book a virtual meeting Search Search
brisbane

one eagle – waterfront brisbane
level 30, 1 eagle street
brisbane qld 4000
+61 7 3235 0400

dandenong

40-42 scott st,
dandenong vic 3175
+61 3 9794 2600

melbourne

level 7, 600 bourke st,
melbourne vic 3000
+61 3 8615 9900

sydney

grosvenor place
level 11, 225 george st,
sydney nsw 2000
+61 2 8298 9533

hello. we’re glad you’re
getting in touch.

Fill in form below, or simply call us on 1800 888 966

New cyber security rules on the way for China

08 February 2024
Daniel Jackson Kelly Dickson
Read Time 3 mins reading time

In yet another example of how privacy and data protection law is becoming increasingly prominent; the Cyberspace Administration of China (CAC) has recently released proposed new rules on reporting cyber security incidents under the Administrative Measures on Reporting of Cyber Security Incidents (Exposure Draft) (Draft Regulations).

The Draft Regulations are aimed at providing clarity on what an organisation’s obligations are and how they should deal with the reporting, managing and post-incident reporting of a cyber incident. The CAC claims that the new regulations could reduce loss and damage resulting from cyber-attacks and protect national internet safety.

For an overview of China’s privacy law, see our breakdown here.

What are the Draft Regulations?

The Draft Regulations introduce a classification scale for cyber incidents, which will be classified as follows:

  1. Extremely severe;
  2. Severe;
  3. Large incidents; and
  4. Ordinary incidents.

If an incident is considered ‘extremely severe’, ‘severe’ or ‘large’, under the Draft Regulations, the new business would be required to report it to the CAC. There is no specific timeline for reporting ordinary incidents.

Incidents that are in the ‘severe’ to ‘extremely severe’ category may range from cyber-attacks on Government department websites and the interruption of critical information infrastructure, to theft of national security data and the leakage of personal information of more than 1 million people.

The Draft Regulations also provide stringent procedures to report incidents, as well as after incident reporting. A new requirement proposed would be that internet operators would need to conduct a comprehensive analysis of the incident to determine its cause and rectification.

What is the importance of the proposed regulation?

For those doing business in China or looking to provide goods or services to the Chinese market in the future, these regulations may affect you.

These changes signal, once again, that privacy and data protection is becoming increasingly important. If your business is yet to consider how such information is protected, we strongly suggest you implement appropriate policies and procedures.

How MK can help

For further information or a review of your compliance with Chinese Privacy laws, please contact one of our experts.

Macpherson Kelley is the only Australian law firm member of PrivacyRules, a global alliance of law firms and cyber experts able to advise on all aspects of privacy issues and risk. For an introduction to our PrivacyRules colleagues in other jurisdictions around the world, please contact Kelly Dickson.

Macpherson Kelley’s China Focus Group advises and assists Australian individuals or businesses doing business in China, as well as Chinese individuals or businesses doing business in Australia. We have a track record of performance partnering with Chinese state-owned and private enterprises, as well as foreign residents for significant transactions, investment and commercial structuring.

Click here for translated information on our China focus group.

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.

stay up to date with our news & insights

New cyber security rules on the way for China

08 February 2024
Daniel Jackson Kelly Dickson

In yet another example of how privacy and data protection law is becoming increasingly prominent; the Cyberspace Administration of China (CAC) has recently released proposed new rules on reporting cyber security incidents under the Administrative Measures on Reporting of Cyber Security Incidents (Exposure Draft) (Draft Regulations).

The Draft Regulations are aimed at providing clarity on what an organisation’s obligations are and how they should deal with the reporting, managing and post-incident reporting of a cyber incident. The CAC claims that the new regulations could reduce loss and damage resulting from cyber-attacks and protect national internet safety.

For an overview of China’s privacy law, see our breakdown here.

What are the Draft Regulations?

The Draft Regulations introduce a classification scale for cyber incidents, which will be classified as follows:

  1. Extremely severe;
  2. Severe;
  3. Large incidents; and
  4. Ordinary incidents.

If an incident is considered ‘extremely severe’, ‘severe’ or ‘large’, under the Draft Regulations, the new business would be required to report it to the CAC. There is no specific timeline for reporting ordinary incidents.

Incidents that are in the ‘severe’ to ‘extremely severe’ category may range from cyber-attacks on Government department websites and the interruption of critical information infrastructure, to theft of national security data and the leakage of personal information of more than 1 million people.

The Draft Regulations also provide stringent procedures to report incidents, as well as after incident reporting. A new requirement proposed would be that internet operators would need to conduct a comprehensive analysis of the incident to determine its cause and rectification.

What is the importance of the proposed regulation?

For those doing business in China or looking to provide goods or services to the Chinese market in the future, these regulations may affect you.

These changes signal, once again, that privacy and data protection is becoming increasingly important. If your business is yet to consider how such information is protected, we strongly suggest you implement appropriate policies and procedures.

How MK can help

For further information or a review of your compliance with Chinese Privacy laws, please contact one of our experts.

Macpherson Kelley is the only Australian law firm member of PrivacyRules, a global alliance of law firms and cyber experts able to advise on all aspects of privacy issues and risk. For an introduction to our PrivacyRules colleagues in other jurisdictions around the world, please contact Kelly Dickson.

Macpherson Kelley’s China Focus Group advises and assists Australian individuals or businesses doing business in China, as well as Chinese individuals or businesses doing business in Australia. We have a track record of performance partnering with Chinese state-owned and private enterprises, as well as foreign residents for significant transactions, investment and commercial structuring.

Click here for translated information on our China focus group.