TrustArc Blog

The Giant Awakens – China’s Cybersecurity Law (CSL) and Data Protection Obligations

April 24, 2019

While many of us were focused on the European Union’s GDPR and California’s Consumer Privacy Act (CCPA), the giant on the other side of the world implemented China’s Cybersecurity Law (CSL) in June 2017. While CSL laid out broad data protection principles, there were noticeable gaps related to implementation and overall scope. To operationalize and further clarify CSL scope, the Chinese government instituted six systems: the Internet Information Content Management System; the Cybersecurity Multi-Level Protection System (MLPS); the Critical Information Infrastructure Security Protection System; the Network Products and Services Management System; the Cybersecurity Incident Management System; and the Personal Information and Important Data Protection System.

While it is important for foreign businesses to review all aspects of CSL and the six systems, TrustArc has helped clients focus on the implications of the Personal Information and Important Data Protection System, specifically addressing the following regulations:

  1. What are the requirements to store certain information (including the negative list) inside China, and what level of security measures is required (e.g., Ministry of Public Security [MPS] Regulation)?
  2. What procedures and reviews are needed before transferring certain information out of China (e.g., Cross-Border Data Transfer)?
  3. What are the required notice and consent requirements when collecting personal data?
  4. What are the MPS requirements for reporting a cyber incident within 24 hours?
  5. What does the Cyberspace Administration of China (CAC) require in the annual security assessment report?
  6. What individual rights do data subjects have under the PI Security Specification?

For more than 20 years, TrustArc has worked with the world’s largest and most successful brands to find innovative solutions to data privacy challenges. Headquartered in San Francisco, and backed by a global team, we help clients worldwide demonstrate compliance, minimize risk, and build trust. Using a combination of consulting expertise and powerful technology, TrustArc will help your team address privacy issues and meet global compliance requirements. Learn how TrustArc Privacy Consulting can help you build and manage your privacy program. Schedule a consultation today!