Reed Smith Client Alerts

Pressure continues to increase on businesses operating in China to comply with an increasingly comprehensive and strictly enforced data privacy regulatory regime. Those companies that fail to bring their practices into compliance face ever-growing legal exposure, and the risk will only escalate after 1 December 2019, when the Chinese government implements the latest legislative update to its multi-level protection scheme (MLPS) for data security.

Overview of MLPS 2.0

As part of the ever-expanding data and cybersecurity regulatory regime in China – with the 2017 Cybersecurity Law of the People's Republic of China (CSL) as a key legal basis – the Chinese government has updated its pre-existing requirement that individual 'network operators' in China must implement and maintain an MLPS with respect to their networks. The statutory foundation for this update, which builds upon previously existing requirements dating to 1994 and 2007 (known as the MLPS 1.0 series of regulations), is found in Article 21 of the CSL, which provides in part:

'Network operators shall, according to the requirements of the multi-level protection system, fulfill [their security obligations] so as to ensure that the network is free from interference, damage or unauthorized access, and prevent network data from being divulged, stolen or falsified.'

In June 2018, the Chinese Ministry of Public Security (MPS) released the draft Regulation on the Cybersecurity Multi-level Protection Scheme, which contains specific details regarding the updated MLPS requirements (draft New Regulation). In addition, on 13 May 2019, the State Administration for Market Regulation (SAMR) released three new national standards regarding MLPS. These three new national standards, together with the draft New Regulation and other regulations and national standards that will be released, constitute what is referred to as MLPS 2.0, for they impose heightened regulatory requirements compared to MLPS 1.0.