PRC's 5 Cybersecurity And Data Laws Explained
China (PRC) has enacted 5 major laws in the past 6 years, including 2 this year, that define the legal cybersecurity obligations of PRC manufacturers to the PRC government.
PRC video surveillance manufacturers are legally obligated to cooperate with PRC police and intelligence, hand over relevant data, guard state secrets, and "not overturn the socialist system".
PRC authorities say these laws are aimed at "maintaining national security" and "public interest" and include human rights protections. Overseas critics say these "wide-ranging powers" can be used by the government "to build backdoors" and silence dissent.
In this report, IPVM examines five PRC data laws and their impacts:
- The National Security Law (2015)
- The National Intelligence Law (2017)
- The Cybersecurity Law (2017)
- The Data Security Law (2021)
- The Vulnerability Regulation (2021)
- How these laws contrast with EU, US, and UK cybersecurity laws
For each law, we share the PRC government's rationale and concerns from critics.
Executive *******
** ******** ** *** **, **, and *** **, *** *** *** enacted ******** ************* *** **** **** requiring ************* ** "*********, *******, *** assist" *** **********.
*** **** ******* *** ***** "*********" with *** ******, ************, *** ********, leaving *** **** "*********" *********:
- *** ***** "***** *******, ******, *** cooperate **** ******** ************" [******* *, Intelligence ***, ****]:
- *** ***** "*****" ******* ************ ******** access *** "******** ***" ** ***** "communication *****", *********, *** *** "******** files" [******** **-**, ************ ***, ****]
- *** ********* "*****" ******* ******, ********, and ************ "******" [********] **** "********* support *** **********" [******* **, ******** Security ***, ****]
*** **** ******* ******* *** *** any *** **** **** ***** *** internet ** "******** *** ********* ******":
- *** ***** "***** ******* ******** ************ work *******" [******* *, ************ ***], "keep ***** ******* **** ***** ** confidential" [******* **, ******** ******** ***, 2015], "***** ***** *******" [******* **, Data ******** ***, ****]
- *** ***** ****** *** *** ******** to "******** *** ********* ******" ** "endanger ******** *****" [******* **, ************* Law, ****]
*** **** ****** ********** "******** ******** reviews" *** *** ********** **** **** "might ****** ******** ********":
- "******** ********" ****** *** *** ** products *** ******** "**** ****** ** might ****** ******** ********" [******* **, National ******** ***, ****]
- "******** ******** *******" *** *** ********* of ********** ******** ** "******** *********** infrastructure *********" **** "***** ****** ******** security" [******* **, ************* ***, ****]
*** **** ******** ******** *** *** when ***** ******** ***************, ********* ***** be **** ** *** ********** ****** two **** *** ****** ******* ** certain *****:
- *** ***** "*****" **** *** ************* information ** *** ********** "****** *** days"; *** ***** "*****" "********" ****** users ** ******** ********* [******* *, Vulnerability **********, ****]
- *** ***** ****** ******** *************** "****** major ****** **** ** *** *****" "without *************" **** *** ****** [******* 9, ************* **********, ****]
*** **** **** **** *********** *** human ****** ***********:
- "******** ************ *******" ***** "******* *** protect ***** ******" [******* *, ************ Law, ****]
- ************* **** "*** ***** ** ***** criticisms *** ***************" *** "*** ***** to **** **********, *******, ***********" [******* 82, ******** ******** ***, ****]
*** **** ****** ********** **** *****, detention, *** **** **** ***** **** potential *********** ******** ***********:
- ***** ** ** ** ~$***,***, ********* of ** ** ** ****, **** 5 *****' *** ** ******* ** "cybersecurity ********** ** *** ******* **********"; separately, "******** **************" *** ** "*******" [Articles ** & **, ************* ***, 2017]
- ***** ** ** ** $*.* ******* and ******* ************* [******** **-**, **** Security ***, ****]
- ** ** ** **** ********* *** potential ******** *********** [******** **-**, ************ Law, ****]
Comparison ** **/** ****
** *** **, ****-******** ********/********* *** required *** ****** ** ****** **** from**********; ***** ** ** ******* ** state ******* *** ** ********* ** cooperate **** ******. *** ** ********** obtains **** *** ******* ************ ******** through ***************-********** (*** *********)**** ******.*********** ***** ************** ************ *********, ******* ****** ** surveillance ** ** *******/*********, ***** ******** ***, ****** ** ****** ** ****** data ****** ******** **** * *******. The *** (********) **** ************ ******* exposed ** ****** ******* - ***** collected ******** ** ** ********' ***** - ******** ******* **** *********.
