The PRC Network Security Law (the “NSL”, also commonly translated as the Cybersecurity Law) was promulgated in China on 7 November 2016 in response to the growing dependence of individuals, businesses and public services on computers and the Internet. It consolidates what was previously a patchwork of separate regulations in areas such as data protection and telecommunication services into a single law regulating cybersecurity. This article looks at the underlying objectives of this newly passed law, which will come into effect on 1 June 2017.
Scope of the NSL
Although the Internet is a borderless space in which territorial legislation is difficult to apply, the NSL confines its scope to the “construction, operation, maintenance, and use of the network within the territory of the PRC”. At the same time, it specifically empowers the competent authorities to “use technical means” to block attacks and prohibited content originating from overseas.
In particular, the NSL introduces the concept of “Network Operators”, defined as “network owners, operators and network service providers”, on whom the main obligations of the NSL are imposed. This definition is capable of covering any owner, operator or provider of network infrastructure, as well as any network service provider, the latter being a controversially broad concept under the existing Chinese telecommunication service regime.
Providers of network-focused services, such as app stores and e-commerce platforms, are clearly caught by this concept, but companies providing non-commercial services through a network, or providing commercial services only partially through a network, may also be caught. In effect, the NSL reaches almost every aspect of general network services. As long as a Network Operator is located within China, regardless of whether it is domestic or foreign-owned, it is subject to the obligations imposed by the NSL.
Chapter III of the NSL lays down two major requirements regarding network security: “Network Security Level Protection System” and “Protection of Critical Information Infrastructure”.
According to the NSL, a Network Operator is required to fulfil its obligations under the “Network Security Level Protection System”, which include, among others, taking technical measures to prevent viruses, intrusions and other attacks, monitoring and recording network operating status and security incidents and retaining the related network logs for no less than six months, and classifying data and backing up and encrypting important data. However, apart from these general cybersecurity requirements, the “Network Security Level Protection System” itself is not defined in the NSL, nor does the NSL refer to the existing regulations on level-based network protection. Further clarification is therefore expected in this regard.
The NSL also requires heightened protection of “Critical Information Infrastructure”. Rather than defining the term exhaustively, the NSL lists the sectors concerned, namely “public communications and information services, energy, transportation, water conservancy, finance, public services, e-government and other important industries and fields”. The obligation to implement such protection falls not on Network Operators generally but on “Operators of Critical Information Infrastructure”, a concept that is so far not defined anywhere.
Given the open-ended list of sectors and the undefined concept of “Operators of Critical Information Infrastructure”, any enterprise, including a foreign-invested enterprise in China, operating in an industry deemed “important” could be caught by this obligation. The scope is therefore expected to be narrowed by interpretations or supplementary rules. Indeed, the NSL leaves it to the State Council to clarify the scope of “Critical Information Infrastructure” and the detailed protection measures to be taken.
An Operator of Critical Information Infrastructure must satisfy a set of additional cybersecurity requirements, such as conducting an inspection and risk assessment of its network at least once a year and entering into security and confidentiality agreements with suppliers when purchasing network products or services.
The rules on the collection and use of personal data in the NSL conform to the existing personal data regime in China. In particular, the NSL reiterates the general principles of “legitimate, proper and necessary” collection and of “prior disclosure and consent”. The NSL is also the first attempt to define “Personal Information” at the level of a national law, namely as “all kinds of information recorded by electronic or other means that can be used, independently or in combination with other information, to identify a natural person, including but not limited to a natural person’s name, date of birth, identification number, biometric information, address and telephone number”.
Most notably, the NSL specifically stipulates that all Personal Information and important data collected or generated by an Operator of Critical Information Infrastructure during its operation within the territory of the PRC must be stored within the PRC, and may only be transferred overseas where genuinely necessary for business reasons and after a security assessment conducted in accordance with measures to be issued by the competent authority.
This new provision is of particular importance to foreign-owned companies in China, especially those in the critical sectors listed above, since the cross-border transmission of Personal Information or other data collected in China may, under the NSL, expose them to serious consequences such as fines, suspension of business or revocation of their business licence in China.
In summary, the NSL is the first piece of comprehensive legislation in China to regulate network security. The law is significant as a statement of the government’s ambition to reshape the rules of cyberspace, but it also leaves considerable leeway in enforcement and interpretation, much of which will depend on the implementing rules still to be issued.