China To Review Compliance With New Cyber And Data Laws.

Legal News & Analysis - Asia Pacific - China - Cybersecurity

Asia Pacific Legal Updates


12 September, 2017


China To Review Compliance With New Cyber And Data Laws.


Chinese authorities will carry out a review of compliance with cybersecurity and data laws later this year, according to a state news agency.


Inspectors will visit the Chongqing Municipality, Inner Mongolia Autonomous Region and the provinces of Heilongjiang, Fujian, Henan and Guangdong in September and October, before a report is submitted to the National People's Congress Standing Committee in China in December, Xinhua reported.


The new laws came into force on 1 June 2017. However, Chinese authorities previously said they would not be enforced for 19 months.


Experts at Pinsent Masons, the law firm behind, will be hosting an event in Hong Kong on Wednesday 27 September 2017 where they will be providing an update on the China Cyber Security Law. You can register for the event here.


Hong Kong-based technology law expert Paul Haswell of Pinsent Masons, raised concern earlier this month about the vagueness of many of the provisions. He said this made it difficult for "businesses to understand their remit, at whom they are targeted, and critically how to ensure compliance".


Haswell advised businesses to conduct an information audit to help address rules on data storage and transfers contained in the regulations.


"Rules regarding the handling and transfer of Chinese data are likely to have the biggest initial impact on how international businesses operating in China need to re-examine their data strategy," Haswell said at the time.


Under the law, there are restrictions on the storage and transfer of data by 'critical information infrastructure operators'. It has not been clarified what precisely would be classed as 'critical information infrastructure'.


Critical information infrastructure operators must store personal information and "other important data" that they gather or produce during their operations in China, in mainland China. What constitutes 'important data' is unclear.


If the business wants to transfer the data elsewhere in the world they must be able to show that it is "truly necessary" for "business requirements" and "conduct a security assessment" in relation to their prospective data transfers arrangements in accordance with measures set by the Chinese authorities.


'Network operators' must also take steps to prevent cybersecurity breaches and record and report such incidents. They also face new penalties if they mis-use personal information.

Pinsent Masons


For further information, please contact:


Ian Laing, Partner, Pinsent Masons