New cyber security rules on the way for China
In yet another example of how privacy and data protection law is becoming increasingly prominent, the Cyberspace Administration of China (CAC) has recently released proposed new rules on reporting cyber security incidents under the Administrative Measures on Reporting of Cyber Security Incidents (Exposure Draft) (Draft Regulations).
The Draft Regulations are aimed at providing clarity on what an organisation’s obligations are and how they should deal with the reporting, managing and post-incident reporting of a cyber incident. The CAC claims that the new regulations could reduce loss and damage resulting from cyber-attacks and protect national internet safety.
For an overview of China’s privacy law, see our breakdown here.
What are the Draft Regulations?
The Draft Regulations introduce a classification scale for cyber incidents, which will be classified as follows:
- Extremely severe;
- Severe;
- Large incidents; and
- Ordinary incidents.
If an incident is considered ‘extremely severe’, ‘severe’ or ‘large’ under the Draft Regulations, the business would be required to report it to the CAC. There is no specific timeline for reporting ordinary incidents.
Incidents that are in the ‘severe’ to ‘extremely severe’ category may range from cyber-attacks on Government department websites and the interruption of critical information infrastructure, to theft of national security data and the leakage of personal information of more than 1 million people.
The Draft Regulations also provide stringent procedures for reporting incidents, as well as for post-incident reporting. A proposed new requirement is that internet operators would need to conduct a comprehensive analysis of the incident to determine its cause and rectification.
What is the importance of the proposed regulation?
For those doing business in China or looking to provide goods or services to the Chinese market in the future, these regulations may affect you.
These changes signal, once again, that privacy and data protection are becoming increasingly important. If your business is yet to consider how such information is protected, we strongly suggest you implement appropriate policies and procedures.
How MK can help
For further information or a review of your compliance with Chinese privacy laws, please contact one of our experts.
Macpherson Kelley is the only Australian law firm member of PrivacyRules, a global alliance of law firms and cyber experts able to advise on all aspects of privacy issues and risk. For an introduction to our PrivacyRules colleagues in other jurisdictions around the world, please contact Kelly Dickson.
Macpherson Kelley’s China Focus Group advises and assists Australian individuals or businesses doing business in China, as well as Chinese individuals or businesses doing business in Australia. We have a track record of performance partnering with Chinese state-owned and private enterprises, as well as foreign residents for significant transactions, investment and commercial structuring.
Click here for translated information on our China focus group.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.