
Cybersecurity Law: China builds its new Great Wall

In June 2017, China’s newly-established cybersecurity law came into effect. The law refines rules about personal information protection and related sanctions, and defines rules about cross-border data transmission. The establishment of the law standardises network operators’ rights and duties in Chinese cyberspace, and sets forth clear guidelines regarding data use both for local companies and international brands operating in China. Should these new laws be cause for concern for Western multinational brands and tech companies?

Data management in Chinese cyberspace is no longer a grey area

The new law standardises previous regulations and obligations, and transforms them into actual legislation. It sets out network operators’ obligations, namely to guarantee the security of their network products and services. If any risks are discovered, such as security shortcomings, providers must take immediate action. The law also dictates specific requirements that are directly imposed on operators, including recording network operation, categorising data, encrypting data and preserving relevant web logs for at least six months.

Who exactly are the “network operators” mentioned above?
The phrase refers to network owners and administrators, like telecom companies, but also network service providers who use networks owned and managed by others to offer relevant services - including information. Commercial sites with ICP Licenses like e-commerce platforms, non-commercial sites with ICP Registration Record like official brand sites, and online news sites are all considered to be network operators.

Protecting personal information is central to the new law

In the Chinese netizens’ rights protection report 2016 published by the Internet Society of China, it is estimated that in the past year, spam SMS, scam information and personal information leaks were responsible for a loss of 91.5 billion yuan and affected 688 million Chinese netizens nationwide. Personal data protection is becoming an urgent matter. This law and the importance it gives to personal information protection were triggered by a scandalous fraud case in which a Chinese student died from a heart attack after falling victim to fraud following her personal information being leaked.

The law doesn’t clearly define “personal information”, but it is generally considered to be individually identifying information – similar to the Western concept of “PII” (Personally Identifiable Information). The new legislation mentions principles of “legality, rightfulness and necessity” with regards to using personal information. The law strictly limits collecting, transferring, and otherwise exploiting personal information gathered by network operators:

  • Rightfulness and necessity: personal data collection should be relevant to the service provided;

  • Legality: personal data collection must not violate any law or regulation;

  • Strict privacy: divulging or damaging personal information is strictly prohibited;

  • Prior consent: operators are required to obtain consent from individuals in question when collecting personal information or sharing personal data with a third party; 

  • Sanctions: operators who fail to uphold cybersecurity protection standards may face a fine of up to one million yuan (about €130,000*). 

After the incident that led to this law, the Chinese government set up a special investigation group to investigate the growing problem of personal information leakage. Many big data companies were involved as some of them might have crossed the line. Just before the cybersecurity law came into being, the VP of a listed big data company (Datatang) was placed under arrest, pending investigation.

Is free data movement over?

The new rules about cross-border data transmission are a source of worry for all international companies based in China. The law stipulates that “personal information and important data collected and produced by critical information infrastructure operators during their operations within the territory of PRC shall be stored within China.” This clause led to many discussions, as it made companies nervous. Regarding this controversy, a spokesperson from China’s Office of the Central Leading Group for Cyberspace Affairs clarified during a press conference: “Cross-border data transmission is not forbidden, but it requires authorisation from the government and from users beforehand.” Despite protests by certain global companies concerning these recent clauses, it is undeniable that cross-border data transmission has been a topic of discussion for many years in the legal sphere, particularly in the Western world. As early as 2009, the EU’s famous “E-Privacy Directive” was passed, which sets forth similar principles as the Chinese law regarding consent. Today, the EU-US Privacy Shield framework allows US companies to operate data services cross-border, as long as their transatlantic data exchanges conform to EU and Swiss privacy laws.

The new data storage rule could have a profound impact on data strategies and the organisation of many multinational groups in China. Several tech giants, including Apple, were quick to comply with the law. Recently, Apple announced that it would be creating a new iCloud data center in Guizhou, China, which will ultimately mean that Chinese Apple users’ iCloud data will be stored in China.

The design of this Chinese cybersecurity law is based on the specific local context, and aims at adapting the law to an ever-developing digital society. Consumer data is becoming increasingly important in business affairs for strategic corporate decision-making, product development, and effective marketing and sales. Multinational companies like Procter & Gamble actually taught Chinese businesses data-driven decision-making over the past three decades, since they started operating in China in the late 1980s. This long-awaited data law paves the way for a new racing track for all players in the digital space. We have seen very quick responses from MNCs to adapt in the past months, including from Apple as mentioned above. As a specialised data consulting company, 55 helps brands customise and develop effective digital and data approaches in China, as part of their global customer strategy. Get in touch with us to achieve quick wins and to build long-term data assets to fuel growth in China.


 *About £114,000 or $152,000



Mats Carduner, Adobe Stock & Unsplash
