What Is the Chinese Cybersecurity Law?
The Chinese Cybersecurity Law (CCL) provides a legislative framework to regulate the Chinese digital landscape, including the appropriate handling of personal information and important data.
This wide-reaching legislation mandates that data originating in China must be stored there, unless specific criteria are met. Should the data need to be transferred overseas for processing, the processor or ‘Network Operator’ must first conduct a security self-assessment. If the data contains personal information, the data subject's individual consent is required first; the data subject must also be notified of who the recipient is, the purpose, scope and content of the transfer, and the country in which the recipient resides.
Where transfers meet the set criteria, the CCL requires network operators to entrust a government agency to conduct the security assessment and review.
Though the CCL legislation does not preclude non-domestic companies from managing Chinese data, it is vital that companies that do so comply with, and are able to demonstrate adherence to, these comprehensive regulations. There are significant fines for non-compliance with the law – potentially up to 1,000,000 RMB. Additionally, businesses can be closed, or forfeit their license to trade.
CCL At A Glance
What Is The Chinese Cybersecurity Law (CCL)?
The CCL regulates Chinese data deemed to be personal or important, as well as the organizations which collect, store, transmit, exchange and process it.
When Did The Legislation Come Into Force?
The cybersecurity legislation came into force in June 2017, with enforcement commencing over the following year. Further detail is available in the Information Security Technology - Personal Information Security Specification (May 2018).
Who Regulates CCL?
Cyberspace Administration of China (CAC)
What Are The Implications of Non-Compliance?
There are significant fines for non-compliance with the law - potentially up to 1,000,000 RMB. Additionally, businesses can be closed, or forfeit their license to trade.
Fortra Can Help You Comply with CCL
Fortra can support CCL compliance through the following features:
Data Localization Support
Implements measures as specified in CCL Article 21, including intelligent data classification, backup of important data, and encryption.
Applies visual markings and metadata across a wide range of applications to clearly identify personal information and important data.
Sets automated classification and handling rules to prevent unauthorized exfiltration of data originating in China without prior customer consent.
Supports downstream controls such as Access Control and Rights Management solutions.
Enables marking of information for expiry to meet retention requirements.
Data Localization and Security
Ensures sensitive data, including Critical Information Infrastructure (CII), is stored and processed within China in compliance with legal requirements.
Encrypts data both in transit and at rest, adding a robust layer of protection against cyber threats.
Compliance and Policy Enforcement
Automates enforcement of security policies, ensuring consistent compliance across all data handling and communication activities.
Provides comprehensive audit trails and reporting capabilities to demonstrate compliance and support regulatory audits.