

Survey Answer:

Data protection is an area that is currently under development following the promulgation of the Cybersecurity Law. Many of the implementing rules and standards needed for a comprehensive data protection framework remain in proposed form. We note some particular highlights:
• Personal information
The Cybersecurity Law builds on a number of earlier pieces of data protection legislation and provides protection of personal information that is in line with international framework agreements, including the APEC Privacy Framework. The Cybersecurity Law observes certain principles at Arts. 40-50, such as the requirement to keep acquired personal information confidential, the minimization principle of collection, etc.
The Information Security Technology – Personal Information Security Specification (effective 2018) interprets the requirements of the Cybersecurity Law with respect to personal information protection.
• Important data
The Cybersecurity Law introduces the concept of “important data”, which is a new legal concept for certain forms of sensitive or economically strategic data. These data are considered to be less significant than “state secrets” data, but are now subject to legal protection. The Cybersecurity Law and other proposed regulations and rules describe a data classification mechanism whereby entities classify and monitor data based on its attributes. An annex to the proposed Information Security Technology – Guidelines for Data Cross-border Transfer Security Assessment (Draft for Comment) provides a listing of “important data” which may be instructive as to how the regulatory authorities will proceed in this area. The legal requirements with respect to handling important data remain relatively unrefined, much like the definition itself.
1. Laws
1.1. Cybersecurity Law of the People’s Republic of China, supra.
2. Administrative Regulations
2.1. [Proposed] Regulations on Classified Protection of Cybersecurity (Draft for Comment), supra.
3. Ministerial Rules
3.1. [Proposed]《个人信息和重要数据出境安全评估办法(征求意见稿)》[Measures on Security Assessments of Personal Information and Important Data to be Transmitted Abroad (for Public Comment)] (Cyberspace Admin. of China, issued Apr. 11, 2017, for comment until May 11, 2017)
4. National Standards and Other Regulatory Documents
4.1. 《信息安全技术 个人信息安全规范》[Information Security Technology – Personal Information Security Specification] (Standard. Admin. P.R.C. et al. (GB/T 35273-2017); promulgated Dec. 29, 2017, effective May 1, 2018)
4.2. [Proposed]《信息安全技术 数据出境安全评估指南(征求意见稿)》[Information Security Technology – Guidelines for Data Cross-border Transfer Security Assessment (Draft for Comment)] (Nat’l Info. Sec. Standard. Tech. Comm. (GB/T XXXX-XXXX) (vol. nat’l std.); issued Aug. 30, 2017, for comment until Oct. 13, 2017)
4.3. [Proposed]《信息安全技术 数据处境安全评估指南》[Guidelines for Personal Information Security Impact Assessments] (Info. Sec. Stand. Tech. Comm.; issued June 11, 2018, for public comment until July 25, 2018)

Provided By:
David Tang, Han Kun Law Offices