Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 12
Individual Country Spotlights
Mainland China
China’s unique approach to data and cybersecurity regulation is the most striking feature of APAC region developments in recent years. China’s vast population and the scale of its markets mean that its policies impact the entire region’s business environment, even as the country currently faces significant economic challenges.
Data and cybersecurity compliance in China is now grounded in three laws: the Cybersecurity Law (CSL), which took effect in June 2017; the Data Security Law (DSL), which took effect in September 2021; and the Personal Information Protection Law (PIPL), which took effect in November 2021.
The Cybersecurity Law
The CSL came into effect on June 1, 2017, making it the cornerstone of China’s current data protection and cybersecurity regulatory regime. The focus under the CSL is not specifically on data protection, although the data protection measures found in the law remain important, even as the CSL has been largely supplanted by the PIPL in this regard.
Localisation
When the CSL was introduced in 2017, there were widespread concerns that data localisation, long threatened, would at last be formalised under Chinese law. Companies across a range of sectors feared that the policy direction under the CSL could force them to establish separate operating platforms in China, making use of local technology, if foreign technology were considered to raise national security concerns.
Comprehensive data localisation did not come to pass with the introduction of the CSL. Organisations considered to be operators of “critical information infrastructure” (CIIO(s)) did face this prospect for important data and personal data generated and collected during CIIOs’ operation in China (which will be subject to a security assessment with the competent authority), but most foreign businesses found themselves to be classified as “network operators”, a lower risk grading unlikely to be subject to the data localisation required under the CSL. While not imposing localisation, the CSL does require network operators to meet a number of obligations, including storing internet logs for at least six months, blocking the dissemination of illegal content, and providing “technical support and assistance” to the authorities in national security and criminal investigations.
Multi-Level Protection Scheme
The most significant lasting impact of the introduction of the CSL for multinational businesses has been the reboot of China’s cybersecurity grading system, the Multi-Level Protection Scheme (MLPS), which was revamped in 2019.
MLPS 1.0 (2007-2019) requires organisations to self-assess their cyber risk against a five-tier grading system. Organisations having a risk rating of three are required to report their status and self-assessment to the authorities, procure information security products and engage MLPS assessment institutions meeting special conditions, implement cybersecurity monitoring and detection, and be subject to annual inspections by the Ministry of Public Security (MPS), among other requirements. More broadly, MLPS 1.0 includes a series of graded technical standards, addressing a wide range of issues, from cybersecurity governance through to specific technical requirements for ICT