As a fast-developing economy in Asia, China maintains its advantage in adopting advanced technologies and encourages innovation to drive the development of the economy and improve the life quality of the citizens. An innovation-friendly regulatory environment drives the growing number of organizations in adopting advanced technologies, which is changing the consumer markets and people's lifestyles. Companies across China leverage the new technologies, such as cloud platforms, big data, and IoT, in their digital transformation, to benefit their customers and employees.

Security:
To adapt to the fast-changing cyber landscape and protect the infrastructure from security incidents, the China Cybersecurity Law (CSL) has been in effect since June 2017. The CSL deeply impacted the cybersecurity regulatory environment in China. All network operators must comply with the CSL. To facilitate the implementation of the CSL, the Classified Protection of Cybersecurity Scheme (Multi-Level Protection Scheme (MLPS) was updated to version 2.0 in December 2019. China Data Security Law (DSL) was further introduced in September 2021 to stipulate the security of data related activities in mainland China such as collection, storage, processing, usage, provision, trading and publishing, etc.

China Cybersecurity Law
The introduction of the Cybersecurity Law raised the bar for companies doing business in China in terms of cybersecurity, data protection, and privacy. There are several major obligations stipulated in this Law, including the network security operation, protection of important data and personal information, security monitoring, contingency management, content security, and real-identity verification. All network operators in China are required to adopt the classified protection in cybersecurity protection.

Classified Protection of Cybersecurity Scheme
The Classified Protection of Cybersecurity Scheme (Multi-Level Protection Scheme (MLPS) is a regulatory scheme designed to protect the cybersecurity of networks and systems in China. Under China Cybersecurity Law, network operators in China must protect the network and the system components from interruption, damage, unauthorized access with a tiered concept to avoid any data leakage, manipulation, and eavesdropping. It is compulsory for all companies and individuals that own, operate, or provide services relating to network and corresponding system components in China to follow the national standards under the MLPS scheme. MLPS was first introduced in 2008 and updated to MLPS 2.0 in 2019.

As the cloud provider with the most significant market share in China, Alibaba Cloud is well-positioned to assist customers in navigating the regulatory environment in China efficiently and economically. For more information, please refer to Alibaba Cloud Information Security Solution and Alibaba Cloud MLPS 2.0 Solution page.

Privacy:

China Personal Information Protection Law (PIPL) was into effect on 1 November 2021, which regulates the data related activities pertaining to personal data. It is the first law framework over personal data protection in mainland China to protect personal information rights and interests, regulate the processing of personal information, and promote the reasonable use of personal information. Other than PIPL, the data protection requirements can also be found in various regulations, including:
-The Decision on Strengthening Online Information Protection, effective from 28 December 2012, is to protect online information security and safeguard the citizen’s personal information and privacy.
-Cyber Security Law (CSL), effective from 1 June 2017, has established essential concepts of personal information protection.
-The Civil Law, effective from 28 May 2020, clarifies the boundary between privacy and personal information, and stipulates the requirements that personal information processors should comply with when processing personal information

In addition to the PIPL and CSL, there are also some guidelines serving as best practices on data protection, including:
-Personal Information Security Specification (replacing the 2017 version), effective from 1 October 2020
-Guidelines on Internet Personal Information Security Protection, effective from 19 April 2019
-The Draft Version of Guidelines on Personal Information Security Impact Assessment, released on 13 June 2018

Other laws and regulations will also apply, including general provisions in the Tort Liability Law, PRC Criminal Law, and PRC Consumer Rights Protection Law, as well as specific regulations on personal information obtained by financial institutions, telecom, internet service, healthcare, and mailing services.