding elevator safety should have a security strategy, such as data encryption technology and remote access control mechanism.

Certification

CSL requires critical network equipment and specialised cybersecurity products to obtain certification before being sold on the market. On this basis, the Implementing Measures on Security Certification for Critical Network Equipment and Specialised Network Products further stipulate the procedures to apply for, extend, suspend, cancel and revoke the certificate. According to the Catalogue of Critical Network Equipment and Network Security Products 2023, specialised network security products are divided into 34 categories, including WAF, IDS, IPS and network security audit products. In addition, specialised network products shall be developed, produced, serviced and tested in accordance with the security technical requirements of Information security technology – Security technical requirements for specialised cybersecurity products (GB 42250-2022) and other technical specifications stipulated by the relevant national competent authorities.

Furthermore, pursuant to the Cryptography Law, commercial cryptography services using critical network equipment and specialised network products shall obtain a certificate issued by commercial cryptography certification agencies.

Network Product Security

The MIIT issued the Management Measures for the Record of Network Product Security Vulnerability Collection Platforms in 2022. As a complementary provision to the Vulnerability Regulation, systematic requirements are set out for the registration, filing, information change and cancellation procedures for networks and proposed network security vulnerability collection platforms.

Government Authorities

Under CSL, NOs shall report incidents that threaten cybersecurity to the competent authority; the detailed requirements in this regard are as follows.

  • The Measures for the Management of Cybersecurity Incident Reporting require NOs to report in the event of cybersecurity incidents. In accordance with the Guidelines for Classification of Cybersecurity Incidents, if a cybersecurity incident is relatively significant, significant or particularly significant, it should be reported within one hour.
  • The Automotive Data Security Management Measures require the automotive data processor that conducts important data processing activities to submit the annual automotive data security management report to the provincial CAC and relevant authorities before 15 December of each year, including the automotive data security incidents and the handling thereof.
  • The Telecommunications Regulations of the PRC prescribe that telecoms operators shall report to the relevant national authorities upon the discovery of illegal transmission of information contents as described in Article 56 in the course of their public information services.

As for CII, authorities in charge shall establish the cybersecurity monitoring mechanism and information reporting mechanism for specific industries/sectors within their respective jurisdictions.

If there is an increased risk of cybersecurity events, governments at provincial level and above shall take measures to require the authorities, agencies and personnel concerned to promptly collect and report necessary information and enhance monitoring of cybersecurity risks.

In accordance with CSL, PIPL and DSL, China has established a national cybersecurity information reporting mechanism led by CAC and MPS, in which multiple ministries/bureaus – including MIIT, NDRC and the secrecy bureau – are also participating.

Individuals

Under CSL, NOs are obliged to notify the affected users promptly of any disclosure, damage or loss (or possible disclosure, damage or loss) of PI. In addition, the product/service providers concerned shall inform users of any risk such as security defects or bugs in network products or services. According to PIPL, in a PI security incident, the affected PI subjects shall be notified of information related to the incident.

Other Companies or Organisations

A duty to report to other companies may be triggered by contractual obligations.

Industry organisations may determine reporting obligations for their members, under Article 29 of CSL. Other industry self-regulated obligations to report to information-sharing organisations may also exist; see 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.

There are various thresholds and standards of notification in China’s cybersecurity regime.

For instance, according to the Emergency Response Plan for Cybersecurity Incidents in Public Internet Network, the lowest level of network security incident is the general network security incident, which shall meet one of the following conditions:

  • a large number of internet users within one municipality are unable to access the internet normally;
  • the leakage of the information of more than 100,000 internet users; or
  • other incidents that cause or may cause general harm or effect.

It could be implied that at least the same level of threshold of cybersecurity harm is applicable to data breach incident notification.

In addition to the harm to cybersecurity, notification obligations are also triggered when PI is “likely to be divulged, damaged or lost” under CSL.

According to the Measures for Monitoring and Handling Threats to the Cyber Security of Public Internet, telecommunications authorities (including the MIIT and provincial communication administrations) are in charge of monitoring cybersecurity threats. Further, Information Security Technology – Basic Requirements and Implementation Guide of Network Security Monitoring 2018 sets out the framework and baselines for network security monitoring, which contemplate that network security monitoring is conducted through the real-time collection of network and security equipment logs, system operation data and other information.

