Today, China’s much anticipated Network Security Law comes into effect after two years of review, revisions over three drafts and a public commenting process. The law is a historical development for China’s legislative coverage of information security and data protections. It also represents one of the strictest approaches in any jurisdiction worldwide, and a continuation of a broader effort at demonstrating the government’s cyber-sovereignty goals through control and regulation of data and the internet.

Overview of the Network Security Law

Commonly referred to as the “Cybersecurity Law,” the new piece of legislation has a broad scope and covers a range of issues related to data privacy, security and cross-border transfers, including:

  • Increasing security measures and strengthening data security through a variety of specific obligations
  • Ensuring consent for collection of personal information through the principles of legality, proper justification and necessity
  • Screening equipment and products for security testing and certification
  • Ensuring real-name registration for users
  • Strengthening requirements to cooperate with government agencies during criminal investigations or to protect national security
  • Requiring personal information to be stored in China under some circumstances
  • Increasing confidentiality measures for user information
  • Setting up a complaint and reporting platform for network security

Which Companies Will Be Affected?

For most companies with operations in China, the relevant focuses of the law are for two specific categories of entities: critical information infrastructure operators (CII Operators) and owners and managers of networks and the network service providers (Network Operators). Both categories have significant obligations and related liability under the law, but the scope of focus for Network Operators mostly falls to security measures that are likely already implemented at many multinationals that follow any of the leading data security frameworks. CII Operators, however, have more significant obligations, notably including the requirement to store within China any personal information and important business data that has been “collected and generated in the operation” of the CII Operator within China.

Under the law, the concept of Network Operators falls within a very broad definition of any “owner or manager” of any networks or the network service providers in China, where a “network” is defined as systems of computers and relevant equipment that collect, store, transmit, exchange and process information. CII Operators is a more narrowly defined term in this law, and is primarily given an effects-based test for key industries in which there may be harm to national security, people’s livelihood or public interests if there is damage, function loss or data leakage in the network. The specific definition and scope of a CII Operator will be further defined and clarified by the government.

What Are the Potential Penalties?

The law has various penalties depending on the specific article that is violated. The possible penalties include warnings, demands to make a correction, fines, public announcements of the misconduct, negative effects in national credit records, civil liability, closing of websites and even a revocation of the business license.

How Should Companies Prepare?

Generally, the first step is to determine whether your company falls within the scope of a Network Operator or a CII Operator in China. After understanding the type of covered entity and the related obligations, a key next step is developing a detailed overview of the primary aspects of the company’s data systems in order to better understand any gaps that may exist between the legal requirements and the current systems. This process (often referred to as a “data inventory” or “data map”) can help the company prepare for a variety of situations in addition to data compliance, and can also be instrumental in developing an effective information governance strategy and improving business efficiency.

What Else Should Companies Know?

The Network Security Law is only one piece of the newly emerging data compliance requirements in China, and 2017 will be a year full of new laws, regulations and enforcement actions in this area. Due to the complex nature of data systems and the significant changes that are being implemented in the new legal requirements, a vigilant and proactive approach is necessary to remain compliant with this ever-changing field.