PRC's 5 Cybersecurity And Data Laws Explained

By Charles Rollet, Published Aug 09, 2021, 08:07am EDT

China (PRC) has enacted 5 major laws in the past 6 years, including 2 this year, that define the legal cybersecurity obligations of PRC manufacturers to the PRC government.

PRC video surveillance manufacturers are legally obligated to cooperate with PRC police and intelligence, hand over relevant data, guard state secrets, and "not overturn the socialist system".

PRC authorities say these laws are aimed at "maintaining national security" and "public interest" and include human rights protections. Overseas critics say these "wide-ranging powers" can be used by the government "to build backdoors" and silence dissent.

IPVM Image

In this report, IPVM examines five PRC data laws and their impacts:

  • The National Security Law (2015)
  • The National Intelligence Law (2017)
  • The Cybersecurity Law (2017)
  • The Data Security Law (2021)
  • The Vulnerability Regulation (2021)
  • How these laws contrast to EU, US, and UK cybersecurity laws

For each law, we share the PRC government's rationale and concerns from critics.

Executive *******

** ******** ** *** EU, **, *** *** UK, *** *** *** enacted ******** ************* *** data **** ********* ************* to "*********, *******, *** assist" *** **********.

*** **** ******* *** firms "*********" **** *** police, ************, *** ********, leaving *** **** "*********" undefined:

  • *** ***** "***** *******, assist, *** ********* **** national ************" [******* *, Intelligence ***, ****]:

IPVM Image

  • *** ***** "*****" ******* intelligence ******** ****** *** "priority ***" ** ***** "communication *****", *********, *** any "******** *****" [******** 16-17, ************ ***, ****]
  • *** ********* "*****" ******* police, ********, *** ************ "organs" [********] **** "********* support *** **********" [******* 77, ******** ******** ***, 2015]

*** **** ******* ******* and *** *** *** firm **** ***** *** internet ** "******** *** socialist ******":

  • *** ***** "***** ******* national ************ **** *******" [Article *, ************ ***], "keep ***** ******* **** learn ** ************" [******* 77, ******** ******** ***, 2015], "***** ***** *******" [Article **, **** ******** Law, ****]
  • *** ***** ****** *** the ******** ** "******** the ********* ******" ** "endanger ******** *****" [******* 53, ************* ***, ****]

*** **** ****** ********** "national ******** *******" *** any ********** **** **** "might ****** ******** ********":

  • "******** ********" ****** *** any ** ******** *** services "**** ****** ** might ****** ******** ********" [Article **, ******** ******** Law, ****]
  • "******** ******** *******" *** any ********* ** ********** products ** "******** *********** infrastructure *********" **** "***** impact ******** ********" [******* 35, ************* ***, ****]

*** **** ******** ******** how *** **** ***** disclose ***************, ********* ***** be **** ** *** government ****** *** **** and ****** ******* ** certain *****:

  • *** ***** "*****" **** any ************* *********** ** the ********** "****** *** days"; *** ***** "*****" "promptly" ****** ***** ** security ********* [******* *, Vulnerability **********, ****]
  • *** ***** ****** ******** vulnerabilities "****** ***** ****** held ** *** *****" "without *************" **** *** police [******* *, ************* Regulation, ****]

*** **** **** **** limitations *** ***** ****** protections:

  • "******** ************ *******" ***** "respect *** ******* ***** rights" [******* *, ************ Law, ****]
  • ************* **** "*** ***** to ***** ********** *** recommendations" *** "*** ***** to **** **********, *******, accusations" [******* **, ******** Security ***, ****]

*** **** ****** ********** with *****, *********, *** work **** ***** **** potential *********** ******** ***********:

  • ***** ** ** ** ~$155,000, ********* ** ** to ** ****, **** 5 *****' *** ** working ** "************* ********** or *** ******* **********"; separately, "******** **************" *** be "*******" [******** ** & **, ************* ***, 2017]
  • ***** ** ** ** $1.5 ******* *** ******* cancellations [******** **-**, **** Security ***, ****]
  • ** ** ** **** detention *** ********* ******** prosecution [******** **-**, ************ Law, ****]

Comparison ** **/** ****

** *** **, ****-******** warrants/subpoenas *** ******** *** police ** ****** **** fromIPVM Image**********; ***** ** ** federal ** ***** ******* for ** ********* ** cooperate **** ******. *** US ********** ******* **** for ******* ************ ******** through ***************-********** (*** *********)**** ******.*********** ***** ************** ************ *********, ******* limits ** ************ ** US *******/*********, ***** ******** ***, ****** ** ****** to ****** **** ****** overseas **** * *******. The *** (********) **** surveillance ******* ******* ** Edward ******* - ***** collected ******** ** ** citizens' ***** - ******** ******* **** *********.

