Every day seems to bring another regulatory presence in cybersecurity, from the New York Department of Financial Services (NYDFS) to the EU’s General Data Protection Regulation (GDPR). But with so much focus on these new U.S. and EU challenges, many companies may be missing the increasing global importance of the Cybersecurity Law of the People’s Republic of China (the Chinese cybersecurity law), which is already in effect. The Chinese cybersecurity law may pose particular compliance challenges because it approaches cybersecurity with a focus on the protection of the Chinese state in a way that may make supplying information technology to China or merely running a business in China much more complicated for global businesses.

At first glance, the Chinese cybersecurity law may look like an extension of European data protection law. Indeed, it protects “personal data” which it defines broadly to include all information, whether in electronic or other form, which individually or in combination with other information allows the identification of a natural person’s individual identity, including but not limited to the natural person’s name, date of birth, identity card number, personally distinctive biological information, address, telephone number, etc.