Published by Francine Atkins. Modified over 6 years ago.
2016 Cybersecurity Law

If any one of these describes your company, the Cybersecurity Law applies to you:

☐ My company has a website that customers can access in China.
☐ My company stores personal information (names, addresses, telephone numbers, birthdates, geographic location, or other identifying information) on anybody who is a Chinese citizen.
☐ We have used customer data to improve our user experience or to measure the success of marketing campaigns.
☐ My company provides network services or conducts some transactions online.

1. Article 76 of the law stipulates that administrators and owners of networks, which may include websites, must comply with all the regulations of “network operators.”
2. Storing personal information for Chinese citizens makes a company liable for the information’s security.
3. The use of personal information, even electronic data like user behavior, is tightly controlled under the new law. Companies that collect and use electronic data to improve their services must carefully comply with the law.
4. Providing network services and conducting online transaction services likely will classify a company under a more stringent “network operator” definition with attendant risks and responsibilities.
5. If a company is determined to be part of the “Critical Information Infrastructure,” it faces very strict requirements under the new law. Data localization, IP risks, and administrative oversight could potentially impose huge burdens on operations in China.

Read the ‘Notes’ section of this slide for more information.
Compliance responsibilities
User Protection: Your company is required to protect individual information from compromise by establishing “user information protection systems.”

Cybersecurity Responsibility: Companies that retain personal information must also maintain a plan to react to threats and have a designated person responsible for cybersecurity.

Information Storage: You must ensure that individuals using your services are informed of how their personal data will be collected and used, and must obtain user consent.

User Rights: You must provide users the ability to correct or delete the information collected about them, and the means to withdraw their consent or cancel their account.

Information Control: Your company must only collect information for a specific purpose and must delete the information after it has been used for that purpose. You cannot sell the information, and must ensure its accuracy. Data controllers are liable for any information they collect, regardless of how it is collected.

Privacy and Intellectual Property: If requested by Chinese security authorities, you must provide “technical assistance” as needed. This assistance may include turning over intellectual property or proprietary business information, and some experts believe collusion with domestic competitors is a possible outcome.

“Personal information” includes:
Biological identification data, as well as electronic information such as geographic location, online behavior data, and financial data

“Technical assistance” may include:
Passwords, encryption, files stored in China, intellectual property or business information
Private business information or research about users, customers, processes, plans, etc.

In addition, companies with products, services, or networks that are labeled “Critical Information Infrastructure” will face additional compliance demands far above what is described here.

Go to our website:

Read the ‘Notes’ section of this slide for more information.