Information security technology – Technical specification for network intrusion prevention system regulates storage and transmission security for intrusion prevention systems. It requires security measures such as backups of audit logs to be adopted.

According to the Information security techniques – Assessment criteria for cybersecurity emergency capability, all types of organisations shall carry out cybersecurity event monitoring and retain network logs for not less than six months.

The intersection of cybersecurity and privacy illustrates the conflict arising from the intertwined interests of the community and of individuals/entities. For instance, from a commercial practice perspective, as companies impose confidentiality obligations on their employees, an employee reporting the vulnerability of their company’s network system to a third party is in conflict with their confidentiality obligations.

Although it is difficult to clearly define the boundaries between the two, the state tries to balance the scales. For example, in PIPL, the processing of PI by state organs to perform their statutory functions shall be carried out in accordance with the authority and procedures provided in laws and administrative regulations, and shall not exceed the scope and limits necessary for statutory functions, which means public authorities may only collect and use PI upon data subjects’ authorised consent or statutory authorisations by laws or administrative regulations, even when a cybersecurity threat is involved. Generally speaking, only certain criminal investigations or threats to national security may trigger such statutory authorisation.

Additionally, under CSL, DSL, PIPL and their implementing regulations, authorities and their staff bearing relevant regulatory authority must keep strict confidentiality of any PI, privacy information and business secrets obtained in the performance of their duties. Furthermore, Article 30 of CSL prescribes that cyberspace administrations and the authorities concerned shall only use information accessed in the performance of their duties for cybersecurity protection purposes.

Please see 5.8 Reporting Triggers (Government Authorities).

Pursuant to Article 29 of CSL, the state supports co-operation among NOs in the collection, analysis and notification of cybersecurity information and emergency response. Besides, the relevant industry organisations shall establish and improve respective cybersecurity rules and co-ordination mechanisms, enhance analysis and assessment on cybersecurity risks, regularly release risk alerts to their members, and assist their members in coping with cybersecurity risks.

Furthermore, pursuant to the Vulnerability Regulation (implemented from September 2021), organisations or individuals are encouraged to voluntarily report product vulnerabilities to the CNVD (see 1.5 Information Sharing Organisations and Government Cybersecurity Assistance). Additionally, Information Security Technology – Specification for Cybersecurity Vulnerability Management, issued by TC260, specifies the requirements for vulnerability management and methods for vulnerability discovery, report, verification, release, and tracking.

Also, there are scenarios where system vulnerabilities shall be mandatorily reported, as described in 5.7 Requirements for Secure Software Development.

In December 2022, CAC completed a special campaign called “Operation Qinglang” to crack down on problematic applications in accordance with the Provisions on the Administration of Information Services of Mobile Internet Apps. Specifically, the operation targeted the following issues:

  • copycat applications, false rankings, misleading information, unregistered applications, etc, that users may encounter when searching for applications online;
  • forced or bundled download and installation, applications disguised to avoid supervision, applications that trick users into downloading with rewards, etc, that users may encounter when downloading and installing applications; and
  • pop-ups, malicious functions, and apps that try to trick users into making payments when using the app.

In 2023, the Supreme People’s Court, the Supreme People’s Procuratorate (SPP), and the Ministry of Public Security jointly issued the Guiding Opinions on Punishing Cyber Violence Violations and Crimes (the Guiding Opinions), which require courts, procuratorates, and public security authorities to:

  • fully understand the social harm of cyber violence, and safeguard citizens’ rights and interests and order in cyberspace;
  • accurately apply the law and severely punish cyber violence violations and crimes in accordance with the law;
  • facilitate litigation procedures and promptly provide effective legal remedies; and
  • implement work requirements, promote and supervise comprehensive governance.

