Cybersecurity Law of the People's Republic of China
Last modified by Matthias Haarmann on 19 January 2023 12:32
Although the Cybersecurity Law of the People's Republic of China (中华人民共和国网络安全法), sometimes abbreviated as CSL, came into force in June 2017, many Western companies are still uncertain about which areas of the Cybersecurity Law directly affect them when operating a Chinese website and what needs to be considered in terms of compliance.
In general, the Chinese Cybersecurity Law sets rules in the areas of data protection, general behavior on the Internet and IT security, especially with regard to network operational security. The key point is that the Chinese Cybersecurity Law differentiates between critical and non-critical information infrastructure, and many of the law's regulations and compliance requirements apply only to critical information infrastructure.
What is specified as critical information infrastructure?
The text of the law specifically lists public communications and information services, electricity, transport, water resources, finance, public services and e-government as critical information infrastructure, but also "other critical information infrastructure" which, in the event of destruction, loss of function or data leakage, could seriously endanger national security, the national economy, the livelihood of the population or the public interest.
As is usual with Chinese laws, the addition of "other critical information infrastructure" to the list leaves ample room for interpretation. In general, the Chinese website of most Western companies should not fall under this category. Nevertheless, experience has shown that in rare cases companies from the high-tech sector (but not exclusively) may fall into this category of the Cybersecurity Law. If a company does fall into this category, firstly, a Safety Assessment Report (完安全评估报) must be prepared as part of the PSB Filing.
Secondly, additional regulations and compliance requirements apply to critical information infrastructure that do not apply to other companies. The most important of these is that personal or important data collected or generated within the territory of the People's Republic of China must also be stored there. If it is necessary for business reasons to transfer the data outside of Mainland China, Article 37 of the Chinese Cybersecurity Law states that this may only be done after a security assessment by the state cybersecurity and informatization authorities. These provisions were further specified in the Data Security Law of the People's Republic of China in 2021.
Development of the legal situation
At present, the stricter requirements of the Cybersecurity Law apply only to critical information infrastructure. In the past, there have already been several political efforts to extend at least parts of the stricter regulations to non-critical information infrastructure:
So far, these are only drafts, none of which have yet come into effect. However, they indicate the direction further legal developments in China may take. Western companies expanding to China should therefore pay close attention to future legislation in China.
The most relevant rules of the Chinese Cybersecurity Law
In addition to the special regulations for critical information infrastructure within the Cybersecurity Law of China, there are general regulations and compliance requirements that are relevant for all companies. In the following, we focus on the most important aspects of the law with regard to the operation of a website or web application in China.
Vague wording runs through the entire text of the law. This gives the legislator sufficient scope for interpretation to impose penalties for conduct that is not explicitly named in the Cybersecurity Law. For example, in 2018 the Chinese website and booking app of the Marriott International hotel chain were shut down for several days after the company was accused of violating the Chinese Cybersecurity Law and the Advertising Law of the People's Republic of China. The violation was that Marriott had listed various territories, such as Taiwan and Tibet, as separate countries in an online survey. The Chinese government regarded this as an indication of support for separatist movements and as a threat to Chinese sovereignty and territorial integrity, and thus as a violation of Article 12 of the Cybersecurity Law of the People's Republic of China.
English translation of the Cybersecurity Law of the People's Republic of China
As a special service, we offer our customers a free English translation of the Cybersecurity Law so that individual points can be examined in more detail. However, this is an unofficial translation, and weber.cloud China assumes no liability for its topicality, correctness, completeness or quality.
Consequences of non-compliance
The sanctions for a violation of the Cybersecurity Law or the compliance requirements described therein vary depending on the severity of the violation. For example, for a violation of Article 12, which Marriott was specifically accused of in the example above, the text of the law stipulates a penalty "in accordance with the relevant laws and administrative regulations". The resulting penalty for such a violation therefore cannot be determined in general terms, as it depends on the exact case. In addition, an illegal activity is recorded in the files of the authorities and, furthermore, made public.
In the case of more serious violations, such as a violation of Article 46, i.e. the operation of a website through which illegal activities are enabled, the sanctions range, depending on the severity, from a shutdown of the website for a certain period of time to fines or the complete blocking of the site.
Companies that fall under critical information infrastructure and that do not store their data within the territory of the People's Republic of China also face severe fines and even the revocation of their business license.
It is therefore essential for companies operating a Chinese website to always consider the cultural context and the corresponding rules and compliance requirements defined in the Cybersecurity Law of the People's Republic of China. The first step is to evaluate whether one's own company falls under critical information infrastructure and which points of the Cybersecurity Law must therefore be followed. Since the Chinese Cybersecurity Law is often very vaguely formulated, anything that could even remotely be sanctioned should also be avoided. Otherwise, in the worst case, a complete shutdown of the website is possible.