The Standing Committee of the National People's Congress passed the PRC Cybersecurity Law (《中华人民共和国网络安全法》) on 7 November 2016. The Cybersecurity Law regulates the establishment, operation, maintenance, and use of networks within the territory of China, as well as the supervision and administration of network security.
The following aspects of the Cybersecurity Law are worth noting:
- It declares the state’s sovereignty in cyberspace. The government will formulate cybersecurity strategies and implementation rules to facilitate the healthy development of cyberspace, and fight against cybercrimes, threats and risks originated from both inside and outside China.
- It sets out requirements on the products used in cyberspace. The government will formulate national and industrial standards for products used in cyberspace, and promote the use of safe and reliable products. Meanwhile, the government will publish a catalogue listing the categories of products used for cybersecurity safeguarding and other critical products used in cyberspace. Such products listed in the catalogue must pass certain examinations or evaluations conducted by designated institutions before they can be sold or supplied to the public.
- It specifies the security obligations of network operators (i.e. the owners or administrators of networks or network service providers). Network operators are required to take a series of measures to prevent the networks from being disturbed, damaged or given unauthorised access, including (without limitation) establishing internal cybersecurity protection systems; taking necessary anti-intrusion or anti-attack technical measures; monitoring network operations and keeping logs for at least six months; taking data classification, backup and encryption measures for important data; and having the proper response and mitigation capabilities to cope with attacks, virus, or other cyber security incidences. In addition, network operators are required to obtain true identification information from users.
- It further emphasises the legal principles concerning the collection, processing, use, and protection of personal information. Notably, under the Cybersecurity Law, a party who illegally obtains, sells or provides to others, personal information can be punished by a fine equal to 1 to 10 times the illegal income (or fined up to RMB 1 million if there is no illegal income), or even face criminal liabilities. It is expected that such penalties can deter the infringements against personal information in cyberspace.
- It defines “critical information infrastructure” (“CII”) as information infrastructure that is used in public communication and information services, energy, transportation, water conservancy, finance, public services, electronic government systems, and other important industries and areas, and those that might seriously endanger national security, citizens’ wellbeing, and public interests if damaged or suffered with loss of functions or data leakage. An operator of CII is subject to additional security obligations such as purchasing products and services that pass the national security examinations if such products and services affect national security when being used in cyberspace. In addition, an operator is required to store exclusively within the territory of China, all personal information and important data, that the operator collects during its operation within the territory of China, unless otherwise approved by the relevant government authorities or laws.
The Cybersecurity Law will take effect on 1 June 2017. Before the effective date, more detailed implementation rules (e.g. the relevant standards for network products and services, and the specific scope of CII) are expected to be published to provide practical guidance to both domestic and foreign operators.