** *** **, ******** ************ ** regulated ** *** ******* *****; ** data *********** ********** - ****** *********** *********(*** ******) *** *** **** (*** *********/***********)- **** ** *********** ******** **** police/intelligence. *****'* **** ********* ************ ******** **** ****** ******** from *** ********* ********** ******** ****** being **** ** ****** ******** ** any *********** **************.
** *** *****, ***** *** **** are **** *******-****** **** ***** **/****** counterparts. *** *** **** ** ******* human ****** ***********, ******** ***** ***** in *** ******* ** *** *** ranking **** *** ****** ** ****** indices ******* ******************* *******,**** *** ********* ** *** *** Supreme *************** ******** ************** * "***** ******* ****" *** PRC ****** ****** ***.*% ********** ****.
National ******** *** (****)
******* ******** ******** ***(*******) *** ******* "** ******** ******** security, ** ****** *** ******'* ********** dictatorship *** *** ****** ** ********* with ******* ***************".
*** ******* **, ********* "*****" ******* police, ********, *** ************ "******" [********] with "********* ******* *** **********" ***** "keeping ***** *******" ************:
******* ** ****** ********* "********* ******** security" *** "********* ** ***":
******* ** ******* "******** ******** ******" checks *** *** ** ******** *** services "**** ****** ** ***** ****** national ********":
******* ** ***** *** ********** **** "maintaining ********** ***********" *** ******* * "national ******* *** *********** ******** ********* system":
*** ***** ***** *** ********** *********** means"** ********** *******'* ***** ** ****** its *** ******** ********** *****". *** PRC****** ********* ****** ***** ********* *** **** websites (********* ****).
******* ** ***** *** ***** **** "accelerating" *** *********** ** "************ **********" - **** ********** ** "****** *** controllable" - ******** ************:
******** **-** ***** ************* "*** ***** to ***** ********** *** ***************" *** "the ***** ** **** **********, *******, accusations":
National ******** *** ***************
*** ********** *********** ***** ************ *** ***** **** *** **************** "****************" *** "******** ********* ******** and ****** *********":
********** ********, *** ******* **** ****** its ***********, ** **** ** ******** and *********** *********, *** [...] ** must ****maintain ********* ******** *** ****** ********* [...]
*****’* cybersovereignty ***** ** ********* *** ********** Raising the idea of ‘safeguarding national cybersovereignty’ in the National Security Law is a response to the needs of the development of the Chinese Internet. It provides the legal basis for managing cyberactivity on China’s soil and resisting activities which jeopardize China’s cybersecurity.”
******* ***** **** *** ******************* *** "******** *******" **** *** internet **** "****-******* ****** *** *** exact *******".*** *** **** ***** ************ ******** ***** ********** "****** *** controllable" ********** *** ** ***** **** companies ***** ** ****** ** ***** backdoors:
*** *** **** ***** *** ********** that ******** ******* ******* ** ** “secure *** ************,” * *********** **** multinationals *** ******** ****** *** ***** be **** **force ********* ** ***** **-****** **** ***** - which allow third-party access to systems - provide encryption keys or even hand over source code [emphasis added]
***** ****** ***** ******* ************* **** the *** ***** "******" ** **** to "*******" *******,*******:
**** *** ****** *** ********* *** government ** ***** ******** *** **easily ******* ***** ***** ****, and [the government can] imprison them or fine them or what[ever] they want to do to silence ***** ****** [emphasis added]
National ************ *** (****)
*********** ************ ******* **** ****** ** **** "** strengthen *** ******* ******** ************ ****, safeguarding ******** ******** *** *********" ** the *** **********.
