Cyber Security in China and Data Protection


With  China's  new  Cybersecurity  Law,  effective  1st  June  2017,  businesses  in  China  will  find  themselves  facing  increased  internet regulation with the aim to protect Critical Information Infrastructure (CII). Critical Information Infrastructure is broadly defined in Article 31 of the law as "public communication and information services, power, traffic, water, finance, public service, electronic governance and other critical information infrastructure that if destroyed, losing function or leaking data might seriously endanger national security, national welfare and the people's livelihood, or the public interest”.

Important definitions relevant to the law are found in Article 76 of the law.

1."Networks"  refers  to  systems  comprised  of  computers  or  other  information  terminals  and  related  equipment  that  follow certain rules and procedures for information gathering, storage, transmission, exchange and processing.

2."Network security" refers to taking necessary measures to prevent network attacks, incursions, interference,    destruction and their unlawful use, as well as unexpected accidents; to put the networks in a state of stable and reliable operation, as well as ensuring the capacity for network data to be complete, confidential and usable.

3."Network operators" refers to network owners, managers and network service providers.

4. "Network  data"  refers  to   all  kinds  of  electronic  data  collected,  stored,  transmitted,   processed,  and  produced  through networks.

5."Personal information" refers to all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person's identity, including, but not limited to, natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth.

(2016 Cybersecurity Law; Article 76)

Because "Network Operators” is a term so broad that it can include any business which operates a website within mainland China, it is important to understand the new law.

Important aspects of the law

Privacy Protections:

  • The bill grants many privacy protections for network users in mainland China. Network operators will be required to strictly  maintain  confidentiality  of  user  information  and  will  be  required  to  install  protection  systems  to  defend  user information. It is required that network operators explicitly state their purpose, means, and scope when collecting user data. The network operator must gain the user¡¯s permission before they collect any data and no data unrelated to the services  the  network  operator  provides  can  be  legally  gathered.  In  the  event  that  data  is  leaked,  corrupted,  or  lost, network operators must immediately take remedial measures, quickly inform users and make a report to the relevant departments in accordance with regulations. Network operators may not unlawfully sell or provide a users information to any other party. (Articles 40-44)

Network Security:

  • The new cybersecurity law implements a tiered network security system. Network operators will be required to follow measures   designed  to   prevent   network  interference,   damage,   unauthorized  access,   data   leaks,  theft, and   data falsification. Network operators will be required to immediately remedy security flaws and vulnerabilities when they are discovered and must provide security maintenance throughout the time period agreed upon with clients (Articles 21 & 22).
  • Network operators will be required to generate emergency   response plans  and  put  them into immediate action   for network security incidents, such as computer viruses or network attacks (Article 25).
  • Critical Information Infrastructure (CII) Operators purchasing network products and services that could impact national security must have their purchases sent through a national security review. (Article 35)
  • The law requires that information gathered and produced in mainland China must be stored in mainland China. If it is truly necessary that information be stored outside of the mainland then a security assessment must be conducted (Article 37).
  • At least once a year Critical Information Infrastructure operators must perform an inspection of network security and submit  a  security  report.  CII  operators  will  be  subject  to  spot  tests  to  test  readiness,  they  must perform  emergency response drills, share network security information with relevant parties, and provide technical assistance for network security management and recovery. (Articles 38 & 39)


  • Violating  the  provisions  in  Articles  41-43  can  result  in  the  confiscation  of  unlawful  gains  and  a  fine  1-10  times  the amount of the unlawful gains. In situations where there are no unlawful gains then a fine up to rmb1,000,000 may be administered and responsible personnel may be fined up to rmb500,000 in serious circumstances. (Article 64)
  • Using products or services that have not been given a security review can get a fine of 1-10 times the purchase price and responsible personnel may be fined up to rmb100,000. (Article 65)
  • Storing  network  data  outside  of  mainland  China  can  result  in  confiscation  of  unlawful  gains,  a  fine  of  rmb500,000, temporary suspension of operations, revocation of business licenses and permits and individual fines up to rmb100,000 for responsible personnel. (Article 66)

LehmanBrown Cybersecurity Service

Performing an internal audit of your business can help prepare you for the era of cybersecurity by providing you with the information necessary to formulate a unique cybersecurity strategy and adapt to new regulations. Internal audits analyse the business processes, goals, management systems and risks within a company to provide valuable unbiased feedback and recommends steps to be taken to improve.

LehmanBrown can support you in the field of cybersecurity by offering an internal audit of your company.


The information on this page may have been provided by a contributor to ChinaGoAbroad, and ChinaGoAbroad makes no guarantees about the accuracy of any content. All content shall be used for informational purposes only. Contributors must obtain all necessary licenses and/or ownership rights from the relevant content owner(s) before submitting such content (including texts, pictures, photos and diagrams) to ChinaGoAbroad for publication. ChinaGoAbroad disclaims all liability arising from the publication of any content/information (such as texts, pictures, photos and diagrams that infringe on any copyright) received from contributors. Links may direct to third party sites out of the control of ChinaGoAbroad, and such links shall not be considered an endorsement by ChinaGoAbroad of any information contained on such third party sites. Please refer to our Disclaimer for more details.


LehmanBrown Accounting And Financial Consulting Ltd.


Regions & Countries
Information Technology
Service Areas

Contact Us