Data Breach Obligations Under Chinese Law

Data breaches pose serious risks for businesses operating in China, and American companies must understand the Chinese rules on breach notification. This article explains the key obligations under China’s Cybersecurity Law and Personal Information Protection Law: notification deadlines, content requirements, record keeping and penalties.

Key Laws Governing Data Breaches

China’s Cybersecurity Law (2017) introduced general breach reporting rules. The Personal Information Protection Law (PIPL, 2021) added detailed requirements. Together they set out when and how you must notify authorities and affected individuals. Compliance is vital for foreign entities processing data in China.

Notification Requirements

Under PIPL and the Cybersecurity Law, organizations must report certain breaches to regulators and inform individuals. The deadlines are strict. Below is a summary of notification timelines and recipients.

Recipient                                  Deadline
Cyberspace Administration of China (CAC)   Within 72 hours
Provincial cybersecurity authority         Within 72 hours
Affected individuals                       As soon as possible

You must start a risk assessment immediately. If the risk is minor, you still document it but may not need public notice. High-risk cases always require disclosure.

Content of Notification

Your notice to authorities must include incident time, scope, and cause. It should list compromised data categories and estimated affected users. You must describe remedial measures taken and planned steps to prevent recurrence. Notices to individuals need a clear description of possible losses and guidance on self-protection.

Record Keeping and Reporting

Chinese law demands that you keep a breach record for at least three years. The file should contain internal investigation reports, notification materials and risk assessments, and regulators may request this detailed documentation at any time. Foreign companies should store records in China or ensure immediate access offline.

Penalties and Enforcement

Violations can trigger fines, business suspensions or criminal charges. Enforcement is increasingly strict. Below is an overview of possible consequences.

Violation                        Possible Penalty
Failure to notify authorities    Up to RMB 1 million fine
False notification               Business suspension up to 30 days
Serious negligence               Fines up to RMB 50 million or 5% of revenue
Criminal misconduct              Detention or criminal prosecution

Your compliance program must include staff training, breach drills and regular audits. Early detection and prompt reporting reduce legal risk.

FAQs

Q: Does every breach require public announcement?
A: Only high-risk breaches that could harm personal rights need public notice. Low-risk cases stay internal.

Q: Can U.S. companies use notifications sent under GDPR for China?
A: No. Chinese rules differ in format, content and timelines. You must prepare separate reports.

Q: What if a breach happens outside China but affects Chinese citizens?
A: PIPL applies if personal data of Chinese individuals is processed anywhere. You must still notify Chinese authorities.

Conclusion

Understanding China’s breach obligations is essential for U.S. companies. You must follow strict timelines, notify the CAC and affected individuals, keep detailed records and prepare for enforcement. A proactive compliance program will minimize risk and strengthen trust with Chinese regulators and customers.