*** **** ****-***** ****** ** ******* 7, ***** ******** **** *** *** people *** ************* "*******, ******, *** cooperate" ************ ******** *** "******* ******** intelligence **** *******":
******* * *** ** *********** *** there ** ** ******* ** ******** or ************ ** * *** ****** refuses. ***** ******** ********* ******* ******, e.g. ******* ** ***** ******** *** right ** "********* *********** ************* **** relevant *********** *** *************":
******* ** **** ****** ************ "*** request" *** "******** [...] ************* *** citizens ******* ********* *******, **********, *** cooperation":
******** **-** **** ************ ******* *** right ** "***** ******** ********** ***** and ******", "******** ******** ************", *** "read ** ******* ******** *****, ********* or *****" ***** **** ****** ****** to ****** "************** ** ************** *****":
*** *** *** *** ******** ******* that "******** ************ *******" ***** "******* and ******* ***** ******", *** ******* explaining *** (******* *):
******* ** ******** ************ ******** **** not "****** ** ***** ***** *********", nor "******* *** ****** ******" ** PRC *******, *** "*** ***** ******** to ********** ******* ********" (*.*. **********):
Intelligence *** ***************
*** ************ ***'* ******* ** "*******, assist, *** *********" ************ ******** ******* strong ******* ** *** ****, **** the** *** ******* * ******** *************** **** ***** *** *** ********** can ***** ********* ** "****** *********" or "***** ******" ** ** *******' data:
* *** ************ ******may ******* **** *** *** **** ** ****** ******** ***** ****** ** * *.*. ******** ** **********’* ****, or otherwise face penalties. In addition, the National Intelligence Law may ****** *** ***** ** ****** ********* and other security vulnerabilities in equipment and software sold abroad so that the PRC government can easily access data not controlled by PRC firms. [emphasis added]
** ********, *** ************** ***** ********* ************ *** "******** *** ******** human ******", ******** ** ******** * and **:
********* ** *****’* ******** ************ ***, organizations *** ******** **** *** ********** to *******, ****** *** ********* **** national ************ ****. ** *** **** time ** ****explicitly ********** **** ************ **** ****** ** ********* ********* ** *** *** ** * *** **** ******** *** ******** ***** ****** and the lawful rights of individuals and organization [emphasis added]
*** ****, ********* *** ***************,******* ******* ***** ****** *********** **** freedom ** ****** *** ********, ******* the *** ********** **** ***** **** last ** ******* ***** ****** ******** (***/*** ** ***** *******,"*** ****" ********* ******,***).
*** ***'****** ******* *** ***** ****** *******, ******* ** ****** ******** ** Tibet******* ******, ****** **** "***** ****** **** ******* ***************" ***** "****** ** *** ********** of *** *****" *** ********** **** "the ***** ** [********] ***********" ** above "*** *** ***** ***** ******".
Cybersecurity *** (****)
** ****, *** *** ******* **************** ***(*******), ***** ** ******** ** "****** cybersecurity" *** "********* ********** *********** *** national ********".
******* ** ****** "*** ****** *** organization ***** ********" "***** [...] ******* public *****, *** ******* ****** ********" and "**** *** *** *** ********" to ******** "******** ********, ******** *****" and **** *** *** ** ** "overturn *** ********* ******":
***** ***** *.*. "******** *****" *** left *********. ******* ** ******** ******* operators "******* ********* ******* *** ********** to ****** ******** ****** *** ******** security ******":
"********* ******* *** **********" ** *** specified. ******* ** ****** "******** ***** or ***************" ** "********" ********* ** users:
******* ** ******** ******** "******** ******** to *** ****** ***** ** ******** published":
******* ** ******* "******** ******** *******" for *** ********* ** ********** ******** and ******** ** "******** *********** ************** operators" ** **** "***** ****** ******** security":
**** ** ******* ** *** **** National ******** ***'* ******* **, ***** creates "******** ******** *******" ** *** networking **** ******** ** ******** ********.
