Cyber Security Law (Mainland China)

2016.11.07
James Cheng
The Cyber Security Law was adopted by the Standing Committee of the National People’s Congress of the People’s Republic of China on November 7, 2016 and will go into effect on June 1, 2017. Consisting of seven chapters, the Cyber Security Law contains institutional arrangements in matters such as cyber security support and enhancement, network operation security, network information security, monitoring, early warnings, emergency measures and legal obligations to create a fundamental institutional framework for cyber security. As the first piece of network legislation in China, this law incorporates, in a timely manner, the country’s experience in cyber security by making specific provisions concerning the security of citizens’ personal information and the operation security of key information infrastructure. This carries great significance in enhancing network information security and improving the control capabilities for cyber security.
To protect the security of citizens’ personal information and prevent such information from being stolen, leaked or illegally used, the Cyber Security Law first requires Internet operators to follow the principles of lawfulness, appropriateness and necessity in collecting and using personal information; the purpose of collecting and using citizens’ personal information must be clearly specified, and the information must be collected and used with their informed consent. The Cyber Security Law also stresses that citizens shall have the right to delete and correct their personal information. If an Internet operator or an Internet-based product or service provider infringes on any personal information protected under law, the relevant departments may sanction and warn the Internet operator based on the severity of the violation, confiscate illegal proceeds or impose a fine of one to ten times such proceeds. In the absence of illegal proceeds, a fine of up to RMB1 million may be imposed, along with a fine of RMB10,000 to RMB100,000 on the directly responsible individuals and other responsible individuals. In case of serious violations, the operator may be shut down, the website may be closed down, and the relevant business permits or licenses may be revoked. Any individual or organization that steals or otherwise illegally obtains, sells or provides to others personal information shall be subject to a fine of one to ten times the illegal proceeds, or a fine of up to RMB1 million in the absence of illegal proceeds.
In addition, the Cyber Security Law establishes a protection system for securing key information infrastructure, with a dedicated section under the network operation security chapter setting out specific provisions concerning this system. Under this section, the state will provide focused protection to key information infrastructure in public sectors and domains, such as public communications and information services, energy, transportation, irrigation, finance, public services and e-Government. Operators of key information infrastructure are required to store within the territories of China personal information and vital data collected and produced in their operations within the territories of China. If their business requires providing such information outside of China, a security assessment shall be conducted pursuant to the relevant measures. Operators of key information infrastructure are further required to inspect and assess the network security and potential risks at least once a year and report the outcome and improvement measures to the relevant departments. Network operation security is central to cyber security, and key information infrastructure is of paramount importance and is closely linked to national security and social and public interest. The Cyber Security Law thus carries great strategic significance in providing focused protection of key information infrastructure.
The Cyber Security Law is a fundamental law on cyber security as well as the enabling law. As a result, the legal provisions are unavoidably more principle-based and not sufficiently specific, as well as being rather limited in practical operability. The State Council and the cyber security authorities will further prescribe implementation regulations of the Cyber Security Law and other relevant administrative regulations to improve and enhance the rights protection in the cyber security domain of the country.