** *** **, ******** intelligence ** ********* ** the ******* *****; ** data *********** ********** - the*** *********** *********(*** ******) *** *** GDPR (*** *********/***********)- **** ** *********** mandates **** ******/************. *****'* **** ********* ************ ******** **** obtain ******** **** *** different ********** ******** ****** being **** ** ****** contents ** *** *********** communications.

** *** *****, ***** PRC **** *** **** broadly-worded **** ***** **/****** counterparts. *** *** **** do ******* ***** ****** protections, ******** ***** ***** in *** ******* ** the *** ******* **** the ****** ** ****** indices ******* ******************* *******,**** *** ********* ** the *** ******* *************** ******** ************** * "***** ******* idea" *** *** ****** having ***.*% ********** ****.

National ******** *** (****)

******* ******** ******** ***(*******) *** ******* "** maintain ******** ********, ** defend *** ******'* ********** dictatorship *** *** ****** of ********* **** ******* characteristics".

IPVM Image

*** ******* **, ********* "shall" ******* ******, ********, and ************ "******" [********] with "********* ******* *** assistance" ***** "******* ***** secrets" ************:

IPVM Image

******* ** ****** ********* "assisting ******** ********" *** "protected ** ***":

IPVM Image

******* ** ******* "******** security ******" ****** *** any ** ******** *** services "**** ****** ** might ****** ******** ********":

IPVM Image

******* ** ***** *** government **** "*********** ********** sovereignty" *** ******* * "national ******* *** *********** security ********* ******":

IPVM Image

*** ***** ***** *** cyberspace *********** *****"** ********** *******'* ***** to ****** *** *** Internet ********** *****". *** PRC****** ********* ****** ***** ********* and **** ******** (********* ****).

******* ** ***** *** State **** "************" *** development ** "************ **********" - **** ********** ** "secure *** ************" - advanced ************:

IPVM Image

******** **-** ***** ************* "the ***** ** ***** criticisms *** ***************" *** "the ***** ** **** complaints, *******, ***********":

IPVM Image

National ******** *** ***************

*** ********** *********** ***** Shuna******* *** ***** **** the **************** "****************" *** "******** political ******** *** ****** stability":

********** ********, *** ******* must ****** *** ***********, as **** ** ******** and *********** *********, *** [...] ** **** ****maintain ********* ******** *** ****** ********* [...]

*****’*cybersovereignty ***** ** ********* *** ********** Raising the idea of ‘safeguarding national cybersovereignty’ in the National Security Law is a response to the needs of the development of the Chinese Internet. It provides the legal basis for managing cyberactivity on China’s soil and resisting activities which jeopardize China’s cybersecurity.”

******* ***** **** *** Guardian*********** *** "******** *******" over *** ******** **** "wide-ranging ****** *** *** exact *******".*** *** **** ***** reported**** ******** ***** ********** "secure *** ************" ********** led ** ***** **** companies ***** ** ****** to ***** *********:

IPVM Image

*** *** **** ***** for ********** **** ******** crucial ******* ** ** “secure *** ************,” * catchphrase **** ************** *** industry ****** *** ***** be **** **force ********* ** ***** **-****** **** ***** - which allow third-party access to systems - provide encryption keys or even hand over source code [emphasis added]

***** ****** ***** ******* International **** *** *** could "******" ** **** to "*******" *******,*******:

IPVM Image**** *** ****** *** challenge *** ********** ** raise ******** *** **easily ******* ***** ***** ****, and [the government can] imprison them or fine them or what[ever] they want to do to silence ***** ****** [emphasis added]

National ************ *** (****)

*********** ************ ******* **** ****** ** 2017 "** ********** *** protect ******** ************ ****, safeguarding ******** ******** *** interests" ** *** *** government.

