Fintech Security

Q&A Of The Cyber, Data, And Personal Information Security In China – Security

In China, the Cybersecurity Law of the People’s Republic of
China (‘CSL’) effective on 11 June 2017 sets the legal
foundations for networks and information handling. CSL establishes
the principal legal basis for regulating digital security
and guides relevant bodies in adopting rules and regulations. Today,
the legal framework for cyber, data and personal information
security reflects the comprehensive and mature digital ecosystem in
China and cross-border exchanges.

The table below shows the three main laws regulating
cyber, data, and personal information security and their primary
associated rules and regulations.

PRC National Security Law

Cybersecurity Law

Data Security Law

Personal Information Protection Law

Regulations on Network Data Security Management (Draft for

Guideline for identification of critical data (Draft for

Information Security Technology – Personal Information Security
Specifications (GB/T 35273-2020)

Measures for Cybersecurity Reviews

Administrative Measures for Data Security in the Field of
Industry and Information Technology (for Trial Implementation)
(Draft for Comment)

Provisions on the Cyber Protection of Personal Information of

Guiding Opinions on Implementing the Cybersecurity Multi-Level
Protection System and Critical Information Infrastructure Security
Protection System

Cyber, data, and personal information security legislation is
regularly enforced, and criminal liabilities can be pursued if the
violation constitutes a crime. For companies, implementing the
correct control mechanisms and reporting systems is extremely
important to reduce legal liabilities. We provide a Q&A
summarising what is deemed as cyber, data, and personal information
security in China and best compliance practices.


Q: Which companies are subject to CSL?

A: CSL applies to all network operators in
China, which are defined as owners and administrators of the network
and network service providers. In other words, a company that
establishes and utilises an internal network, such as an IT system to
manage the company, is regarded as a network operator.

Q: What are the security obligations for
network operators?

A: Under Article 21 of CSL, network operators
shall fulfill the following obligations of security protection
according to the requirements of the classified protection system
and ensure that the network is free from interference, damage, or
unauthorised access, and prevent network data from being divulged,
stolen or falsified.

In practice, companies should determine the security level of
their network and establish corresponding measures to protect the
network. Such obligations are further fleshed out in the Guiding
Opinions on Implementing the Cybersecurity Multi-Level Protection
System and Critical Information Infrastructure Security
Protection System (‘Opinions’). Under the Opinions,
network operators shall conduct a self-assessment and set out a
defined corresponding multi-level protection scheme
(‘MLPS’). Self-assessment shall first determine the MLPS
level and assess whether the current measures meet the requirements
of the determined MLPS level.

There are 5 MLPS levels and the higher levels require stricter
protection measures. The MLPS level is determined by the following
two factors:

  • the importance of the network system concerning national
    security and social and economic development; and

  • the degree of damage that may be caused to national security,
    social and economic development, and the legitimate rights and
    interests of other individuals or organisations if the network
    is damaged.

Usually, critical information infrastructure (‘CII’)
networks that may affect social order and public interest are
classified as level 2 or above and level 5 is utilised for
state-owned military systems.

MLPS levels above 1 require an authorised third-party assessment
and such assessment shall be filed at the public security for
review. Once approved, the MLPS certification shall be issued. It
is important to note that MLPS certification for MLPS levels above
1 is mandatory.

Q: What network operators are deemed as

A: CII is defined under CSL as
network infrastructure and information systems operated
and managed, which will result in serious damage to national
security, national economy and people’s livelihoods, and the
public interest if they are sabotaged, break down, or suffer
from information leakage.

Currently, the industries provisioned in Article 31 of CSL are
as follows:

  • public communications and information service;

  • energy, transport;

  • water conservancy;

  • finance;

  • public services;

  • e-government affairs; and

  • other important industries and fields and other critical

Q: What are the security obligations for

A: Under CSL, CII shall fulfill the following
obligations of security protection:

  • Set up independent security management institutions and
    designate persons responsible for security management, and review
    the security background of the said responsible persons and
    personnel in key positions;

  • Periodically conduct cybersecurity education, technical
    training, and skill assessment for practitioners;

  • Make disaster recovery backups of important systems and

  • Formulate contingency plans for cybersecurity incidents, carry
    out drills periodically; and

  • Other obligations stipulated by laws and administrative

In practice, a Chief Operator Officer (‘COO’) shall be
established as the key person responsible for CII security
protection and duties shall include establishing, refining, and
implementing the cyber security accountability system. The COO is
fully responsible for CII security protection and subject to
penalties and liabilities, as stipulated in the legal liabilities
of CSL, the person directly in charge can be punished for

Additionally, CII are required to store data related to
personal information and important data in the territory of
China and a security assessment is required to export such data.
Therefore, relevant personal information and general data cannot be
collected in China and exported to data centres outside China
without meeting specific criteria. Under DSL and PIPL, the
cross-border transfer shall proceed through a graded data

Data Security

Q: What is defined as data under the Data
Security Law (‘DSL’)?

A: The DSL defines the scope of data to
encompass both electronic and non-electronic forms. Companies that
handle data including collection, storage, use, processing,
transmission, provision, and disclosure of data, shall be subject
to DSL.

Q: What are the security obligations for
companies handling data?

A: Obligations are dependent on the type of
data handled. For all companies conducting data handling
activities, the DSL stipulates the following obligations:

  • establish and perfect a data security management system across
    the entire workflow;

  • adopt lawful and proper methods in collecting data; obtaining
    data by illegal means is forbidden;

  • organise and conduct data security education and training;

  • adopt the corresponding technical measures and other necessary
    measures to ensure data security; and

  • take immediate disposal measures, notify users as required and
    report the matter to the relevant competent department.

For companies handling data classified as important data, the
following obligations are provisioned:

  • specifying responsible personnel and management bodies for data

  • designating a data security officer and establishing a data
    security management body.

The data security management body is led by the data security
officer and shall perform the following responsibilities:

  • studying and making recommendations for major decisions related
    to data security;

  • developing and implementing data security protection plans and
    data security incident emergency response plans;

  • conducting data security risk monitoring, and disposing of data
    security risks and incidents promptly;

  • organising activities such as data security awareness,
    education and training, risk assessment, and emergency drills to be
    conducted regularly;

  • receiving and disposing of data security-related complaints and

  • reporting data security situations to cyberspace authorities
    and other competent or regulatory authorities promptly as

The data security officer is a significant role and shall hold
relevant data security expertise and management experience.
Additionally, the personnel shall be a member of the data
processor’s decision-making level and be authorised to directly
report data security situations to cyberspace authorities and other
competent or regulatory authorities.

Q: What data is classified as important

A: DSL identifies two types of
data subject to stricter data management and legal
liabilities. Firstly, core data, defined as data related to national
security, the lifelines of the national economy, important aspects
of people’s livelihood, and major public interests, shall be
subject to stricter management.

Secondly, a specific important data catalogue shall be
formulated by each region and department according to their varying
needs. However, the formulation of regional and industry standards
shall be guided by the national mechanism to ensure uniformity.
Competent industry departments are entrusted to define the scope
and permit the scope to adjust according to industry

Currently, there are two draft regulations for comment which
specify general definitions of data grading.

  • The Draft Administration Regulations on Network Data Security
    outlines data to be classified into ordinary, important data, and
    core data.

  • Practice Guidelines for Cybersecurity Standards –
    Guidelines for Network Data Classification and Grading outline the
    data levels according to the damage level:

  • Level One Data: if data is leaked and misused there are no
    damages to the legitimate rights and interests of individuals and

  • Level Two Data: if data is leaked and misused there are minor
    damages to the legitimate rights and interests of individuals and

  • Level Three Data: if data is leaked and misused there are
    ordinary damages to the legitimate rights and interests of
    individuals and organisations

  • Level Four Data: if data is leaked and misused there are severe
    damages to the legitimate rights and interests of individuals and

Personal Information Protection

Q: What is deemed as personal information under
Personal Information Protection Law (‘PIPL’)?

A: Personal information includes both
electronic and non-electronic records but excludes
information processed anonymously, in other words, information that
does not identify a natural person – for example, the address
of Joe X.

Companies outside of China are not exempted from PIPL. Any
company outside of China that processes the personal
information data of individuals in China can be subject
to PIPL.

Specifically, PIPL outlines the following circumstances for
companies outside of China:

  • Where the purpose of the activity is to provide a product or
    service to an individual located within China;

  • Where the purpose of the activity is to analyze or assess the
    behavior of an individual within China; or 

  • Any other circumstance as provided by law or administrative

Practically, companies outside of China should conduct a risk
assessment of their information database.

Q: What are the security obligations for
companies handling personal data?

A: PIPL provisions the following obligations
for companies processing personal information:


Processors are required to inform the individual of the
following matters in a conspicuous way, in clear and
easy-to-understand language, and in a truthful, accurate, and
complete manner:

  • The organisational or personal name and contact information of
    the personal information processor;

  • The purpose and method of processing personal information, the
    type of personal information to be processed, and its retention

  • The way and procedure for the individual to exercise his/her
    rights provided for by this Law; and

  • Any other matter is to be informed as required by law or
    administrative regulations.


Processors may only collect personal information when the
individual’s consent is obtained. Companies shall note the
following when obtaining consent:

  • The consent shall be voluntary, and the individual shall be
    explicitly informed.

  • Individuals can request how their personal information is
    collected, stored, and require such information to be corrected and

  • An individual shall have the option to decline.

  • When users withdraw their consent, the processors shall halt
    the collection or promptly delete the collected personal

However, consent is waived under the following circumstances:

  • Where it is necessary for the conclusion or performance of a
    contract to which the individual is a contracting party, or where
    it is necessary for carrying out human resources management under
    an employment policy legally established or a collective contract
    legally concluded;

  • Where it is necessary for performing a statutory responsibility
    or statutory obligation;

  • Where it is necessary for responding to a public health
    emergency, or for protecting the life, health, or property safety
    of a natural person in the case of an emergency;

  • Where the personal information is processed within a reasonable
    scope to carry out any news reporting, supervision by public
    opinions, or any other activity for public interest purposes;

  • Where the personal information, which has already been
    disclosed by the individual or otherwise legally disclosed

Sensitive Data

Sensitive personal information may only be processed for a
specified purpose and includes:

  • Religious beliefs;

  • Biometrics;

  • Specific identities, medical and health;

  • Financial accounts, whereabouts, and other information of a
    natural person;

  • Personal information of minors under the age of

For such data, companies are required to adopt strict measures
to protect such data, obtain specific consent, and inform the
individual of the necessity and the impact on their rights and
interests. For personal information of a minor under the age
of fourteen, processors shall obtain the consent of a parent or
guardian of the minor.

Practically, the departments listed below will be
substantially affected by sensitive data obligations.

Business Operation: Human Resources

Sensitive Personal Information:

  • Employees’ addresses, personal phone numbers, email

  • Position, work unit, education, religion, transcripts

  • Bank accounts, salaries, and bonuses

Impact on operations:

Personal information in a labour contract does not require
separate consent. However, could be subject to further rules and

Business Operation: Finance and Accounting

Sensitive Personal Information:

  • Bank account, deposit information

  • Clients’ and suppliers’ names, addresses, personal
    phone, job position

Impact on operations:

  • Financial personal information faces specific

  • Certain categories of sensitive financial personal
    information may need to be localized

Business Operation: Marketing/ecommerce

Sensitive Personal Information:

  • Clients’ address, personal phone number, email address

  • Software usage records, engagement records

  • Transaction and consumption records

Impact on operations:

Personal pricing algorithms and automated decision-making
through big data analysis are completely prohibited by the new
PIPL and supporting regulations

Q: Which type of personal information can be
transferred overseas?

A: Companies may only transfer personal
information outside of mainland China by meeting one of the
following conditions:

  • Where a security assessment organised by the national
    cyberspace authority has been passed;

  • Where certification of personal information protection has been
    provided by a professional institution, under the regulations of
    the national cyberspace authority;

  • Where a contract in compliance with the standard contract
    provided by the national cyberspace authority has been concluded
    with the overseas recipient, establishing the rights and
    obligations of both parties; or

  • Where any other condition prescribed by law, administrative
    regulations, or the national cyberspace authority is met.

For companies, especially multinationals working with the
personal information of employees and suppliers located in China,
implementing the provisions to transfer personal information is
essential to avoid penalties.

Under the Measures for the Security Assessment of Outbound Data
Transfers effective from 1 September (‘Measures’),
companies handling the personal information of more than 1 million
individuals shall perform a security assessment prior to an
overseas transfer. Namely, companies processing the following
volume of personal data are subject to the Measures.

  • Transferring personal information of more than 100,000
    individuals cumulatively from 1 January of the preceding

  • Transferring sensitive personal information of more than
    100,000 individuals cumulatively from 1 January of the preceding
  • Other situations stipulated by the State Internet
    Information Department that require security

Practically, companies outside the scope should be aware
of the legal obligations since the Measures include a catch-all
clause in the application scope.


Legislation concerning cyber, data, and personal information
security in China is being rapidly rolled out and enforcement is
increasing. For companies in China, it is critical to implement a
compliance mechanism and train employees on the changing
legislation. Primarily, companies working with technology and
handling data should take practical steps to understand and monitor
the landscape. At Horizons, we advise clients to evaluate the
following points:

  • Do we process high data volumes and export such data overseas?
    Companies should evaluate whether data is shared with politically
    sensitive countries and whether such transfers will be

  • Does the collected and processed data hold a high damage risk
    to national security? Specifically, the degree of damage in the
    case the data is leaked or tampered with.

  • Which industries are subject to higher scrutiny and
    enforcement? Monitoring enforcement allows companies to understand
    the practical application of such laws, rules, and regulations.
    Additionally, the company can gain insight into what regulators

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
