June 1st, 2017 - The 'PRC Network Security Law', approved in November 2016, came into effect. The law emphasises the protection of 'critical information infrastructure' in several key industries, including a clause that obliges any information 'generated or collected' by said infrastructure to be stored within the PRC. The law also states that 'critical network equipment' and 'cybersecurity products' must be government-approved.



  • 1 harmful
  • 0 neutral
  • 0 liberalising


PRC National People's Congress, November 11th, 2016. (中华人民共和国网络安全法)

Inception date: 01 Jun 2017 | Removal date: open ended

Local operations

On June 1st, 2017, a new 'PRC Network Security Law' that was mooted in 2016 and approved that November, came into effect. The law is far-reaching; targeting the 'critical information infrastructure' of the following industries:

  • public communications and information services
  • energy
  • finance
  • transportation
  • water conservation
  • public services
  • e-governance

The law states, among other things, that any personal information 'generated or collected' by the information infrastructure in the abovementioned industries must be stored domestically. Any information that needs to be transferred overseas can only be done so with government approval.

Another clause in the text of the bill necessitates the use of PRC government-approved 'network equipment and cybersecurity products' when carrying out their business operations.

In effect, this means any firms deemed to be involved in one of the affected industries must conduct their data-related operations within the PRC and must do so with specific equipment.

This aspect of the law appears to derive from a 2015 law (see related measure) passed to combat 'terrorism' in the PRC. However, this differs in being more specific in which industries are targeted, not mentioning anything about the provision of encryption keys, and having more total clauses (which do not specifically affect international bodies, so are not detailed here).