The Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) has introduced China’s first and comprehensive Network Security Law (also referred to as Cybersecurity Law). The law will have far-reaching implications for parties that utilize the internet and handle network data and personal information in the PRC.
What this means for China’s internet users
Both individuals and entities which access internet in the PRC will be subject to enhanced security requirements and new regulation relating to the use and transfer of personal data. Network operators, equipment suppliers, security solution providers and other market participants will need to comply with the sweeping new security requirements and national standards, which will come into effect on June 1, 2017. Key requirements of the new law are set out below:
- The new law applies to all “operators” (i.e., owners, administrators and service providers) of networks in China. While it appears that the Network Security Law would primarily govern activities occurring on networks that are physically within the territory of the PRC, Article 5 authorizes PRC authorities to monitor and take preventive/defensive actions to defend against certain network activities that occur outside of the PRC, but create negative consequences in the PRC (such as security risks and threats, internet crimes and telecommunication fraud).
- More onerous rules have been introduced for Critical Information Infrastructure (CII) and Operators of CII (CIIOs). Tightening security requirements of such infrastructure is regarded as critical for the PRC’s national security or public interests.
- Personal information and critical data of CIIOs must be stored in China. Under the new requirements, cross-border transmission of personal data will need to be supported by business necessity, and will require a security assessment by government authorities. To comply with new data storage and transmission requirements under the Network Security Law, domestic and multinational corporations that qualify as CIIOs will need to reevaluate their internal processes regarding collecting, storing, processing and transmitting user information, and adjust accordingly.
- The new law introduces a class-based network security protection system, which applies to all network operators in the PRC. While the details of the class-based network security protection system require further definition, the Network Security Law sets out general compliance requirements to ensure security of network operations, including: the establishment of internal network security systems, implementation of measures to monitor and record security incidents; identity verification; information management of prohibited content; enhanced cooperation with government authorities; and compliance with mandatory national standards.
- Unique and interesting breach notification requirements have been introduced. In addition to notification of incidents, internet product and service providers must not install or distribute malicious programs under the new law. In the event products or services have been discovered to contain security defects, or that data leakages or other security risks have occurred, providers must promptly inform their users and take remedial action. At present, the new law does not specify a required notifications timeframe, nor does language clarify responsibility in cases where third parties or other unsanctioned actors install malicious products or services.
- Identity verification is now a requirement for certain network services, however the new law has not elaborated on how a user’s identity will be verified. Network operators must require verification of a user’s real name and identity upon execution of a service agreement or upon confirmation by network operators to provide users with network access, domain name registration, local/mobile phone networking access, instant messaging and information publication services. In practice, identity verification is increasingly commonplace in the PRC.
At present, the new law does not fully clarify the processes now required for cross-border data transfer security assessment, network product security reviews or degree of cooperation government authorities will require. Consequently, the new Network Security Law could present significant compliance challenges to market participants both in China, and those international entities accessing internet in the PRC. Yet, the law could also bring new investment opportunities for corporations such as network security certification services, and development and application of network security technologies and convenient digital ID technology. As the deadline for compliance fast approaches, organizations will need to follow further legislative developments closely to ensure full compliance by 1 June 2017.