Overview of Chinese Cybersecurity, Data and Privacy Laws
I. Background
In recent years, the Chinese government has tightened the regulation of cybersecurity, data security, and personal information protection. Since 2016, three important laws (hereinafter referred to as the “Three Basic Laws”), namely, (i) the Cybersecurity Law of the People's Republic of China/《中华人民共和国网络安全法》 (“Cybersecurity Law”), (ii) the Data Security Law of the People's Republic of China/《中华人民共和国数据安全法》 (“Data Security Law”) and (iii) the Personal Information Protection Law of the People's Republic of China/《中华人民共和国个人信息保护法》 (“PIPL”) have been promulgated to lay down the foundation for regulation in these areas.
Government authorities, such as the Cyberspace Administration of China (“CAC”), have issued various regulations to implement the “Three Basic Laws”. In addition, other government and semi-government agencies, such as China’s National Information Security Standardization Technical Committee, have also released many national standards providing more detailed guidance. Further implementing regulations and national standards are being drafted or have yet to be drafted.
This article summarizes China’s current regulatory system for cybersecurity, data security and personal information protection based on the “Three Basic Laws”.
II. Cybersecurity
A. Jurisdiction of the Cybersecurity Law
The Cybersecurity Law applies to all network operators in China, including network owners, operators, and service providers. An entity that establishes and operates an internal network for its internal management purpose is also regarded as a network operator under the Cybersecurity Law.
B. Multi-Level Protection Scheme (“MLPS”)
Under the Cybersecurity Law, all network operators are required to fulfill the obligations under MLPS, including MLPS level determination and MLPS assessment.
1. MLPS Level Determination
There are five levels under the MLPS. The higher the level, the stricter the required protection measures.
a. Factors of MLPS Level Determination
In determining the MLPS level, the following factors will be considered:
(1) importance of the network system in national security and social and economic development; and
(2) the degree of damage that may be caused to national security, social and economic development, and the legitimate rights and interests of other individuals or organizations if the network system is damaged.
b. Process of MLPS Level Determination
(1) A network operator is responsible for determining its own network system’s MLPS level.
(2) An operator of level-1 network systems does not need to file the level determination result with the public security authority for review.
(3) An operator of level-2 or higher-level network systems needs to: (i) organize experts to review the reasonableness of the determination; (ii) obtain approval from the competent industry authority (if any); and (iii) file the result with the public security authority for review. If the result fails the review, the level must be re-determined.
2. MLPS Assessment
a. The MLPS assessment evaluates whether a network operator’s protection measures meet the requirements of the corresponding MLPS level.
b. Process of MLPS Assessment
(1) A network operator should engage an assessment service provider recognized by the government to conduct the assessment and issue an assessment report.
(2) An operator of level-2 or higher-level network systems is required to file the assessment report with the competent public security authority, which will issue a filing certificate if the report is approved.
C. Protection of Critical Information Infrastructures (“CII”)
1. Definition of CII and CIIO
CII refers to key network facilities and information systems of key industries related to national security and public interest.
A CII operator (“CIIO”) is an entity that operates CII. A CIIO is required to implement special protection measures to protect its CII in accordance with applicable laws and regulations.
2. Identification and Protection of CII
Pursuant to the Regulations on the Security Protection of Critical Information Infrastructures/《关键信息基础设施安全保护条例》, governing authorities of key industries are responsible for formulating CII identification rules for their respective industries.
Typical key industries include public communications and information service, energy, transportation, water conservancy, finance, public services, e-government, and national defense industries.
In practice, an entity that is identified as a CIIO will receive a specific notification from the authority. Once identified as a CIIO, the entity should implement more stringent security protection measures according to the applicable laws and regulations.
III. Data Security
A. Jurisdiction of the Data Security Law
The Data Security Law applies to all data processing activities conducted in China.
If data processing activities conducted outside China jeopardize (i) China's national security; (ii) China’s public interests, or (iii) the legitimate rights and interests of Chinese citizens or organizations, they will also be subject to the Data Security Law.
Under the Data Security Law, “data” includes not only electronic data, but also data recorded or stored in non-electronic forms (such as data recorded in paper files).