IPVM Image

*** **** ****-***** ****** is ******* *, ***** mandates **** *** *** people *** ************* "*******, assist, *** *********" ************ agencies *** "******* ******** intelligence **** *******":

IPVM Image

******* * *** ** limitations *** ***** ** no ******* ** ******** or ************ ** * PRC ****** *******. ***** Articles ********* ******* ******, e.g. ******* ** ***** agencies *** ***** ** "establish *********** ************* **** relevant *********** *** *************":

IPVM Image

******* ** **** ****** intelligence "*** *******" *** "relevant [...] ************* *** citizens ******* ********* *******, assistance, *** ***********":

IPVM Image

******** **-** **** ************ workers *** ***** ** "enter ******** ********** ***** and ******", "******** ******** institutions", *** "**** ** collect ******** *****, ********* or *****" ***** **** giving ****** ** ****** "transportation ** ************** *****":

IPVM Image

*** *** *** *** sentence ******* **** "******** intelligence *******" ***** "******* and ******* ***** ******", but ******* ********** *** (Article *):

IPVM Image

******* ** ******** ************ staffers **** *** "****** or ***** ***** *********", nor "******* *** ****** rights" ** *** *******, nor "*** ***** ******** to ********** ******* ********" (i.e. **********):

IPVM Image

Intelligence *** ***************

*** ************ ***'* ******* to "*******, ******, *** cooperate" ************ ******** ******* strong ******* ** *** West, **** ***** *** ******* * Business *************** **** ***** *** PRC ********** *** ***** companies ** "****** *********" or "***** ******" ** US *******' ****:

IPVM Image

* *** ************ ******may ******* **** *** *** **** ** ****** ******** ***** ****** ** * *.*. ******** ** **********’* ****, or otherwise face penalties. In addition, the National Intelligence Law may ****** *** ***** ** ****** ********* and other security vulnerabilities in equipment and software sold abroad so that the PRC government can easily access data not controlled by PRC firms. [emphasis added]

** ********, *** ************** ***** ********* ************ *** "******** and ******** ***** ******", alluding ** ******** * and **:

IPVM Image

********* ** *****’* ******** Intelligence ***, ************* *** citizens **** *** ********** to *******, ****** *** cooperate **** ******** ************ work. ** *** **** time ** ****explicitly ********** **** ************ **** ****** ** ********* ********* ** *** *** ** * *** **** ******** *** ******** ***** ****** and the lawful rights of individuals and organization [emphasis added]

*** ****, ********* *** PRC************,******* ******* ***** ****** protections **** ******* ** speech *** ********, ******* the *** ********** **** ranks **** **** ** various ***** ****** ******** (***/*** ** ***** *******,"*** ****" ********* ******,***).

*** ***'****** ******* *** ***** Rights *******, ******* ** ****** governor ** ************ ******, ****** **** "***** ****** **** ******* Characteristics" ***** "****** ** the ********** ** *** Party" *** ********** **** "the ***** ** [********] development" ** ***** "*** the ***** ***** ******".

Cybersecurity *** (****)

** ****, *** *** enacted **************** ***(*******), ***** ** ******** to "****** *************" *** "safeguard ********** *********** *** national ********".

IPVM Image

******* ** ****** "*** person *** ************ ***** networks" "***** [...] ******* public *****, *** ******* social ********" *** "**** not *** *** ********" to ******** "******** ********, national *****" *** **** not *** ** ** "overturn *** ********* ******":

IPVM Image

***** ***** *.*. "******** honor" *** **** *********. Article ** ******** ******* operators "******* ********* ******* and ********** ** ****** security ****** *** ******** security ******":

IPVM Image

"********* ******* *** **********" is *** *********. ******* 22 ****** "******** ***** or ***************" ** "********" disclosed ** *****:

IPVM Image

******* ** ******** ******** "warnings ******** ** *** public ***** ** ******** published":

IPVM Image

******* ** ******* "******** security *******" *** *** purchases ** ********** ******** and ******** ** "******** information ************** *********" ** they "***** ****** ******** security":

IPVM Image

**** ** ******* ** the **** ******** ******** Law's ******* **, ***** creates "******** ******** *******" of *** ********** **** relevant ** ******** ********.

