Data Protection Report - Norton Rose Fulbright

On July 6, 2015, China’s top legislative body – the National People’s Congress – published a draft Cyber Security Law that, if enacted in its current form, will have far-reaching consequences for businesses operating in China.

The draft expressly provides that the law will apply equally to both Chinese and international businesses.

The draft law states that its objectives are to:

  • Safeguard China’s cyber sovereignty;
  • Protect against cyber-attacks;
  • Augment Internet security and safety; and
  • Regulate the use of personal data.


The draft law would apply broadly to the construction, operation, maintenance and usage of networks, as well as the supervision and management of cybersecurity within China.

The draft proposes to impose various requirements on “network operators.” It defines “network operators” broadly to include “owners, administrators and network service providers who use a network owned or administrated by another in order to provide relevant services, including telecommunications operators, Internet information services providers and important information system operators.”

Cybersecurity requirements

The draft law would require network operators to comply with stringent cybersecurity obligations. Network operators would be required to:

  • Put in place internal cybersecurity system and operation processes;
  • Adopt strong technical measures to prevent computer viruses and cyber-attacks;
  • Procure only the network products or services that comply with relevant national and industry standards, and prohibit the suppliers of network products and services from installing any malicious computer programs within such products and services;
  • Take responsive action immediately and promptly notify affected users upon discovery of any security flaws or other risks in network products or services;
  • Verify the identity of users when providing services such as landline and mobile subscription, Internet access and domain name registration, and not provide such services until the user has sufficiently disclosed his or her identity; and
  • Set up an emergency response system and have the emergency plans in place.

In addition, the draft requires “key network equipment” and “specialized network security products” to be either certified or tested by a licensed security certification institution to ensure compliance with relevant national and industry standards. The certification or testing must take place before the equipment or products are released into the market. The draft provides that the scope of “key network equipment” and “specialized network security products” would be determined by the Cyberspace Administration of China (CAC) jointly with other Chinese regulators. CAC would also promote the recognition and simplification of the certification process.

Special requirements for “critical information infrastructure facilities”

The draft mandates enhanced protections for “critical information infrastructure facilities.” The broad scope of what could constitute “crucial information infrastructure facilities” means that the draft law could cast a wide net over a wide range of sectors, and both network operators and network products and services providers will be affected. Specifically, the draft defines such facilities to include:

  • Essential information networks that provide services such as public communications and radio and television broadcasts;
  • Critical information systems that support key industries, such as energy, transportation, water, financial institutions and public utilities (such as electricity supply, water supply, gas supply, medical/healthcare and social security);
  • Domestic military networks;
  • Networks of government organizations at city level and above; and
  • Internet networks and systems owned or managed by network service providers with substantial numbers of Internet users.

The draft law imposes the following obligations on operators of “critical information infrastructure facilities” (these obligations are in addition to the general network security responsibilities already described above):

  • Procurement of network products or services that may give rise to national security concerns will be subject to a security review jointly conducted by CAC and other relevant governmental agencies;
  • Operators must enter into security and confidentiality agreements with suppliers of network products and services;
  • Where operators collect or generate personal information or other important data in the course of network operation in China, the data must be stored in China. Operators may be able to store the data outside China for business purposes, provided they submit an appropriate request to CAC, and CAC approves the request following a security review; and
  • Operators must conduct an annual security review either by using internal resources or by appointing a qualified third party and must adopt proper measures for security risk mitigation.

Privacy and confidentiality

In the absence of a comprehensive data privacy law in China, the draft contains certain provisions in relation to personal data privacy and data protection to supplement existing data privacy rules which are scattered in various administrative regulations and judicial interpretations.

Specifically, the draft requires network operators to improve protection for personal data, privacy and commercial confidentiality. Where network operators collect and use personal data, they must follow what the draft terms “the principles of legality, propriety and necessity.” Data collectors must notify data subjects of the purpose, manner and scope of data collection and usage, and express consent must be obtained from the data subjects to process their data (subject to certain exceptions). The draft law also requires network operators to safeguard the confidentiality of personal data and take technical and other appropriate steps to avoid data leakage or loss. The draft requires reporting data breaches to relevant authorities and the notification of affected data subjects.


Businesses will be subject to liability and to various sanctions for breach of the proposed law’s requirements. For example, an operator of critical information infrastructure facilities may face a fine of up to RMB 500,000, and suspension of its business license if it stores data outside of China without first undergoing the security review and approval by CAC.

The draft law also empowers the State Council, and provincial governments upon approval by the State Council, to restrict Internet communication where public security emergencies occur.

Our take

The draft law demonstrates the Chinese government’s ongoing effort to enhance the supervision of Internet and telecommunication networks. The new requirements in relation to cybersecurity standards and procurement requirements will therefore have significant operational and business implications for domestic and international network operators, as well as for suppliers of network products and services. While IT, Internet and telecommunication industries will clearly be affected, the requirements also affect businesses operating in the energy, financial services, transportation, medical/healthcare and other public services sectors.

The draft law is open to public discussion and feedback from interested parties until August 5, 2015. Interest in the legislation has been strong, as legislators are reported to have received over 1,000 submissions as of last week, just days after the draft law became public. We will monitor and provide updates on the law as it makes its way through the legislative process.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.