Recent Legal Developments in

Cybersecurity in China

Edward Epstein
Managing Partner, Troutman Sanders LLP
ACFE
Hong Kong
September 19, 2017

Edward Epstein / 葉德華
Managing Partner, Shanghai; Partner, Hong Kong
Troutman Sanders

Shanghai Office: 25/F, 688 Square, 688 Nanjing West Road, Shanghai 200041, 86.21.6133.8989
Hong Kong Office: 34/F, Two Exchange Square, 8 Connaught Place, Central, Hong Kong, 852.2533.7888

www.troutman.com
ACFE

"The mission of the Association of Certified Fraud Examiners is to reduce the incidence of fraud and white-collar crime and to assist the Membership in fraud detection and deterrence."
Legal Framework of Cybersecurity in China

2016 Cybersecurity Law
2017 SPC and SPP interpretations
2017 General Part of the Civil Law
2016 Anti-Terrorism Law
2015 National Security Law
2015 Criminal Law Amendment (IX)
Recent Chinese regulations and rules on Internet/telecommunication crimes
Cyber-security Law
中华人民共和国网络安全法
Article 76 […]

3. "Network operators" refers to the owners and administrators of a network and to network service providers.
(三)网络运营者,是指网络的所有者、管理者和网络服务提供者

4. "Network data" refers to all kinds of electronic data collected, stored, transmitted, processed and generated through a network.
(四)网络数据,是指通过网络收集、存储、传输、处理和产生的各种电子数据。

5. "Personal data" refers to all kinds of information, recorded electronically or otherwise, that on its own or in combination with other information can identify a natural person, including but not limited to the natural person's name, date of birth, ID number, biometric information, address and telephone number.
(五)个人信息,是指以电子或者其他方式记录的能够单独或者与其他信息结合识别自然人个人身份的各种信息,包括但不限于自然人的姓名、出生日期、身份证件号码、个人生物识别信息、住址、电话号码等。

Promulgated by the Standing Committee of the National People's Congress, effective on June 1, 2017
Interpretations of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues on the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens' Personal Data (2017)
最高人民法院、最高人民检察院关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释(法释[2017]10号)

Article 1 The term "personal data of a citizen" as used in Article 253A of the Criminal Law refers to all kinds of information, recorded electronically or otherwise, that on its own or together with other information can identify a particular natural person or reflect that person's activities, including the natural person's name, ID number, communication contact details, address, account names and passwords, property situation, whereabouts and movements, etc.

第一条 刑法第二百五十三条之一规定的“公民个人信息”,是指以电子或者其他方式记录的能够单独或者与其他信息结合识别特定自然人身份或者反映特定自然人活动情况的各种信息,包括姓名、身份证件号码、通信通讯联系方式、住址、账号密码、财产状况、行踪轨迹等。

Promulgated by the Supreme People's Court and the Supreme People's Procuratorate, effective on June 1, 2017
Cyber-security Law
中华人民共和国网络安全法

Article 42 Network operators shall not divulge, tamper with or damage the personal data they have collected, and shall not provide personal data to others without the consent of the persons from whom it was collected, except where the data has been processed so that it cannot identify a specific individual and cannot be restored.

第四十二条 网络运营者不得泄露、篡改、毁损其收集的个人信息;未经被收集者同意,不得向他人提供个人信息。但是,经过处理无法识别特定个人且不能复原的除外。

Network operators shall adopt technical and other necessary measures to ensure the security of the personal data they have collected and to prevent it from being divulged, damaged or lost. Where personal data has been or may be divulged, damaged or lost, the operator shall immediately take remedial measures, notify users promptly as required and report to the relevant competent departments.

网络运营者应当采取技术措施和其他必要措施,确保其收集的个人信息安全,防止信息泄露、毁损、丢失。在发生或者可能发生个人信息泄露、毁损、丢失的情况时,应当立即采取补救措施,按照规定及时告知用户并向有关主管部门报告。
Article 41 In collecting and using personal data, network operators shall follow the principles of lawfulness, legitimacy and necessity, disclose their rules for collection and use, clearly state the purpose, means and scope of the collection and use, and obtain the consent of the persons from whom the data is collected.

