The first comprehensive data protection framework in China’s history, the PRC Cybersecurity Law, takes effect today, June 1, 2017, despite concerns from businesses around the world about the law’s stringency and scope. The law will carry with it the authority to impose fines up to approximately $145,000.00 per violation in addition to various administrative and criminal penalties.
The PRC Cybersecurity Law requires the implementation of administrative and technical security safeguards, restricts the cross-border transfer of personal information and “important data” collected through operations in China, and mandates the protection of personal information.
While much of the law remains murky, the PRC Cybersecurity Law will likely impact companies of all sizes that do business in China, including those that do not have a physical presence there. Companies should carefully review their practices to determine how the new requirements – particularly those relating to data localization and the PRC’s potential access to that data – impact their operations in China.