Recent headlines around the world have been preoccupied with news from mainland China. The yuan has risen to a six-month high, Moody’s has downgraded the country’s credit rating, Beijing has vowed to continue working with the EU and others to uphold the Paris climate deal and a new Cybersecurity Law came into effect on June 1st.
The new law was introduced amid heightened concerns in China and globally over the potential for cyber issues, such as the WannaCry ransomware attack, to impact governments, public services, businesses and individuals.
The Cybersecurity Law applies to all organisations and individuals and it:
1. Imposes significant security and privacy obligations on ”network operators” and suppliers of “network products and services”
2. Controls the collection and processing of “personal and important” information of Chinese citizens through “critical information infrastructure”. These must remain inside China unless there are business needs requiring the data to be exported outside of the country; and
3. Reinforces the obligations imposed on organisations and individuals to protect personal information and business secrets from unauthorised access and disclosure.
While this sounds reasonable and broadly in line with overseas regulatory trends on cyber security, foreign organisations are increasingly concerned that the new law singles them out, and restricts their ability to do business in China.