China’s Cybersecurity Regulations: A Guide to Compliance
======================================================
As the world becomes increasingly digital, companies operating in China must ensure compliance with the country’s robust cybersecurity regulations. Two key laws that govern data protection and privacy are the Cybersecurity Law of the People’s Republic of China (CSL) and the Personal Information Protection Law of China (PIPL).

Article 21: Network Log Retention
---------------------------------

The CSL stipulates that companies must take technical measures to monitor and record network operation status and network security events, retaining relevant logs for at least six months. This requirement is designed to help authorities respond quickly to cyber threats.

Article 31: Data Storage Period
-------------------------------

The Electronic Commerce Law of the People’s Republic of China requires companies to store commodity and service information, as well as transaction data, for no less than three years from the date of completion of the transaction. This rule aims to facilitate law enforcement investigations and protect consumer interests.

National Standards: Retention Periods
-------------------------------------

According to national standards, the retention period of personal information should be the shortest time necessary to achieve its purpose. This means that companies cannot retain personal data for longer than necessary.

Cross-Border Data Transfer (CBDT)
---------------------------------

Personal information must be stored within China’s borders unless a company can pass the security assessment organized by the State Cyberspace Administration. In such cases, data must be stored on the company’s standard IT infrastructure in China, either cloud-based or on-premises.

Data Localization
-----------------

China does not permit foreign cloud service providers to operate independently without obtaining a value-added telecom permit. Companies like Amazon Web Services (AWS) and Microsoft Azure have established partnerships with local Chinese companies to comply with regulatory requirements.

Architecture Compliance for Infrastructure
------------------------------------------

Companies operating in China must ensure that their infrastructure complies with the country’s regulations. This includes data center and cloud localization, as well as network service compliance.

Data Center & Cloud Localization
--------------------------------

The company has opted to use AWS as its main cloud service provider, deploying on the established Landing Zone on AWS China. The local Performance Hub undertakes bridging and data transmission of overseas connection lines.

Network Service Compliance
--------------------------

Companies operating outside of China must file for an Internet Content Provider (ICP) license when using CDN or “proxy” servers to speed up access to overseas sites. Without proper ICP filing, internet service providers may block access to the system or website.

China Compliance Strategy and Process
-------------------------------------

The company’s compliance strategy involves aligning with its overall technical and strategic goals, as well as complying with Chinese laws and standards. The company also conducts regular compliance reviews and audits involving its PIA/Legal team to ensure ongoing compliance.

Conclusion
----------

Compliance with China’s cybersecurity regulations is essential for companies operating in the country. By understanding the requirements outlined in this article, companies can ensure they are meeting their obligations and protecting their customers’ data.