China releases draft cyber data security regulation rules

Out-Law News | 19 Nov 2021 | 7:28 am | 2 min. read

China’s cybersecurity regulator has issued draft cyber data security rules which, among other things, require companies listing in Hong Kong Special Administrative Region (SAR) to undergo a cyber security review if doing so may affect national security.

China’s Cyberspace Administration released the consultation draft of its Cyber Data Security Administration Regulations last Sunday. The draft rules require companies that hold large amounts of data related to issues of national security, economic development or public interest to undergo a cyber security review before carrying out mergers, restructuring or splits that affect or may affect national security.

A company that handles the personal information of more than one million users must undergo a cyber security review if it plans to list abroad. Large internet platform operators should inform the national internet information department and the competent authorities if they want to set up headquarters, operation centres or research and development centres abroad, according to the draft.

Data processors caught by the new rules will be required to submit their annual data security assessments by 31 January of the following year.

The consultation draft mentions matters such as blocking some overseas websites and software enabling people to bypass a firewall, and sets out rules for penalties.

If an individual or organisation violates the rules, they will receive a warning and the illegal proceeds will be confiscated. They will be fined at least twice and up to ten times the amount of their illegal proceeds, and the person in charge will be fined no less than 50,000 yuan and up to 500,000 yuan.

In serious cases, the penalties include business suspension, rectification and revocation of the business licence. If the individual or organisation has committed a crime, the penalty will be in accordance with the provisions of the relevant laws and administrative regulations. 

It says individuals and organisations are not allowed to provide programmes or tools to penetrate or bypass the data cross-border security gateway, or to provide services including internet access, technical support, promotion, or payment for penetrating or bypassing the data cross-border security gateway.

The traffic of domestic users accessing the domestic network is not allowed to be routed abroad.

Leo Xin of Pinsent Masons, the law firm behind Out-Law, said: “The Cyber Data Security Administration Regulations clarify several issues not clear or not covered by the Data Security Law and the Personal Information Protection Law. For example, some fundamental concepts for data protection are further clarified and defined, such as what ‘important data’ covers, and what ‘large-scale internet platform operators’ are. We expect that these draft regulations together with other follow-up implementation rules, guidelines and standards will establish a more comprehensive, systematic and procedural framework for data protection with Chinese unique features.”

“Compared to the General Data Protection Regulation (GDPR), it does not only focus on personal information protection, but also addresses the security concerns for other non-personal data,” he said.

The proposed rules are open to public review until 13 December.