The objective of this standard is to define the China-compliant IT & digital architecture standard and practice based on China Security & Compliance Framework.
This standard is intended to provide an analysis of current China security and compliance-related laws and policies, and to provide compliance frameworks and procedures from the following aspects. This standard applies to all applications and services exposed to users in China.
Three basic China IT Compliance related laws:
- Cybersecurity Law of the People’s Republic of China (CSL)
- Data Security Law of the People’s Republic of China (DSL)
- Personal Information Protection Law of China (PIPL)
China Compliance related technical and architecture design:
- Application and Solutions
- Data and Process
The Chinese government has tightened the regulation of cybersecurity, data security, and personal information protection in recent years. In June 2017, China implemented the Cybersecurity Law. Initially approved in 2016, the law was created to provide guidelines for maintaining network security, protecting the rights and interests of individuals and organizations, and promoting the secure development of technology. The Cyber Administration of China (CAC) is the principal governmental authority supervising and administering the Cybersecurity Law.
In 2021, China continues to expand on the original China Cybersecurity Law (CSL) with introduction of legislation around data protection, including the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) to address concerns around data security and personal information.
Same as other multinational firms operating in China, the enterprise needs to comply with China’s three major cybersecurity and data regulation laws which have been implemented.
|Cybersecurity Law of the People’s Republic of China (CSL)
|Data Security Law of the People’s Republic of China (DSL)
|Personal Information Protection Law (PIPL)
Consisting of 79 articles in seven chapters, the CSL is exceptionally wide in scope, containing an overarching framework targeting the regulation of internet security, protection of personal information, and safeguards for national cyberspace sovereignty and security.
The CSL expressly applies to network operators and critical information infrastructure operators (CIIO), as the terms for these entities are repeatedly mentioned in the law. “Network operator,” as defined in the appendix to the CSL, could be applicable to all businesses in China that own or administer their networks. Therefore, any company (regardless of size and domestic or multinational extent) operating its network – including websites and internal and external networks – to conduct business, provide a service or collect data in China could be in scope.
Four out of the seven chapters in the CSL outline its major requirements:
|Monitor and Response
|Policies and procedures, network products and services, security assessment and information storage
|Protection of personal information and collection, usage and distribution of information
|Live monitoring, comprehensive incident response, incident drill and risk assessment
|Maximum fine RMB 1 million, plus suspension of business and revocation of licenses
Under the CSL Chapter 3, the company in China required to fulfill the obligations under Multi-Level Protection Scheme (MLPS), including MLPS level determination and MLPS assessment. As stipulated by the CSL, the CIIO shall store personal information and important data collected and generated during its operation within the territory of China. Prior approval is needed if the cross-border transfer of the above-mentioned data is necessary. The CSL also defined “personal information” relates to information which can be used independently, or combined with other information, to identify a natural person, including but not limited to the natural person’s name, date of birth, ID number, personal biometric information, address, telephone number, etc.
The DSL sets up a framework that classifies data collected and stored in China based on its potential impact on Chinese national security and regulates its storage and transfer depending on the data’s classification level. The DSL applies to all data processing activities conducted in China.
The data classified and graded system requires relevant authorities to classify and grade data based on its importance and the degree of harm that will be caused by leakage or illegal use. In November 2021, CAC released the draft Administrative Regulations on Network Data Security (Draft for Comment) (“Administrative Regulations”) for public commenting, which divides data into three categories, namely (i) ordinary data, (ii) important data, and (iii) core data. In December 2021, the Practice Guidelines for Cybersecurity Standards — Guidelines for Network Data Classification and Grading (“Data Classification and Grading Guidelines”) was released, dividing data into three categories and four levels:
The “Core data” under the DSL — broadly defined as any data that concerns Chinese national and economic security, Chinese citizens’ welfare and significant public interests — are afforded the highest degree of protection and regulation. While there will likely be further rules and regulations detailing the scope of national core data and guidelines for its protection, violations of the national core data management system may be subject to fines of up to 10 million RMB (~$1.56 million USD), revocation of business licenses, suspension of business, or possible criminal penalties. The law also imposes penalties on entities that fail to cooperate with data requests from Chinese authorities for law enforcement or national security matters.
China’s central government is required by the DSL to formulate a catalog of “important data” based on the data classified and graded system, while relevant authorities in different regions and industries are then required to identify important data and formulate detailed implementing catalogs for their respective regions and industries.
