IP aspects of China's new controversial Cyber Security Law December 2016 IP aspects of China's new controversial Cyber Security Law December 2016 1 China’s Cyber Security Law, which will take effect from 1 June, 2017 was finally adopted on 7 November. The third draft of the law adopted by the Standing Committee of the National People’s Congress, China’s highest legislative authority, contained few changes from the second draft put forward for comment in July, 2016 (see our briefing). The net result is on-going controversy coupled with uncertainty, with multi-national businesses in particular questioning the intent behind the law and criticising its vagueness. All in all, the direction of travel is towards a much more heavily regulated Chinese internet and technology sector. In this briefing, we shine a light on the aspects of the new law that are most relevant to intellectual property ("IP") law (for a full overview of the new law, see our most recent TMT briefing). A Quick Recap The Cyber Security Law’s seventy-nine articles address a wide range of issues, focusing on three main aspects: Technology regulation: The Cyber Security Law seeks to regulate the technology that can or cannot be used in China’s cyber space ; Co-operation with authorities: The Cyber Security Law imposes duties on “network operators” to provide technical support and assistance in national security and criminal investigations and to retain weblogs for at least 6 months; Data Localisation: The Cyber Security Law requires operators of “critical information infrastructure” to store personal information and “important data” within China, save where it is truly necessary to send this data offshore, and the offshoring arrangements have cleared a security assessment process that is yet to be defined. Continuing Uncertainty as to Scope Obligations under the Cyber Security Law attach to two main classes of business: “network operators” and operators of “critical information infrastructure.” Neither of these terms are defined in any detail under the new law, leaving, as with most of China's IT and cyberspace laws, much room for speculation and interpretation by the authorities. In its press release on the Cyberspace Inspection, the CAC set out a non-exhaustive list of critical businesses within each of the critical industries identified. In relation to telecommunications and internet sector, a wide swathe of facilities and non-facilities-based services were identified, from voice, data, basic internet networks and hubs, through to domain name resolution systems and data centre and cloud services. IP implications of the new law 1. IT technology (software copyright or patented technology) The new law imposes strict requirements on both domestic and foreign technology used in China's cyber space by (1) imposing a requirement of prior certification of any “critical network equipment” and “specialised security products” (this could have an impact on, e.g. anti-virus and firewall software etc.) and (2) designating certain systems as “critical information infrastructure” that will be subject to national security reviews, with more detailed implementing regulations to be issued later by the State Council. The concern here is whether there will be a protectionist slant to these measures that will make it difficult for foreign players to compete. Another concern for businesses commercializing their software or other IT solutions in China is the requirement imposed upon the broad category of “network operators” to provide technical assistance to the Chinese government agencies in support of national security and criminal law investigations. It is for now not yet sure whether this duty to provide technical assistance includes, for instance, a IP aspects of China's new controversial Cyber Security Law 2 Hogan Lovells duty to install software “back doors”, enabling uninterrupted access by Chinese law enforcement to data and communications. Such back doors would obviously present serious threats to confidentiality of proprietary information and trade secrets. Similarly, when analysing the black letter law, it seems like several of the world's most popular instant communication tools (and other encrypted software and IT tools) would have to adapt their encryption software for China, as end-to-end encryption would likely not be compliant with the provider's duty to provide technical assistance to the Chinese law enforcement agencies. These measures could also lead to the creation of China-specific government approved technical standards, thereby stimulating the creation of separate patent pools for China, and could also compromise the interoperability of software and other IT systems across the globe. 2. Online content (copyright) In the area of online content, the new law confirms and complements China's new farreaching online publishing regulations (see our earlier briefing). The new law prohibits threatening national security by posing threats to the reputation or "interests of the state". These concepts are obviously very much open to interpretation and government discretion, which echo the provisions of the earlier online publishing regulations, thereby further tightening the state's control over China’s media and publishing sector. 