On November 7, 2016, the Standing Committee of China’s National People’s Congress (NPC) voted to pass the Cyber Security Law. Its draft went through three rounds of readings, and the law will become effective from June 1, 2017. This legislation provides for the Chinese government’s supervisory jurisdiction over cyberspace, defines security obligations for network operators and enhances the protection of personal information. It also establishes a regulatory regime in respect of critical information infrastructure and imposes data localization requirements for certain industries.
In this briefing, we outline the key changes it will bring about and discuss the implications for businesses in China.
Key aspects of the Cyber Security Law
1 | Network operators
The Cyber Security Law requires that network operators must comply with stringent cyber security obligations. These include having to comply with: (1) a graded protection system for network security; and (2) security protection obligations so as to protect networks from disturbance, damage or unauthorised access and to prevent network data from being divulged.
In particular, network operators are required to adopt technical measures for monitoring and recording network operation status and network security incidents, and to keep network logs for at least six months. In addition, network operators are obliged to provide technical support and assistance to public security authorities and national security authorities for security and crime investigation.
Under the Cyber Security Law, it is compulsory for network operators to verify the identity of users when providing services (such as landline and mobile subscription, Internet access and domain name registration), and not to provide such services until users have sufficiently disclosed their identity.
If there is a cyber intrusion or breach, network operators are obliged to delete personal information illegally collected or make corrections to it at the request of the person to whom the personal data relates.
2 | Key network equipment and specialised network security products
Product and service providers shall comply with the compulsory requirements of relevant national standards. The Cyber Security Law provides that “Key Network Equipment” and “Specialised Network Security Products” must be either certified or tested by a licensed security certification institution in order to ensure compliance with relevant national and industry standards. Products or services which fall within the scope of “Key Network Equipment” and “Specialised Network Security Products” are not allowed to be released into the China market unless they have passed the certification or testing process. The government will formulate and promulgate the catalogue of Key Network Equipment and Specialised Network Security Products.
3 | Critical information infrastructure facilities
An important aspect of the Cyber Security Law is that it introduces the concept of Critical Information Infrastructure Facilities. According to the Cyber Security Law, Critical Information Infrastructure Facilities are broadly defined to cover a wide range of sectors including energy, transportation, electricity, water, gas, financial institutions, medical/healthcare, and social security.
The Cyber Security Law requires that procurement of network products and services for the Critical Information Infrastructure Facilities shall pass a security assessment conducted by China Administration of Network together with other relevant governmental agencies under the State Council if the network products and services involved may affect national security. Product and service providers are also required to sign a confidentiality agreement to specify the responsibilities for network security and the confidentiality undertaking. It is also important to note that personal data and important business data generated or collected in China by the operators of Critical Information Infrastructure Facilities must be stored in China, and transfer of such data abroad is allowed if (i) there is a business need; and (ii) a security assessment is passed according to the rules issued by CAC and other relevant governmental agencies.
4 | Protection of Personal Data
The Cyber Security Law is the first legislation at the national law level which establishes the legal principles for protection of personal data. In the past, data privacy was regulated by administrative rules, judicial interpretations, government policies and non-binding industry guidelines.
The Cyber Security Law provides that network operators must safeguard the secrecy of personal data collected. The collection and use of personal data must follow the principles of legality, propriety and necessity, and data collectors must follow the legal requirements for giving notice and obtaining consent. In case of a data breach incident, the data collectors shall report to the authority and affected users should also be contacted. Companies and individuals who are directly in charge can be fined up to RMB 100,000 for failure to comply.
5 | Fighting against Cyber Crime
Compared with the previous drafts, the final version of the Cyber Security Law reinforces the provisions in relation to crackdown against cyber fraud and cyber crime. The Cyber Security Law takes a strong stance against cyber fraud and cyber crime by imposing criminal, administrative and legal penalties against individuals and entities that commit cyber fraud and cyber crime.
Implications for businesses
The issuance of the Cyber Security Law appears to be in line with recent regulatory movements in China, following the promulgation of the National Security Law, the Measures for Administration of Mobile Apps, and the Regulations for Administration of Online Publishing Services. It demonstrates the Chinese government’s intention to strengthen the regulation of Internet activities and safeguard the security of cyberspace.
The Cyber Security Law contains provisions which could have significant implications for companies doing business in China and companies are advised to understand the requirements in the Cyber Security Law to ensure that their business operations in China will comply with the Cyber Security Law when the Law takes effect from June 1, 2017.
For example, business entities which collect personal information from China will need to abide by the rules under the Cyber Security Law in handling personal information. If the business relates to the Critical Information Infrastructure Facilities, special care must be taken in relation to the data localization requirement and the security assessment procedure. Data residence requirements may be challenging for multinational enterprises if they need to transfer data cross-border in their business operations.
Another issue is that some language used in the Cyber Security Law is fairly generic and vague and further implementing rules are yet to be issued. This could create ambiguity and uncertainty as to how the Law will be interpreted and implemented in practice. For example, it is not known at present what equipment would fall into the category of “Key Network Equipment” and “Specialised Network Security Products” and it is not clear according to what criteria or procedures the security assessment will be conducted for the Critical Information Infrastructure Facilities. We expect that clarifications and guidance will be formulated by the Chinese authorities and we will continue to monitor and provide updates.
The original press release can be found here on the Norton Rose Fulbright website