
CHAMBERS GLOBAL PRACTICE GUIDES

Cloud Computing 2024

Definitive global law guides offering comparative analysis from top-ranked lawyers

China: Law & Practice

Vincent Wang, Xinyao Zhao and Lewis Chen, Global Law Office

CHINA

Law and Practice

Contributed by:

Vincent Wang, Xinyao Zhao and Lewis Chen

Global Law Office

Contents

1. Data Privacy Regulations p.5

1.1 Data Privacy and Cloud Computing p.5

1.2 Data Privacy and Cross-Border Transfers p.8

1.3 Penalties for Non-compliance With Data Privacy Regulations p.9

2. Data Security Measures p.10

2.1 Data Security and the Cloud p.10

3. Data Ownership and Control p.12

3.1 Data Ownership in Cloud Agreements p.12

3.2 Data Portability p.13

3.3 Data Retention and Deletion p.13

4. Vendor Management p.14

4.1 Due Diligence p.14

4.2 Data Protection in Cloud Service Agreements p.14

4.3 Data Processing Agreements and the Cloud p.15

4.4 Exit Strategies and Data Migration p.15

5. Data Breach Notification p.16

5.1 Requirements to Report Data Breaches p.16

5.2 Investigating and Remedying Data Breaches p.17

5.3 Notifying Data Breaches p.17

6. International Data Transfers p.18

6.1 Cross-Border Transfer Regulation p.18

6.2 Data Localisation p.18

6.3 Conflicts of Law p.19

7. Compliance and Audits p.19

7.1 Cloud Computing and Compliance/Audits p.19

2 CHAMBERS.COM

CHINA Law and Practice

Contributed by: Vincent Wang, Xinyao Zhao and Lewis Chen, Global Law Office

Global Law Office (GLO) dates back to the establishment of the Legal Consultant Office of China Council for the Promotion of International Trade (CCPIT) in 1979. With the approval of the Ministry of Justice of the People’s Republic of China, it was renamed “China Global Law Office” in 1984, signalling its commitment to an international perspective and full engagement with the global community. Through over four decades of dedicated effort and growth, GLO has emerged as a leading, full-service law firm within China’s legal landscape. From its inception, GLO has embraced the mission of “serving domestic and foreign clients with a globalised vision, globalised team, and globalised quality”. This commitment has allowed it to consistently maintain a position at the forefront of the industry, even amidst the dynamic and ever-evolving global economic environment.

Authors

Vincent Wang is a partner at Global Law Office, working in the Shanghai office. His practice encompasses a wide range of industries, with particular expertise in navigating novel and complex legal challenges in the TMT sector. Examples of the industries Vincent covers include telecommunication, ecommerce, cybersecurity and data protection, electronic payments, internet-related businesses, high technology manufacture and engineering, new and emerging technologies (such as AI, blockchain, crypto-currency, IoTS, e-mobility, cloud computing, etc), e-automotive, new media and streaming entertainment, food and beverage, agriculture and farming, and cross-border trade and investment.

Xinyao Zhao is of counsel at Global Law Office. Xinyao is based in the Shanghai office, which she joined in 2018. Her main practice areas include cyber and data security, personal information protection, and corporate regulatory compliance. She specialises in advising both multinational and domestic companies in areas including telecoms, internet-related industries, IoT, automotive, ecommerce, fintech and healthcare. She has advised well-known international companies in completing their data compliance projects, providing support throughout the implementation process. Additionally, Xinyao has assisted domestic companies with their overseas business development in the USA, Europe, and Southeast Asia, focusing on data privacy compliance.


Lewis Chen is a mid-level associate at Global Law Office, based in the Shanghai office. His main practice areas cover privacy and data protection, fintech and TMT. He has participated in legal projects for well-known international companies including ByteDance, GE, PwC, etc, covering fintech, automobile, eCommerce, IoT, consulting and other industries. He has also assisted clients with legal matters relating to compliance investigations and mitigation, risk assessment, and the preparation of legal documents. Prior to joining Global Law Office, Lewis worked for a leading international law firm in Shanghai, focusing on data protection and fintech.

