Cybersecurity: protection of personal data

Last year, the Cybersecurity Law of the People’s Republic of China (CSL) came into effect from 1 June 2017. CSL brought about national standards for cybersecurity protection, specifying security measures for network operators and providers of network goods and services. Key aspects of the law were highlighted previously on this blog, of which you can read here.

This year, the General Data Protection Regulation, promulgated by the Europe Union, was effective from 25 May. GDPR unifies the protection of personal data and privacy in the EU into one singular regulation (we wrote about it here). Companies within and outside the EU, who collect, use and store personal data of EU citizens are subject to GDPR and may have already initiated compliance measures.

Companies working within the territory of China could be subject to both GDPR and CSL. Therefore, companies in China should take note and devise internal measures to ensure GDPR and CSL compliance. At Horizons, it is our experience that many companies in China have internal procedures aligned with one regulation and not both. Under CSL, companies collecting and using personal data within the territory of China are subject to the personal information protection provisions established in CSL.

Personal Data Protection is outlined within the Network Information Security chapter of CSL. Primarily, the provision introduces standards for network owners, administrators of networks and network service providers (herein referred to as “network operators”) to safeguard the collection and use of personal data.

Key Points


Personal information is referred under CSL as all types of information recorded by electronic or other methods which can be used to independently or combined with other information to identify a natural person’s personal information, including (but not limited to) that natural person’s name, date of birth, ID number, biologically identified personal information, residential address and telephone number(s), among other similar identifying items.


Personal data protection provisions require network operators to strictly retain confidential collected users’ personal information as well as establish and improve the users’ information protection system.

Main principles

Personal data collection shall be acquired and used by network operations under the following principles:

  • Collection and use is legitimate, rightful and necessary
  • Rules of data collection and use are disclosed
  • The purposes, means and scope of collection and use of information are clearly notified to users
  • Consent of the respective persons are obtained

Collection of personal data unrelated to the services provided by the network operator is forbidden. Any personal data collected in violation of the provisions of laws and administrative regulations or the agreements entered into shall dispose of the personal information saved in accordance with the provisions of the laws and administrative regulations and agreements concluded with users. No individual or organisation may either acquire personal information by stealing or through other illegal ways and illegal selling or providing personal information is strictly prohibited.


Network operators are required to adopt technical measures and other necessary measures to ensure the security of the collected personal information from divulgence, damages or losses. Equally, such personal information is forbidden from being divulged, tampered or damaged or provided to third parties without the consent of the respective person. However, where processed information cannot be recovered, and such information is impossible to match with specific persons, the circumstance is exempted from a violation.

In cases where personal information has been or may have been divulged, damaged or lost, network operators are required to proceed with the following measures:

  • Immediately implement remedial measures
  • Promptly inform users according to the provisions
  • Report to the relevant competent departments

If individuals discover their personal information is collected or used in violation of the provisions of laws and administrative regulations or the agreements concluded, the individuals are entitled to request networks operators to delete such information. In cases where personal information is collected or stored or subject to any mistake, the individuals are entitled to request that network operators make corrections. Network operators are obliged to implement measures to delete or correct such information.


Infringement of personal information rights is a violation of the law. Network operators or providers of cyber products and services in violation are subject to rectification, warning and confiscation of illegal gains or a fine between one to ten times the illegal gains (violators with illegal gains may be subject to both confiscation and a fine). Where there is no illegal gain, a fine of up to RMB 1,000,000 shall be imposed. In serious cases, the authorities may impose the following:

  • Suspension of relevant business; or
  • Prohibit business for internal rectification; or
  • Shut down website; or
  • Revoke relevant business permits or business licences

Operators stealing, illegally acquiring, illegal selling or providing personal information to others shall result in the following penalty (if the violation does not constitute as a crime):

  • Confiscation of illegal gains
  • A fine between one to ten times the illegal gains
  • Where there is no illegal gain, a fine of up to RMB 1,000,000 shall be imposed

Generally, personal data protection under CSL focuses on the collection and management of personal data. Violations of the provisions face strict penalties and high fines. Therefore, companies should ensure personal data is clearly obtained lawfully and internal servers and relevant systems are fully equipped to securely store personal information. Equally, in cases of cybersecurity incidents, proper remedial measures in line with CSL and relevant regulations and laws should be implemented to avoid facing penalties.

Today, personal data is collected, used and stored across industries and few companies are exempted from working with data. Personal data of network users, clients and customers hold high value in relation to sales and marketing. In numerous cybersecurity incidents, we see personal data as having been exploited or misused. GDPR and CSL introduce regulation standards in a unified manner for the digital age. Therefore, companies in China should be familiarised and updated on the latest laws and regulations, particularly in light of the forthcoming E-Commerce Law of People’s Republic of China, which will go into effect on 1 January 2019.

If you would like more information about cybersecurity or other related corporate matters, send us an email at, and we’ll have a Horizons professional contact you.

Horizons Corporate Advisory helps clients solve complex problems, thrive and be inherently responsible in their business activities worldwide. The countries we operate in include Belarus, Belgium, China, Colombia, Costa Rica, Cyprus, Ecuador, France, Germany, Hong Kong, Indonesia, Italy, Lichtenstein, Luxemburg, Macau, Malta, Mexico, Mongolia, Netherlands, Nigeria, Portugal, Russia, Singapore, Spain, Switzerland (French and German-speaking cantons), Turkey, United Kingdom (England and Wales) and the United States of America.

 Please visit our website at