The new China Cybersecurity Law and data protection obligations
While many of us were focused on the European Union’s GDPR and California’s Consumer Privacy Act (CCPA), the giant on the other side of the world implemented China’s Cybersecurity Law (CSL) in June 2017.
While CSL laid out broad data protection principles, there were noticeable implementation and scope gaps.
To operationalize and further clarify China Cybersecurity Law scope the Chinese government instituted six systems:
- the Internet Information Content Management System;
- the Cybersecurity Multi-Level Protection System (MLPS);
- the Critical Information Infrastructure Security Protection System;
- the Network Products and Services Management System;
- the Cybersecurity Incident Management System;
- and the Personal Information and Important Data Protection System.
While it is important for foreign businesses to review all aspects of CSL and the six systems, TrustArc has helped clients focus on the implications of the Personal Information and Important Data Protection System.
Specifically addressing the following regulations:
- What are the requirements to store certain information (including a negative list) inside China, and at what level of required security measures (e.g., Ministry of Public Security [MPS] Regulation)?
- What procedures and reviews are needed before transferring certain information out of China (e.g., Cross-Border Data Transfer)?
- What are the required notice and consent requirements when collecting personal data?
- What are the MPS requirements in reporting a cyber incident within 24 hours?
- What does the Cyberspace Administration of China (CAC) require in the security assessment report annually?
- Data subjects have what individual rights under the PI Security Specification?