*** ************* ***'* ******* ** ******** that *** **** ******* ** *** operations "***** ***** ** ****** ******** China":
Cybersecurity *** ***************
* ***** ****** *** ** ****** research **************** ****"*** ********* ****** ** *** *** allows *** ********** **** ***** ** request *** ******* ***********". ************* *** firm******** ****** ******* ***'* ********** ** "*********" **** authorities "*** ******" *********' ******** ** PRC ***********, ************ "**** ** ******** segregated":
*** *** *** **** ******* **obligation ** ********* with public and State security authorities to investigate suspicious crimes, which may ****** **************' *** ******* ********* ************' ******* ******* ** *** ***********. It is advisable therefore for a multinational to consider measures to ensure data is properly ********** to avoid inadvertent disclosure to the PRC authorities. [emphasis added]
*** *** ******** *********, *** ********** Administration ** *****,**** *** *********** *** "*******, **** **** ** data" *** "** ******** ** ********* sovereignty ** **********, ******** ********, *** public ********, ** **** ** *** rights *** ********* ** ********".
** **** *** ******** ******* ********* or ***** ********** *** ******** **** entering *** ******* ******, *** **** it ***** ***orderly, **** **** ** ****. China is entitled to make laws and rules to regulate its cyberspace sovereignty following international practice
*** *** ** ******** ** safeguard *********** ** **********, national security, the public interest, as well as the rights *** ********* ** ********, legal persons and other organizations [emphasis added]
Data ******** *** (****)
******* ******** ***(*******)**** **** ****** ********* *, **** and ********* *** "******** ** ****" within *** *** ** ***** ** "protect ********' *** *************' ****** ******" and "******** ***** ***********" *** ********.
**** ***'* ***** ** ******, **** Article * ********* **** ******** ********** "carried *** ******* *** ********* ** the ***" ** **** *** "******* the ******** ******** ** *** ***":
******* ** ******** *** ***** "*********" with ****** *** "***** ******** ******" who *** "********** ****" ** "******** national ******** ** *********** ******":
*** "**** ******** ********** **** ******* state *******" **** ** ******* ********* to ***** *** *********** *** *** ******** ** "***** state *******":
******* ** ****** *** "**** ******** activities" **** "***** ****** ******** ********" are ******* ** "******** ******** *******" whose ********* *** "*****":
*** ******** ****** "******** ******** *******" mirrors *** ******** ******** ***'* ******* 59 *** *** ************* ***'* ******* 35, ***** **** ******* **** ****** for **********/********** *******.
******* ** ****** ***** "*** ** be ******** ********" ** "**** ******** incidents". **** ** ******* ** *** Cybersecurity ***'* ******* ** ********* **** cyber ******** "******** ******** ** *** public ***** ** ******** *********".
*** **** ******** *** **** ***** the *** *** ***** ** *** "equal ********" ******* *** ****** **** deploy "**************" ** "***********" ******* ******* the ***:
**** ******** ******* ******'* ********-****** ****-********* ******** ****** *** *** ** ******** anyone *** "************" ** ****-*** *********, including ******'* ********.
Data ******** *** ***************
*** ***** ******** ******** ********** **** *** "********** ** **** greater *****" ** *** ***'* ********* toward "********** **** ** ** ********* act", ** ********* ** *** ***'* global ***** ** ******* *:
*** ********* ******** ** *** ******** legal ********* ********** ** **** ******* shift ** *** ***’* ******** **** from ********** ******* **** ******* ** a ********* *********, ***toward ********** **** ** ** ********* ***. The Data Security Law defines 'Data Activities' broadly and with a large scope—to include both activities conducted in China and data-related activities undertaken by organizations and individuals outside of China [emphasis added]
***** ***** ************ ***** ******* *** ******** "****** ***** ******* for ********** *******" *** ****** * PRC ************* ********* ******** *** *** for ******* "*********** ******* *** ********* of ****":
***** **** *****'* ***** ****** **** continue ** ** ******** ** ***** of ******* *** *********** ********, ********* strong *****support *** ********** ******* as well as the safe and healthy development of the digital economy [...] "[the law is] a timely move to curb *********** ******* and spreading of data that is closely linked to national key information and people's livelihoods" [emphasis added]
Vulnerability ********** (****)
************** ** *** ********** ** ******* Product ******** ***************(*******) ** **** ****** ********* *. The *********** ***** ** *** "********* and ******* *********" ** *** *** and *** *********** ******** ** ******* their ***************.
