Final Passage of China's Cybersecurity Law
After much anticipation, the Chinese legislature finally passed the Cybersecurity Law (CSL) on 7 November 2016, and the CSL will come into legal effect on 1 June 2017. The CSL is the last of the trio of laws focusing on cybersecurity, after the National Security Law (which came into effect on 1 July 2015) and the Anti-Terrorism Law (which came into effect on 1 January 2016).
The CSL is significant because of its broad scope and potentially far-reaching effect. While much still hinges on implementing regulations and standards to be issued by the State Council, the Cybersecurity Administration of China (CAC) and the Ministry of Industry and Information Technology, it has the potential to create significant disruption to business operators in China, in particular foreign business operators with a significant online/digital presence and/or operations reliant on telecommunications networks and/or the constant cross-border movement and sharing of business, employee and consumer data. In a worst-case scenario, many foreign business operators may be required to carve China out from their global or regional technology and infrastructure/backbone, and/or become mired in time-consuming regulatory approvals for the export or sharing of data with entities outside China.
Businesses are advised to follow legal and regulatory developments in this area closely, and start internal/external discussions and analysis on their technology and data configurations to prepare for the possibility of stringent local data residency requirements.
Obligations on Network Operators
The CSL imposes broad cybersecurity-related obligations on all “network operators”, which is defined broadly to include “owners and administrators of computer information networks as well as network service providers”.
Whilst the application and enforcement of this definition may be elaborated in implementing legislation, there is widespread concern in the business community (in particular the foreign business community) that the term could be broadly defined to include anyone reliant on telecommunications networks for the promotion or provision of products or services, perhaps even including corporate or informational websites that are hosted on Chinese servers merely to address latency issues.
The law provides that a Multi-level Network Security Protection Scheme shall be implemented, under which network operators are required to formulate internal security management systems and assign responsibilities for cybersecurity protection; take technological measures to prevent computer viruses, network attacks and intrusions; take technological measures to monitor and record the network operation status and cybersecurity incidents; and take measures such as data classification, and back-up and encryption of important data, based on the applicable security level classification. It remains to be seen whether the Multi-level Network Security Protection Scheme will be an updated version of the existing information security level protection scheme that has been implemented by the Ministry of Public Security together with several central ministries since 2004, or yet another new tiered network security protection compliance scheme.
The CSL also imposes a relatively vague but broad obligation on network operators to provide “technical support and assistance to the public security authorities and state security authorities for reasons of national security or criminal investigations”. Although the more controversial language regarding the provision of a technical interface or backdoor and decryption assistance for encrypted data (which was in an earlier draft of the Anti-Terrorism Law) is not included in the final version of the CSL, it remains to be seen whether CAC will attempt to introduce or enforce this requirement through the CSL’s implementing regulations.
Obligations on Operators of Critical Information Infrastructures (CII)
The CSL introduces the concept of “Critical Information Infrastructures” and operators of CII are specifically required to store personal information and other “important data” (undefined) collected and generated during operations within China. If it is “truly necessary” (also undefined) for a CII operator to store or provide such data overseas for business reasons, it must undergo a government security assessment/approval process.
The CII provision was one of the more controversial and hotly discussed provisions of the CSL. Each of the earlier drafts (1st, 2nd and 3rd) took a slightly different approach: the 1st and 3rd public consultation drafts included an explicit definition of CII with some broad catch-all language to permit implementing legislation to fill in the gaps; the 2nd draft deleted the specific definition of CII altogether; and the final version adopts the approach taken in the 1st and 3rd drafts.
CII is defined broadly as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, national welfare or the livelihoods of the people, or the public interest”, and specific reference is made to key sectors such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government.
The State Council will further delineate what is or is not CII, and the concern is how wide the net will be cast. The Guidelines for Network Security Inspection and Implementation issued by CAC in July 2016, which seem to be the only written guidance on the definition of CII to date, provide that any “website, such as e-government websites, websites of enterprises and non-profit organizations, news sites, platform sites such as instantaneous communications, e-commerce, e-payment, search, email, blogs, mapping, music etc., which are service oriented sites; production type sites such as office or enterprise systems, industrial control systems, big data centers, cloud computing platforms and media/TV systems” are all considered to be CII. Whilst it is not entirely clear whether this particular guidance will be dispositive with respect to how the State Council will ultimately define CII, it is quite concerning, as such a broad definition can effectively capture any sort of business operating in China that is reliant on the telecommunications network for its operation or delivery of services.
What is also not clear under the CSL is whether the data residency requirement or approval/assessment for data export requirement could be interpreted even more broadly to prevent or restrict the cross-border remote access of locally stored data. This could impact MNC operations or even domestic companies relying on cloud service providers whose servers may be outside or partially outside China. Perhaps the Chinese regulator will leave some space for companies to operate in an efficient and cost-effective manner (e.g., perhaps by enforcing some of these rules per the experience of the Russian Federation which permits access and even cross-border data transfers in practice).
Security Review/Assessment of Critical Network Products
The CSL could also have implications for foreign technology hardware/software suppliers, regardless of whether or not they have a presence in China. The CSL provides that “critical network equipment” and “specialized cybersecurity products” (Critical Network Products) must satisfy the national compulsory standard and must be inspected or certified by a qualified institution before such products are permitted to be sold or provided in China. A catalogue listing such Critical Network Products will be published by CAC, and implementing legislation is expected on the details of this certification process.
Even if a company operating in China is not considered a CII operator, if such company is a supplier to CII operators, or its products are included in the to-be-issued catalogue, it will still be subject to potentially stringent and intrusive certification regimes. The business community is concerned that this may also portend a much more intrusive inspection regime that may require disclosure of decryption keys or inclusion of backdoors in such hardware/software products.
Privacy Protection and the Right to be Forgotten
The CSL contains a number of provisions devoted to personal data protection. While many of these provisions restate the personal data protection requirements already in place governing the telecommunications sector and consumer protection, the law will have a broader impact given its applicability to all network operators (as very broadly defined).
Furthermore, the CSL somewhat echoes the approach taken by European regulators on the issue of privacy, by introducing the “right to be forgotten” and the right of users to ask for rectification of incorrect information.
Regulatory Penalties for Non-compliance
Violations of the personal data protection provisions may lead to confiscation of illegal gain and a fine of up to 10 times the illegal gain or RMB 1 million (in case there is no illegal gain), and in serious cases, suspension of business or revocation of business license and fines of up to RMB 100,000 for responsible individuals. For CII operators, unauthorized cross-border provision of data may result in confiscation of illegal gain and a fine of up to RMB 1 million as well as suspension of business or revocation of business license and a fine of up to RMB 100,000 for responsible individuals.
This is the third client alert in a series covering China’s emerging cybersecurity regime, which has led to the final passage of the Cybersecurity Law. For a fuller picture and discussion, readers are encouraged to also review our prior two client alerts under Related Insights.