1) Prior to the press conference, there was speculation in the media that there would be a delay in the launch of the Cybersecurity Law, including speculation that there would be a grace period of up to the end of December 2018 for critical information infrastructure operators to comply with the data localization requirements. The official position is that all provisions of the Cybersecurity Law are effective from 1 June 2017.
2) Please refer to our OnPoint of 31 May 2017 on China Cybersecurity Law – Seven Key Points to Ensure You are Compliance Ready for further details.
3) The precise scope of what a critical information infrastructure operator encompasses is still to be clarified by the CAC and other relevant authorities by way of further guidance documents and standards.
4) Please refer to our OnPoint of 24 May 2017 on Potential Implications of the Cybersecurity Law on Foreign Network Products and Services for further details.
5) Note that the CAC did not clarify what constitutes “public dissemination”, in particular whether it covers emails and/or chats involving more than two persons, and if so, whether network operators are required to monitor such emails and chats and to cease transmission of the same on discovery of illegal information “disseminated” in these emails and/or chats.