In June 2017, China’s Cybersecurity Law (the CSL) came into effect, bringing China’s patchwork of cybersecurity-related regulations under one comprehensive law. Importantly, the CSL also imposes a host of additional requirements on multinational companies operating in China related to data security, the protection of personal information, and cross-border data transfers. The full scope and impact of the CSL remain unclear, largely because the Chinese government has yet to finalize all of the CSL’s implementing regulations. However, we provide here an overview of the key requirements imposed by the CSL and a roadmap for multinational companies seeking to assess their obligations and responsibilities under the law.

Overview of the CSL

The key legal requirements of the CSL fall under three general categories: (1) data security; (2) protection of personal information; and (3) cross-border data transfers. The law imposes basic requirements related to these three categories on all “network operators” doing business within the territory of mainland China. The CSL broadly defines “network operators” to encompass “network owners, administrators, and network service providers”—which covers virtually any business that operates an internal computer network, or even just a website, in China. Multinational companies with Chinese subsidiaries or China-focused trade should assume that they are at least a network operator for purposes of the CSL.