A controversial new cybersecurity law came into force today in China. The law, with important changes to critical data processing and personal information collection, brings uncertainty to companies, especially foreign entities operating in China, according to digital forensics firm KrolLDiscovery.
The most significant, and controversial, change is that Chinese citizens’ “personal information” and “important data” must now be stored on servers within China. Any companies claiming an exception that is “truly necessary” must undergo a security assessment before information can be released.
“This will affect the majority of foreign companies that operate in China, in particular those which use their global infrastructure and IT resources to operate their business in China, as the original data collected, including business data and customer data within China, will typically be stored directly in the data centers or servers physically located overseas,” said Han Lai, China Country Manager for KrolLDiscovery.
“For example, many global companies are still using email servers located outside China for their China operations. Companies need to start thinking and planning ahead to restructure their infrastructure to be in line with the new law,” Lai added.
The new law reinforces the requirement for network operators to obtain their clients’ consent before collecting and disclosing personal information, including stating the reason for the disclosure, and to take measures to ensure the security of personal information.
“This tightening is commensurate with other developed markets, but will take a while to get used to in China where data on individuals is collected on a mass scale for sales and marketing purposes without proper consent, and probably without awareness of what the risks might be,” remarked Lai.
From now on, all network providers must also pass a “network security examination.” This includes specific requirements that network operators must follow when purchasing new network systems.
What is not yet clear is what the consequences of noncompliance will be, but they are expected to be more severe than in the past, and more rigorously enforced. Cancellation of a business license was one penalty under the previous regulations.
“Mirroring what is happening all around the world, the Chinese government is becoming more involved with data protection and strengthening enforcement. Up until now, its rules have not been clearly defined or regularly enforced, but this new law is looking to change that,” said Lai.