China released a draft regulation governing data breaches

China released a draft regulation governing data breaches

On December 8, 2023, the Cyberspace Administration of China (“CAC”) released a Draft Administrative Measures on Reporting Cybersecurity Incidents (“Draft”), seeking public comments.

Below are key takeaways from the proposed regulations in the Draft:

Who should report

The Draft requires all “network operators” to report their “cybersecurity incidents” (mostly data breaches in practice) to the regulatory agencies. In the context of the PRC law, “network operators” cover a wide scope of organizations so long as they provide services through the Internet. As a result, companies, government agencies, and organizations in almost every industry would be required to report their data breaches (or other kinds of cybersecurity incidents) to the designated government authorities.

The Draft particularly provided that government agencies are also obligated to report their data breach incidents.

Whom to be reported

CAC and its subsidiary local (provincial and municipal) offices are set to be the authorities receiving data breach reports.

Further to CAC and its subsidiaries, police stations (when the case relates to criminal investigation) and other government departments may also need to be copied, subject to the nature of the cases.

When to report

  • For minor data breaches or similar cybersecurity incidents, the Draft did not specify an exact time frame within which the data breach shall be reported.
  • However, for “major”, “severe” or “extremely severe” data breach incidents, the Draft proposed a “1-hour” reporting requirement by default (and a 24-hour supplemental submission for certain circumstances), which may raise concerns about its practicality.
  • The “major”, severe” and “extremely severe” incidents are defined (with examples) in a Schedule to the Draft.
  • The Draft also requires organizations to further report their actions taken to eliminate or mitigate the impact of data breach or other cybersecurity incidents

Vendors’ obligations

The Draft proposed that “individuals or entities providing services to the breached organizations” are obligated to “alert” the breached organizations when they are aware of a data/cybersecurity incident.


  • Organizations failing compliance with the Draft may face administrative penalties, such as suspending business, imposing fines up to RMB50 million (or 5 percent of the violator’s turnover during the past year).
  • The Draft also allows CAC to impose fines and other penalties on individuals who are responsible for the data breach.

*          *          *          *          *

AuthorDonnie Hao DONG is a partner of Hylands Law Firm heading its practice relevant to the data and the internet industry.  A Certified Information Privacy Manager (IAPP/CIPM) and an expert in the areas of IP and IT law, Dr. Dong regularly advises MNCs on cross-border intellectual property, data privacy, related investment, and contentious matters.