Global Law Office
36th Floor
Shanghai One ICC
No. 999 Middle Huaihai Road
Xuhui District
Shanghai 200031 China

Tel: (8621) 23108288 Fax: (8621) 23108299

Email: vincentwang@ Web:


1. Data Privacy Regulations

1.1 Data Privacy and Cloud Computing

Data Privacy Regulations That Are Applicable to Cloud Computing in China

In the area of data and privacy regulation, PRC law currently has the following major sources: (i) national laws, (ii) administrative regulations and rules, and (iii) national standards.

At the level of national laws, the Cyber Security Law of the PRC (CSL), the Data Security Law of the PRC (DSL), and the Personal Information Protection Law of the PRC (PIPL) are three fundamental laws regulating data and privacy issues, which are applicable to cloud computing and relevant data processing activities in the PRC.

Those three national laws are implemented mainly by administrative regulations, rules and regulatory documents issued by the competent regulatory governmental agencies. For example, the Measures on Assessing the Security of Cloud Computing Services specifies the security requirements of the Cyber Security Law and the Data Security Law in the scenario where the cloud computing services are provided to the administration agencies, the operators of Critical Information Infrastructure (CII) and the party offices.

In addition, the national standards, compulsory and recommended, also play an important role in implementing those three laws from the perspective of technical, organisational and law-fulfilling measures. The compulsory standards establish the minimum requirements for legal compliance, while the recommended standards showcase best practices. For example, the Information security technology – Security guidance for cloud computing service (GB/T 31167-2023) provides recommendations and guidance on security management and technical measures to protect data on the cloud through its lifecycle.

Another unique security requirement applicable to the cloud services hosted in China is the Multi-Layer Protection Scheme (MLPS). MLPS is a requirement imposed in accordance with Article 21 of the CSL and focuses on the infrastructure security of the cloud service that facilitates the protection of the data and personal information processed in the cloud service.

Definition of Personal Data and Sensitive Data

Note that in this guide, personal data and personal information, sensitive data and sensitive personal information are used interchangeably with the same meaning.

According to Article 4 of the PIPL, personal data refers to all types of information of identified or identifiable individuals recorded in electronic or other means, excluding anonymous information.

According to Article 28 of the PIPL, sensitive personal data refers to personal data, the leakage or illegal use of which could easily result in damage to the dignity of an individual, or harm to personal body and property, including biometric information, religion, specific identities, medical and health information, financial accounts, location tracking data, as well as the personal data of minors under the age of 14.

Requirements for Processing Personal Data in the Cloud

The data processor under the PIPL is the counterpart of the data controller under the GDPR, and the processing contractor of a data processor is the counterpart of the data processor under the GDPR. As it is inevitable to distinguish the data controller and the data processor in the cloud environment, for convenience of non-PRC readers, we are using the terms “data controller” and “data processor” of the GDPR in this guide in our responses to the questions about the PRC law.

Therefore, in this article, we are using “data controller” to refer to the “personal information processor” that can autonomously decide the purpose and method of processing data under the PRC law; and “data processor” to refer to the “processing contractor” that is processing data upon the request of the controller.

Chinese laws and regulations do not provide special requirements for processing personal data in the cloud. Processing personal data in the cloud is subject to the same requirements provided in the PIPL for processing personal data in general.

Under the PIPL, the primary requirement for processing personal data is consent or separate consent. There are also legally defined exceptional processing scenarios where no consent or separate consent is required.

Consent and the requirement

Under Article 13 of the PIPL, processing personal data should have a proper legal basis, including consent, or other legal bases that may allow for consent to be waived as illustrated below. To ensure informed consent is obtained, before processing their personal data, a controller must inform individuals truthfully, accurately, and fully of the following information in a prominent way and in clear and plain language:

• the controller’s name and contact details;

• processing purposes, methods, information types processed and storage period (which must be the shortest time required to fulfil the processing purpose);

• the option and procedure for individuals to exercise the statutory rights regarding their personal data; and

• other matters required by laws and administrative regulations.

