On 6 July 2015, the National People’s Congress of China (the NPC) released an initial draft Cyber Security Law.  The Cyber Security Law builds on the recently enacted National Security Law (see our previous post below).

The draft Cyber Security Law imposes a number of cybersecurity obligations on “operators of critical information infrastructure” and “network operators” to ensure the security of their systems. Of particular interest to foreign technology companies is the requirement that “critical network equipment” and other cybersecurity products may only be sold after being accredited and tested by a qualified institution designated by the Cyberspace Administration of China (the CAC). It remains to be seen if the requirements for approval will be further developed in implementing measures at a later stage.  

Another provision of the Cyber Security Law prevents “operators of critical information infrastructure” from transferring any “important data”, such as the “personal information of [Chinese] citizens”, to persons or entities located abroad without the prior approval of the CAC. “Operators of critical information infrastructure” appears to be a broadly defined term, and includes entities providing “important information systems” in the telecoms, energy, transport, natural resources, financial, medical, military, and public services sectors. Thus, depending on its implementation, this new requirement may restrict the ability of such operators to engage in certain types of cross-border dealings with foreign businesses (for example, foreign companies would be unable to provide operators of critical information infrastructure with offshore cloud-based services that involve “important data”).

In addition, the draft Cyber Security Law generally restates and consolidates the patchwork of personal data privacy laws that have been promulgated by various state agencies over the past several years. While no material substantive changes to existing Chinese data privacy laws are proposed, the draft does introduce specific financial penalties that can be imposed on individuals and businesses that violate individuals’ data privacy rights, ranging from RMB10,000 to RMB500,000 per violation (and in relation to profits gained from the illegal sale of personal data, up to 10 times the profit obtained).

This is a first draft for consideration by the NPC and it would be typical for at least one further draft to be issued before the law is enacted.  However, in the case of the National Security Law, discussion in the NPC was fast-tracked with the law being enacted about six months from the introduction of the first draft at the end of 2014. A similarly curtailed legislative process might be expected with the Cyber Security Law.

For an English translation of the draft, please refer to http://bit.ly/1I1S0aE.