Pressure continues to increase on businesses operating in China to comply with an increasingly comprehensive and strictly enforced data privacy regulatory regime. Those companies that fail to bring their practices into compliance face ever-growing legal exposure, and the risk will only escalate after 1 December 2019, when the Chinese government implements the latest legislative update to its multi-level protection scheme (MLPS) for data security.
Overview of MLPS 2.0
As part of the ever-expanding data and cybersecurity regulatory regime in China – with the 2017 Cybersecurity Law of the People's Republic of China (CSL) as a key legal basis – the Chinese government has updated its pre-existing requirement that individual 'network operators' in China must implement and maintain an MLPS with respect to their networks. The statutory foundation for this update, which builds upon previously existing requirements dating to 1994 and 2007 (known as the MLPS 1.0 series of regulations), is found in Article 21 of the CSL, which provides in part:
Network operators shall, according to the requirements of the multi-level protection system, fulfill [their security obligations] so as to ensure that the network is free from interference, damage or unauthorized access, and prevent network data from being divulged, stolen or falsified.
In June 2018, the Chinese Ministry of Public Security (MPS) released the draft Regulation on the Cybersecurity Multi-level Protection Scheme, which contains specific details regarding the updated MLPS requirements (draft New Regulation). In addition, on 13 May 2019, the State Administration for Market Regulation (SAMR) released three new national standards regarding MLPS. These three new national standards, together with the draft New Regulation and other regulations and national standards that will be released, constitute what is referred to as MLPS 2.0, for they impose heightened regulatory requirements compared to MLPS 1.0.
The three newly released national standards are (1) GB/T 22239-2019 Information Security Technology - Basic Requirements for Cybersecurity Multi-level Protection, (2) GB/T 25070-2019 Information Security Technology - Technical Requirements for Cybersecurity Multi-level Protection Security Design, and (3) GB/T 28448-2019 Information Security Technology - Assessment Requirements for Cybersecurity Multi-level Protection, all of which take effect on 1 December 2019. A further national standard, GB/T 25058-2019 Information Security Technology - Implementation Guide for Cybersecurity Classified Protection, will come into effect on 1 March 2020.
Specific MLPS 2.0 requirements
As noted above, the MLPS applies to all 'network operators', a term defined so broadly under the CSL that it covers virtually every business operating in China. According to the draft New Regulation, MLPS 2.0 retains the five-level scheme of MLPS 1.0 with few changes to the criteria for determining the appropriate security level of a company's network, as summarised below.
Level 1: Damage to the network would cause harm to the legitimate rights and interests of the Chinese citizens, legal persons and other organisations concerned, but not to national security, social order or the public interest.
Level 2: Damage to the network would cause serious harm to the legitimate rights and interests of the Chinese citizens, legal persons and other organisations concerned, or harm to social order and the public interest, but not to national security.
Level 3: Damage to the network would cause particularly serious harm to the legitimate rights and interests of the Chinese citizens, legal persons and other organisations concerned, serious harm to social order and the public interest, or harm to national security.
Level 4: Damage to the network would cause particularly serious harm to social order and the public interest, or serious harm to national security.
Level 5: Damage to the network would cause particularly serious harm to national security.
However, MLPS 2.0 has consolidated and updated key obligations on the part of network operators. The chart below provides a non-exhaustive summary of these requirements stipulated in the draft New Regulation:
Requirements under the draft New Regulation:
- Self-grading and expert review
- Government approval of grading
- General security obligations
- Specialised security obligations
- Online security examination
- