User Name:     Password:        Join Us
  • 1
  • 2
  • 3
  • 4
▪ China is to award whistleblowers heavily – foreign companies are more vulnerable t
▪ 130 Chinese headhunters arrested, involving breach of 200 million pieces of person
▪ Corporate Compliance Programs Evaluation Issued by US DOJ (Chinese Translation)
▪ The prospect is promising to commercialize Level-3 autonomous driving in China
▪ Intelligent and digital infrastructures are scheduled to accompany automatic vehic
▪ Will China illegalize VIEs?
▪ You cannot miss the gold rush under China's new Foreign Investment Law
▪ Data must stay in China to get classified protection under Cyber Security Law
▪ China is to fast-track law-making in autonomous driving
▪ What compliance obligations to meet to transfer data from within China?
▪ Chinese government uses digital forensics technology to dig bribery evidence
▪ A Chinese medical device distributor fined CNY 50,000 for bribing with Moutai
▪ How would Chinese E-commerce Law affect you (1)?
▪ Conflict between the culture and the Party’s rules: $70 gift money got a director
▪ "Excessive Pricing" from perspective of Competition Law
▪ Does China prohibit cross-border transfer of scientific data?
▪ Hypermarket Caesar jailed for ten years for giving “reward for go-between”
▪ How is environmental protection tax collected in China?
▪ China Redefined Bribery Anticompetitive in Nature
▪ China is to amend its Constitution
▪ Chinese government vowed to crack down on bribe givers more harshly
▪ China has its own Dodd-Frank; the award for whistleblower could be US$ 80K
▪ Chinese government may LIUZHI a suspect of wrongdoing
▪ Cooking clinical trial data is rampant and now criminally punishable in China
▪ 5th Viadrina Compliance Congress
▪ Does a compliance bird eat nothing?
▪ How Are Drugs Being Sold in China Despite the Anti-Corruption Crusading
▪ Chinese whistle-blower lauded while French boss fled out of China
▪ Life Sentence for Deputy Chief Justice of China
▪ Why Is Chinese Anti-bribery Law a Very Important Compliance Obligation?
▪ The Report on Corporate Compliance Management in China (2016)
▪ Use of "predictive coding" in eDiscovery document review…best friend or job replac
▪ Civil Fraud v. Criminal Fraud: Criminal Proceedings Not a Silver Bullet to Resolve
▪ Corrupt Chinese drug administrators jailed or executed, whose family members ended
▪ Tone from the middle cannot be ignored
▪ Is bribing a Chinese doctor bribing an FCPA governmental official?
▪ Criminal and Administrative Liability under China's Competition Laws
▪ Model Standards for Trade Association Compliance with China's AML
▪ Double Exposure to Legal Risk Under China's Competition Laws: Comments Upon the Ex
▪ New Privacy Standards for New Data
▪ Chinese Police Are Foxhunting Corrupt Officials
▪ Transfer of Personal Data Overseas from Singapore: Recent Enhanced Provisions
▪ New Guidance on Antitrust Notifications in China
▪ China Issued the Standards on the Quality Management of Using Medical Devices (Dra
▪ China Imposes Harsher Liabilities for Environmental Non-Compliance
▪ GSK Faces Two Corruption Fights in East and West
▪ European Court of Justice Abrogates Data Retention and Allows Data Detention
▪ China Is to Adopt Risk-based Supervisory Rules on Medical Devices
▪ China to Set Food & Drug Police
▪ Don't Put All Medical Eggs into One Blacklisted Basket
Home > CyberSecurity
Data must stay in China to get classified protection under Cyber Security Law

Under China’s Cyber Security Law (“CSL”), there are compliance obligations or privileges. Obligation means the basic requirements to meet, any short of which will subject you to punishment.  Privilege means the extra benefits nice to have, any short of which could make you less competitive.  

Classified protection (“CP”) is a mechanism that is both obligation and privilege.  To be certified under CP, you would have prima facie evidence that your network system meets the basic safety requirements under the CSL. You can even use the CP certification to fend off some possible investigation or punishment.  On the other hand, CP can help check out the vulnerabilities of a network system to the effect that loopholes can be effectively plugged up. However, CP does not go without “shortcomings”, one of which is that you must not store your data outside China – it could be a problem for many MNCs.

How is CP conducted?

Under the CP, computer info systems are categorized from Level 1 to Level 5.  The higher the level, the more requirements in compliance.  The government-appointed inspection entities (which need a license) do inspection and decide which level a network system is at, and advise where is vulnerability.  Then consultation entities would help take remedial actions to tackle vulnerabilities in IT and internal control.  Although a consultation entity does not need a license as the inspection entity does, the consultation entity has to have capacity in both IT and risk management.

We might be the first (and/or only) bunch of lawyers in providing CP related consultation services.

A live report that Dentons Shanghai Office provided consultation services on CP under CSL

Why is CP important?

Why is CP important?  Simply, CP can help plug loopholes and tackle vulnerabilities.  We may learn the importance of CP from the opposite cases below.

In February of 2018, Code repository GitHub was hit by a distributed denial of service (DDoS) attack which peaked at 1.35Tbps via 126.9 million packets per second.

According to a statement the incident occurred on February 28 and persisted for around nine minutes and originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.  

“The first portion of the attack peaked at 1.35Tbps [between 17:21 and 17:30 UTC] and there was a second 400Gbps spike a little after 18:00 UTC,” said Sam Kottler, manager of Site Reliability Engineering.

This attack registered even larger than the peak of the attack on Dyn in 2016, according to Wired.

By the end of February of 2018, there were 25,000 Memcached servers in China exposed on the Internet.  A practical solution against mass-infiltration of Memcached servers would be nothing but CP under CSL.


In 2015, Fiat Chrysler issued a safety recall affecting 1.4 million vehicles in the US, after security researchers showed that one of its cars could be hacked.  The hackers had taken control of a Jeep Cherokee via its internet-connected entertainment system.  As a result, Chrysler issued a voluntary recall to update the software in affected vehicles.

From the cases above, you may realize that TP is not just something nice to have.  It is an insurance or a golden shield to manage risks and fend off liabilities.  

In addition, CP is just threshold for network safety.  Different network systems may have some peculiar features.  CP for a code repository like GitHub should be different from CP for autonomous driving in many dimensions such as how to determine levels and how to deal with vulnerabilities.  For the next step, it might be necessary to develop some CP guidance for some special sectors such as autonomous driving. 

Is CP compulsory?

The answer is yes for a critical information infrastructure (“CII”).  CSL provides for a compulsory CP inspection for CII once a year.

CSL defines CII as the network system in the sectors of public telecommunication and information service, energy, communication, water resource, finance, public service and electronic public service. Once a CII is sabotaged, great and irreparable damages could be caused.  China is drafting implementation rules for CSL which will provides a detailed description of what a CII is.

CP is not compulsory for non-CII – some non-CII takes CP as the privilege for extra protection especially for those which rely on the Internet in delivery of products and services, which could be then punished for not doing well under CP.  For example, the network system of an information technology company was assessed at Level 3 in 2015 and then put into use thereafter.  A Level 3 system (and above) must be inspected every year. However, the information technology company did not go through a fresh inspection in 2016 and thus got punished (with an official reprimand and the order to take remedial action).

Where is the place to store data?

According to CSL, CII must store its personal identifiable information (“PII”) and important data in nowhere but China.  CSL does not provide such requests to non-CII. However, in order to get certified under CSL for CP, a company (CII or not) will have to move back its data from outside China into China.  Otherwise, the company could not get certified under the CSL for CP.  

This practice has made non-CII not distinguishable from CII in relation to where to store PII or important data.  What is more important, a company (especially an MNC) having data move in and outside of China must plan well between business and compliance with CSL.

- Henry Chen, licensed to practice law in China and New York, is a senior partner of Dentons Shanghai Office.  Before joining Dentons, Henry was AP Compliance Director of Ford.  Henry is the legal counsel of one of the biggest Internet search engine companies for its autonomous driving projects covering data integrity and security, protection of commercial secrets under the context of cyber security, compliance with Cyber Security Law, autonomous survey and mapping, privacy, risk management on autonomous driving accidents and car call-back, risk management on network penetration and safety.  In addition to TMT areas, Henry also handles traditional compliance issues on FCPA, anti-fraud investigation, compliance management system, corporate matters and dispute resolutions.

Tweet Like Email LinkedIn
There are no comments for this journal entry. To create a new comment, use the form below.
    Enter your information below to add a new comment.
Email:    (optional)
URL:    (optional)
Code: *
  Comment Moderation Enabled
Your comment will not appear until it has been cleared by a website editor.
The Compliance Reviews COPYRIGHT © 2013-19 All Rights Reserved. Supported by International Risk and Compliance Association and International Risk and Compliance Institute Limited. 沪ICP备10034943号-8