National security laws

China's Network Security Law Comes Into Effect: What It Means For Your Company

For most companies with operations in China, the relevant focuses of the law are for two specific categories of entities: critical information infrastructure operators (CII Operators) and owners and managers of networks and the network service providers (Network Operators). Both categories have significant obligations and related liability under the law, but the scope of focus for Network Operators mostly falls to security measures that are likely already implemented at many multinationals that follow any of the leading data security frameworks. CII Operators, however, have more significant obligations, notably including the requirement to store within China any personal information and important business data that has been "collected and generated in the operation" of the CII Operator within China.

Under the law, the concept of Network Operators falls within a very broad definition of any "owner or manager" of any networks or the network service providers in China, where a "network" is defined as systems of computers and relevant equipment that collect, store, transmit, exchange and process information. CII Operators is a more narrowly defined term in this law, and is primarily given an effects-based test for key industries in which there may be harm to national security, people's livelihood or public interests if there is damage, function loss or data leakage in the network. The specific definition and scope of a CII Operator will be further defined and clarified by the government.