China's New Cybersecurity Law – Also a Data Privacy Law?

(2016) 144 Privacy Laws & Business International Report 1-7

UNSW Law Research Paper No. 17-19

11 Pages Posted: 27 Apr 2017 Last revised: 13 Jul 2018

See all articles by Graham Greenleaf

Graham Greenleaf

Independent Scholar

Scott Livingston

Simone IP Services (SIPS)

Date Written: December 1, 2016


In November 2016, China’s Standing Committee of the National People’s Congress (SC-NPC) promulgated the PRC Cybersecurity Law, which will take effect on 1 June 2017. Although the law is mainly devoted to provisions concerning the security of information networks and, in particular, to mandating security procedures and requirements for ‘critical information infrastructure’ and ‘critical information infrastructure operators’ the Cybersecurity Law’s provisions relating to data privacy articulate what are China’s most comprehensive and broadly applicable set of data privacy principles to date.

These data privacy provisions reiterate many of the basic principles and requirements found in other laws and regulations, but the Law also includes new or more explicit requirements with respect to data correction rights, deletion, re-use and disclosure, breach notification to users and data localization. Still missing, however, are several common elements of other jurisdictions’ data privacy laws, such as explicit user access rights, requirements on data quality and special provisions for sensitive data. The Law also does not establish a national data protection authority. There are also uncertain questions of scope, particularly in relation to public sector bodies.

While China has long lacked a broadly applicable national data privacy law, the scope and strengthened principles of this new legislation means that it can probably now be considered to be “China’s Data Privacy Law,” with which other lower-level laws and regulations must be consistent.

This article analyses the privacy-related aspects of the Cybersecurity Law, and in particular asks what (if anything) it adds to China’s previous set of data privacy laws. Comparisons are made with China’s existing data privacy laws.

Keywords: Privacy, Data Protection, Secruity, Cybersecurity, China

Suggested Citation

Greenleaf, Graham and Livingston, Scott, China's New Cybersecurity Law – Also a Data Privacy Law? (December 1, 2016). (2016) 144 Privacy Laws & Business International Report 1-7, UNSW Law Research Paper No. 17-19, Available at SSRN:

Graham Greenleaf (Contact Author)

Independent Scholar ( email )



Scott Livingston

Simone IP Services (SIPS) ( email )

25th Floor, 3 Lockhart Road
Hong Kong
Hong Kong

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics