China’s first comprehensive regulation of digital privacy and security, the Cybersecurity Law (CSL), was passed on November 7, 2016 and came into effect on June 1, 2017. Since then, some sections of the law have been enforced sporadically, while others have been enforced less consistently still.
Whatever the enforcement, the CSL imposes massive new requirements on a broad range of companies, both domestic and foreign, operating in China, and sets major penalties for failure to comply, such as fines or even jail time. In this article, we'll answer some of the most common questions about the CSL, and make compliance goals as clear as possible.
Who is Affected by the CSL? Do I Need to Comply?
According to the official language of the regulation, the CSL applies to what China refers to as “Network Operators,” as well as to operators of “Critical Information Infrastructure” (CII). The term “Network Operators” is defined as the “owners, operators, and service providers of networks,” and could be read to include just about any company that provides services, or runs its business, over a computer network.
The regulation’s definition of CII operators is similarly broad. It includes companies in the telecom sector, radio and television, and the operators of any infrastructure deemed critical, i.e., infrastructure that “will result in serious damage to state security, the national economy and the people’s livelihood and public interest if it is destroyed, loses function or encounters data leakage.”
To put it bluntly, if your business operates online in China, you should be prepared to comply with the CSL.
If You Are Compliant with GDPR, Are you Also Compliant with China’s CSL?
In short, no. While some of the requirements of the new law, such as restrictions on where data is stored and the designation of security personnel, may be reminiscent of the EU’s General Data Protection Regulation (GDPR), the two laws are actually very different, and actions taken to comply with the GDPR should not be assumed to satisfy the CSL.
The CSL is simultaneously less comprehensive and broader than the GDPR, which, I know, seems confusing. Put simply, it is a less prescriptive law, but it gives enforcement agencies broad leeway to decide which companies must comply and what, exactly, compliance looks like. This can spell trouble for Western companies operating in China: even now, two years after the law took effect, some aspects of regulation and enforcement remain unclear.
Is there a Data Localization Requirement?
Where the GDPR restricts transfers of personal data outside the EU, the CSL goes further with an explicit data localization requirement, and the language of the regulation is much vaguer. Under the CSL, any “personal information” or “important data” collected or generated in China by CII operators or so-called Network Operators must be stored in China. That means no warehousing the data of Chinese citizens overseas. (Article 37 of the law itself places this obligation on CII operators; draft implementing measures published in 2017 extend it to Network Operators generally, which is why most advisers treat it as applying to both.)
However, it is possible to transfer personal or important data overseas if your business can demonstrate the necessity of the export and pass a security assessment showing that the data will be handled securely. That means first establishing that the transfer is “lawful, legitimate, and necessary,” and then evaluating the risks associated with the transfer itself.
There is a provision for that assessment to be self-administered, but it is more likely to be conducted by Chinese authorities, either remotely or on-site. In either case, expect the process not to move at the speed of business, so it is best to meet the data localization requirement in all circumstances.
What are the Security Requirements?
The CSL also has a laundry list of security requirements, some of which mirror the GDPR closely, though without the tight, prescriptive language of its EU equivalent. According to Article 21 of the CSL, businesses falling under the regulation must appoint personnel responsible for network security and implement security measures according to the tiered protection scheme set by the Chinese Government (the Multi-Level Protection Scheme, or MLPS). The same article requires operators to monitor and record network operations and security events, and to retain the resulting logs for at least six months.
Businesses must also adopt technical measures that allow them to prevent, investigate and fend off cyberattacks. According to a draft guideline, these measures include password protection, encryption, and intrusion prevention. It is also required that all systems or devices storing personal information use at least two methods of authentication.
Finally, the CSL requires the establishment of a procedure for reporting security incidents.
What are the Privacy Requirements?
The CSL is not only concerned with the security of data; it is also concerned with what data is collected and how. The regulation lays out a series of privacy requirements, including the requirement to obtain consent before collecting any personal information.
Information that is collected must be relevant to the services your business provides, and you must explicitly state the purpose for which you are collecting it, the way you are collecting it, and the scope of its use.
In a provision similar to the GDPR’s “Right to Erasure,” the CSL requires Network Operators to delete or correct the personal data of users upon their request.
The CSL also includes breach notification requirements, which specify that a breach must be disclosed both to the individuals affected and to the relevant government departments.
Will I Have to Censor Content?
Paradoxically, the CSL is less concerned with users’ privacy rights when it comes to monitoring and surveillance.
According to Article 47 of the CSL, Network Operators are required to monitor the information published by their users for content that is “prohibited from being published or transmitted by laws or administrative regulations.”
If such content is discovered, Network Operators are required to stop its transmission and remove it, keep records, and report the unlawful content to the authorities.
How is the CSL Enforced?
As China’s central internet regulator, the Cyberspace Administration of China (CAC) is the main authority tasked with supervising and enforcing the CSL.
In the years since the law was first put in place, the CAC has been primarily focused on the user-content monitoring outlined above.
The CAC has already imposed fines on several large technology companies, including Alibaba Cloud and Taobao, for “failure to implement measures to prevent the dissemination of prohibited information.”
At the local level, China’s Public Security Bureaus (PSBs), i.e. the local and provincial police, were recently granted enforcement powers under the law. That means they may inspect a broad range of businesses, basically anything registered as a “network-using entity,” which includes network operators, ISPs, data centers, domain name services, and internet information services.
PSBs are authorized to inspect not only the premises of regulated companies but their networks too. Inspections may be carried out on-site or remotely over the network, and may include reviewing and copying documents, interviewing company personnel, and examining cybersecurity protection measures.
What’s more, because of the regulation’s broad language, PSBs have a lot of leeway in determining which companies are subject to the regulation, and the timing and scope of inspections.
What are the Penalties for Noncompliance?
The CSL includes both monetary and criminal penalties for noncompliance, as well as operational penalties for businesses that cannot comply. According to Article 66 of the law, companies that violate the data localization requirement can be fined RMB 50,000 to 500,000 (roughly $7,500 to $75,000 USD). Personnel directly in charge of noncompliant companies can also be fined personally, and for violations of certain other parts of the law can be subject to detention of up to 15 days.
Additionally, the authorities reserve the right to shut down websites, suspend operations, or revoke business licenses or permits, effectively preventing a given business from operating in China.
Jeff Edwards
Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.