PRC Cybersecurity Law

A complete data protection framework in China’s history, PRC Cybersecurity Law/ China Internet Security Law was espoused in the National People’s Congress (NPC) in 2016 and took effect on June 1st, 2017 (Yam, & Xu, 2017). The law focusses on the protection of personal data and the privacy of an individual in the cyberspace. It imposes various standards that have shifted data privacy requirements, for instance, data localization to enhance economic and social development (Liu, 2019).

The law provides numerous cybersecurity obligations on network operators, network products and services providers, and Critical Information Infrastructure (CII) operators. It describes network operators as administrators and owners of network services providers and networks. A network according to the law is a system made of computers and other-related information terminals that are used to collect, transmit, exchange, store and process data information (Zhao & Xia, 2018). A network operator, on the other hand, comprises any entity that utilizes a network to do business in the Chinese territory.  

It describes CII as any entity that offers services that if destroyed or lost will expose the national security, endanger economic and social development (Crowell & Moring, 2017). Examples of CII as listed in the law are water conservation, e-government, communication and information services, transportation and financial services, and public services. Network operators and CII are bound by the law to create internal security management systems and processes, draft effective measures to combat cyber-attacks in form of viruses, among others, observe and record all network and security functions for a minimum of six months, and device efficacious measures for data classification, encryption and back-up. Network products and services providers are indicated to comply with industry and national standards and ensure the production of safe products and services. The law note that products and services that are deemed to be critical in network security must first be tested by accredited institutions before being sold in China. Network operators are also bound to store all local data within the borders of China.  

The Ministry of Foreign Affairs and Trade, and New Zealand Trade and Enterprise (2017) indicate that the law further prohibits the cross-border transfer of local data (data information of Chinese citizens, and data of importance to national security, economic and social development), and indicates that a network operator will only transfer local data outside the country for business needs, subject to security approval. This includes explaining to the data subject the scope, purpose, type and the region of the recipient. Consequently, the network operator must receive consent from the data subject before transferring the data except in emergency cases like when property or life of the data subject is endangered.

Various regulatory departments have been highlighted to impose penalties on both individuals and organizations for violation of PRC Cybersecurity Law. These penalties include revocation of licenses, suspensions, warnings, criminal penalties, and fines of up to $145,000 (RMB 1,000,000), which are prescribed in a range based on the nature of the offence (Qi, 2017). Attack to Critical Information Infrastructure operators leads to sanctions and asset freezing of business entities.

From a personal assessment, there will be numerous cases of discovery and disclosure due to cross-border litigations or investigations. For instance, a U.K subsidiary entity based in China will need to produce documentation when the mother company based in the U.K is ordered by the court through a subpoena for those data. Similarly, a Chinese firm may be subject to such conditions outside China. The process will be tricky and challenging as state secrecy and personal information issues will arise as the process has to comply with PRC law. The process will thus have to involve consultation from various governmental bodies (both UK and Chinese) to ensure data transfer. Pursuant to this, it is of great significance to review the cross-border transfer requirements of the law to allow for multi-national companies to securely transfer data outside China without affecting the core principles of the PRC Cybersecurity Law of data privacy.

The law does not provide an effective explanation of what makes up individual data privacy and the circumstances that are viewed as an infringement of individual privacy rights (Dong, 2018). Based on the various lawsuits that have been ruled since the inception of the law, the local courts have issued controversial views on the matter of privacy infringement and thus they cannot be viewed as legally binding. As such, it is important for the law to be updated, providing a clear explanation of what constitutes information privacy and the circumstances that are viewed as privacy infringement.

Many sections of PRC Cybersecurity Law have been criticized, both locally and overseas, like on cross-border data transfer (Huifeng, 2018). Various entities have re-evaluated their data transfer policies to coincide with the requirements of China Internet Security Law. Despite the challenges companies have encountered in their bid to adhere to the requirements of the law, I believe that this law is an important step taken in securing Chinese cyberspace just like other nations like the U.S and U.K. 


Crowell & Moring. (2017). Summary of the PRC Cybersecurity Law. Retrieved from

Qi, D. (2017). The Changing Legal Landscape for Network Security under the PRC Cybersecurity Law. Competition L. Int'l, 13, 55.

Liu, J. (2019). China’s data localization. Chinese Journal of Communication, 1-20.

Dong, M. (2018). China - The Privacy, Data Protection and Cybersecurity Law Review - Edition 5 - TLR. Retrieved from

Ministry of Foreign Affairs and Trade, and New Zealand Trade and Enterprise. (2017). Retrieved from

Yam, R., & Xu, X. (2017, June). Risks of China’s Rapidly Developing Internet Finance. In European Conference on Cyber Warfare and Security (pp. 544-549). Academic Conferences International Limited.

Huifeng, H. (2018, March 1). Chinese cybersecurity law causing 'mass concerns? among foreign firms. Retrieved from

Zhao, L., & Xia, L. (2018, October 11). China's Cybersecurity Law: An Intro for Foreign Businesses. Retrieved from