第四十一条 网络运营者收集、使用个人信息,应当遵循合法、正当、必要的原则,公开收集、使用规则,明示收集、使用信息的目的、方式和范围,并经被收集者同意。

Network operators shall not collect personal data unrelated to the services they provide, shall not collect or use personal data in violation of laws, administrative regulations or the agreements between the parties, and shall handle the personal data they store in accordance with laws, administrative regulations and their agreements with users.

网络运营者不得收集与其提供的服务无关的个人信息,不得违反法律、行政法规的规定和双方的约定收集、使用个人信息,并应当依照法律、行政法规的规定和与用户的约定,处理其保存的个人信息。
Article 44 No individual or organization may obtain personal data by theft or other unlawful means, or unlawfully sell or unlawfully provide personal data to others.

第四十四条 任何个人和组织不得窃取或者以其他非法方式获取个人信息,不得非法出售或者非法向他人提供个人信息。

Article 45 Departments responsible under the law for the supervision and administration of cybersecurity, and their staff, shall keep strictly confidential the personal data, privacy and trade secrets learned in the performance of their duties, and shall not divulge, sell or unlawfully provide them to others.

第四十五条 依法负有网络安全监督管理职责的部门及其工作人员,必须对在履行职责中知悉的个人信息、隐私和商业秘密严格保密,不得泄露、出售或者非法向他人提供。
Criminal Law Amendment (IX)
中华人民共和国刑法修正案(九)

17. Article 253A of the Criminal Law is revised to read:
十七、将刑法第二百五十三条之一修改为:

"Whoever, in violation of the relevant provisions of the State, sells or provides others with the personal data of a citizen, where the circumstances are serious, shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention and concurrently or separately sentenced to a fine; if the circumstances are especially serious, the person shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years and concurrently sentenced to a fine.
“违反国家有关规定,向他人出售或者提供公民个人信息,情节严重的,处三年以下有期徒刑或者拘役,并处或者单处罚金;情节特别严重的,处三年以上七年以下有期徒刑,并处罚金。

"Whoever, in violation of the relevant provisions of the State, sells or provides others with citizens' personal data obtained in the course of performing duties or providing services shall be given a heavier punishment in accordance with the preceding paragraph.
“违反国家有关规定,将在履行职责或者提供服务过程中获得的公民个人信息,出售或者提供给他人的,依照前款的规定从重处罚。

"Whoever unlawfully obtains citizens' personal data by theft or other means shall be punished in accordance with the provisions of Paragraph 1.
“窃取或者以其他方法非法获取公民个人信息的,依照第一款的规定处罚。

"Where an organization commits any of the crimes mentioned in the preceding three paragraphs, a fine shall be imposed on the organization, and the persons directly in charge and other persons directly liable shall be punished in accordance with the respective provisions of the preceding three paragraphs."
“单位犯前三款罪的,对单位判处罚金,并对其直接负责的主管人员和其他直接责任人员,依照各该款的规定处罚。”

Promulgated by the Standing Committee of the National People's Congress, effective on November 1, 2015
Interpretations of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues on the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens' Personal Data (2017)
最高人民法院、最高人民检察院关于办理侵犯公民个人信息刑事案件适用法律若干问题的解释(法释[2017]10号)

Article 4 Obtaining citizens' personal data by purchase, receipt, exchange or similar means, or collecting citizens' personal data in the course of performing duties or providing services, in violation of the relevant provisions of the State, constitutes "unlawfully obtaining citizens' personal data by other means" as mentioned in Paragraph 3 of Article 253A of the Criminal Law.

