In addition to focusing on cybersecurity, the law also details how companies are to handle personal information and data. In determining what is allowed and not allowed for handling personal information in China, it is important to examine The Decision on Strengthening Information Protection on Networks (2012), The Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (2013), and The Provisions on Protecting the Personal Information of Telecommunications and InternetUsers (2013). There are also many industry-specific rules, including such rules for banking and credit information services. China’s new Cybersecurity Law adopts and modifies existing regulations and codifies them.
Under the new Cybersecurity Law, collecting any user’s personal information requires the user’s consent and network operators must keep collected information strictly confidential. Personal information is defined as information that can be used on its own or with other information to determine the identity of a natural person, including the person’s name, date of birth, ID card number, biological identification information (e.g. fingerprints and irises), address, and telephone number. Once such information has been de-identified, it is no longer subject to the requirement for personal information under the law.
Who are the network operators to which the new law will apply? Owners of networks, administrators of networks, and network service providers. Telecom and Internet service providers, clearly, but “network” is broad enough to go well beyond that.
Networks are systems consisting of computers or other data terminal equipment and relevant devices that collect, store, transmit, exchange, and process information according to certain rules and procedures (Article 76 of the new Cybersecurity Law). If you have a couple of computers at home that can share files, and perhaps a printer connected to them, you technically have a network. The law is not likely to go that far, but the generic definitions of network and network operators leave a lot of room for interpretation, which is exactly how the Chinese government wants it.
The new Cybersecurity Law also requires critical information infrastructure operators (CIIOs) store within China personal information and important data gathered and generated within China and conduct annual security risk assessments regarding their data. Though the definition of CIIO is yet to be clarified, we already know China’s yet to be finalized Measures for Security Assessment of Personal Information and Important Data Leaving the Country will likely require foreign companies doing business in China make big changes in how they handle data. The Cyberspace Administration of China (CAC) published a draft of Measures for Security Assessment of Personal Information and Important Data Leaving the Country back in April, raising many concerns for foreign businesses operating in China.
Source: China Law Blog