China Cybersecurity Law - 6 key points to help minimise risks and localise policies and procedures

The new China Cybersecurity Law (CSL) is set to take effect on 1 June 2017, putting more emphasis on personal information security, cybercrime, network product and service security, obligations of network operators and sovereignty rights.

There have been various draft regulations and papers published over the past year, and organisations have had to deal with complex realities arising from multiple regulators, jurisdiction discrepancies, multi-layered rules, broad definitions and the interpretation of various pieces of related legislation.

Although the law is set, detailed guidelines are still evolving and yet to be published. However, the consequences of non-compliance are very real, including both corporate and personal liabilities such as suspension of business, civil liabilities, criminal liabilities, revocation of licenses, and cease-and-desist orders. For example, in 2016, local enforcement shut down 51 websites and 423 online programmes in Guangdong. In Zhejiang, 113 websites were shut down, criminal liabilities were imposed on 224 persons and administrative liabilities on 158 persons.

In response to the new legislation, PwC Hong Kong hosted a China Cybersecurity Law seminar on 21 March 2017 in Hong Kong, presented by Cybersecurity Partners of PwC Hong Kong Chun Yin Cheung and Kok-Tin Gan, Risk Assurance Partner of PwC Hong Kong Kenneth Wong, and David Tiang, Partner of Tiang & Co.

The seminar covered various topics, with CY and David giving an overview of the legislation journey, its goals, the regulatory bodies involved, and the consequences and real examples of non-compliance, as well as a deeper dive into the definition of “important business data” and the scope of jurisdiction impacting most industries. Afterwards, there was a panel discussion, which Kenneth and Kok-Tin joined. It was an interactive discussion, with the audience mostly interested in the business-critical impact of the law and in determining the best way to operationalise a strategy to comply with it.

Furthermore, the team also provided some practical considerations and came up with 6 key points to help organisations minimise risks and localise policies and procedures to meet the requirements. The 6 key points are:

  1. conduct an assessment on the applicability of the law to your business operations in China and in the region;
  2. run a health check on the organisation’s compliance and risk management status;
  3. determine which jurisdiction your organisation falls under and develop a data and privacy protection mechanism. This also extends and applies to the organisation’s supply chain;
  4. identify the impact of a breach (on people’s livelihood, public interest, and national security and welfare) and prepare an incident response mechanism;
  5. equip your employees with frequent communications and workshops;
  6. improve corporate governance through continuous monitoring, analysis and assessment, and remedial measures.


The seminar was held successfully. Around 50 companies and over 70 clients from a range of industries attended the seminar.