Are China’s New Data and Cybersecurity Regulations a Wolf in Sheep’s Clothing?


As the Year of the Sheep gets underway, it is already apparent that the Chinese government will not be living up to the meek reputation of its zodiac representative—at least not as far as data and cybersecurity are concerned.

In January, the State Administration for Industry and Commerce of the People’s Republic of China published a new law, the Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers, which will become effective on March 15. The Measures reflect several provisions of 2014’s Law on the Protection of Consumer Rights and Interests, which requires businesses to obtain consumers’ consent before collecting their personal information and to adopt measures to keep it secure.

However, the Measures go beyond that law, defining what constitutes personal information for the first time in Chinese law: “a consumer’s name, gender, occupation, date of birth, identification card number, address, contact information, status of income and assets, health status, and consumption habits.” Previously, various Chinese regulations broadly defined personal information as any identifying information.

Companies that fail to comply with the Measures may be subject to civil liability as well as stiff penalties, including fines of up to $80,000, forced closure for remediation, or revocation of the company’s business license. Although the Measures are directed at consumer transactions, they likely will serve as a touchstone among the patchwork of other Chinese regulations that govern the collection and use of personal information.

In addition, China has proposed some troubling cybersecurity rules. Last week, the government published a second draft of anti-terror legislation that would require companies to keep their servers and user data inside the country. The law would also compel technology firms to share their encryption keys with the government and install security “backdoors,” jeopardizing the security of their data. The draft is expected to become law in two shakes of a lamb’s tail (within the next few weeks or months).

To avoid being led like lambs to the slaughter, companies should monitor these developments and ensure their policies governing the collection and use of personally identifiable information comply with the law. They should also investigate what, if any, data they currently store in China and consider whether they should transfer it to another jurisdiction.

If transferring data isn’t feasible, companies and their counsel should explore creative technology approaches to processing and reviewing data on-site.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Conduent | Attorney Advertising
