In this article I’m going to touch the most important topics about compliance and cybersecurity in China and try to solve all your questions and doubts about the Chinese regulations.
Introduction
Organizations across a whole range of industries such as e-commerce, insurance, banking, IT, pharma, and automotive are in possession of an increasing amount of personal information and transaction data. As a result, these organizations are now the main targets of cybersecurity attacks, sometimes even with sensitive data being leaked due to organizational system vulnerabilities. In China, cybersecurity has received greater attention having been elevated to the level of national security.
Government regulation can help companies improve their data protection measures. In Europe, the Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR) form the legislative basis for the cybersecurity regulation. The Chinese equivalent, China’s Cybersecurity Law (CSL), is similarly designed to ensure internet security and protect individuals’ rights, but it also gives the Chinese authorities extensive rights to access and store data traffic. Companies doing business with Chinese companies, or operating their own facilities in China, need to familiarise themselves with this law. If they don’t, they could face penalties up to and including being prohibited from doing business in China.
China’s Cybersecurity Law (CSL)
In June 2017, China implemented the cybersecurity law. Initially approved in 2016, the law was created to provide guidelines for maintaining network security, protecting the rights and interests of individuals and organizations, and promoting the secure development of technology. The Cyber Administration of China (CAC) is the principal governmental authority supervising and administering the cybersecurity law. Critics of the law argue that requiring companies to submit information for spot-checks further increases the risk of a security breach or loss of information. The ambiguous nature of the law allows the government more space to request and control information, while also leading to misunderstandings within businesses as to what constitutes acceptable use of data.
I would recommend to every organization planning to or already doing business in China to read the complete CSL. You can find it here translated to English.
In 2018, one of the top European retailers launched his online shop in China. But the company was found to be in breach not only of the Advertising Law but also Article 12 of the CSL. As a result, the authorities shut down the website and its booking apps for a week. The penalty was applied because the company’s website listed Hong Kong, Macau, Tibet, and Taiwan, as separate countries of China.
Data storage and transfer
Western companies should take a particularly close look at Article 37 of the CSL. This grants the Chinese government the right to view and store all personal data and confidential information sent to or originating in China. This needs to be regarded critically because the use of virtual private networks (VPNs) is strictly regulated in China, unlike in Europe, depriving companies of access to an encrypted communications channel for secure data sharing. The law requires that data, critical and personal information, is stored within China and that organizations and network operators submit to government-conducted security checks.
A recommended first step to meeting the Chinese Government’s compliance requirements is to identify and classify the data before it is sent. Confidential data should also be encrypted before transmission.
Strict rules also apply to data transfers from China to other countries. Companies must obtain a permit from the Chinese Cyberspace Administration (CCA) before transferring any data. If data is regularly transmitted to the same recipient, the permit does not need to be continuously reviewed by the CCA. However, companies do need to document data transfers from China to other countries regularly and notify the CCA on an annual basis. Data must be retained together with the transfer documentation for a minimum of five years. Companies must provide the authorities with regular reports on large-scale data transfers. Companies that fail to do so risk having restrictions or blanket bans imposed on future transfers by the CCA.
Virtual Private Networks (VPNs)
For years many internet users in China relied on Virtual Private Networks (VPNs) and other technologies to bypass the Great Firewall of China to receive uncensored internet access. However, since 2017 with the CSL in place, VPN services are subject to licensing in China and cannot lawfully deliver unfiltered internet content.
Cloud technologies regulations
There is a clear law and regulation for migrating and managing cloud technologies for business purposes. The data centers are not directly connected internationally. In short, China doesn’t allow foreign cloud service providers to operate their data in China. According to Chinese laws and regulations, foreigners can only operate the data in China. They need to obtain a value-added telecom permit and foreign entrepreneurs need a separate user account to get access to their business personal in China.
Roopu Cloud provides cybersecurity services
Roopu Cloud has been providing cybersecurity consulting and advisory services in China for the last 2 years and has a deep understanding of the current cybersecurity situation in China including existing laws and regulations. Based on organizations’ needs, we provide different cybersecurity services including IT security, data protection, identity and access management, and security auditing. Do not hesitate to contact us.
