Knowledgebase: Important laws in China

Cybersecurity Law of the People's Republic of China

Posted by , Last modified by Matthias Haarmann on 19 January 2023 12:32

Although the Cybersecurity Law of the People's Republic of China (中华人民共和国网络安全法) (sometimes abbreviated as CSL) already came into force in June 2017 many Western companies are still in uncertainty about which areas of the Cybersecurity Law directly affect them when operating a Chinese website and what needs to be considered in terms of compliance.

In general, the Chinese Cybersecurity Law sets rules in the areas of data protection, general behavior on the Internet and IT security, especially with regard to network operational security. The key point is that the Chinese Cybersecurity Law differentiates between critical and non-critical information infrastructure, and many of the law's regulations and compliance requirements apply only to critical information infrastructure.

What is specified as critical information infrastructure?

The law's text specifically lists critical information infrastructure as public communications and information services, electricity, transport, water resources, finance, public services, e-government, but also "other critical information infrastructure" which, in the event of destruction, loss of function or data leakage, could seriously endanger national security, national welfare, the livelihood of the population or the public interest.

As usual with Chinese laws, the addition of "other critical information infrastructure" to the list leaves enough room for interpretation. In general, the Chinese website of most Western companies should not fall under this category. Nevertheless, experience has shown that in rare cases companies from the high-tech sector (but not exclusively) may fall into this category of the Cybersecurity Law. In the event that a company falls into this category, firstly, a Safety Assessment Report (完安全评估报) must be carried out as part of the PSB Filing.

Secondly, additional regulations and compliance requirements apply to critical information infrastructures that do not apply to other companies. The most important regulation here is that personal or important data collected or created within the territory of the People's Republic of China must also be stored there. If it is necessary for business reasons to move the data outside of Mainland China, Article 37 of the Chinese Cybersecurity Law states that this can only be done after a security assessment by the state cybersecurity and information authorities. These provisions have been specified within the Data Security Law of the People's Republic of China in 2021.

Development of the legal situation

At present, the stricter requirements of the Cybersecurity Law apply only to critical information infrastructures. In the past, there have already been several political efforts to extend at least parts of the stricter regulations to non-critical information infrastructures:

So far, these are only drafts, none of which have yet come into effect. However, it shows possible further legal developments in China. Therefore, Western companies expanding to China should pay close attention to future legislation in China.

The most relevant rules of the Chinese Cybersecurity Law

In addition to the special regulations for critical information infrastructures within the Cybersecurity Law of China, there are general regulations and compliance requirements that are relevant for all companies. In the following, we focus on the most important aspects of the law with regard to the operation of a website or web application in China.

  • The provision of services over a network must be in accordance with existing laws and regulations and must ensure the integrity, confidentiality and availability of network data. (Article 10)
  • All individuals and organizations using the Internet must comply with applicable laws and respect public order. Specifically, the Internet may not be used to engage in activities that, for example, endanger national security or national interests, incite separatism or undermine national unity, promote ethnic discrimination, spread violent, obscene and pornographic information, or violate the privacy, intellectual property rights or other rights and interests of other persons. (Article 12)
  • Each person and organization shall be responsible for their own use of the Internet and shall not operate a website that enables the production or sale of prohibited and controlled goods. Other illegal activities through a website are, of course, also prohibited. (Article 46)

The vague wording runs through the entire text of the law. This gives the legislator sufficient scope for interpretation to impose penalties that are not explicitly named in the Cybersecurity Law. For example, in 2018, the Chinese website and booking app of the Marriott International hotel chain was shut down for several days after it was accused of violating the Chinese Cybersecurity Law and the Advertising Law of the People's Republic of China. The violation was that Marriott had listed various countries, such as Taiwan and Tibet, as separate countries in an online survey. This was seen by the Chinese government as an indication of support for separatist movements and as a threat to Chinese sovereignty and territorial integrity, which thus constituted a violation of Article 12 of the Cybersecurity Law of the People's Republic of China.

English translation of the Cybersecurity Law of the People's Republic of China

As a special service, we offer our customers a free English translation of the Cybersecurity Law, to further view some points in more detail. However, this is a free translation for which China assumes no liability for the topicality, correctness, completeness or quality.

English translation of the Cybersecurity Law of the People's Republic of China (PDF, 334 KB)

Consequences of non-compliance

The sanctions for a violation of the Cybersecurity Law or the compliance requirements described therein vary depending on the severity of the violation. For example, the text of the law stipulates a penalty "in accordance with the relevant laws and administrative regulations" in the event of a violation of Article 12, which the Marriott company was also specifically accused of in the mentioned example. Therefore, in the case of such a violation, it is not possible to determine the resulting penalty in a general manner, as this is determined depending on the exact case. In addition, in the case of an illegal activity, this is also noted accordingly in the files of the authorities and, furthermore, made public.

In the case of more serious violations, such as a violation of Article 46, i.e. the operation of a website through which illegal activities are enabled, depending on the severity, a shutdown of the website for a certain period of time, but also fines or the complete blocking of the site will be imposed.

Companies that fall under the critical information infrastructure and that do not store their data in the territory of the People's Republic of China also face severe fines and even the revocation of their business license.

It is therefore essential for companies to always consider the cultural context and the corresponding rules and compliance requirements defined in the Cybersecurity Law of the People's Republic of China when operating a Chinese website. In doing so, it should first be evaluated whether one's own company falls under the critical information infrastructures and which points of the Cybersecurity Law must therefore be followed. Since the Chinese Cybersecurity Law is often very vaguely formulated, points that could even remotely be sanctioned should also be avoided. Otherwise, in the worst case, a complete shutdown of the respective website is possible.

You are not sure which aspects of the Chinese Cybersecurity Law are relevant for your company?

With several years of experience in hosting a wide variety of websites, webshops and web applications, including booking platforms or online expos, in China, China is happy to help you with your open questions. Our experts will be happy to advise you on the operation of your website in China and all related topics, such as the Cybersecurity Law and the implications for your company. For more in-depth legal questions, we can also put you in touch with our English-speaking partner lawyers in China. Of course, we can also assist you with all questions regarding hosting in China and offer you the right solution to deliver your website to China with high performance.

Sounds exciting? Simply get in touch with us.

The contents of this article have been compiled with the greatest possible care and to the best of our knowledge. However, GmbH does not assume any liability for the topicality, correctness, completeness or quality of the information provided. Any liability for damages arising directly or indirectly from the use of our knowledgebase is excluded, unless caused by intent or gross negligence.

Our knowledgebase contains external links to other websites over whose content we have no influence. For this reason, GmbH cannot accept any liability for these contents. The respective provider of the linked website is responsible for the content and correctness of the information provided. At the time of linking, no legal violations were recognizable. If such an infringement becomes known, the link will be removed immediately.

(4 vote(s))
Not helpful

Comments (0)
Post a new comment
Full Name:
CAPTCHA Verification 
Please complete the below captcha challenge (we use this to prevent automated submissions).

© Copyright GmbH · Address & Imprint · GTCs · Privacy policy