On 7 November 2016 the Standing Committee of the National People's Congress of the PRC approved the third draft of the PRC Cyber Security Law (the "Law"). The Law will come into force on 1 June 2017. It applies to the construction, operation, maintenance and use of information networks in China, as well as to the supervision and administration of network security. This newsletter discusses the three areas in which the Law brings the most significant changes to the existing regulatory regime, each of which will have a long-term impact on multinational companies doing business in China:
(i) Obligations imposed on network operators (“Network Operators”);
(ii) Obligations imposed on critical information infrastructure operators (“CIIOs”); and
(iii) Restrictions on key network products (“Key Network Products”).
1. Obligations imposed on Network Operators
a) General Obligations
The Law defines Network Operators broadly as owners and administrators of networks and network service providers. "Network" is in turn defined broadly as any system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges or processes information. Commentators expect that Network Operators will include any business operating over networks and the Internet; in other words, companies that own or operate network infrastructure in China, as well as companies that operate websites, may be regarded as Network Operators. The Law imposes broad obligations on Network Operators, who must:
(1) formulate internal security management systems and operating procedures, designate the persons responsible for cyber security, and implement cyber security protection responsibilities;
(2) take technical measures to prevent computer viruses, network attacks, network intrusions and other acts endangering cyber security;
(3) take technical measures to monitor and record network operating status and cyber security incidents, and retain the relevant network logs for no less than six months in accordance with the regulations; and
(4) take measures such as data classification, and backup and encryption of important data.
b) Cooperation with the Authorities
The Law requires Network Operators to cooperate with, and provide technical support and assistance to, the public security and state security authorities for the purposes of safeguarding national security and investigating crimes. It remains unclear in which types of investigation Network Operators will be obliged to assist. In the worst case, Network Operators may be obliged to provide broad assistance to the Chinese authorities, including granting access to the company's confidential information. This cooperation obligation is one of the most significant concerns of foreign companies: there is a risk that personal data, trade secrets and intellectual property of a company may have to be disclosed in investigations conducted by the Chinese authorities.
2. Obligations imposed on CIIOs
a) The Law introduces the term "critical information infrastructure" into PRC legislation for the first time. According to the Law, critical information infrastructure refers to key information infrastructure in important industries and sectors such as public telecommunications, information services, energy, transportation, water conservancy, finance, public services and e-government, as well as other infrastructure that, in the event of damage, loss of function or data leakage, might seriously endanger national security, the national economy and people's livelihood, or the public interest.
b) The Law imposes a more stringent set of data security obligations on critical information infrastructure operators ("CIIOs"), among which the data localization obligation is one of the most significant. Under Article 37 of the Law, CIIOs must store personal information and other important data collected and generated in the course of their operations within the territory of the PRC. Such data may not be transferred out of the PRC unless this is "truly necessary" for business reasons and a prescribed security assessment has been conducted and passed. However, it is not clear what constitutes "important data", and the exceptions to the data localization obligation are vague. The security assessment measures, which the national cyberspace administration authorities are expected to release at a later stage, may provide further clarification.
c) In the past, data localization requirements applied only to a few industries, such as banking and mapping. The Law now imposes such obligations on CIIOs in many industries. Multinational companies with operations in several countries will potentially face new challenges as a result. In practice, many companies store information on offshore servers for storage or backup purposes, or hold data at their offshore headquarters. Once the Law comes into force, multinational companies will have to evaluate their IT infrastructure and may need to undergo a security assessment before any cross-border transfer.
3. Restrictions on Key Network Products
a) The Law also imposes obligations on providers of network products, raising concerns for foreign suppliers. Article 23 of the Law provides that "critical network equipment" and "specialized cyber security products" (collectively, "Key Network Products") must comply with the national compulsory standards and must pass security certification or security testing by a qualified institution before they may be sold or provided in China. A catalogue specifying the Key Network Products will be published by the national cyberspace administration authorities.
b) In the past, Chinese companies and authorities made wide use of foreign hardware and software in their IT systems. Following a number of espionage and hacking incidents around the world in recent years, however, the Chinese government became alert to the risk that critical national information might be passed to foreign governments or companies through such foreign IT equipment. On the one hand, the Chinese government has in recent years already begun conducting security reviews of information system security products procured by government authorities, especially at the central level. On the other hand, more and more Chinese companies and authorities have turned to domestically developed products and services and stopped using foreign IT equipment. The Law is likely to extend product security reviews to all Key Network Products, and probably to procurement by all CIIOs. The restrictions on Key Network Products under the Law may make it more difficult for foreign IT equipment suppliers to enter the Chinese market.
The PRC Cyber Security Law will be the first fundamental piece of PRC legislation focusing exclusively on network security. The obligations imposed on Network Operators and CIIOs will have a significant commercial impact on foreign network operators as well as on network product providers. Multinational companies have voiced concerns that these obligations may act as trade barriers to entering the Chinese market, and some scholars regard the stringent government supervision and control as isolating China from the global digital economy. The full impact of the Law can only be assessed once it has been enforced in practice and the relevant implementing rules and interpretations of its provisions have been issued.