Separate consent and the requirement

Under the PIPL, there are several processing activities that require separate consents, including processing sensitive personal data, cross-border transfers of personal data, providing personal data to a third party, publicly disclosing personal data, etc. While the PIPL itself lacks a precise definition of “separate consent”, practical guidance can be found in the recommended national standard GB/T 42574-2023 (Information security technology – Implementation guidelines for notices and consent in personal information processing). This standard clarifies that separate consent signifies a specific, explicit agreement given by the individual solely for a particular processing activity concerning their personal data. Crucially, it does not encompass blanket consent given for multiple processing purposes simultaneously.

Exceptional consent-waiving processing

In addition to consent, the PIPL allows data controllers to process personal data based on several alternative legal grounds:

• where processing is necessary for:

(a) entering into or performing the contracts to which the individual is a party;

(b) managing human resources in accordance with labour rules or policies or collective employment contracts that are formulated or concluded lawfully;

(c) fulfilling statutory duties or responsibilities; and/or

(d) responding to public health incidents, or protecting the life, health and property security of individuals in urgent situations;

• processing personal data for the purpose of news reporting or public opinion-based oversight for the public interest, provided it remains within a reasonable scope; and

• processing the personal data disclosed by an information subject or otherwise lawfully disclosed, provided it remains within a reasonable scope in accordance with the PIPL.

Under these processing conditions, consent can be waived.

Obligations for Data Controllers and Processors in the Cloud Environment

Under PRC law, data controllers should undertake primary legal responsibilities regarding processing personal data, and data processors shall provide necessary assistance for compliance. That is because, in cloud services, data controllers are the customers (cloud tenants or platform users), and their technical capability to comply with the law will be subject to the technical limit provided by the cloud service providers (as data processor).

Data controller’s obligations

According to the PIPL, data controllers using the cloud services are subject to the following key obligations:

• Lawfulness and transparency: According to Article 13 and Article 17 of the PIPL, data controllers must ensure that personal data is processed on a lawful basis and disclose data processing activities transparently to data subjects. This includes providing clear information about the purpose, method, and scope of data processing.

• Data security: As stipulated in Article 51 of the PIPL, and Articles 6 and 7 of the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020), data controllers must implement adequate technical and organisational measures to ensure the security, integrity, and confidentiality of data. This includes using security measures such as encryption, anonymisation, access controls, and audit logging.

• Responding to data subject requests: Under Articles 45, 46, and 47 of the PIPL, data controllers are required to establish effective mechanisms to ensure that data subjects can easily exercise their legal rights, including for example, the right of access, correction, deletion, and the right to object to processing.

• Data breach notification: In the event of a data breach, Article 57 of the PIPL mandates that data controllers must take immediate remedial actions and notify both the data protection authorities and affected data subjects.

In the cloud environment, data controllers may expect data processors to provide data compliance measures or offer the technical mechanisms or flexibility to allow them to implement such measures independently. Therefore, cloud service providers, as data processors, may need to understand and anticipate such potential requirements in advance.

Data processor’s obligations

Data processors, usually the cloud service providers, are responsible for processing personal data on behalf of data controllers. Their obligations should be geared toward supporting the controller’s compliance efforts and ensuring data protection standards are upheld, including:


• Processing in accordance with instructions: Per Articles 21 and 59 of the PIPL, data processors must strictly follow the data controller’s instructions and must not process data beyond the scope authorised by the controller.

• Co-operation obligations: Under Article 59 of the PIPL, data processors are obligated to assist data controllers in fulfilling their legal responsibilities, such as providing necessary data for data subject requests.