Based on the conclusion of the cybersecurity review and the issues and clues found, CAC opened a case to investigate the alleged violations of law by DiDi Global Co. In 2022, CAC imposed a fine of CNY8.026 billion on DiDi Global Co. and a fine of CNY1 million each on Cheng Wei, chairman and CEO of DiDi Global Co., and Liu Qing, president of DiDi Global Co., in accordance with the Network Security Law, DSL, PIPL, Administrative Punishment Law and other laws and regulations.

In March 2023, CAC initiated a cybersecurity review on a US semiconductor company and its products sold in China, such as core network equipment, important communication products and high-performance computers and servers, etc. This review will examine the safety, openness and transparency of the aforementioned products, and the risks of enterprises being manipulated due to use of the products and services.

In September 2023, CAC issued administrative penalties on CNKI following a cybersecurity review in accordance with CSL, the Administrative Penalty Law and other laws and regulations. Upon investigation, 14 apps operated by CNKI, including Mobile Knowledge and Knowledge Reading, were found to violate the principle of necessity in collecting personal information. CNKI also did not disclose the rules of its personal information processing activities or obtain consent accordingly. Hence, taking into account the nature, consequences, duration and other factors of CNKI’s illegal activities, CAC eventually imposed a fine of CNY50 million on CNKI.

Please refer to 1.3 Administration and Enforcement Process and 1.4 Multilateral and Subnational Issues.

In 2022, some local courts – such as Hangzhou Internet Court, Guangzhou Internet Court and Guangdong High People’s Court – released typical cases covering algorithms incorrectly associating PI, merchants publishing consumers’ PI without permission, mobile apps collecting PI without consent, and platforms leaking information about complaints and reports.

PIPL was officially implemented on 1 November 2021, authorising procuratorial organs to initiate public interest litigation in the field of personal information protection. Procuratorates across the country filed more than 6,000 personal information protection public interest litigation cases in 2022.

In March 2023, SPP released the Eight Model Cases of Procuratorial Public Interest Litigation for Personal Information Protection, focusing on issues of public concern such as medical and health information, facial recognition, and logistics big data to ensure the correct implementation of PIPL. Among the eight cases announced, SPP included two administrative public interest litigation cases involving the protection of personal medical health information and personal biometric information, and a civil public interest litigation case involving criminal prosecution for infringement of personal information on express delivery labels.

In China, regulations highlight the accountability of top management for cybersecurity, advocating for its integration into corporate governance. This involves prioritising cybersecurity at the executive level, establishing accountability systems, and engaging senior leaders in incident management. For entities like CIIOs, CSL and DSL mandate specific security management structures, adaptable based on company size and focus.

Companies that meet the prescribed conditions need to have people responsible for cybersecurity, PI protection and data security. The person in charge should have both professional competence and a clear understanding of the responsibilities of that statutory role, and should implement the relevant work in concrete terms.

Companies need to establish a system for rating protection classification filing and assessment, network security risk assessment and reporting, product testing and certification assessment, vulnerability management, security monitoring and incident disposal, supply chain security management, personnel security management, security audit, assessment and accountability to better address cybersecurity risks and improve resilience.

The Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (the “Specification”), which came into effect on 1 October 2020, requires the clarification of the departments and personnel responsible for personal information security management within the organisation. The Specification stipulates that the legal representative or principal responsible person shall bear overall leadership responsibility for personal information security, including providing human, financial and material guarantees for personal information security work. The person in charge of personal information protection should be a person with relevant management experience and professional knowledge of personal information protection, and should report directly to the main person in charge of the organisation on important decisions related to personal information processing activities.

The process of diligence in corporate transactions mainly concerns the security and the asset aspects of data.

For the security aspect, the MLPS classification and evaluation of a company’s information system are the first steps of due diligence. Comprehensive assessments of cybersecurity based on the MLPS classification will then be conducted to perform gap analyses of various security-related matters, including emergency response, PI protection, cross-border data transfer security and CII protection.

As for the asset aspect, due diligence will focus on confirming the legitimacy of the corporate data and identifying the legal boundary of corporate data assets. As security and compliance of data are the premises of data assets, taking data mapping as reference, assessment reports will be issued to review the corporate compliance of data regarding various matters, such as PI processing, internal corporate systems related to cybersecurity and data compliance, and information content administration. Identifying the boundary of the company’s data and the claims the company has over it will be the next step in confirming the company’s proprietary rights over the corporate data.

