On Nov. 7, 2016, the Standing Committee of the National People’s Congress (NPC) passed China’s first Cyber Security Law (CLS). The legislation is intended to safeguard China’s “cyberspace sovereignty” and applies to activities of construction, operation, maintenance, and use of network within China. The law will take effect June 1, 2017.

China’s preparation and promulgation of CLS received worldwide attention, with concerns from multinational enterprises and foreign governments that CLS may inhibit cross-border information exchange and even compromise consumer privacy. NPC responded to this concern during a press conference on Nov. 7 by assuring that the law was not intended to create trade barriers or restrict the import of foreign technology or products.

CLS sets up a series of new legal regimes regarding cyber activities:

> CLS creates the concept of “critical information infrastructure” and defines it as “infrastructure in certain important industries and sectors like telecommunications, information service, energy, transportation, hydropower, finance, public service, and electronic government service, which, once compromised, may seriously endanger national security, national economy or public interests.” CLS authorizes the State Council to promulgate the specific scope of such infrastructure. Notably, CLS has set forth obligations of the operators of such critical information infrastructure: (i) the operators’ purchase of network product and service, if likely to affect national security, shall pass review of the State Council; (ii) the operator shall store in China the personal information and key data that are collected and generated within China; (iii) the operator shall conduct an annual assessment regarding the safety and potential risk of the infrastructure and report the result to the government.

> CLS requires that all network operators shall comply with a cyber security classified protection scheme (the CCPS), requiring network operators to take protective measures including keeping a record of all network activity for at least six months. In 2007, the Ministry of Public Security, together with other government agencies, implemented a multi-level protection scheme for information technology systems. This scheme classified all information systems into five categories (with class V as the most critical, that if compromised, national security will be seriously damaged), and setting forth specific duties for system operators to safeguard information and to report incidents of threats and attacks. The CCPS is considered an enhanced version of the existing multi-level protection scheme.

> CLS imposes a mandatory certification regime for all critical network equipment and network security products. CLS authorizes the national network security department to publish a catalogue of such products, and requires that all such products must pass a security check and get certified by licensed vendors before being sold on the market.

> CLS sets up stricter obligations on network operators regarding protection of personal information. In addition to requiring all network operators to obtain consent from individuals before collection of any personal information, the law prohibits operators from collecting information not relevant to the services provided, or providing such information to others except when consent from the individual is obtained or when such information has been processed such that no certain individual will be identified. In addition, CLS grants individuals a right to require network operators to erase his or her personal information if any misuse is discovered. 

Before CLS takes effect June 2017, China is expected to publish a series of new implementing regulations and industry standards regarding the new regimes mentioned above. The real impact of CLS can be more effectively assessed at that time.

- Cyber Security Law

- 网络安全法

- Issuing authority: National People’s Congress

- Date of issuance: Nov. 7, 2016

- Effective date: June 1, 2017