China’s first ever cybersecurity law, which officially takes effect on June 1, vows to protect online users’ information by prohibiting abuse from online service providers.
Passed by China’s Parliament in November last year, the new law has banned ISPs from collecting and selling users’ personal information that is irrelevant to their services. Users also have the right to request their information to be deleted in cases of abuse, according to a Sina news report.
Cybersecurity management employees are also required to protect information obtained, and are prohibited from selling or leaking this information.
The Supreme Court and Supreme Procuratorate in China have further stipulated that those who illegally obtain, sell, or provide personal information of over 50 items will be deemed as “severe cases” and subject to imprisonment, the report added.
The new regulation has also tried to strengthen data surveillance and storage for firms working in the country.
Article 37 of the cybersecurity law stipulated that “citizens’ personal information and important business data collected and produced by critical information infrastructure operators during their activities within the territory of the People’s Republic of China, shall be stored within the territory”.
But the article failed to specifically define “critical information infrastructure operators”, only broadly referring to them as “those [that] could cause serious damage to national security, the national economy and public interest if destroyed, functionality is lost, or data is leaked”.
According to a Deloitte report on the website, critical information infrastructures can be categorized into “websites, platforms, and production businesses”.
Other than influential organizations that affect the national economy and people’s livelihood in China, “websites with more than 1 million daily average visits”, “infrastructures that can cause leakage of data of more than 1 million people in the event of a cybersecurity incident”, “infrastructures with more than 10 million registered users, or 1 million active users”, and “infrastructures with daily average transaction or trade amounts of more than 10 million yuan” would all fall into the categories of critical information infrastructures as stated in the new law, Deloitte said.
A Reuters report said earlier that overseas business groups were requesting Chinese regulators to delay implementation of the law, believing the new rules would hurt activities.