Generic placeholder image

China's 2017 Cyber Security Law

[ above banner: free background downloaded from ]

Miami - March 19, 2021

The China's 2017 Cyber Security Law ( available in English at: ) was enacted by the Standing Committee of the National People's Congress [ also known as NPCSC and which possesses constitutional authority to exercise legislative power in line with the Constitution and the Organic Laws of the National People's Congress' ] to increase data protection/localization and cybersecurity in the interest of national security.

This Law has been in force since June 2017 and applies to ALL Chinese and Foreign (but China-based) 'Network Operators' and 'Operators of Critical Information Infrastructure'. The concept of Critical Information Infrastructure which is also called "CII" includes without limitation public communication and information services (e.g. radio and TV), energy/power, transport/traffic, water resources, finance, public service, and e-government.

The Chinese Central State considers the protection of such Critical Information Infrastructures an absolute top priority because Article 31 of this 2017 Cyber Security Law provides that any destruction of, function loss within or data leakage from any Critical Information Infrastructure would cause a serious damage to state security, national economy and people’s livelihood and public interest.

The 2017 Cyber Security Law places Data Localization Obligations on CII Operators. Indeed, all "Personal Information" and "Important Data" collected/generated by CII Operators in China MUST BE STORED IN CHINA.

Moreover, the transfer of data overseas by Network Operators is subject to Chinese authorities’ authorization possibly granted only after a security assessment was performed (by such Authorities) including “remote testing” and “on-site inspection”.


All Chinese and Foreign Network Operators and Operators of CII must:

a) with regard to Network Security:
- designate network security staff;
- establish and implement security protocols;
- adopt appropriate technologies to investigate, prevent and combat cyberattacks; and
- establish complaint-reporting procedure.

b) with regard to Personal Data Protection:
- obtain consent before collecting personal data;
- explicitly state the purpose, means and scope of collection and use of personal data;
- in case of data breach (1) notify the affected individuals, (2) report such breach to the competent government authority, and (3) take remedial actions; and
- delete or amend personal data upon users’ request.

c) with regard to Content Monitoring:
- monitor content published by users;
- remove unlawful user content; and
- report unlawful content to competent government authorities and keep records.

Under Article 35, CII Operators shall ensure that network products and services, which might affect National Security, undergo security review organized by the Sector Regulator namely the "State cybersecurity and informatization departments and relevant departments of the State Council" [which assess supply chain security risks associated with all stages of the life cycle of such products/services and their key components] in order to make sure they are SECURE, CONTROLLABLE and TRANSPARENT.

Lastly, Chapter VI (Legal Responsibility) of the China's 2017 Cyber Security Law provides that if CII Operators and Network Operators violate or fail to comply with that Law, such operators run the risk of:

- being fined (for up to 1,000,000 RMB which is approximately equal to $150,000.00), and/or

- having their executives/owners/managers placed into detention for up to 15 days (Articles 63 and 67).

Dr. Ariel Humphrey