Chinese Cybersecurity Law (CCL)

What is Chinese Cybersecurity Law (CSL)


The Chinese Cybersecurity Law (CCL) provides a legislative framework to regulate the Chinese digital landscape, including the appropriate handling of personal information and important data.

This wide-reaching legislation mandates that data originating in China must be stored there, unless specific criteria are met. Should the data need to be transferred overseas for processing, the processor or ‘Network Operator’ must first conduct a security self-assessment. If the data contains personal information, individual consent is required from the data subject first; they must also be notified of who the data recipient is, the purpose, scope, content, and country the recipient resides in.

Where transfers meet the set criteria, the CCL requires network operators to entrust a government agency to conduct the security assessment and review.

Though the CCL legislation does not preclude the ability of non-domestic companies to manage Chinese data, it is vital that companies who do so ensure that they comply with, and are able to demonstrate, their adherence to these comprehensive regulations. Fortra's Classifier Suite is an important component on an organization’s broad information governance program and is a key component in addressing CCL requirements today, and as they mature over time.

There are significant fines for non-compliance with the law – potentially up to 1,000,000 RMB. Additionally, businesses can be closed, or face forfeiting their licensing to trade.

CCL At A Glance

What Is The Chinese Cybersecurity Law (CCL)?

The CCL regulates Chinese data deemed to be personal or important, as well as the organizations which collect, store, transmit, exchange and process it. 

When Did The Legislation Come Into Force

The cybersecurity legislation came into place in June 2017, with enforcement commencing across the following year. Deeper detail is available in the Information Security Technology - Personal Information Security Specification May 2018.

Who Regulates CCL? 

Cyberspace Administration of China (CAC)

What Are The Implications of Non-Compliance? 

There are significant fines for non-compliance with the law - potentially up to 1,000,000 RMB. Additionally businesses can be closed, or face forfeiting their licencing to trade.

Fortra's Data Classification Suite Suite can help you comply with CCL

How can DCS help?

DCS, the market leading data classification product, supports compliance with Chinese Cybersecurity Law by: 
  • Meeting the need as specified in CCL article 21 to 'Adopt measures such as data classification, back-up of important data, and encryption'
  • Apply visual markings and metadata to documents over a market-leading range of applications to clearly demarcate 'personal information' and 'important data'. 
  • Set intelligent classification and handling rules to ensure that data originating in China is not exfiltrated without previously obtaining customer consent. 
  • Mark information for expiry, to adhere to retention requirements. 
  • Supporting downstream 3rd party controls such as Access Control and Rights Management Solutions. 
  • Demonstrating compliance through a comprehensive reporting capability. 

How protected is your data?

Meet with one of our experts to assess your needs, and we'll walk you through our solution

Request a Demo