China is strengthening its legal framework for the digital economy

Following the adoption of the Cybersecurity Law of China (CSL) on 7 November 2016 by the National People’s Congress (NPC), the legal framework for data protection and cybersecurity continues to be enhanced at a significant pace.

In November 2016, the Ministry of Industry and Information Technology released for consultation a draft Notice on Regulating the Operation Behaviors in the Cloud Service Market. The National Information Security Standardization Technical Committee (TC260) also released a number of significant draft guidelines and standards, such as the Information Security Technology — Implementation Guide for Cybersecurity Classified Protection (MLPS), which should provide an interpretation of Article 21 of the CSL and a draft of the new e-commerce law, published for comment by the NPC at the end of 2016.

Similarly, with the CSL due to be enforced from 1 June 2017, we should expect to see a strengthened legal framework for China data protection and cybersecurity this year. The Information Security Techniques — Personal Information Security Specification guidelines, drafted by the TC260, will most likely be further discussed and implemented this year, delivering a set of national standards for interpreting personal information, along with an official English translation of China’s data protection legal terminology. It remains to be seen what this will mean in practice for China’s digital economy, as well as what to expect in terms of the economic and legal impact.

Fuelling growth through China’s Internet+ strategy

To fully understand China’s approach to updating its legal framework for data protection and cybersecurity, a little context is required. One of the cornerstones of China’s economic growth prospects is the integration of the internet within the traditional economy, together with the development of new sources of income that rely solely on the internet. To support this integration and development, China’s “Internet+” plan was set in motion and is regularly updated to guide legislators and stakeholders alike.

The Guiding Opinions of the State Council on Actively Propelling the Internet+ Action Plan (July 2015) provides some insight on the legal direction of data protection and cybersecurity in China. At point III.3.4 (“Strengthening the construction of laws and regulations”), for example, the State Council clearly sets out its intention to further develop and “accelerate the formulation of laws and regulations on network security, e-commerce, personal information protection, the internet information service management and so on.” This increased acceleration in the development of data protection and cybersecurity guidelines should help contribute to the growth of the digital economy that we are currently experiencing.

Now with a broader, stronger legal framework and more guidelines to follow, companies doing business in China will need to make sure that they comply with new government regulations enforcing data protection and cybersecurity provisions. China can certainly expect a completely enhanced data protection and cybersecurity framework, driven by new legislation and guidelines. In turn, it is likely that government agencies will take measures to enforce new data protection and cybersecurity requirements to help fuel the continued growth and development of the digital economy.

EY Legal Services Contacts:



Frank Chen – China Law Leader




Fabrice Naftalski – Global Data Privacy Leader




Peter Katko – Global Digital Law Leader