The National General Response Plans for the Public Emergency Incidents set forth local government authorities’ obligations to report public emergency incidents to higher-level authorities. Cybersecurity risks that constitute a public emergency incident may be disclosed and reported to various levels of authority for emergency alerts and responses. The Emergency Response Law of the PRC also requires all entities to report their potential emergency incidents to local authorities in a timely manner in accordance with applicable laws and regulations. In the financial area, the Measures for the Administration of Initial Public Offering and Listing of Stocks and other similar IPO administration measures require that any information that may have a major impact on investors’ investment decisions shall be disclosed in IPO prospectuses.

However, entities should note that the disclosure of cybersecurity information may be subject to certain limitations under recent draft measures by CAC, as described in 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.

Considering the extraterritorial jurisdiction of PRC cybersecurity regulations, “domestic operation” also entails an enterprise’s acts that are intended to provide goods or services to individuals within the PRC.

King & Wood Mallesons

18th Floor, East Tower
World Financial Center
1 Dongsanhuan Zhonglu
Chaoyang District
Beijing
100020, PRC

+86 10 5878 5588

+86 10 5878 5566

kwm@cn.kwm.com www.kwm.com

Trends and Developments


A Global View on Cybersecurity and Data Protection

In 2023, cybersecurity and data protection continued to evolve at a rapid pace from a worldwide perspective, with a particular focus on cross-border data transfer (CBDT), governance and data protection of minors. To name a few, based on the extension of the EU-US Privacy Framework, the UK officially acknowledged the “UK-US Data Bridge”, paving the way for personal data to be freely transferred between the UK and the US without any additional safeguards. Moreover, on 15 August 2023, the Brazilian National Data Protection Authority (ANPD) released a draft of the Regulation on International Transfer of Personal Data and the Standard Contractual Clauses Model for public comment. In terms of data protection of minors, on 18 July 2023, the Personal Data Protection Commission in Singapore launched a public consultation on the Proposed Advisory Guidelines on the Personal Data Protection Act for Children’s Personal Data (the “Proposed Guidelines”). On 20 December 2023, the US Federal Trade Commission announced proposed amendments to the Children’s Online Privacy Protection Rule, which would impose new restrictions on the use and disclosure of children’s personal data.

Holding similar visions to improve domestic cybersecurity and data protection, China has made great efforts throughout the year to enact practical rules implementing the high-level requirements of the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). While China prioritises cybersecurity and data protection, it is important for the country to maintain a delicate equilibrium between security priorities and economic development.

Cross-border data transfer

In 2023, CBDT governance entered a new stage marked by advancements in legislation and enforcement. According to PIPL, there are three fundamental approaches to legitimise CBDT activities – ie, (i) conducting a security assessment regulated by the Cyberspace Administration of China (CAC); (ii) entering into a standard contract with the overseas recipient; or (iii) obtaining personal information protection certification from certified professional institutions.

As shown by practice in 2023, given the specific circumstances of CBDT activities, the first two compliance routes mentioned above were widely adopted by data processors. Specifically, many of the data processors meeting the application thresholds outlined in the Measures for the Security Assessment of Cross-border Data Transfer have applied to CAC for the assessment of their CBDT activities, and a considerable portion of their applications have been approved. Meanwhile, many of the data processors who do not meet the application thresholds have entered into standard contracts with overseas recipients in accordance with the requirements of the Measures for Standard Contracts for the Cross-Border Transfer of Personal Information, and filed the standard contracts with the local cyberspace administration accordingly.

On 25 July 2023, in order to optimise the environment for foreign investment, the State Council issued the Opinions on Further Optimising the Business Environment for Foreign Investment and Increasing the Attraction of Foreign Investment. These opinions clarified an urgency to explore a facilitated security management mechanism for CBDT activities, including establishing a green channel for eligible foreign-invested enterprises, and exploring general data which can be freely transferred on a pilot basis.

Additionally, to further promote the free flow of data in an orderly manner, CAC initiated a public consultation on the Provisions on Regulating and Promoting Cross-border Data Transfer (Exposure Draft) (the “Draft”) on 28 September 2023. CAC then finalised the Draft as the Provisions on Promoting and Regulating Cross-border Data Flows (the “Provisions”) on 22 March 2024. The Provisions exempt a variety of scenarios from the compliance requirements under PIPL, such as transmitting data out of China without introducing any additional personal information or important data collected and generated within China, transfers necessary to perform a contract, transfers for human resource management, transfers to protect vital interests, etc. In addition, under the Provisions, the conditions triggering a CBDT security assessment are set out only as scenarios, such as the cross-border transfer of important data, critical information infrastructure operators’ CBDT activities involving personal information, and other data handlers cumulatively providing more than 1 million individuals’ personal information or more than 10,000 individuals’ sensitive personal information outside of China, counting from 1 January 2024.

Last but not least, under the framework of the overall CBDT governance scheme, in June 2023, CAC and the Innovation, Technology and Industry Bureau of the HKSAR Government signed the Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area (the “Memo”), and subsequently announced the Implementation Guidelines on the Standard Contracts for Cross-border Transfer of Personal Information within the Guangdong, Hong Kong and Macao Greater Bay Area (Mainland, Hong Kong) (the “Guidelines”) to facilitate the implementation of the Memo. Together, the Memo and the Guidelines are conducive not only to facilitating data flow within the Greater Bay Area, but also to supporting Hong Kong in better integrating into the overall development of the Chinese Mainland.

In conclusion, while legislation and rules regarding CBDT in China are gradually being implemented, based on dynamic practices, regulators have also promptly adjusted the CBDT governance schemes so as to ease the compliance burden and facilitate economic development.

Protection of minors in cyberspace

With the rapid development of the internet, cyberspace has become an important space in which minors live, learn and play. In recent years, China has been making efforts to establish mechanisms for the protection of minors in cyberspace. 2023 saw another milestone in this field: the Regulations on the Protection of Minors in Cyberspace (“these Regulations”), which were adopted by the State Council on 20 September 2023 and took effect on 1 January 2024. These Regulations aim to create a cyber-environment conducive to the physical and mental health of minors, and to protect the legitimate rights and interests of minors. In brief, these Regulations highlight the promotion of cyber literacy, emphasise cyberspace information governance, and underscore the protection of minors’ personal information. Notably, Article 2 of these Regulations sets out the principle of acting in the way most beneficial to minors, which is in line with Article 4 of the Law of the PRC on the Protection of Minors (2020 Revision).

In detail, firstly, these Regulations call for improving cyber literacy among minors by strengthening the educational roles of schools and guardians. Manufacturers and sellers of intelligent terminal products are required to ensure that their products can effectively identify illegal online content and are equipped with anti-addiction functions. Meanwhile, online platform service providers with a large number of minor users shall regularly conduct a cyber protection impact assessment in respect of minors, and develop minor modes or minor zones in which the content is appropriate for minors to browse.

Secondly, these Regulations emphasise the importance of cyberspace information governance. Specifically, organisations and individuals are prohibited from producing, reproducing or releasing any information involving obscenity, pornography, violence, cults, superstition, gambling, the luring of minors into self-harm or suicide, terrorism, separatism, extremism, or other content that would endanger the physical and mental health of minors. Furthermore, these Regulations prohibit cyberbullying targeting minors. Accordingly, online product and service providers are required to set up mechanisms for the early warning, detection and handling of cyberbullying.

Thirdly, these Regulations underscore the protection of minors’ personal information. Specifically, guardians shall educate and guide minors to enhance their awareness and ability to protect their personal information, and to exercise their own rights, such as the rights of access, correction and deletion, where doing so is in their interest.

As the first regulation specialised in the protection of minors in cyberspace, and a derivative of the Law of the PRC on the Protection of Minors and the Provisions on the Cyber Protection of Children’s Personal Information, these Regulations temper the pace of internet development by requiring consideration of minors’ physical and mental health. While the compliance costs of schools, guardians, manufacturers and sellers of intelligent terminal products, and large cyber platform service providers will increase with the promulgation of these Regulations, a more minor-friendly cyberspace will be established and will ultimately contribute to the healthy growth of minors.

