Mimi Yang, a Ropes & Gray government enforcement partner in Hong Kong, provides an overview of China’s new cybersecurity law (CSL), which came into effect in June 2017.
The new cybersecurity law of China has been in the works for a few years. It actually recently went into effect on June 1, 2017, so this year. It really regulates a lot of the cybersecurity issues, for instance data risk, data storage, personal information and important data. All of those are quite loosely defined in the new cybersecurity law however. Most multinationals will fall under “network operators” as defined under the new cybersecurity law. The cybersecurity law also has a provision that relates to “critical information infrastructure operators” (CIIOs) – those are operators that are not well defined in the new cybersecurity law, but may fall under certain industries such as telecommunications, water resources, the public health sector, social welfare and other industries.
One of the implementing regulations for the cybersecurity law will be the measures for security assessment of personal information and important data to be transferred abroad. So these draft review measures really say to network operators and CIIOs exactly what can be transferred abroad, exactly what types of data can be transferred abroad, and in those cases, what you need to do before you can transfer that data abroad. So for instance, for personal information, network operators have to make a security assessment as to the necessity, legality and logistics of transporting that information abroad. Another issue to be considered under the draft measures is consent of the individual whose personal information is to be transferred abroad. Personal information is defined quite broadly under both the cybersecurity law and its implementing regulations. It can be anything that identifies a person – the person's full name, the person's date of birth, their telephone number, their address. So it can be very, very broadly defined.
I think in terms of understanding the law, because a lot of the provisions are very loosely defined, companies should take care to actively monitor the implementing regulations in the new cybersecurity law. They should also make sure to actively monitor what is happening around the new law and what the Cyberspace Administration of China is saying with regards to the implementing measures, with regards to the other regulations and with regards to the law itself. Other things that the companies can be doing is making sure that they are already actively in compliance with the key measures of the cybersecurity law, especially with regards to making sure that they have personnel who are qualified to make data risk assessments. For instance, making sure that you have a chief information security officer; making sure that they have data policies that are visible and that are disclosed; making sure that their IT personnel and information security personnel knows about the new regulations and the new cybersecurity law; making sure that they think about obtaining express and implied consent from their employees with regards to personal information. As of this time, we actually don't know whether HR information falls under the new cybersecurity law, which can be a very big issue for multinational companies who have personnel in China, but are operating overseas.
So the penalties for violating the cybersecurity law can be quite strict in terms of monetary penalties. Someone can be fined up to RMB 1 million, which is the equivalent of about US$150,000. In some rare cases, an individual, the supervising personnel for instance of the information that was transferred abroad, may be subject to imprisonment. However, we haven't really seen enforcement of the new cybersecurity law yet, so all that really is up in the air.