第四条 违反国家有关规定,通过购买、收受、交换等方式获取公民个人信息,或者在履行职责、提供服务过程中收集公民个人信息的,属于刑法第二百五十三条之一第三款规定的“以其他方法非法获取公民个人信息”。
Article 5 Unlawfully obtaining, selling or providing citizens' personal data shall be deemed "serious circumstances" as mentioned in Article 253A of the Criminal Law in any of the following cases:
第五条 非法获取、出售或者提供公民个人信息,具有下列情形之一的,应当认定为刑法第二百五十三条之一规定的“情节严重”:

[…]

3. unlawfully obtaining, selling or providing 50 or more items of information about citizens' whereabouts and movements, communication content, credit information or property;
(三)非法获取、出售或者提供行踪轨迹信息、通信内容、征信信息、财产信息五十条以上的;

4. unlawfully obtaining, selling or providing 500 or more items of other citizens' personal data likely to affect personal or property security, such as accommodation records, communication records, health and physiological information or transaction information;
(四)非法获取、出售或者提供住宿信息、通信记录、健康生理信息、交易信息等其他可能影响人身、财产安全的公民个人信息五百条以上的;

[…]

7. obtaining unlawful gains of RMB 5,000 or more;
(七)违法所得五千元以上的;
Article 3 Providing citizens' personal data to a particular person, or publishing citizens' personal data through an information network or by other means, constitutes "providing citizens' personal data" as mentioned in Article 253A of the Criminal Law.

Providing lawfully collected citizens' personal data to others without the consent of the persons from whom it was collected also constitutes "providing citizens' personal data" under Article 253A of the Criminal Law, except where the data has been processed so that it cannot identify a specific individual and cannot be restored.

第三条 向特定人提供公民个人信息,以及通过信息网络或者其他途径发布公民个人信息的,应当认定为刑法第二百五十三条之一规定的“提供公民个人信息”。
未经被收集者同意,将合法收集的公民个人信息向他人提供的,属于刑法第二百五十三条之一规定的“提供公民个人信息”,但是经过处理无法识别特定个人且不能复原的除外。
The General Part of the Civil Law
中华人民共和国民法总则

Article 111 The personal data of a natural person is protected by law. Any organization or individual that needs to obtain the personal data of others shall do so lawfully and ensure the security of that data, and shall not unlawfully collect, use, process or transmit the personal data of others, nor unlawfully buy or sell, provide or publish the personal data of others.

第一百一十一条 自然人的个人信息受法律保护。任何组织和个人需要获取他人个人信息的,应当依法取得并确保信息安全,不得非法收集、使用、加工、传输他人个人信息,不得非法买卖、提供或者公开他人个人信息。

Adopted by the National People's Congress on March 15, 2017, effective on October 1, 2017
National Security Law
中华人民共和国国家安全法

Article 25 The State shall build a network and information security safeguard system, enhance its capacity to protect network and information security, strengthen innovative research, development and application of network and information technology, achieve security and controllability of core network and information technology, critical infrastructure, and the information systems and data of key areas, strengthen network management, prevent, stop and lawfully punish cyber attacks, network intrusions, network theft of secrets, the dissemination of unlawful and harmful information and other unlawful and criminal network activities, and safeguard the State's sovereignty, security and development interests in cyberspace.

第二十五条 国家建设网络与信息安全保障体系,提升网络与信息安全保护能力,加强网络和信息技术的创新研究和开发应用,实现网络和信息核心技术、关键基础设施和重要领域信息系统及数据的安全可控;加强网络管理,防范、制止和依法惩治网络攻击、网络入侵、网络窃密、散布违法有害信息等网络违法犯罪行为,维护国家网络空间主权、安全和发展利益。

Promulgated by the Standing Committee of the National People's Congress, effective on July 1, 2015
Article 59 The State shall establish systems and mechanisms for national security review and supervision, and shall carry out national security review of foreign investment, specific items and key technologies, network information technology products and services, construction projects involving national security matters, and other significant matters and activities that affect or may affect national security, so as to effectively prevent and neutralize national security risks.

第五十九条 国家建立国家安全审查和监管的制度和机制,对影响或者可能影响国家安全的外商投资、特定物项和关键技术、网络信息技术产品和服务、涉及国家安全事项的建设项目,以及其他重大事项和活动,进行国家安全审查,有效预防和化解国家安全风险。
Anti-Terrorism Law
中华人民共和国反恐怖主义法

Article 18 Telecommunications service operators and internet service providers shall provide technical support and assistance, such as technical interfaces and decryption, to public security organs and state security organs lawfully preventing and investigating terrorist activities.