*** ************* ***'* ******* 37 ******** **** *** data ******* ** *** operations "***** ***** ** within ******** *****":

IPVM Image

Cybersecurity *** ***************

* ***** ****** *** DC ****** ******** **************** ****"*** ********* ****** ** the *** ****** *** government **** ***** ** request *** ******* ***********". International *** ************ ****** ******* ***'* ********** ** "cooperate" **** *********** "*** expose" *********' ******** ** PRC ***********, ************ "**** is ******** **********":

IPVM Image

*** *** *** **** imposes **obligation ** ********* with public and State security authorities to investigate suspicious crimes, which may ****** **************' *** ******* ********* ************' ******* ******* ** *** ***********. It is advisable therefore for a multinational to consider measures to ensure data is properly ********** to avoid inadvertent disclosure to the PRC authorities. [emphasis added]

*** *** ******** *********, the ********** ************** ** China,**** *** *********** *** "*******, **** flow ** ****" *** "is ******** ** ********* sovereignty ** **********, ******** security, *** ****** ********, as **** ** *** rights *** ********* ** citizens".

** **** *** ******** foreign ********* ** ***** technology *** ******** **** entering *** ******* ******, nor **** ** ***** theorderly, **** **** ** ****. China is entitled to make laws and rules to regulate its cyberspace sovereignty following international practice

*** *** ** ******** tosafeguard *********** ** **********, national security, the public interest, as well as therights *** ********* ** ********, legal persons and other organizations [emphasis added]

IPVM Image

Data ******** *** (****)

******* ******** ***(*******)**** **** ****** ********* 1, **** *** ********* the "******** ** ****" within *** *** ** order ** "******* ********' and *************' ****** ******" and "******** ***** ***********" and ********.

IPVM Image

**** ***'* ***** ** global, **** ******* * punishing **** ******** ********** "carried *** ******* *** territory ** *** ***" if **** *** "******* the ******** ******** ** the ***":

IPVM Image

******* ** ******** *** firms "*********" **** ****** and "***** ******** ******" who *** "********** ****" to "******** ******** ******** or *********** ******":

IPVM Image

*** "**** ******** ********** that ******* ***** *******" will ** ******* ********* to ***** *** *********** *** *** ******** to "***** ***** *******":

IPVM Image

IPVM Image

******* ** ****** *** "data ******** **********" **** "might ****** ******** ********" are ******* ** "******** security *******" ***** ********* are "*****":

IPVM Image

*** ******** ****** "******** security *******" ******* *** National ******** ***'* ******* 59 *** *** ************* Law's ******* **, ***** both ******* **** ****** for **********/********** *******.

******* ** ****** ***** "are ** ** ******** notified" ** "**** ******** incidents". **** ** ******* to *** ************* ***'* Article ** ********* **** cyber ******** "******** ******** to *** ****** ***** be ******** *********".

IPVM Image

*** **** ******** *** also ***** *** *** the ***** ** *** "equal ********" ******* *** nation **** ****** "**************" or "***********" ******* ******* the ***:

IPVM Image

**** ******** ******* ******'* ********-****** ****-********* ******** ****** *** *** to ******** ****** *** "participates" ** ****-*** *********, including ******'* ********.

Data ******** *** ***************

*** ***** ******** ******** ********** **** *** "********** an **** ******* *****" in *** ***'* ********* toward "********** **** ** an ********* ***", ** reference ** *** ***'* global ***** ** ******* 2:

IPVM Image

*** ********* ******** ** the ******** ***** ********* represents ** **** ******* shift ** *** ***’* attitude **** **** ********** Chinese **** ******* ** a ********* *********, ***toward ********** **** ** ** ********* ***. The Data Security Law defines 'Data Activities' broadly and with a large scope—to include both activities conducted in China and data-related activities undertaken by organizations and individuals outside of China [emphasis added]

***** ***** ************ ***** ******* *** ******** "****** legal ******* *** ********** privacy" *** ****** * PRC ************* ********* ******** the *** *** ******* "unregulated ******* *** ********* of ****":

IPVM Image

***** **** *****'* ***** system **** ******** ** be ******** ** ***** of ******* *** *********** security, ********* ****** *****support *** ********** ******* as well as the safe and healthy development of the digital economy [...] "[the law is] a timely move to curb *********** ******* and spreading of data that is closely linked to national key information and people's livelihoods" [emphasis added]

Vulnerability ********** (****)

************** ** *** ********** of ******* ******* ******** Vulnerabilities(*******) ** **** ****** September *. *** *********** apply ** *** "********* and ******* *********" ** the *** *** *** researchers ******** ** ******* their ***************.

