On 7 November, the government of the People’s Republic of China passed the much-anticipated Cyber Security Law of China, which will come into force 1 June 2017. After first and second drafts were put out for public consultation in June 2015 and May 2016, respectively, it was a third draft issued in October 2016 that was ultimately passed into law.
China’s cyber history
Until the recent passing of the new Cybersecurity Law in November 2016, regulations relating to cybersecurity in China were scattered across many different laws, regulations and regulatory documents, e.g., Administrative Measures on Internet Information Services (last amended in 2011), and Telecommunications Regulations of the People’s Republic of China (last amended in 2016). The new Cybersecurity Law, as the first comprehensive law specifically regulating network security, contains several highlights that may greatly influence future network-related businesses in China.
The Chinese government has stated that its key goals in passing the new law were to better combat online fraud and to protect the nation against Internet security threats and risks.
The new law: what we know…
The final version of the law that will come into force 1 June 2017 contains the following key provisions:
- Data localisation rule: Personal data or “important data” of Chinese citizens, collected or produced by key information infrastructure operators during their operations within the PRC territory, should be kept within the borders of the PRC. Should key information infrastructure operators that collect or produce such personal data or important data seek to transfer such data outside of China, to do so will require a security assessment conducted by the National Cyberspace Administration and State Council (unless permission for the transfer is already provided under another PRC law).
- Network operations requirements: Network operations (a broadly defined term that may catch any business that owns and operates IT networks in the PRC) must:
◦ Make public all privacy notices
◦ Obtain individual consent for collecting and processing personal data
◦ Implement technical safeguarding measures, similar to those required in North American and Europe, that include, inter alia, securing against loss and destruction of personal data, data minimization, confidentiality, and rights to accuracy and restriction on processing of personal data
- Network security: Network operators must provide internal security management systems that meet the requirements of a classified protection system for cybersecurity, including:
◦ Appointment of dedicated cybersecurity personnel
◦ Retention of network logs for at least six months
◦ Reporting risks on network services and products to both users and authorities
◦ Formulating contingency plans for network security incidents, and reporting such incidents to the authorities
◦ Providing assistance and cooperation to public security bodies and state security bodies to safeguard national security and investigate crimes (the extent of which is not yet clear, especially in terms of the disclosure that will be required of private businesses)
- Security maintenance obligations: Network services and product providers will be required to provide security maintenance for all services and products for the full term of the contract – security maintenance cannot be terminated within the contract term.
- Government certification: Prior to being sold or produced in the PRC market, cybersecurity products and services will be required to obtain a government certification and/or meet prescribed safety inspection requirements and national standards.
In addition to the above, further rules within the new law address issues of personal responsibility for web use, requirements to comply with “real identity” rules (requiring users to register under their legal names that enables more effective tracking) when registering for certain services (e.g., network access, domain name registration services), and the online protection of minors.
Much is still unknown when it comes to the detail of the new Cybersecurity Law and what its enforcement will be like in practice.
Many welcome the introduction of requirements that are widely championed by data protection authorities and bodies across North American and Europe. Others have raised concerns that this new law may also be a way for China to flex its muscles by introducing more invasive policy and establishing data localisation rules that provide road blocks to international competition or, at least, create additional red tape and add significant cost for international organisations wanting to do business within the People’s Republic of China.
Further uncertainty surrounds exactly who will be caught by the new rules – including new proposed criminal sanctions as well as administrative penalties. While the new law will clearly apply to businesses and organisations, the extent to which its terms will apply to individual employees and officers as well as web users is unclear.
It is anticipated that the Chinese authorities will publish further detailed and practical guidance in the upcoming months.
In the meantime, organisations that conduct business in the PRC are strongly encouraged to start reviewing their data privacy and cybersecurity policies to ensure compliance with the incoming law.
Keep an eye on this space for further guidance and updates on this new Cybersecurity Law.