China Cybersecurity Law, GDPR move to safeguard data

Thirty years ago, the internet was still in its infancy, mobile phones were scarce and “social networks” consisted of little more than your friends from college or high school. Today, our personal and professional lives are connected to public and private digital online networks designed to close the geographical distance of the global world, enhancing businesses and their operations and connecting people—family, friends and strangers alike—in ways we never imagined just a decade ago. In 2018, the digital revolution driven by the internet remains is in full force. However, for all its advances, some view the high digitization of everyday life as data run amok.

The rise of the internet has conceived the rise of social media, personal data collection and personal data transmission. As the internet is a global network without physical regional boundaries, its governance, until recently, has remained largely undefined. But currently, in light of numerous high-profile data abuse cases, including the theft of personal people’s information, the idea of more information becoming “too much information” is raising concerns, particularly in the area of personal privacy.

In light of the latter, the compliance landscape is changing. On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect. The reform, promulgated by the European Commission, applies to European Union countries and unifies the protection of personal data in the EU into one singular law. In general, GDPR provides natural persons residing in the EU an increased level of control over their data while subjecting companies to stricter compliance. Natural persons exercise the right to know what and how their data is managed, as well as right for their data to be erased. Given the new mandate, companies are obliged to implement data protection mechanisms and designate a Data Protection Officer.

Equally, in June 2017, the Cybersecurity Law of the People’s Republic of China (CSL) went into effect. CSL paves the way for stricter supervision and management of information and network systems. The scope of cybersecurity extends to all systems utilized to collect, save, transmit exchange and process information. In other words, companies and individuals involved in any type of network as a network operator and/or network user are subject to the reforms. Primary, CSL establishes the compliance framework for network operators and is the overarching law for cybersecurity.

Further measures and regulations shall provide specific guidelines and enforcement.

In light of the implementation of GDPR, below we offer a recap of CSL and provide the key takeaways.

Network operator

Under the Cybersecurity Law, a network operator is defined as owners, administrators of the network and network service providers. The law calls on the network operator to:

  • Formulate internal security management systems and operating rules, determine persons responsible for network security, and implement network security protection responsibility;
  • Adopt technological measures to prevent computer viruses, network attacks, network intrusions and other actions endangering network security;
  • Adopt technological measures for monitoring and recording network operational statuses and network security incidents, and follow relevant provisions to store network logs for at least six months;
  • Adopt measures such as data classification, back-up of important data, and encryption; and
  • Carry out other obligations as mandated by law or administrative regulations.

Key information infrastructure

Information crucial to national security and economy is identified as key information infrastructure and is subject to specific security protection. Key information infrastructure includes:

  • Public communications and information service
  • Energy transport and water conservancy
  • Finance
  • Public services
  • E-government affairs
  • Other key information infrastructure in relation to national security, national economy, public interests and people’s livelihoods

It is important to note that operators of key information infrastructure are obliged to store the collected and produced personal information and important data within the PRC. Any data required to be transmitted aboard shall be conducted under measures of the Cyberspace Administration of China (CAC).

Authentic users

Network operators are required to request identification of users upon registration of fixed-line, mobile phones, information publication services, instant messaging services and other related services. Services cannot be provided without valid identification.

Personal data

In the collection and usage of personal data, the related individual’s consent is required to be obtained. The purpose, means and scope of collection should also be clearly expressed. Personal data shall only be collected in relation to the services of the network operator and personal information to third parties without consent, tampering with or damage the collected personal information is strictly forbidden.

Any individual who discovers their information is collected or used in violation of the laws and regulations or agreement exercises the right to request the information to be deleted.

As CSL lays the foundation and direction of cybersecurity within China, network operators are encouraged to start early in compliance development and execution. It is also worthwhile to provide cybersecurity training for employees to avoid any violations and imposed fines — although compliance systems and training should be updated in line with new laws and regulation.

The digital revolution has surely had a positive effect on people’s lives and the way businesses operate with increased globalization and connectivity around the world. However, a lack of regulation and governance can lead to abuse of data and risk cyber security, as seen in the recent news. The new regulations to safeguard data and network pave a positive direction for our digitalised world.

If you would like more information on cybersecurity in China or other related corporate issues, send us an email at, and we’ll have a Horizons professional contact you.  

Please visit our website at