******* * ****** **** "************* ***********" be **** "****** *** ****" ** a ******** *** ** *** ******** of ******** *** *********** ********** ********* key ********* ******* (******** ********, *****, etc):
*** ******** ** *** ******, ******* that ******** ********* *, *** *** government **** **** *** *** ******** of ***** ************* ***** ** *********, Dahua, *** ***** *** *************. ******* 7 **** **** ***** ****** ** "promptly ********" ** *****, ** ** already *** **** ** *** ************* and **** ******** ****:
******* * ******** ******** ************* **********, prohibiting ***** **** ********** "******* ** security *********" *** "************ ************ ******* and *****":
******* * **** ********* ******* *********** product ******** ************* *********** ** "******** organizations" ***** **** "******* ******* *********":
******* * ********* *** ***** **** disclosing ******** *************** "****** ***** ****** held ** *** *****" ******* ********** from *** ***'* *** *********** ********:
*** ** ********** ***** ** ******* US ******* ********* ** *** ********** from *** *** ** ****** ***** of * **** ** ** ******** on **** *.
Vulnerability ********** ***************
******* *** ***, ******** **** ******** on *** ********** ************* ******** ******* in ******* *, **** *** *** of ************* **** *********** **** *************** ******** ******* *** ********** **** "****** *********" use ** *** ********* ********:
*** ********** **** ****** ********* ****** these *************** ** ******* ********** ****** actors
******** **** **** ****** ****** ******, CISO ** ***** ******** **** ****************, that **** ********** ***** "***** ******* disclosures" **** *** *****:
**** *** **** **** ******* *** prior *********** ******** *********** *** *** will ***** **** **** ******* ******** research **** *** ******* ********** *** limit ******* ***********.
**** ***** **** ** ***** ***** coverage ** *** ************* **********.*** ******** ***** *** ********* ********** (***** ***** ****** *******) as ******* "* ****** ******" **** "the ****** ** ******* ******** ** national ******** **** ** ******* ***********. It ** ****** ** ******** *** supervision ** **** *** ****** ******* security."
********...**** **** *** *********** ** **** that *** ******* ******* *****, *** having ***** ******** ******** *** ********** inside ***** ** ******* *****, *** obliged ** ****** *** ****** ****? CISCO, *****, ***.?
******* ******** ********* **** ****** ***** laws. ******* ********* **** * ***** operation **** ****** *** *** ** that ********* *****. ** **** ** or ***** ******* ******* ************ ** China, *** ************* **** ****** *** above ***. * ***** *** **** concern ** ****** ******* ***** ***** China **** ** **** ***** **** products "***** ****" *** ******** ******* and **** ********, *** *** *****-***** company ** *** ***** *** ** duty-bound ** ***** ******** *** ** anything *** *** ***. ******* ******* is *** **** * *** *** foreign ********* *** ***** ** *********** off ***** ***** ********* **** ***** rest-of-the-world ***, ******* *** ***'* ***** access ** *** ***** ********* ***** give **** ****** ** *****-***** ***.
* ***** *** **** ******* ** people ******* ***** ***** ***** **** is **** ***** **** ******** "***** home" *** ******** ******* *** **** transfer, *** *** *****-***** ******* ** the ***** *** ** ****-***** ** share ******** *** ** ******** *** the ***.
******* ** **** ** *** ******* from *** ************* **** **** ***** Western ********'* **** ****** ******* *********, e.g. ** ***. *** ********* **** I *** *** *** ************'* ********* is **** **** ******* *** **** storage ** ******* ********* ******** ** guarantee **** *** ************ *** ****** that **** **** ***** ********* (******* it ** * *** ******* ********* data ****** *** *** ** * PRC ******* ********* **** ****** *** USA). **'* **** ********* ** ***** or ***** ********* **** ***** **** even ** **** ********** ****** *** that *** **** ** ***** **** locally.
** *** **** ** ******* * policy ** *** **** ****** *** to ****** **** ******* (** ***** own ****) **** *** ** *** past ******** ***************.
******** **** "*****" = ******* ****'* server. *** ** *** *****?
**? ** ***.
** *** ******* *** ******* ** a **** ** ***, *** **.