Compliance audit of personal information protection

Because personal information is easily reproduced and widely circulated, how to supervise personal information processing activities has become a key issue for regulatory authorities. The Information Security Technology – Personal Information Security Specification, which came into force in 2020, was the first to impose “security audit (安全审计)” requirements on personal information processors. The PIPL, enacted in 2021, explicitly stipulates that personal information processors shall conduct audits on a regular basis to ensure compliance with laws and regulations. Furthermore, in December 2021, the Personal Information Protection Compliance Audit Promotion Group, led by the Cloud Computing & Big Data Research Institute of the China Academy of Information and Communications Technology, issued the Suggestions on Promoting Personal Information Protection Compliance Audit, which clarifies the objectives, principles and personnel of personal information audits. This document, though having no mandatory effect, provides practical guidelines for companies conducting compliance audits.

Furthermore, on 3 August 2023, CAC drafted the Measures for the Administration of Personal Information Protection Compliance Audits (Exposure Draft) (the “Audit Measures”). The purpose of the Audit Measures is to establish a mandatory personal information protection compliance audit mechanism, enabling enterprises to self-review their performance on personal information protection.

In detail, the Audit Measures propose two types of compliance audit (ie, regular audits and supervisory audits) to be carried out by personal information processors. In addition, the Audit Measures specify two methods of conducting an audit: self-auditing and third-party auditing. Specifically, personal information processors that commission a professional institution to conduct a personal information protection compliance audit must make the necessary rectifications based on the recommendations provided by the professional institution.

The Audit Measures also issue guidelines for conducting compliance audits in accordance with PIPL and other relevant provisions, including but not limited to reviewing and formulating complete internal management systems and operational procedures. Moreover, they help enterprises to assess the legitimacy of their personal information processing activities, such as whether they have properly fulfilled the notification obligation and obtained consent requested by PIPL.

In conclusion, as a mandatory obligation to perform, this audit mechanism would not only enable enterprises to self-monitor their own personal information processing activities, but also facilitate external supervision.

Cybersecurity incident reporting

With CSL as the baseline, China has been continuously working to complete its cybersecurity incident governance scheme. On 23 May 2023, the State Administration for Market Regulation and the Standardisation Administration of China jointly issued the Guidelines for Category and Classification of Cybersecurity Incidents (GB/T 20986-2023), which were implemented from 1 December 2023. These Guidelines describe the criteria for categorising and classifying cybersecurity incidents and clarify the classification codes for cybersecurity incidents. Furthermore, to complete the national cybersecurity incident emergency response mechanism, CAC enacted the National Cyber Incident Response Plan (the “Plan”). The implementation of the Plan is expected to enhance enterprises’ capabilities to respond to cybersecurity incidents, thereby mitigating the losses and harm resulting from such incidents.

On 8 December 2023, CAC issued the Administrative Measures for Cybersecurity Incident Reporting (Draft Exposure) (“these Measures”), a milestone in respect of incident response. These Measures specify the procedure and requirements of incident reporting.

In line with CSL, these Measures impose an incident reporting obligation on network operators that build and operate networks within the territory of the People’s Republic of China or provide services through networks. Also, according to these Measures, cybersecurity incidents shall be sorted into four categories (ie, especially serious, serious, relatively serious and ordinary), for which Annex 1 of these Measures sets out the classification criteria. Depending on the category of an incident, the reporting obligation shall be performed within one hour, 24 hours or five working days. In principle, especially serious, serious and relatively serious incidents shall be reported within one hour. However, if it is impossible to determine the cause, impact or trend of an incident within that time, the deadline for a full report may be extended to 24 hours.

In terms of the content to be reported, Article 5 and Annex 2 of these Measures stipulate that a report shall at least cover the following matters: (i) the name of the entity in which the incident occurred and the basic conditions of the facilities, system and platform in which the incident occurred; (ii) when and where the incident was discovered or occurred, the category of the incident, the impacts and harm caused, and the measures that have been adopted and their effects; (iii) the development trend of the situation and possible further impact and harm; (iv) a preliminary analysis of the causes of the incident; (v) clues required for further investigation and analysis, including information on possible attackers, attack paths and existing vulnerabilities; (vi) measures to be taken next and matters for which support is requested; and (vii) the status of preservation of the incident site.

