China adopts new cybersecurity law


On November 7, 2016, China adopted a new cyber-security law that will come into force in June 2017.

The new legislation has received some criticism.

According to James Zimmerman, Chairman of the American Chamber of Commerce in China, “this is a step backwards for innovation in China that won’t do much to improve security.” The law sets “broad restrictions on cross-border data flows” and cybernationalism will not provide “security benefits but will create barriers to Chinese as well as foreign companies operating in industries where data needs to be shared internationally. Moreover, some of the requirements for national security reviews and data sharing will unnecessarily weaken security and potentially expose personal information”, says Zimmerman.

According to this interesting post, the law has five characteristics of particular note:

  • imposes vague requirements on internet companies;
  • subjects “critical information infrastructure” to particularly restrictive regulations, including, for example, the duty to store “personal information and other important data” collected in China on servers physically located within mainland China;
  • provides a legal basis for existing internet regulations;
  • creates wide-ranging punishments for non-compliance. “Fines are the most common punishment and can range from roughly 7,400 to 148,000 USD for companies and 740 to 15,000 USD for personally responsible individuals”;
  • limits collection, transfer and storage of personal information.

The new Chinese cybersecurity law is available at…

James Zimmerman’s press release is available at…

Chris Mirasola, Understanding China’s Cybersecurity Law is available at…


For more information, Federica Romanelii.
