The Cyber Security Law of the People’s Republic of China (网络安全法; the CSL), which came into effect on June 1, 2017, imposes far-reaching restrictions on how computer networks in China are operated. It also sets forth provisions governing data privacy and security that, among other things, require data localization and government-led security reviews and restrict cross-border transfers. The CSL is part of a developing legislative framework for cyber governance in China that seeks to protect China’s cyber sovereignty and preserve its cyber security for national security reasons. However, many of the CSL’s key provisions are broadly drafted and omit critical details, making it difficult for companies to determine whether the provisions apply to them and, if so, how to comply.
The government has published additional regulations to help clarify some aspects of the CSL, but significant work still needs to be done. Addressing the remaining issues will likely take several months while government agencies with responsibility for network security and government agencies with sector-specific responsibilities work together to develop further relevant regulations and standards. As a result, enforcement of some provisions of the CSL may be limited; however, pilot enforcement campaigns in particular industries or in relation to particular network operators are expected.
The following discussion provides an overview of the key elements of the CSL, identifies where ambiguity still remains, and offers suggested steps that companies can take until the various rule-making and standard-setting work currently underway is completed.
Read our client alert.