China’s top legislature adopted the country’s Cyber Security Law on Nov 7th 2016. After a third reading by the Standing Committee of the National People’s Congress, the law took effect on June 1st 2017. In addition to defining a wide scope of critical infrastructure, it lays the foundations for enforcing penalties on overseas organisations and individuals who attack, breach or insufficiently protect critical infrastructure and/or personal data. Reto Haeni, Leader Cybersecurity & Privacy at PwC Switzerland, explains what companies should consider, as the topic has more impact than is usually discussed.
China’s new Cyber Security Law focuses to a greater degree on several key topics: keeping personal information secure, combating cybercrime, ensuring network products and services are secure, clarifying the obligations network operators face and addressing sovereignty issues in cyberspace. There are two main aspects to responding to the law, and the second is often overlooked. First, companies operating in China must implement the law’s requirements if they want to remain compliant. Second, organisations with information or systems not located in China must also review their technology architecture, data protection efforts and business processes if they want to minimise the potential risks stemming from the new law.
China’s Cyber Security Law is the next step in the country’s wider effort to tighten rules and regulations governing information security and data privacy. Regulations have previously existed, for example the Administrative Measures for Prevention and Treatment of Computer Viruses and the Administrative Measures for Hierarchical Protection of Information Security. The new law enforces the rights and obligations the government, network operators and users all have in the area of cyber security and data protection. While the law has already come into effect, its concrete implementation is not yet known and a fair amount of interpretation is still needed to apply the law in practice to operations in China. Complying with the law entails several new challenges for both government and business, such as ensuring appropriate network operations, identifying security risks and encouraging network innovation. Each of these steps must be addressed if the rights of all stakeholders are to be protected.