With China’s new Cybersecurity Law (网络安全法, “CSL”) coming into effect on June 1, 2017, companies operating in China need to consider the major implications of this law and how to address compliance with what is a new and untested set of requirements.
The CSL and related guidance issued this year by the Cybersecurity Administration of China (“CAC”) impose on a broad range of companies requirements to store data locally in China, to undergo an as-yet-undefined “security review” of certain IT infrastructure, and to implement prescriptive cybersecurity governance measures, among other mandates.
This client alert outlines the key points of China’s new cybersecurity regime and concludes by proposing several action items for clients to prepare for the implementation of the applicable rules once the CSL takes effect.
Scope and Application of the CSL
The CSL mainly regulates “Network Operators” (网络运营者) and “Critical Information Infrastructure Operators” (关键信息基础设施, “CII Operators”), and we describe the scope of these two important categories below, as well as the requirements applicable to each.
“Network Operators” are “network owners, administrators, or service providers,” a broad definition that could be interpreted to cover any company using the Internet or other networks to conduct business. Accordingly, virtually every multinational company doing business in China may be deemed to come within the scope of the CSL and related mandates. Network Operators’ obligations include:
- Formulating an internal security protocol and operating procedures, including the designation of specific corporate officers responsible for network security;
- Adopting technical measures to prevent and mitigate cyber intrusions;
- Making notifications to users and regulatory authorities upon identification of any security deficiency and loophole;
- Adopting technical measures to monitor and record the operating status of a network and security incidents, and preserving related network logs for at least six months; and
- Adopting such measures as data categorization, disaster recovery back-up of important data and systems, and encryption of important data.
- Furthermore, Network Operators providing internet, phone, or messaging access to customers “shall require users to provide their real identity,” and deny service to customers who refuse to do so.
CII Operators are subject to additional requirements under the CSL. Critical Information Infrastructure (“CII”) is defined broadly to cover enumerated industries, including public communication and information services, power, transportation, water, finance, public services, and e-government affairs, as well as a catch-all category of other infrastructure that “might seriously endanger national security, the national economy, people’s livelihood, or the public interest” if such infrastructure is damaged, malfunctions, or experiences a data leak. While the CSL states that the precise scope of CII will be specified at a later time by the State Council, prior regulatory guidance in China contains a non-exhaustive list of the key businesses that are likely to be deemed to involve CII (see Appendix A).
In addition to the requirements imposed on Network Operators, CII Operators are also subject to the following obligations:
- Establishing specialized security management departments and persons in charge, and conducting background checks of personnel in key security positions;
- Conducting regular cybersecurity education, training, and skill assessment exercises for employees;
- Carrying out disaster recovery backup of important systems and databases;
- Formulating emergency response plans for cybersecurity incidents and conducting regular drills;
- Undergoing state security assessments conducted by competent authorities when procuring network products or services “that may affect state security;”
- Conducting, or engaging a qualified third party to conduct, annual cybersecurity and risk assessments, and submitting the assessment results and improvement plans to the competent authority; and,
- Cooperating and sharing certain cybersecurity information with government authorities, relevant research institutions, and cybersecurity service institutions.
Most significantly, the CSL stipulates that personal information and other important data collected in China by CII Operators are required to be stored domestically. Moreover, a security review by Chinese government authorities is required if a CII Operator wants to transfer such data outside of China.
Data Localization and Out-of-China Data Transmission
On April 11, 2017, the CAC issued for public comment the Security Assessment Measures regarding the Exit of Border of Personal Information and Important Data (Draft for Consultation) (个人信息和重要数据出境安全评估办法（征求意见稿）, “Draft CAC Data Measures”), extending data-localization requirements to Network Operators, which by definition would cover CII Operators. Under the original CSL, only CII Operators had been subject to the data localization requirements, so this draft, if enacted in final form, would mark a significant broadening.
Under the Draft CAC Data Measures, if Network Operators have legitimate business needs to transmit personal information or important data outside China, they are required to undertake a security assessment. The relevant factors under this assessment include the size, scope, type, and sensitivity of the data involved, and whether the transmission was consented to by the owner of the personal information. Chinese government authorities must conduct the assessment (i.e., a corporate self-assessment is not sufficient) if the out-of-China transfer:
- involves the personal information of over 500,000 individuals;
- exceeds 1,000 GB;
- concerns nuclear facilities, chemistry and biology, national defense and military, public health, large-scale construction activities, the marine environment, or sensitive geographical data;
- concerns CII security issues; or
- involves data transmitted by CII operators.
The Draft CAC Data Measures also contain a catch-all provision stating that the measures could be “of reference” when “other individuals and organizations” transmit personal information and important data collected and generated within China. Thus, these requirements could in some instances impact the operations of non-Network Operators and non-CII Operators.
Proposed Action Items
With less than two months remaining before the effective date of the CSL, companies operating in China should consider taking the following actions:
Evaluating Whether the Company Comes Within the Scope of the New Requirements
In light of the vague and potentially sweeping definitions of CII Operators and Network Operators, companies should evaluate immediately whether their operations put them within the law’s scope. Companies should also understand whether any of their clients or customers in China could be considered CII Operators. Any purchase of network products or services by CII Operators that could affect state security is subject to state security inspection. In addition, suppliers of such products and services are required to sign security and confidentiality agreements with CII Operators.
Preparing to Store Personal Information and Important Data within China
Companies need to examine how they are storing and transferring data they collect and generate in China. The data localization and cross-border transfer requirements will have a significant impact on the way companies run their operations in China. With the law coming into effect on June 1 and the interpretation and enforcement landscape still unclear, impacted companies need to engage in data mapping and compliance policy reviews now.
Conducting Cybersecurity Governance and Policy Assessments
Companies should review and potentially update their internal cybersecurity and privacy policies and governance structures. The CSL will require many companies to have designated personnel in charge of cybersecurity; to have mechanisms for providing information upon request from law enforcement; to preserve certain cybersecurity network data for specified periods; to implement employee training programs; to have cyber incident response plans; and to conduct cybersecurity exercises. Companies that are likely to be classified as CII or Network Operators should take steps to ensure compliance before the law goes into effect.
Preparing for Government Security Reviews
The CSL requires security reviews of CII Operators, including the network equipment that CII Operators procure. The Chinese government has offered little guidance as to what these security reviews will entail, but we recommend that companies prepare for implementation of the law by reviewing which of their intellectual properties, trade secrets, source codes, or other sensitive information requires protection.
How Paul Hastings Can Help
Paul Hastings’ Privacy and Cybersecurity practice can help companies prepare for the impending effective date of the CSL. Our team—based in the United States, Europe, and China—has been monitoring the law and is developing practical approaches that take into account the continuing uncertainty the law presents. One member of our team recently joined us from the United States government, where he engaged in direct discussions with representatives of the Chinese government regarding the CSL, affording us valuable insights into their objectives. In addition, we possess deep experience in helping enterprises in a variety of industries design multi-jurisdictional compliance programs that address differing legal requirements across national boundaries.