For cross-border transfers of “important data,” the DSL establishes a separate framework for CIIO and non-CIIOs. CIIOs MUST comply with rules under the CSL, which requires local storage for important data that is collected in China. If a CIIO MUST transfer data out of China for a necessary business purpose, a security assessment in accordance with the procedures of the Cyberspace Administration of China (CAC) is required. Non-compliant entities may face penalties including monetary fines of up to 10 million RMB (~$1.56 million USD) and/or revocation of business licenses or suspension of business. The CAC and other regulatory agencies have yet to formulate cross-border transfer rules for non-CIIOs.
Importantly for litigation and international legal proceedings, the DSL states that without approval from Chinese authorities, no organizations or individuals in China may transfer data stored within China to any foreign judicial or enforcement authorities. Neither the specific authorities nor the details of the approval processes are specified in the DSL, but entities that violate this requirement face fines of up to 5 million RMB (~$156,000 USD), with additional fines for responsible individuals.
China has approved the final Personal Information Protection Law (PIPL), and it comes into effect on November 1, 2021. Under PIPL, “personal information” refers to all kinds of information related to an identified or identifiable natural person stored in both electronic and non-electronic forms.
Sensitive personal information is defined under the PIPL as “personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14” (Article 28).
Note that anonymized information is not deemed as personal information under the PIPL and “anonymization” refers to the process by which personal information cannot be used to identify specific natural persons and the personal information cannot be restored after processing (Articles 4 & 73).
The PIPL uses the term “personal information processing entity” to refer to “organization or individual that independently determines the purposes and means for processing of personal information” (Article 73). This appears to be the Chinese law equivalent of the “data controller” concept under the GDPR. Further, the PIPL uses “entrusted party” to refer to “data processor” as defined under the GDPR. Prior to the handling of personal information, the PIPL requires controllers to inform individuals truthfully, accurately, and fully of the following matters in clear and understandable language:
- The name and contact information of the controller;
- The purpose and manner of handling personal information, the type of personal information involved, and the retention period;
- The ways and procedures for individuals to exercise their rights under the PIPL;
- Other matters to be communicated under laws and administrative regulations.
Where a change occurs in the aforementioned matters, controllers are expected under the PIPL to inform the individual of such change. More generally, where the controller provides the required information by means of rules for the handling of personal information, such rules MUST be kept public and easily accessible.
While the PIPL mostly aligns with the GDPR with respect to personal information rights, it lacks more precise GDPR language addressing such rights, including where certain restrictions or exemptions may apply. The table below compares the key types of personal information rights under the GDPR and the PIPL.
|Rights under the GDPR
|Rights under the PIPL
|Right to information
|Right to access
|Right to correction/rectification
|Right to erasure
|Right to object to and restrict the processing of an individual’s data
|Right to data portability
(but needs to satisfy conditions stipulated by the Cyberspace Administration of China)
|Right not to be subject to automated decision-making
|Right to withdraw consent
|Right to lodge a complaint with the regulator
For Cross-border transfer of personal information, in general, a processing entity that plans to transfer personal information to entities outside of China is required to (i) provide individuals with certain specific information about the transfers and obtain separate consent (Article 39),(ii) adopt necessary measures to ensure that the overseas recipients can provide the same level of protection as required under the PIPL (Article 38) and (iii) carry out an personal information protection impact assessment (Article 55).
In addition, for CIIO or entities processing a large amount of personal information, they need to store personal information locally. If it is indeed necessary to transfer such personal information overseas, it shall pass a security assessment administered by the CAC (Article 40).
PIPL is very consent-heavy, including separate, specific consent for many processing activities such as sensitive data and moving data off-shore. Consent is also entirely revocable, in addition to the GDPR-style rights of correction, erasure, and view (or portability).
The PIPL also has broad and open-ended definitions of Sensitive data, including ALL data about children under age 14, which also request parental approval for processing. This will have clear impacts on any systems targeted at, or managing data for, children.
Further, automated processing using personal data comes under the PIPL, including the ability to opt-out of it. In addition, public facial recognition is limited to public safety unless consent is obtained, which SHOULD be limited in public spaces.
PIPL establishes a spectrum of materially significant penalties for businesses: correction orders issued by authorities, confiscation of illegal gains, a fine of up to RMB 50 million (approx. $7.8 million) or 5 percent of the previous year’s turnover, cancellation of business permits or licenses, and suspension of the business operations for rectification.
Moreover, up to RMB 1 million (approx. $0.16 million) shall be imposed on directly liable persons, who will be prohibited from serving as the board member, supervisor, senior management, or DPO for an enterprise during certain period.
