On June 1st, 2017, the Cyber Security Law of the People's Republic of China ("CSL") finally came into force. The new CSL aims to "safeguard sovereignty and security of cyberspace in the state", according to the Chinese government. To achieve that aim, the regulation sets out the rights and obligations of both companies and citizens within the People's Republic of China by strengthening the protection and security of important information and key information infrastructure, and by regulating the treatment of personal data more precisely. However, one point that concerns foreign entities and international organizations is that the law might also affect the interests of multinational businesses in the IT field in China, because of its potential for discriminatory application to foreign technologies and equipment.
How will the CSL affect companies?
Obligations under the Cyber Security Law attach to two main classes of business: "network operators" and operators of "critical information infrastructure." Neither of these terms is defined in any detail under the new law, so both will be subject to speculation and interpretation. Another question left open after the promulgation of the law concerns small companies, which wonder whether the CSL applies to their businesses. At first sight the answer should be yes, although it is unclear whether regulators will want information or demand compliance from every small business in China, much less be able to handle that workload.
How will the CSL affect citizens, or the relationship of companies with citizens, when handling personal information?
The new CSL, adopting a definition already used in Western data protection regulations, refers to "personal data" as all kinds of information, stored in electronic or other forms, which individually or in combination with other information allows the identification of a natural person's individual identity.
In this regard, network operators' activities involving personal data handling should be framed by the principles of legality, propriety and necessity. They may only collect, use and store personal information that is necessary for business purposes, and only with the consent of the user. This consent should be obtained before transmitting that information to any third party. They should also make data privacy notices publicly available (explicitly stating the purposes, means and scope of the personal information to be collected and used).
Among data subject rights, any person has the right to demand deletion upon discovering improper collection or use of their personal data, and can demand correction if the collected information contains errors.
Taken together, these facts lead to the conclusion that we are moving towards a much more heavily regulated Chinese internet and technology sector. However, the main features of this regulation appear to leave much to the discretion of public authorities on many significant and relevant questions.
Altogether, this suggests that a truly open Chinese cyberspace does not seem to be any nearer. Quite the contrary: state control over media and communications infrastructure appears to grow with the implementation of the new CSL, and restrictions on foreign participation seem to remain in place, if anything harder than before.