2016 Cybersecurity Law

FCO Cathy Feig asked me to help her research China’s 2016 Cybersecurity Law. Specifically, she asked me to attack it twofold: 1) What does it mean for you if you are a business? 2) What are the implications/undercurrent meanings?

I worked with the local translation staff and eventually, I was able to review the dense document in English. After thoroughly researching both business law and the document itself, I sent Cathy some notes. While I do not have access to the documents that would later become her talking points in a meeting surrounding this issue (they are on her government server), I do have my talking notes from the meeting in which I briefed her on the outcomes. See below.


Biggest Concerns:

• Article 12, in general, Article 58 and Article 6 perhaps show the true essence/intent of this law

• Important portions of the Cybersecurity Law are written such that the scope of state authority, and the regulations that may be imposed upon an internet company, are entirely ambiguous. See Article 21, 28, Article 51

• Concurringly, there is more ambiguity in terms of the future parameters that will be implemented. Article 53, for example, empowers government departments with jurisdiction over cyberspace issues to “establish sound cybersecurity risk evaluations and emergency response efforts.” Article 29 similarly provides that “relevant industry organizations will establish sound cybersecurity standards and mechanisms for collaboration.” Though subsequent regulations may provide some additional clarity, it is difficult to find concrete principles within the law that would limit the regulations that could be promulgated in the name of the legislation’s vaguely worded


• Article 31 does not define CRITICAL INFORMATION


• The focus on critical sectors—telecommunications, transport, finance, IT is very apparent

• Data (both business related and personal) must be stored IN China (Article 42 and Article 66)

• Companies are now accountable for not only the information they publish, but also that which they allow to spread online (Article 47 and 46)

• Collection of personal data on all employees and users that is accessible by


• The right to “immediately initiate” shut down of operations and restrict