Note that, on October 29, 2021, the Cyberspace Administration of China (“CAC”) released for public comment “Draft Measures on Security Assessment of Cross-border Data Transfer”. The Draft Measures are formulated based on the CSL, DSL, PIPL and related regulations. If made final, the Draft Measures would apply to cross-border transfers of personal information and “important data” collected and generated in China under certain circumstances. Data controller would be subject to mandatory security assessments by the CAC in the following circumstances:
- Transfer of personal information and important data collected and generated by CIIO;
- Transfer of important data;
- Transfer of personal information by data controller who process over 1 million individuals’ personal information;
- Cumulatively transferring personal information of more than 100,000 individuals. or “sensitive” personal information of more than 10,000 individuals; or
- Other conditions to be specified by the CAC.
Government authorities, such as the Cyberspace Administration of China (“CAC”), have issued various regulations to implement the three laws (CSL/DSL/PIPL). In addition, other governments, such as China’s National Information Security Standardization Technical Committee, have also released many national standards for more detailed guidance. The following lists more related and applicable national standards that have been published and enacted.
Application (websites, mobile app, Mini-Programs) development MUST follow the three basic laws and relevant regulations, and periodically perform proactive checks and new regulation updates.
A publicly accessible website MUST not collect and use the personal information of its visitors via cookie identifiers without consent.
For SDK, SHOULD update SDK list in the privacy statement, create sensitive personal data list by data type, only initialize after user consent on initialization checkbox.
Mobile app SHOULD NOT ask the user to grant permission unless needed, for example during App pop-up on initialization, Privacy Statement, Terms and Condition, and Cross-border data transmission. No personal data collection or SDK initialization SHOULD be done before user consent.
For API, internal data access MUST go through the Enterprise API gateway in China. 3rd-party APIs, SHOULD comply with third-party’s legal agreements, comply with data security laws and pass cross-border data transmission reviews if there are.
Country/region naming in the application MUST ensure the correct country/region name. For Android App Store submission, SHOULD use the same version for mainland China Android app stores and Google Play store and compliant with the distribution check requirements of these different app stores. Remain as is for Hong Kong, Macau, and Taiwan to get the app from Google Play (Note that some Google services such as Google.com, Google Play, k8s.gcr.io cannot be accessed in mainland China).
The 3rd-party SaaS-based solutions SHOULD recommend vendors with localized operational qualifications and service capability, such as the website domain name have been ICP-registered, and in line with Geo-Partitioned based data storage within China. China has cross-border network supervision, the network in and out of China is not as smooth as in other countries, therefore this helps significantly to improve performance also.
For company in China, an Internet Content Provider (ICP) filing is a MUST for all websites, applications or services for public users access in mainland China, operated by the company in China, and deployed on an on-premises server or cloud server within mainland China, whether for internal or external use. Without proper ICP filing, the internet service providers (ISPs) will block access to the system or website. ICP-registered domain names owned by the company in China MUST only be used on applications or systems owned by the company. The actions for ICP filing SHOULD be:
- Purchase the domain through a Ministry of Industry and Information Technology (MIIT) authorized domain registrar and obtain the domain certificate.
- Engage with cloud service provider (CSP) and build the website (if selecting cloud option which is more common compared to the on-premises server option).
- Start ICP filing process with the information provided to the CSP (or ISP if using own on-premises server).
- Add ICP filing number at the bottom of start page as evidence once obtaining the approval from MIIT.
During the ICP process, the authority in charge will ask the applicants to provide information, such as IP address, ISP name, domain certificate, etc. which can only be obtained after the relevant website has been built and put into operation. Meanwhile, the supervising authority will access the website and review its content for judgement before the approval of ICP filing. ICP filing is supervised by the MIIT and the actual filing process is usually managed by the ISP or cloud service provider (CSP). It takes around one month to finish the entire process.
In addition to an ICP filing, the Ministry of Public Security (MPS) requires a company to also go through a filing process with the local Public Security Bureau (PSB). This SHOULD usually be done within 30 days after an ICP filing has been made. Without prompt filing, the PSB could again ask the ISP to shut down access to a system or a website, in addition to imposing a penalty on the company and / or technical staff who oversee the system. The requirements and filing process are like an ICP filing. The entire process takes around one to two weeks.
The Multi-level Protection Scheme (MLPS) applies to all organizations in China and is important for cybersecurity compliance for domestic and international companies operating in China. MPLS 2.0 with five-level specification security. Level 1 is the least sensitive, while level 5 is the most sensitive.