第十八条 电信业务经营者、互联网服务提供者应当为公安机关、国家安全机关依法进行防范、调查恐怖活动提供技术接口和解密等技术支持和协助。

Article 19 Telecommunications service operators and internet service providers shall, in accordance with laws and administrative regulations, implement network security and information content supervision systems and security technical precautions to prevent the dissemination of information containing terrorist or extremist content; where such information is found, they shall immediately halt its transmission, preserve the relevant records, delete the relevant information and report to the public security organs or relevant departments. …

第十九条 电信业务经营者、互联网服务提供者应当依照法律、行政法规规定,落实网络安全、信息内容监督制度和安全技术防范措施,防止含有恐怖主义、极端主义内容的信息传播;发现含有恐怖主义、极端主义内容的信息的,应当立即停止传输,保存相关记录,删除相关信息,并向公安机关或者有关部门报告。...

Promulgated by the Standing Committee of the National People's Congress, effective on January 1, 2016
Circular of the Cyberspace Administration of China on Seeking Public Comments on the Measures for Evaluating the Security of Transmitting Personal Data and Important Data Overseas (Draft for Comment) (2017)
国家互联网信息办公室关于《个人信息和重要数据出境安全评估办法(征求意见稿)》公开征求意见的通知

Article 2 Network operators shall store within the territory of the People's Republic of China the personal data and important data collected and generated in the course of their operations within the territory. Where it is genuinely necessary for business reasons to provide such data overseas, a security evaluation shall be conducted in accordance with these Measures.
第二条 网络运营者在中华人民共和国境内运营中收集和产生的个人信息和重要数据,应当在境内存储。因业务需要,确需向境外提供的,应当按照本办法进行安全评估。

Article 4 Before personal data is transferred overseas, the data subjects shall be informed of the purpose, scope and content of the transfer, the recipient, and the country or region in which the recipient is located, and their consent shall be obtained; the overseas transfer of a minor's personal data requires the consent of the minor's guardian.
第四条 个人信息出境,应向个人信息主体说明数据出境的目的、范围、内容、接收方及接收方所在的国家或地区,并经其同意。未成年人个人信息出境须经其监护人同意。

Released for public comment by the Cyberspace Administration of China on April 11, 2017
Article 8 The security evaluation of an overseas data transfer shall focus on the following seven items:

第八条 数据出境安全评估应重点评估以下内容:
[…]

2. the personal data involved, including its quantity, scope, type and sensitivity, and whether the data subjects have consented to the overseas transfer of their personal data;

(二)涉及个人信息情况,包括个人信息的数量、范围、类型、敏感程度,以及个人信息主体是否同意其个人信息出境等;

[…]

Article 9 Where the data to be transferred overseas falls under any of the following circumstances, the network operator shall report to the competent or regulatory authority of its industry, which shall organize a security evaluation:

第九条 出境数据存在以下情况之一的,网络运营者应报请行业主管或监管部门组织安全评估:

(1) the data contains, or cumulatively contains, the personal data of 500,000 or more individuals;

(一)含有或累计含有50万人以上的个人信息;

(2) the data volume exceeds 1,000 GB;

(二)数据量超过1,000GB;

[…]

(5) a critical information infrastructure operator provides personal data or important data to overseas parties; …

(五)关键信息基础设施运营者向境外提供个人信息和重要数据;...
Article 11 Data shall not be transferred overseas in any of the following circumstances:
第十一条 存在以下情况之一的,数据不得出境:

(1) the data subjects have not consented to the overseas transfer of their personal data, or the transfer may infringe their personal interests; …
(一)个人信息出境未经个人信息主体同意,或可能侵害个人利益;...

