Data protection inspections have become more frequent for companies with operations in China, and many companies are struggling to find guidance on how to comply.
In 2016, as part of a global effort to update the law to address data and technology issues, China introduced the PRC Network Security Law (NSL), also known as the Cybersecurity Law. This was the first time China had implemented legislation on this theme at the same time as European and other Western jurisdictions, which allows a clear comparison between China’s and the West’s moves towards more aggressive data regulation.
The NSL and its group of related laws and regulations create “top-down” regulation of China’s network security and data matters, and empower several government agencies to supervise and inspect companies to ensure compliance with the law and its data and network protection requirements. These inspections are becoming more frequent, but companies lack guidance on how to handle them.
SUPPORT AT THE HIGHEST LEVELS
The NSL took effect on 1 June 2017, and is aimed at protecting China’s cyber/network security and digital economy. Compared to Western data laws, such as the EU General Data Protection Regulation (GDPR), the scope of the NSL is much broader. It includes strict requirements for the protection of personal information; determines which companies are subject to data regulation; and prescribes how these companies must store, protect, and transfer personal data and data related to national security, economic development, or the public interest.
The importance placed on the NSL and its top-down framework is demonstrated by China’s President Xi Jinping declaring that “Cybersecurity is national security”, and his emphasis on companies’ responsibility to protect Chinese data and networks. This top-down approach seeks to create a framework of standards for companies charged with the protection of data and cybersecurity, as well as the creation by high-level agencies of a cyberspace or network security framework that is interpreted and implemented at lower levels.
The importance of data protection and cybersecurity to the government, coupled with the NSL’s broad scope, has resulted in an increase in the frequency and breadth of inspections.
Article 49 of the NSL provides the general legal basis for inspections of companies deemed to be “Network Operators” which, under the definition in the NSL, covers almost all companies. Article 49 states that such entities must implement a system of internal supervision and inspection, cooperate fully with any external inspections, and set up a complaint and reporting system so that reports of issues concerning network information security are accepted and handled.
In addition to the NSL, there are other, related, laws and regulations from various government agencies that also empower authorities to conduct inspections.
Article 69 of the NSL obliges companies to comply with an inspection: refusing or obstructing the relevant department from implementing a system of supervision and carrying out inspections, or refusing to support or assist Chinese public security agencies in their inspections, amounts to a violation of the NSL, which would likely result in a fine.
Although the fine amounts are small compared to fines under the GDPR, violations of the NSL carry additional penalties, such as a suspension of a company’s business license, shutting down the company website, and social credit implications.
There are three main agencies charged with conducting supervision and inspections:
> The Cyberspace Administration of China (CAC) is directly led by President Xi Jinping, and has oversight across all cybersecurity inspection and supervision work. In addition, the CAC is empowered to carry out its own audits and inspections, and to formulate its own policies. Its inspections cover the general breadth of data issues under the NSL. Given its broad scope and prominent leadership, the CAC is one of the most powerful administrative bodies involved in inspection work under the NSL.
> The Public Security Bureau (PSB) is China’s police equivalent and can initiate criminal inspections for data breaches and network crimes. It is empowered to conduct inspection and supervision under the NSL, PRC Criminal Law, and other regulations. The PSB also has its own regulations concerning network security supervision and inspection: the Public Security Bureau Regulations on Network Security Supervision and Inspection.
> The PRC Ministry of Industry and Information Technology (MIIT) is generally responsible for the regulation and development of the internet and other, related information technology. It is also empowered to conduct data inspections, supervisions, and audits under the NSL, but its inspection focus is on companies engaged in information technology-related industries.
The methods of inspection are generally the same across all agencies. At this stage, however, there are still several issues among the implementing agencies, including an unclear division of labour and jurisdictional authority, separate implementing regulations, and low efficiency when conducting inspections.
In general, there are two types of network security inspections:
1. A general inspection
2. A post-crisis inspection
A post-crisis inspection is conducted by any of the agencies listed above after a “data crisis” has occurred. Its purpose is to resolve the questions of how the breach occurred, who was responsible, and how it can be rectified.
A general inspection can be a scheduled, responsive, or random inspection by any of the agencies listed above. Such inspections can take place at different times, by different agencies, each with different inspection goals. General inspections seek to improve a company’s compliance so that the risk of a data crisis is mitigated.
Since the implementation of the NSL in June 2017, two main trends have emerged. The first is that inspections are seemingly random: taking place across various industries at various times. One explanation for this is that the government is trying to ensure initial compliance with the law, gauge the reaction of companies to the inspection system and new regulations, and learn from the inspections to be able to develop a more consistent general inspection system for future implementation. The other explanation is that the agencies are using the inspections to attempt to more clearly define their own jurisdictional authority and as a means to experiment and further develop inspection procedures.
These explanations are likely to be the driving force behind the second trend: the agencies are continuously developing and releasing new implementation measures, guidelines, and notices concerning inspection actions. Examples include a notice detailing specific inspection work and methods by the MIIT in August 2018; a September 2018 notice mentioning a summit convened by the PSB, MIIT, CAC, and others to discuss developments in data inspection work; and the November 2018 regulations on inspection released by the PSB.
HOW TO PREPARE
The constant regulatory development combined with a lack of clarity between agencies means that companies should be prepared for sudden changes in compliance requirements and inspections at any time on a wide range of content.
Because any agency can conduct an inspection at any time, companies should prepare for various frequencies and timing of inspections. They should, however, not panic if they receive an inspection request, as it is very possibly a routine inspection.
Methods of inspection include:
> Entrusting a third party to conduct an inspection or audit
> Remote inspections
> On-site inspections that include document review, employee interviews, on-site verifications, and tool and infrastructure testing.
When facing an inspection, companies should prepare for key employees to be interviewed, such as the general manager, IT managers, the legal representative, and legal personnel.
All companies should prepare a communication and engagement strategy for responding to a government request for inspection, which can be challenging in a fast-changing regulatory environment. Global inspection response guidelines, or a policy drafted by a company’s headquarters, may not be sufficient for an inspection by Chinese authorities.
Companies therefore need inspection response guidelines or a policy tailored for China, and must continually monitor inspection trends and regulatory developments surrounding data protection. Having a China-specific plan in place to respond to inspections will allow a company to reduce its risks and operate smoothly in the Chinese marketplace.