For enterprise self-owned systems, project owners SHOULD consult with security and legal teams to validate the systems to understand which tier SHOULD fall into and what appropriate security controls they SHOULD adhere to. For security controls at Level 2 or above, an on-site assessment MUST be conducted by a government-designated “security audit” firm. For applications that need to be MLPS certified, usually, the third-party audit firm will conduct relevant tests according to the submitted application architecture. If the application architecture is based on pure serverless mode (such as AWS Lambda) and the OS/Runtime layer testing cannot be performed, then the audit firm may require the cloud provider’s PaaS (Platform as a Service) MLPS certification. Because the different MLPS audit firms’ requirements and PaaS/IaaS definitions may be different, the enterprise SHOULD align the architecture and the scenarios that need to be tested with potential audit firms in advance.
For third-party systems or solutions in China, the company SHOULD also require eligible partners to provide relevant MLPS certification.
All data exchanged through the API and SDK SHOULD contain the minimum required data. Any exposure of personally identifiable information (PII) MUST be reviewed and approved by the Privacy Team.
Applications, websites, and programs MUST comply with China’s PIPL and data privacy compliance standards during development. Any serious and high-level data privacy breaches MUST be fixed prior to each release. Systems, Applications and Programs that collect and store user privacy data during operation MUST comply with China’s Personal Information Protection Law and Information Security Technology – Personal Information Security Specification (GB/T 35273-2020).
About Data retention, article 21 of the Cybersecurity Law of the People’s Republic of China stipulates, “Take technical measures to monitor and record network operation status and network security events and keep relevant network logs for no less than six months in accordance with regulations.” Article 31 of the Electronic Commerce Law of the People’s Republic of China, stipulates that “the storage period of commodity and service information and transaction information SHOULD not be less than three years from the date of completion of the transaction.” From the perspective of national standards, the retention period of personal information SHOULD be the shortest time necessary to achieve the purpose, that is, the retention period of personal information cannot exceed the minimum time required to achieve the purpose.
All personal information is in principle required to be saved within the territory of China unless the system can pass the security assessment organized by the State cyberspace administration. And the data MUST be stored in the company’s standard IT infrastructure in China, either cloud-based or on-premises.
According to the PIPL, if the system needs to transfer personal information out of China or needs to keep using the IT systems outside of China, the system owner SHOULD work with the legal team to develop a contract that meets all related requirements provided in the PIPL.
Note that data cross-board transfer may still happen if remote access tools are provided to staff overseas for accessing the data saved in China. The system SHOULD only provide generalized information, such as the summary report, rather than detailed personal information.
China does not allow foreign cloud service providers to operate independently in China unless they obtain a value-added telecom permit. Amazon Web Services (AWS) and Microsoft Azure are present in the Chinese cloud market. However, both are operated by local service providers by collaborations with Chinese companies according to China’s regulatory and legal requirements.
According to the company’s Cloud strategy and the Cloud Workload Placement Standard, China’s local IT systems or services SHOULD use AWS as the main cloud service provider and deploy in the established Landing Zone on AWS China. For the company in China, we also have a local Performance Hub, which undertakes bridging and data transmission of overseas connection lines. In addition, it can be used as a complement to cloud and on-premises hybrid deployments based on the architecture design.
Note: AWS China has two regions: Beijing and Ningxia. Both regions are operated by two separate service providers. Due to the separate infrastructures, the user accounts of AWS China are completely different from AWS global. There is no direct connection between AWS global and AWS China. AWS China has no direct access and connectivity with other AWS regions outside of China. We need to understand all the differences between AWS global and AWS China when we design the solution, and following the company’s AWS Standard, implement development and deployment on China AWS cloud.
For company’s systems or websites locate outside if China, an Internet Content Provider (ICP) filing is a mandatory requirement when CDN or other “proxy” servers are used to speed up the access to overseas sites. Without proper ICP filing, the internet service providers (ISPs) may block access to the system or website. and the selected CDN service provider SHOULD have a legal operating license in China.
According to CSL, VPN/MPLS/SDWAN services are subject to licensing in China and cannot lawfully deliver unfiltered internet content, the company selected VPN/MPLS/SDWAN service provider SHOULD have a legal operating license in China.
From a strategic point of view, in addition to compliance with the company’s overall technical and strategic, Geo-Partitioned based architecture SHOULD be the target in the future, The system MUST run in China location and the data SHOULD be stored in China is subject to compliance policy. A combination of Localized and Geo-Partitioned strategies may be utilized if there is no Geo-Partition based solution ready.
In addition to complying with the company’s enterprise standards and compliance, China relevant IT projects, systems, applications, and solutions MUST comply with China compliance standards and participate in a compliance review and audit by involving the company’s PIA/Legal team, because Chinese laws and standards are still evolving and changing.