China's cybersecurity regulators are now taking their first steps to verify organisations' (including foreign businesses') compliance with China's cybersecurity laws. As anticipated, the focus is on businesses that have an online presence in China. The PSB (the Public Security Bureaus, who have taken on the enforcement role under the Cybersecurity Law) are proactively conducting systematic checks on whether organisations with a website, or other online services delivered via a domain, have the required PSB filling in place (which is separate, and in addition, to an ICP recordal/filing), and issuing warnings to businesses who have failed to do so.
At the same time, these organisations are being asked to complete a comprehensive cybersecurity compliance questionnaire to confirm whether various security, data protection, record retention and content control measures have been implemented. We are aware the questionnaire is being distributed by the PSB collectively to multiple organisations via different channels, including using social media and instant messaging platforms and applications. This enforcement campaign started in various Shanghai districts and is anticipated to be expanded to other regions and provinces soon.
Next steps for organisations:
- Check whether you have in place the requisite ICP recordals/filings (bei’an) and PSB fillings (bei’an) for your websites and domains in China (an application should be made to the PSB within 30 days of any website/domain going live).
- Prepare and brief your business teams now, as completion of the questionnaire will require input from IT/technology, compliance and legal teams.
- Gather information on your cybersecurity policies, procedures and practices to aid completion of the questionnaire.
- Manage and support your on-the-ground China teams to handle effectively communications and dialogue with the PSB/government officials.
This is the first large-scale enforcement step by the PSB to ensure compliance with China cybersecurity laws, and we anticipate more activities to follow in the near future. Notably, this marks a significant shift in the PSB's approach, from targeted investigations to widespread compliance checks on all businesses on a regional basis. Organisations must continue to monitor developments closely, and be prepared to address any audit requests or investigations as regards its cybersecurity compliance status.