Cybersecurity covers areas where almost all data is processed and stored digitally, including critical infrastructures such as computer systems, information systems, communication, energy, and financial systems. All industrialized countries, including China, apply various cybersecurity policies to ensure the security of national critical infrastructures, public information and documents, and individual citizens' information.
Cybersecurity Law in China from 2016-17
The Standing Committee of the Chinese National People's Congress adopted the Cybersecurity Law on July 11, 2016. By law, network operators were required to store certain data on their servers in China. And Chinese authorities had the right to make instant checks on the networks of companies operating in China.
Before 2016, China had laws associated with cybersecurity. Still, this law expanded the previously existing cybersecurity rules and gathered them under one roof. The cybersecurity law in China was revised on May 31, 2017. Although the law strengthens the protection of personal data and the fight against online theft, some issues were flagged by companies that were subject to the law from a commercial point of view.
Under the law, the Chinese government has laid the legal groundwork to monitor and combat cybersecurity risks and threats domestically and overseas.
With this law, preventive penalties and deterrent measures have been brought to individuals, groups, and countries that attack China's official websites. It was decided to impose sanctions on individuals, companies, or organizations that harm China's national security and interests.
Another controversial issue in this law was national security. The law provides the Chinese state with the right to conduct security investigations into technological products and services that could affect national security. But here, too, there were criticisms about which products would threaten national security.
The regulation on the protection of personal data in the law (now largely superseded by the new Personal Information Protection Law) included the obligation to host personal data on servers within the country in China as well as in the EU. In order for this data to be exported abroad, it was required to undergo a security test and obtain approval. If these conditions were not met while transferring the data abroad, companies could be fined between 50,000 and 500,000 yuan.
Chinese cyber security regulations are organized under five main headings.
· CSL: Cybersecurity Law
· CII: Critical Information Infrastructure
· MLPS: Multi-level Protection Scheme
· Data protection
· Personal Information protection
Internet Usage and Cyber Crime Statistics in China
The number of registered internet users in China is around 1 billion. The number of registered internet users does not refer to distinct individuals. The same person can account for multiple internet usages via home computer, mobile phone, and company computer. According to Symantec data, China has the most cybercrime cases after the USA. According to this, nine out of every 100 cybercrimes committed worldwide occur in China.
In 2021, 62,000 cases of cybercrime, including personal information breaches and hacking, were filed in China. In these cases, 103,000 people were put on trial, and more than 27,000 internet companies were fined. 96% of cyberattacks worldwide in 2021 were for data collection purposes. In 2022, more than 6,000 people in China who committed crimes such as online gambling, fraud, ransom, trafficking online, providing funds, or providing technical support were prosecuted and sentenced.
China New Data Privacy and Security Laws: 2021
In 2021, the Chinese state passed a series of new legislation that increased protective measures for data storage, data transmission, and personal data privacy. The Chinese government demonstrates the importance it attaches to cybersecurity by making legal regulations and promoting the integration of emerging technologies.
In the autumn of 2021, two new laws entered into force regarding data security and personal data privacy. These new laws also caused all companies to review the cybersecurity regulations that came into force in 2016-2017. Companies operating in China and many multinational companies that do business with China and whose operations extend to China are subject to these laws. The "data localization, data export, and data protection" clauses specified in the China Cybersecurity Law, which came into force in 2017, were evaluated more comprehensively with the laws in 2021.
In July 2021, new regulations published by the Ministry of Industry and Information Technology of China, focusing on the energy, finance, transportation, health, and education sectors, aim to increase network security through research and application of data security technologies. The goal is to provide the cybersecurity that artificial intelligence, 5G, big data, and cloud computing technologies will need.
The Data Security Law, passed in June 2021, took effect on September 1, 2021. While data security is among the top priorities in the new law, the law also focuses on data processing activities, including research and development of data technologies and data storage, use, transfer, and trade. The document primarily aims to strengthen the localization of data, i.e., data security control, which discusses the rationale that all data produced in China must be kept in China.
When the Cybersecurity Law and the Data Security Law are compared, it's clear that the measures regulating the export of data outside the country have increased. In addition, the penalties for companies violating the bans were doubled compared to 2017. Increasing fines ranging from 100,000 yuan (15,660 USD) to 1 million yuan (156,934 USD), up to 10 million yuan (1.56 billion USD) for large-scale crimes, as well as revoking companies' operating licenses are examples of penalties increased by this law.
The Cybersecurity Law focused on China's data security. The Data Security Law highlights Chinese cybersecurity and data security laws to increase China's network security and data storage. These laws subject companies and network operators to tighter government security controls.
Following the Data Security Law and regulations for the cybersecurity industry, the Personal Information Protection Act (PIPL) began to be implemented in the fall of 2021. Companies that process personal data in amounts exceeding the thresholds to be determined by the cyber security and informatics unit as per the law will have to store the personal data collected and produced within the borders of China in data storage units located within the borders of China in accordance with Article 40.
There are fundamental differences with the Cybersecurity Law. It is no longer possible to transfer personal data abroad, except under the conditions stipulated by the law and without obtaining permission from the competent authorities. For example, in the past, subject to data privacy screening, multinational companies operating in China were able to transfer data abroad regarding Chinese individuals or multinational companies' operations based in China without obtaining the approval of Chinese authorities. Much of that has now changed, which we'll discuss more regarding the new Personal Information Protection Law.