B. Data Classified and Graded System
The data classified and graded system requires relevant authorities to classify and grade data based on its importance and the degree of harm that would be caused by its leakage or illegal use.
1. Governing authorities in charge of some sectors, such as industrial manufacturing, finance, and telecommunications, have already issued their data classification and grading guidelines for their respective sectors.
2. In November 2021, CAC released the draft Administrative Regulations on Network Data Security (Draft for Comment)/《网络数据安全管理条例(征求意见稿)》 (“Administrative Regulations”) for public comment, which divides data into three categories, namely (i) ordinary data, (ii) important data, and (iii) core data. However, the Administrative Regulations do not provide detailed data catalogues under these three categories.
3. In December 2021, the Practice Guidelines for Cybersecurity Standards — Guidelines for Network Data Classification and Grading/《网络安全标准实践指南—网络数据分类分级指引》 (“Data Classification and Grading Guidelines”) was released, dividing data into three categories and four levels:
4. There are inconsistencies between the Administrative Regulations and the Data Classification and Grading Guidelines. As of the date of this article, the Administrative Regulations are still a draft for public comment and have not been officially adopted. The Data Classification and Grading Guidelines have already taken effect, but they are a recommended standard without mandatory force. It is still unclear what the final data classification and grading rules will be.
C. Protection of Important Data
1. Formulation of the Catalogue of Important Data
China’s central government is required by the Data Security Law to formulate a catalogue of important data based on the data classified and graded system, while relevant authorities in different regions and industries are then required to identify important data and formulate detailed implementing catalogues for their respective regions and industries.
2. Identification of Important Data
Both the Administrative Regulations and the Information Security Technology - Guidelines for Important Data Identification (Draft for Comments)/《信息安全技术 重要数据识别指南(征求意见稿)》 (“Guidelines for Important Data Identification”), a non-mandatory national standard issued by China’s National Information Security Standardization Technical Committee, provide rules for identifying important data.
Important data refers to data that may endanger national security or public interests once it is tampered with, damaged, leaked, illegally obtained, or illegally used.
The identification rules under the Administrative Regulations and the Guidelines for Important Data Identification are generally consistent with each other.
However, although the Guidelines for Important Data Identification expressly exclude personal information from the scope of important data, the Administrative Regulations require processors handling the personal information of more than 1 million people to take security measures equivalent to those required of important data processors.
Both documents are still drafts for public comment and may be amended before being officially promulgated.
3. Obligations of Important Data Processors
A processor of important data needs to (i) designate a person in charge of data security; (ii) set up a security management department; (iii) conduct regular risk assessment for its processing activities, and (iv) report the assessment’s result to the relevant authority.
A CIIO should store important data in China. If it needs to transfer important data out of China, it needs to (i) pass a security assessment organized by CAC; (ii) prepare annual reports on the security of such transfers; and (iii) file those reports with the local cyberspace administration.
D. Providing Data to Foreign Judicial or Law Enforcement Agencies
If a processor needs to transfer its data out of China to a foreign judicial or law enforcement agency, it must obtain prior approval from the relevant authority before providing the data. However, as of the date of this article, the procedure for obtaining such approval and the identity of the “relevant authority” remain unknown. It is also unclear which bodies are deemed “foreign judicial or law enforcement agencies”.
IV. Protection of Personal Information
A. What is Personal Information
Under PIPL, “personal information” refers to all kinds of information related to an identified or identifiable natural person, recorded in electronic or non-electronic form. Anonymized information is not deemed personal information.
B. Jurisdiction of PIPL
1. PIPL is applicable to all personal information processing activities conducted in China.
2. PIPL also has extraterritorial jurisdiction. Processing activities conducted outside China will also be subject to PIPL, if:
a. the purpose of the processing is to provide products or services to natural persons in China;
b. the purpose of the processing is to analyze and evaluate the behavior of natural persons in China; or
c. other circumstances provided by laws and administrative regulations.
3. If an overseas entity is subject to PIPL, it needs to set up specialized agencies or designate representatives in China to handle personal information protection related matters and submit their names and contact information to relevant authorities. However, the detailed implementing rules have yet to be clarified.
