Updated 8:47 AM EST, Fri, Mar 05, 2021


Data Security Laws in China: An Introduction for Foreign Entrepreneurs and Investors

The Cybersecurity Law of the People's Republic of China was formally introduced on June 1, 2017. The law (also called "the cybersecurity law") has resulted in much debate since its inception. Here we'll provide a summary of the most important parts of the Law.



What is it?

The macro-level law has developed from the cybersecurity rules and regulations that were previously in place from various fields and levels.

The Law further provides principal norms on particular issues that aren't considered to be high-priority in the short-term but have longer-term significance. When issues come to the fore, these norms will act as a legal reference.

The Cybersecurity Law also offers legal liability definitions and regulations. The Law sets a number of different punishments for various kinds of illegalities, including suspensions and fines.

How are businesses affected?

The majority of issues around cybersecurity are still covered by old laws, as opposed to the current Cybersecurity Law. Enterprises, therefore, are forced to work out the most applicable compliance issues and solutions themselves. Most business issues revolve around data security and VPN.

Complying with data security

Legal observers believe that cybersecurity legislation will view data security as its No. 1 concern when it comes to its next review. Enterprises may well be preparing themselves for this by being proactive in making compliance adjustments in advance. They may be looking more towards external solutions, for example, such as employing the services of a data security company capable of securing data from attacks and simplifying regulatory compliance. Data security is one of the most important elements of any organisation and especially so in this day and age with cybercriminals being more active than ever in their efforts to steal data.

The definition of the term 'personal data' hasn't been made entirely clear. Many believe that a more formal definition will be introduced at some point. 'Data monitoring' is largely thought to be the collection, storage, transference, and usage of data. There is much debate going on when it comes to enterprises collecting personal data during operations. Many are looking for ways to continue doing this while remaining compliant. Some have opted to update the privacy policy on their website, stating the reasons and scope of their personal data collection, in addition to the use and storage of that data.

Complying with VPN



VPN has been a problem for a long time. Authorities have tried numerous laws over the years in a bid to regulate VPN. Before the Cybersecurity Law was in place, the corresponding law enforcement failed to offer much by way of structure, and many enterprises paid little attention when it came to complying with VPN laws.

After the Law was introduced, multinational corporations started to give more priority to VPN usage due to orders from authorities to "clean-up" their VPN usage. Current law states that enterprises can use VPN for internal work as long as they adhere to certain conditions, i.e. they buy VPN services from official suppliers and they file for a VPN usage record.
