The Advent Of Cyber Security And The Information Protection Era
The Advent Of Cyber Security And The Information Protection Era

The Advent of Cyber Security and the Information Protection Era
Claire Gu, European-American Desk
The Cyber Security Law of the People’s Republic of China (Cyber Security Law) 《中华人民共和国网络安全法》 was promulgated in conjunction with the issuance of other important supplementary laws and regulations, which stands out as one of the notable landmarks in the progress of network security and personal private information protection.
Background
Prior to the issuance, there was no substantial personal information protection law in China. Even though relevant provisions were scattered throughout several laws, administrative regulations and department rules, a violation of which may result in civil and administrative liabilities, key criminal components of cyber-crime were vague in practice.
Briefly summary of Cyber Security Law and Other Supplementary Regulations
NAME | RELEASE TIME | HIGHTLIGHTS |
---|---|---|
The People’s Republic of China Cyber Security Law 《中华人民共和国网络安全法》 |
November 7, 2016 |
1. Clarifying the definition of “personal information”; 2. Clarifying the responsibilities relevant to “network operators”; 3. Heightening the protection of Critical Information Infrastructure; 4. Clarifying the responsible authorities; 5. Clarifying the application scope. |
Interpretation by the Supreme People's Court and the Supreme People's Procuratorate on Issues Concerning the Application of Law in Handling Criminal Cases of Infringing on Citizens' Personal Information 《最高人民法院、最高人民检察院关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释》 |
May 8, 2017 |
1. Clarifying the scope of “violation of the relevant state provisions”; 2. Clearly stipulating that providing citizen's personal information without consent constitutes a crime; 3. Expanding the definition of “illegally obtaining.” |
Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comments) 《个人信息和重要数据出境安全评估办法(征求意见稿)》 |
April 11, 2017 |
1. Clarifying the scope of security assessment; 2. Clarifying the definition of “data transfer;” 3. Stipulating two assessment procedures; 4. Clarifying the supervision authorities. |
Measures on Security Review of Network Products and Services (Trial for Implementation) 《网络产品和服务安全审查办法(试行)》 |
May 7, 2017 |
1. Clarifying the scope of products and services subject to review; 2. Clarifying the authorities and entities responsible for review; 3. Stating that the review would be a multi-dimensional and ongoing process. |
Provisions for the Administration of the Internet News Information Services 《互联网新闻信息服务管理规定》 |
May 2, 2017 |
1. Clarifying the Internet news information service licensing administration and the network information management system; 2. Clarifying responsibilities of the Internet news information service providers; 3. Clarifying the legal responsibilities for Internet news information services. |
Provisions for the Administrative Execution Procedure of the Internet Services 《互联网信息内容管理行政执法程序规定》 |
May 2, 2017 |
1. Clarifying the legal basis for the administrative execution procedure. |
Implementing Regulations for Licensing Management of Internet News Information Services 《互联网新闻信息服务许可管理实施细则》 |
May 22, 2017 |
1. Further clarifying the related provisions under provisions for the Administration of the Internet news information services; 2. Clearing the categories of the new Internet information services; 3. Identifying the relevant requirements for the technical safety assessment. |
Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comments) 《信息安全技术数据出境安全评估指南(草案)》征求意见稿》 |
May 27, 2017 |
1. Providing the guidance for the assessment; 2. Clarifying the scope of “important data”; 3. Clarifying the methods of assessment. |
A&Z observations
From now on,the Cyber Security Law for the first time rose cyber security and information protection requirements to the level of law, while the interpretation and related provisions have further clarified the boundaries of legal responsibilities in respect of personal information protection, which will call on enterprises to enhance the compliance duties. It will bring new possibilities for the business model and human life as well. In the future, those heatedly debated issues may no longer exist.
Strictly speaking, there remains a degree of uncertainty in the enforcement of the above-mentioned provisions and regulations, especially for multinational corporations operating in China. The current scope of application makes it hard for multinational corporations who provide services outside China to users within territory to determine whether they fall under the purview of the Cyber Security Law. In addition, the Cyber Security Law clarifies a legal basis for enforcing its cyber security laws extraterritorially. However, it does not straightforwardly specify the content and methods to take such measures mentioned. Moreover, it is noted that such acts may undermine benefits brought about by globalization, technological innovation, and informatization.
Whether or not these unclear provisions will be improved remains to be seen, however, at least the Cyber security law and other supplementary regulations that have been released, or are to be released, are presided-over by institutionalized governance, providing guarantees for multinational corporations in China to conduct business.