Article 16 The security evaluation of overseas transfers of personal data and important data collected and generated by other individuals and organizations in the course of operations within the territory of the People's Republic of China shall be carried out with reference to these Measures.
第十六条 其他个人和组织在中华人民共和国境内收集和产生的个人信息和重要数据出境的安全评估工作参照本办法执行。
Circular of the Ministry of Industry and Information Technology on Clearing Up and Regulating the Internet Access Service Market (2017)
工业和信息化部关于清理规范互联网网络接入服务市场的通知(工信部信管函[2017]32号)

(2) 4. Unlawful cross-border business: without the approval of the competent telecommunications authority, no party may set up on its own or lease private lines (including virtual private networks, VPNs) or other channels to carry out cross-border business operations. Basic telecommunications enterprises shall maintain centralized user files for the international private lines they lease to users, and shall make clear to users that such lines are for the users' internal office use only and may not be used to connect to domestic or foreign data centers or business platforms for the purpose of carrying out telecommunications business operations.

(二)4.违规开展跨境业务问题。未经电信主管部门批准,不得自行建立或租用专线(含虚拟专用网络VPN)等其他信道开展跨境经营活动。基础电信企业向用户出租的国际专线,应集中建立用户档案,向用户明确使用用途仅供其内部办公专用,不得用于连接境内外的数据中心或业务平台开展电信业务经营活动。

Promulgated by the Ministry of Industry and Information Technology, effective on January 17, 2017
Real Property Ownership Information

Basic real property registration information (including property ownership and mortgage particulars) is now closed to public inspection and is available only to interested parties, government agencies and parties to litigation or arbitration cases.

The registration authority and its staff are prohibited from disclosing registration information except as stipulated by the relevant regulations.
Household/Hukou Registration Information

There is no national law or regulation governing the protection of household/hukou information.

Local regulations are in place that restrict access to hukou information to government agencies, practicing lawyers who need hukou information to handle cases, and citizens accessing their own household information.
Vehicle Registration Information

Regulations on the Registration of Motor Vehicles (2012)
《机动车登记规定》

Article 25 The dates of registration and discharge of a pledge of a motor vehicle may be made available for public search.
Immigration Records

The PRC Exit and Entry Administration Law imposes administrative penalties on staff members in charge of exit and entry affairs who disclose personal information obtained in the course of their duties.
AIC Registration Records

There are two categories of enterprise registration records: (i) registration information and (ii) original copies of book archives (书式档案). Only the registration information is public.

Access to the original copies of registration files is restricted to public security, public prosecution, judicial and national security organs, and to practicing lawyers with respect to the relevant cases they are handling.
Telecommunications Data

Without the consent of users, telecommunications business operators and internet information service providers may not collect or use users' personal information.

Telecommunications business operators and internet service providers and their staff shall keep strictly confidential the personal data collected and used in the course of providing services, shall not disclose, tamper with or destroy it, and shall not sell or unlawfully provide it to other parties.

Recent reported cases in China:
Checklist for ACFE Investigating Fraud in China

• Does the data relate to an individual?

• If so, has the personal data been obtained from a public source? (e.g., the Internet)

• If not, has the personal data been obtained from a database or registry maintained by a
government authority or institution?

• Was the information sourced from government records? Were such records public or
closed to the public subject to special conditions? Were the special conditions satisfied?

• Was the personal data obtained by a third party for valuable consideration?

• Was there an engagement letter with the third party? Did it contain a “no confidential
personal data” clause? (See next slide for a sample clause.)

“No Confidential Personal Data Clause” for Third Party Services Contracts in China

“During the performance of the services under this Agreement, Party B shall not provide Party A with any personal data the confidentiality of which is protected by laws and regulations and which has not been obtained by lawful means.”
THANK YOU
Troutman Sanders LLP
Edward Epstein / 葉德華
Managing Partner, Shanghai; Partner, Hong Kong

Shanghai Office: 25/F, 688 Square, 688 Nanjing West Road, Shanghai 200041, 86.21.6133.8989
Hong Kong Office: 34/F, Two Exchange Square, 8 Connaught Place, Central, Hong Kong, 852.2533.7888

ATLANTA • BEIJING • CHARLOTTE • CHICAGO • HONG KONG • NEW YORK • ORANGE COUNTY • PORTLAND • RALEIGH
RICHMOND • SAN DIEGO • SAN FRANCISCO • SHANGHAI • TYSONS CORNER • VIRGINIA BEACH • WASHINGTON, D.C.