C. Legal Basis for Processing Personal Information
1. According to PIPL, a processor may process personal information on one of the following legal bases:
a. the individual's consent has been obtained[1];
b. the personal information is necessary for the conclusion or performance of a contract to which the individual is a party, or for the implementation of human resource management pursuant to a lawfully concluded collective employment contract;
c. the processing of personal information is necessary for the performance of statutory duties or obligations;
d. the processing of personal information is necessary for the response to a public health emergency, or to protect the life, health and property safety of natural persons in an emergency;
e. the processing of personal information is necessary for carrying out activities for public interests, such as news reporting and supervision by public opinion, and the processing is carried out within a reasonable scope;
f. personal information that has been legally disclosed is processed within a reasonable scope in accordance with the PIPL; or
g. other circumstances provided by laws and regulations.
2. It is noteworthy that if the legal basis is the individual’s consent, the processor bears the burden of proof in the event of a dispute over the validity of that consent.
D. Principles for Processing Personal Information
1. Principle of Minimality and Necessity
The scope of personal information collection and processing should be kept to the minimum necessary to achieve the purpose of processing. The impact of the processing activity on individuals’ legitimate rights and interests should also be minimized.
2. Principle of Openness and Transparency
The personal information processor should clearly disclose to individuals (i) the scope of personal information to be collected, (ii) the rules and purpose of the processing activity, (iii) the name and contact information of the processor, and (iv) the ways in which individuals can exercise their statutory rights under PIPL.
E. Deletion or Anonymization of Personal Information
1. Under any of the following circumstances, a processor should delete or anonymize an individual’s personal information:
a. the purpose of processing personal information has been achieved;
b. the processing of personal information is no longer necessary to achieve the purpose;
c. the storage of personal information has reached the statutory or agreed period; or
d. the individual exercises his/her rights to request deletion/anonymization.
2. If laws and regulations require the continuous storage of personal information, the processor should take measures to ensure that such personal information will not be used for any purpose other than storage.
F. Outbound Transfer of Personal Information
1. Requirements of Outbound Transfer
a. The processor should inform individuals of (i) the name and contact information of the receiver; (ii) the receiver’s processing method and purpose; (iii) the type of personal information to be transferred, and (iv) the ways for the individuals to exercise their relevant rights against the receiver, and the processor should also obtain the individuals’ separate consent.
b. The processor also needs to conduct a personal information protection impact assessment (“PIPIA”) for such outbound transfer.
c. If the processor is a CIIO, it should pass the security assessment organized by CAC in advance.
d. If the processor is not a CIIO, depending on the volume and nature of the personal information to be transferred, the CAC’s security assessment may or may not be required.
e. If the processor is not a CIIO and CAC’s security assessment does not apply, it should meet one of the following requirements: (i) obtaining personal information protection certification issued by a professional organization; (ii) entering into a standard data protection contract with the receiver in accordance with CAC’s standard contract template; or (iii) satisfying other requirements stipulated by laws and regulations.
2. As of the date of this article, both the detailed guidance on how to obtain the personal information protection certification and the standard contract template are yet to be clarified or published.
G. Individuals’ Rights
Individuals have the following rights:
1. The right of access and replication. Individuals have the right to access and replicate the personal information collected by processors.
2. The right of portability. Individuals have the right to request their processors to transfer their personal information to other processors, if the conditions prescribed by CAC are met.
3. The right of correction and supplementation. Individuals have the right to correct or supplement their inaccurate or incomplete personal information.
4. The right of deletion. Individuals have the right to request processors to delete their personal information, if the conditions prescribed by laws and regulations are met.
5. The right of withdrawal of consent. Individuals have the right to withdraw the consent to the processing of their personal information.
6. The right to an explanation. Individuals have the right to request their processors to explain the rules for processing their personal information.
V. Our Outlook
China's regulatory system for cybersecurity, data security, and personal information protection is still developing dynamically, and many implementation issues have yet to be clarified. According to Protocol, a US technology news outlet, over the last several months CAC has issued on average 40 notices each month.[2]
More regulations, national standards and notices may be issued in 2022 and beyond. To be well prepared for the challenges posed by these uncertainties, network operators and data processors should pay close attention to legislative developments and seek professional advice when necessary.