book a virtual meeting Search Search
why mk
find out more
corporate social responsibility
find out more
macpherson kelley foundation
find out more
why choose mk?
find out more
are you a graduate?
find out more
work with us
view vacancies
brisbane

one eagle – waterfront brisbane
level 30, 1 eagle street
brisbane qld 4000
+61 7 3235 0400
get directions find a lawyer
dandenong

40-42 scott st,
dandenong vic 3175
+61 3 9794 2600
get directions find a lawyer
melbourne

level 7, 600 bourke st,
melbourne vic 3000
+61 3 8615 9900
get directions find a lawyer
sydney

level 21, 20 bond st,
sydney nsw 2000
+61 2 8298 9533
get directions find a lawyer

hello. we’re glad you’re
getting in touch.

Fill in form below, or simply call us on 1800 888 966

Home > News & Insights > New cyber security rules on the way for China

New cyber security rules on the way for China

08 February 2024
Daniel Jackson Kelly Dickson
Read Time 3 mins reading time
Kelly Dickson managing principal lawyer - dandenong, commercial

In yet another example of how privacy and data protection law is becoming increasingly prominent; the Cyberspace Administration of China (CAC) has recently released proposed new rules on reporting cyber security incidents under the Administrative Measures on Reporting of Cyber Security Incidents (Exposure Draft) (Draft Regulations).

The Draft Regulations are aimed at providing clarity on what an organisation’s obligations are and how they should deal with the reporting, managing and post-incident reporting of a cyber incident. The CAC claims that the new regulations could reduce loss and damage resulting from cyber-attacks and protect national internet safety.

For an overview of China’s privacy law, see our breakdown here.

What are the Draft Regulations?

The Draft Regulations introduce a classification scale for cyber incidents, which will be classified as follows:

  1. Extremely severe;
  2. Severe;
  3. Large incidents; and
  4. Ordinary incidents.

If an incident is considered ‘extremely severe’, ‘severe’ or ‘large’, under the Draft Regulations, the new business would be required to report it to the CAC. There is no specific timeline for reporting ordinary incidents.

Incidents that are in the ‘severe’ to ‘extremely severe’ category may range from cyber-attacks on Government department websites and the interruption of critical information infrastructure, to theft of national security data and the leakage of personal information of more than 1 million people.

The Draft Regulations also provide stringent procedures to report incidents, as well as after incident reporting. A new requirement proposed would be that internet operators would need to conduct a comprehensive analysis of the incident to determine its cause and rectification.

What is the importance of the proposed regulation?

For those doing business in China or looking to provide goods or services to the Chinese market in the future, these regulations may affect you.

These changes signal, once again, that privacy and data protection is becoming increasingly important. If your business is yet to consider how such information is protected, we strongly suggest you implement appropriate policies and procedures.

How MK can help

For further information or a review of your compliance with Chinese Privacy laws, please contact one of our experts.

Macpherson Kelley is the only Australian law firm member of PrivacyRules, a global alliance of law firms and cyber experts able to advise on all aspects of privacy issues and risk. For an introduction to our PrivacyRules colleagues in other jurisdictions around the world, please contact Kelly Dickson.

Macpherson Kelley’s China Focus Group advises and assists Australian individuals or businesses doing business in China, as well as Chinese individuals or businesses doing business in Australia. We have a track record of performance partnering with Chinese state-owned and private enterprises, as well as foreign residents for significant transactions, investment and commercial structuring.

Click here for translated information on our China focus group.

Kelly Dickson managing principal lawyer - dandenong, commercial

more
insights
26 April 2024

Delicia admits to breaching the Franchising Code

read more
26 April 2024

Warning to franchisors – remove unfair contract terms!

read more
26 April 2024

The Franchising Code of Conduct Review – What’s Next?

read more

stay up to date with our news & insights

New cyber security rules on the way for China

08 February 2024
Daniel Jackson Kelly Dickson

In yet another example of how privacy and data protection law is becoming increasingly prominent; the Cyberspace Administration of China (CAC) has recently released proposed new rules on reporting cyber security incidents under the Administrative Measures on Reporting of Cyber Security Incidents (Exposure Draft) (Draft Regulations).

The Draft Regulations are aimed at providing clarity on what an organisation’s obligations are and how they should deal with the reporting, managing and post-incident reporting of a cyber incident. The CAC claims that the new regulations could reduce loss and damage resulting from cyber-attacks and protect national internet safety.

For an overview of China’s privacy law, see our breakdown here.

What are the Draft Regulations?

The Draft Regulations introduce a classification scale for cyber incidents, which will be classified as follows:

  1. Extremely severe;
  2. Severe;
  3. Large incidents; and
  4. Ordinary incidents.

If an incident is considered ‘extremely severe’, ‘severe’ or ‘large’, under the Draft Regulations, the new business would be required to report it to the CAC. There is no specific timeline for reporting ordinary incidents.

Incidents that are in the ‘severe’ to ‘extremely severe’ category may range from cyber-attacks on Government department websites and the interruption of critical information infrastructure, to theft of national security data and the leakage of personal information of more than 1 million people.

The Draft Regulations also provide stringent procedures to report incidents, as well as after incident reporting. A new requirement proposed would be that internet operators would need to conduct a comprehensive analysis of the incident to determine its cause and rectification.

What is the importance of the proposed regulation?

For those doing business in China or looking to provide goods or services to the Chinese market in the future, these regulations may affect you.

These changes signal, once again, that privacy and data protection is becoming increasingly important. If your business is yet to consider how such information is protected, we strongly suggest you implement appropriate policies and procedures.

How MK can help

For further information or a review of your compliance with Chinese Privacy laws, please contact one of our experts.

Macpherson Kelley is the only Australian law firm member of PrivacyRules, a global alliance of law firms and cyber experts able to advise on all aspects of privacy issues and risk. For an introduction to our PrivacyRules colleagues in other jurisdictions around the world, please contact Kelly Dickson.

Macpherson Kelley’s China Focus Group advises and assists Australian individuals or businesses doing business in China, as well as Chinese individuals or businesses doing business in Australia. We have a track record of performance partnering with Chinese state-owned and private enterprises, as well as foreign residents for significant transactions, investment and commercial structuring.

Click here for translated information on our China focus group.