3. Personal Data The new law contains China's first comprehensive regulation of personal data gathering and processing, and seems to draw heavily on existent US and EU data protection legislation. The explicit regulation of personal data could constitute a marked improvement, as China's personal data protection rules were formerly spread over a patchwork of laws and sector-specific regulations. The new data protection regime can be summarized as follows: network operators collecting personal information must (i) obtain the user's consent, (ii) expressly indicate the purpose, method and scope of information collection, (iii) must limit their data collection to proportional data collection (i.e. the data collection must be appropriate, necessary and directly related to the services provided), and (iv) the user has the right to correct incorrect personal data that is stored about him. Network operators must finally also adopt technical and other measures to ensure the security of the personal information they collect, and to prevent the disclosure of, destruction of or loss of such information. Practical Next Steps It is clear that businesses operating in China must review their technology and data protection arrangements in the light of the implications of the Cyber Security Law coming into effect on 1 June 2017. Technology businesses will need to review their Chinese business strategies and evaluate whether or not their products and services fall within the scope of the new requirements and if so, for example, will be subject to some form of certification or worse still, face exclusion from the market. They also need to consider matters such as the nature of personal data collected in China and how and where this data is stored. IP aspects of China's new controversial Cyber Security Law December 2016 3 Further information This note is written as a general guide only. It should not be relied upon as a substitute for specific legal advice. If you would like further information please contact a lawyer mentioned below or the lawyer with whom you usually deal. Contacts Beijing Deanna Wong* Partner firstname.lastname@example.org T +86 10 6582 9419 Shanghai Feng Zhen* Partner email@example.com T +86 21 6122 3826 William Fisher Partner firstname.lastname@example.org T +86 21 6122 3850 Hong Kong Eugene Low Partner email@example.com +852 2840 5907 *Partners or Directors of the Hogan Lovells Intellectual Property Service Co. Ltd. Hogan Lovells' China Intellectual Property Practice With more than 50 full-time IP lawyers and professionals in Hong Kong and Mainland China, Hogan Lovells has one of the largest and most experienced teams of IP professionals in the China region, based in its offices in Beijing, Shanghai and Hong Kong. As one of the few international law firms with an IP agency licence in China, we operate a domestic IP agency in Shanghai with a branch office in Beijing. The agency enables us to handle IP prosecution and trade mark/copyright litigation directly for our clients. Additionally, most of our Greater China-based lawyers are locally qualified and bilingual with in-depth knowledge of the local legal and business environment and language(s). We advise on all aspects of contentious and non-contentious intellectual property law. Hogan Lovells' China IP practice is consistently awarded a first tier ranking in IP matters by rating agencies such as Chambers, the Legal 500 and Managing Intellectual Property. Alicante Amsterdam Baltimore Beijing Brussels Budapest Caracas Colorado Springs Denver Dubai Dusseldorf Frankfurt Hamburg Hanoi Ho Chi Minh City Hong Kong Houston Jakarta Johannesburg London Los Angeles Louisville Luxembourg Madrid Mexico City Miami Milan Minneapolis Monterrey Moscow Munich New York Northern Virginia Paris Perth Philadelphia Rio de Janeiro Rome San Francisco São Paulo Shanghai Shanghai FTZ Silicon Valley Singapore Sydney Tokyo Ulaanbaatar Warsaw Washington, D.C. Zagreb Our offices Associated offices www.hoganlovells.com "Hogan Lovells" or the "firm" is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses. The word "partner" is used to describe a partner or member of Hogan Lovells International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee or consultant with equivalent standing. Certain individuals, who are designated as partners, but who are not members of Hogan Lovells International LLP, do not hold qualifications equivalent to members. For more information about Hogan Lovells, the partners and their qualifications, see www.hoganlovells.com. Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney advertising. Images of people may feature current or former lawyers and employees at Hogan Lovells or models not connected with the firm. ©Hogan Lovells 2016. All rights reserved.