• Sub-processor management: Under Articles 21 and 59 of the PIPL, if data processing tasks are subcontracted to other service providers, data processors must obtain prior written consent from the data controller and ensure sub-processors comply with applicable data protection requirements.

• Data deletion or return: Under Articles 21 and 47 of the PIPL, upon termination of the processing contract or conclusion of services, data processors must delete or return all personal data as instructed by the data controller and ensure no copies are retained.

1.2 Data Privacy and Cross-Border Transfers

CSL, DSL, and PIPL provide a general framework for cross-border data transfers. In addition to those three fundamental laws, a recent regulation, the Provisions on Promoting and Regulating Cross-border Data Flows, has been in effect since March 2024, further facilitating the cross-border transfer of personal data and other types of data outside of China. These laws apply to cross-border data transfers in the cloud environment as well.

According to the above laws, data controllers should undertake the legal obligation concerning cross-border data transfers in the cloud, and data processors should comply with data controllers’ instructions concerning cross-border transfers (for example, the instruction of not transferring personal data outside of China).

Below is a summary of the key PRC laws with respect to cross-border data transfers:

• Regulatory mechanism regarding cross-border transfers of personal data: Data controllers transferring personal data outside of China should choose a proper compliance mechanism. Under Article 38 of the PIPL, such mechanisms include applying for a security assessment, signing the Chinese standard contractual clauses with the foreign data recipients, obtaining personal information protection certification, or meeting other conditions prescribed by the relevant laws and regulations or the Cyberspace Administration of China (CAC). Under the regulatory framework, the Provisions on Promoting and Regulating Cross-border Data Flows provide exemptions, in the hope of making cross-border data transfers easier for international businesses relating to China.

• Notification and separate consents: Before carrying out any cross-border transfer of personal data, the data controller must notify the data subjects about the details of the cross-border data transfer, and obtain separate consents from the data subjects, unless the data controller can rely on a legal basis other than consent of a data subject, as outlined in Article 13 of the PIPL.

Cloud providers as data processors must collaborate with data controllers to ensure that the data transfer arrangements meet Chinese regulatory requirements. This involves aligning cloud security protocols with Chinese standards and providing support for assessments that should be completed by the data controller under the regulatory mechanism. Data controllers are advised to include specific clauses in their contracts with cloud service providers to address cross-border data transfer obligations. Please see details in 3. Data Ownership and Control.

1.3 Penalties for Non-compliance With Data Privacy Regulations

Chinese data privacy laws do not impose penalties specifically for data controllers and data processors in the cloud environment. In practice, the penalties vary depending on the role of the legal entities. Below are penalties applicable to each role under Chinese laws and regulations.

Penalties for Data Controllers

Data controllers bear primary responsibility for ensuring the legality, security, and transparency of personal data processing activities. The penalties for non-compliance include administrative penalties, civil liabilities, and criminal liabilities in severe cases.

• Administrative penalties: According to Article 66 of the PIPL, data controllers can face warnings or substantial fines, up to RMB50 million or 5% of the previous year’s annual turnover for severe infractions. Regulatory authorities may issue corrective orders requiring data controllers to immediately rectify any identified violations. In serious cases, authorities may order suspension or termination of specific data processing activities, potentially leading to significant business disruption. Profits derived from non-compliant data practices may also be confiscated.

• Civil liability and criminal liability: Data subjects whose rights have been harmed can sue data controllers for compensation. In case of severe violations, data controllers may face criminal charges. Penalties may include imprisonment of responsible individuals, criminal fines, and other legal consequences.

Penalties for Data Processors

Data processors, usually cloud service providers, are responsible for processing personal data according to the instructions of the data controllers. Processors can also face significant penalties for non-compliance.

• Administrative penalties: As is the case with data controllers, authorities can require data processors to rectify non-compliant behaviours. Although data processors generally face lower fines compared to those of data controllers, repeated, multiple or serious non-compliance can still lead to substantial penalties, including fines, warnings, or even suspension of services under the PIPL and other applicable laws. For severe violations, regulators may order data processors to suspend or cease processing activities or confiscate any illegal profits.