It is worth mentioning that any network operator who fails to fulfil the reporting obligation shall be punished by CAC in accordance with relevant laws and administrative regulations. Nevertheless, if the network operator appropriately performs its duty under these Measures and mitigates the impact of the incident to the greatest extent, the network operator’s liability might be exempted or mitigated, as the case may be.

In brief, the ultimate purpose of these Measures is not to impose extra or burdensome obligations on network operators, but to provide a practical way for them to properly disclose cybersecurity incidents to regulators, and have such incidents appropriately managed.

Industry-specific regulations

In 2023, industry-specific regulations and rules concerning cybersecurity and data protection were released across various sectors, including but not limited to finance, internet, and information technology.

For instance, on 24 July 2023, the People’s Bank of China issued the draft Measures for the Management of Data Security in the Business Areas of the People’s Bank of China. These measures primarily offer practical guidance for data security management in the financial industry, focusing on monetary policy, foreign exchange management, interbank market transactions, and comprehensive statistics. Imposing detailed data security requirements throughout the entire life cycle from organisational and technical perspectives, these measures aim to facilitate the implementation of multi-dimensional data security management practices. With a view to enhancing financial information security, on 6 August 2023, the People’s Bank of China issued the Specification of Financial Information System Cybersecurity Risk Assessment (GB/T 42926-2023). This national standard sets out principles and key points of the whole procedure to conduct risk assessments on the security of financial information systems. Also, the appendix section of this national standard provides a sample assessment for reference, with a list of typical risks to consider.

The internet and information technology industry also witnessed rapid development. For instance, on 24 August 2023, the People’s Procuratorate of Shenzhen issued the Guidelines on the Compliance of Mobile Internet Application Distribution Business in Shenzhen (“these Guidelines”), marking the first compliance guidelines with regard to application distribution governance. To assist application distribution platforms in establishing a systematic internal compliance mechanism, these Guidelines require application distribution platforms to obtain an internet service licence or perform filing obligations beforehand, perform review obligations before launching applications, and conduct daily management over applications they distribute. These Guidelines are regarded as a practical tool for players in the field to implement those general legal requirements related to cybersecurity and data protection. Moreover, on 23 November 2023, the Network Security Administration of the Ministry of Industry and Information Technology issued the draft Guidelines on the Administrative Penalty Discretion for Data Security in the Field of Industry and Information Technology (for Trial Implementation). It is worth mentioning that the appendix of these Guidelines sets out a benchmark for exercising discretion in imposing administrative penalties on different violations, standardising the discretion of regulators in their enforcement activities.

Conclusion

2023 witnessed encouraging development in the regime of cybersecurity and data protection in China. For one thing, authorities have extended the requirements outlined in the three pivotal laws to specific scenarios, such as the protection of minors in cyberspace. In addition, some of the high-level provisions, such as those on cybersecurity incident response, have been given practical effect through the formulation of detailed rules. Also, inspired by China’s Audit Law, an audit mechanism specifically for personal information protection compliance is expected to be established.

Among the developments, one area of attention is CBDT governance. The reason is that cybersecurity and data security are not only critical for China’s national security but also important in ensuring smooth foreign business operations and boosting economic growth. Hence, by easing the compliance burden regarding CBDT activities, regulators in China are signalling their commitment to promoting safe data flow and foreign investment.

In conclusion, China has demonstrated its resilience in the realm of cybersecurity and data protection and its effort to facilitate economic development over the past year. As China continues to prioritise striking a proper balance between security and economic development, we hold an optimistic outlook for witnessing further positive changes in the future.

King & Wood Mallesons

18th Floor, East Tower
World Financial Center
1 Dongsanhuan Zhonglu
Chaoyang District
Beijing
100020, PRC

+86 10 5878 5588

+86 10 5878 5566

kwm@cn.kwm.com www.kwm.com