by Rui Wang (Beijing), Martyn Huckerby, Colin Bailey and Yijia Tu (Shanghai) and Kim O’Connell (Sydney)

Foreign companies doing business with Chinese entities or on their own account in China should be aware of the changing landscape for digital information.

A Consultation Draft of a New PRC Cyber Security Law was posted on the National People’s Congress website on 6 July 2015 for public comment (available in Chinese at http://www.npc.gov.cn/npc/xinwen/lfgz/flca/2015-07/06/content_1940614.htm). The consultation period concludes on August 5, 2015.

The proposed law applies to the construction, operation, maintenance and use of information networks in China. While many of the key obligations will apply to “Network Operators” only (i.e. companies that own and operate core information networks in China) the draft also imposes obligations on providers of information network products and services.

Key highlights include:

  • The State Council will formulate a list of “critical network equipment and specialised network security products” (such as those used by banks) which must comply with new national and industry standards and obtain safety certification (requiring government inspection) prior to sale in China.
  • All network products and services (critical or otherwise) will be required to comply with relevant national and industry standards and must not install malicious programs (i.e. malware). Product and service providers must provide ongoing security maintenance during service periods agreed with clients (and it will be an offence to fail to do so).
  • Network products and services (critical or otherwise) that collect user data must inform users of these functions, obtain user consent prior to collection, promptly inform users upon discovery of security risks and promptly rectify such issues.
  • Network Operators must comply with new security protection duties that will be set out in a “tiered network security protection system” to be formulated by the State Council and have an emergency response plan for responding to network security incidents, complaint and reporting procedures.
  • Network Operators handling network access and domain registration, fixed line or mobile network access, or providing information publication services to end users must require users to provide their real personal identity information (i.e. their Chinese ID Card number) prior to accessing and using such services.
  • Network Operators must establish systems to protect the privacy of user information and the confidentiality of commercial secrets. They must explicitly state the purposes, means and scope for which such information has been collected and will be used and must ensure that it is kept strictly confidential and must not disclose, distort, damage, sell or illegally provide such information to others without user consent.
  • Special obligations will also be imposed on owners and operators of “Critical Information Infrastructure” which is defined broadly to include information networks in important sectors such as energy, transportation, water conservation, finance, public utilities, medical services, social security, military and government. Critical Information Infrastructure also includes systems and network services with large numbers of users, which would appear to include popular social networking platforms such as WeChat and WieXin. Operators of Critical Information Infrastructure must:
    •  obtain government approval for purchase of network products and services that “might influence national security”; and
    • store the personal information of PRC citizens and “other important data” collected during operations within the territory of mainland China unless special government approval has been obtained to move data storage offshore (which may be granted where it is “truly necessary” to do so);
    • ensure information security by appointing responsible security officers, conducting network security education and training and backing up data.
  • The law creates a number of new offences applying both to Network Operators and other providers of network applications, products and services including personal liability for individuals who are directly responsible for such breaches. The draft specifically identifies the following conduct that would constitute an offence:
    • installation of malware;
    • unauthorized collection of user information (i.e. without prior user consent);
    • failing to inform users of security breaches affecting their personal information;
    • failing to take remedial measures to rectify network security flaws or vulnerabilities in products or software; and
    • failure to continue to undertake security maintenance of products and services during the product maintenance period agreed with clients.
  • The draft also contemplates third party civil claims for violations of the Cyber Security Law which cause damage to third parties.

The consultation draft elaborates on the general cyber security provisions set out in the new National Security Law. It can also be seen as a key outcome of the “Central Internet Security and Informatization Leading Group” established in 2014 and headed by President Xi Jinping himself.

To date, China has adopted a multi-faceted approach to protecting its technological sovereignty. In addition to direct technical measures, China has taken steps to transition certain key sectors (such as banking) away from reliance on foreign owned technology and software by seeking to impose the incremental adoption of “secure and controllable” technologies. These measures are intended (at least in part) to put greater control of technology into Chinese hands. The Chinese Government has been particularly concerned about the security of Chinese information and the risk of cyber espionage following the public revelation that widely used software platforms and network devices produced by foreign technology companies had their security features compromised by the inclusion of “back door” access that could be exploited by foreign intelligence agencies. This alignment of China’s cyber security strategy with the development of the domestic technology sector will concern foreign technology companies.

The proposed law builds on these measures. It prohibits software installing malicious programs, for example. It confirms the State’s wide reaching emergency powers to respond to security incidents, including taking “temporary measures regarding network communications”.

A recent Reuters article(1) quoted Joerg Wuttke, president of the European Union Chamber of Commerce in China, as saying that the business lobby was still reviewing the draft law but that it was “worried”: “The chief concern is that, as with many Chinese laws, the language is vague enough to make it unclear how the law will be enforced.”

Anyone with a current or future interest in handling data in China should keep a close watch on the progress of the proposed law. Technology providers, in particular, should review and consider the practicality of the proposals and whether they offer sufficient protection for the confidential information and intellectual property of those who provide hardware, software or information technology services to Chinese customers.

For technology vendors, the proposed changes raise the possibility that they may need to allow more of their Chinese customers to have a greater level of control over their devices and software than they would give to customers elsewhere, raising intellectual property concerns. To date, these measures have not been fully implemented, as European and US economic partners have lobbied against them.

In parallel, the Chinese government has encouraged the development of domestic technology industries, to reduce reliance on foreign technology providers – particularly in light of the cyber espionage risks disclosed in documents leaked by former NSA contractor Edward Snowden.

While it remains to be seen which aspects of the draft law will be enacted, it is clear that China intends to maintain a high level of State control over the cybersphere in China. All companies doing business in China should ensure that they are aware of existing regime for protecting information and controlling technology. They should also watch the changes to regulation in this area as China steps up its cyber- defences.