• Civil liability and criminal liability: In some cases, data processors may be held liable with data controllers or independently for damages suffered by data subjects or other legal entities and individuals concerned. This may happen when processors fail to follow controllers’ instructions or neglect their own security responsibilities. For example, if a processor’s negligence leads to data breaches, affected individuals may file claims for compensation against both the data controller and the processor. Data processors involved in illegal activities, such as unauthorised sale or misuse of personal data by the data processor deliberately, may face criminal prosecution. This includes fines, imprisonment, and other criminal sanctions.


2. Data Security Measures

2.1 Data Security and the Cloud

Security Measures Required by the PRC Law for Data Stored in the Cloud

The security of the cloud computing environment is jointly safeguarded by cloud service providers and their customers. The CSL requires operators to take security measures to protect the security of the cloud and services derived from it hosted in China and the data stored in the cloud:

• According to Article 10 of CSL, operators should comply with laws and regulations and compulsory national standards to adopt technical measures and other necessary measures, in order to ensure the security and availability of cloud services and other services derived from it, and to ensure the integrity, confidentiality and availability of the data processed in the cloud and the services derived from it.

• Article 21 of the CSL imposes a general requirement regarding data security measures to protect the security of networks and the integrity, confidentiality and availability of data processed in the cloud and the services derived from it, including: (i) measures to prevent computer viruses, cyber-attacks, network intrusions and other activities that endanger cybersecurity; (ii) measures to monitor and record network operation and cybersecurity events, and maintain the cyber-related logs for no less than six months; and (iii) measures such as data classification, and back-up and encryption of important data, etc.

The PIPL requires personal data controllers to take technical measures to ensure the security of personal data. Legal requirements in the PIPL apply to processing activities of personal data stored in the cloud, which are summarised below:

• Article 51 of the PIPL requires that personal data controllers shall, subject to the purpose and the method of processing personal data, types of personal data, impacts on personal rights and interests and possible security risks, take the following measures to ensure the compliance of personal data processing activities with provisions of laws and administrative regulations, and prevent unauthorised access to, and disclosure, falsification and loss of, personal data:

(a) formulating internal management systems and operating procedures;

(b) implementing category-based management of personal data;

(c) taking corresponding technical security measures such as encryption and de-identification;

(d) reasonably determining the permissions to process personal data and conducting security education and training for relevant employees on a regular basis;

(e) formulating and organising the implementation of emergency response plans for personal data security incidents; and

(f) other measures stipulated by laws and administrative regulations.

The Measures on Assessing the Security of Cloud Computing Services stipulates measures that cloud service providers should comply with when they are providing services to the government and party offices, and the operators of CII. Article 3 of the Measures provides that the security assessment of such cloud services should concentrate on, inter alia: (i) the security of the cloud platform technology, products and supply chain; (ii) the ability to manage security effectively and the strength of the cloud platform’s security protection measures; (iii) the feasibility and ease with which customers can transfer their data; and (iv) the business continuity of the cloud service provider.

In addition, there are a few recommended national standards concerning cloud computing services that specify security measures for cloud services. For example, the standard Information Security Technology – Security Capability Requirements for Cloud Computing Services (GB/T 31168-2023) highlights the security technical measures that cloud service providers need to deploy. There are eleven types of security measures in total, including system development and supply chain, system and communication protection, access control, data protection, management of configuration, operational maintenance, emergency response, audit, risk assessment and continuous monitoring, security management and personnel, and physical and environmental security. The goal of those measures is to ensure the confidentiality, integrity, and availability of data stored in the cloud.

Encryption Standards for Data in Transit and at Rest in the Cloud

• According to the above standard GB/T 31168-2023, cloud service providers should implement encryption measures to ensure the security of data in transit and at rest in the cloud. The standard rec