IPVM Image

******* * ****** **** "vulnerability ***********" ** **** "within *** ****" ** a ******** *** ** the ******** ** ******** and *********** ********** ********* key ********* ******* (******** affected, *****, ***):

IPVM Image

*** ******** ** *** public, ******* **** ******** September *, *** *** government **** **** *** own ******** ** ***** vulnerability ***** ** *********, Dahua, *** ***** *** manufacturers. ******* * **** says ***** ****** ** "promptly ********" ** *****, as ** ******* *** case ** *** ************* and **** ******** ****:

IPVM Image

******* * ******** ******** vulnerability **********, *********** ***** from ********** "******* ** security *********" *** "************ exaggerating ******* *** *****":

IPVM Image

******* * **** ********* sharing *********** ******* ******** vulnerability *********** ** "******** organizations" ***** **** "******* product *********":

IPVM Image

******* * ********* *** firms **** ********** ******** vulnerabilities "****** ***** ****** held ** *** *****" without ********** **** *** PRC's *** *********** ********:

IPVM Image

*** ** ********** ***** be ******* ** ******* providers ** *** ********** from *** *** ** inform ***** ** * hack ** ** ******** on **** *.

Vulnerability ********** ***************

******* *** ***, ******** have ******** ** *** government ************* ******** ******* in ******* *, **** the *** ** ************* firm *********** **** *************** ******** ******* *** ********** **** "almost *********" *** ** for ********* ********:

*** ********** **** ****** certainly ****** ***** *************** to ******* ********** ****** actors

******** **** **** ****** Joseph ******, **** ** cloud ******** **** ****************, that **** ********** ***** "limit ******* ***********" **** PRC *****:

**** *** **** **** tighten *** ***** *********** security *********** *** *** will ***** **** **** sharing ******** ******** **** the ******* ********** *** limit ******* ***********.

**** ***** **** ** state ***** ******** ** the ************* **********.*** ******** ***** *** cited**** ********** (***** ***** recent *******) ** ******* "a ****** ******" **** "the ****** ** ******* security ** ******** ******** will ** ******* ***********. It ** ****** ** increase *** *********** ** data *** ****** ******* security."

Comments (5)

** *** ******* *** product ** * **** to ***, *** **.

Agree: 3
Disagree: 1
Informative
Unhelpful
Funny: 1

********...**** **** *** *********** to **** **** *** company ******* *****, *** having ***** ******** ******** and ********** ****** ***** by ******* *****, *** obliged ** ****** *** stated ****? *****, *****, etc.?

Agree
Disagree
Informative
Unhelpful
Funny

******* ******** ********* **** follow ***** ****. ******* companies **** * ***** operation **** ****** *** law ** **** ********* there. ** **** ** or ***** ******* ******* subcontracts ** *****, *** subcontractor **** ****** *** above ***. * ***** the **** ******* ** people ******* ***** ***** China **** ** **** their **** ******** "***** home" *** ******** ******* and **** ********, *** the *****-***** ******* ** the ***** *** ** duty-bound ** ***** ******** and ** ******** *** the ***. ******* ******* is *** **** * job *** ******* ********* are ***** ** *********** off ***** ***** ********* from ***** ****-**-***-***** ***, because *** ***'* ***** access ** *** ***** operation ***** **** **** access ** *****-***** ***.

Agree
Disagree
Informative
Unhelpful
Funny

* ***** *** **** concern ** ****** ******* China ***** ***** **** is **** ***** **** products "***** ****" *** internet ******* *** **** transfer, *** *** *****-***** company ** *** ***** end ** ****-***** ** share ******** *** ** anything *** *** ***.

******* ** **** ** the ******* **** *** manufacturers **** **** ***** Western ********'* **** ****** Western *********, *.*. ** AWS. *** ********* **** I *** *** *** manufacturer's ********* ** **** just ******* *** **** storage ** ******* ********* provides ** ********* **** the ************ *** ****** that **** **** ***** countries (******* ** ** a *** ******* ********* data ****** *** *** or * *** ******* accessing **** ****** *** USA). **'* **** ********* to ***** ** ***** companies **** ***** **** even ** **** ********** assure *** **** *** data ** ***** **** locally.

Agree: 2
Disagree
Informative
Unhelpful
Funny

** *** **** ** writing * ****** ** law **** ****** *** to ****** **** ******* (in ***** *** ****) that *** ** *** past ******** ***************.

******** **** "*****" = someone ****'* ******. *** do *** *****?

**? ** ***.

Agree: 1
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 7,270 reports and 968 tests and is only available to subscribers. To get a one-time preview of our work, enter your work email to access the full article.

Already a subscriber? Login here | Join now
Loading Related Reports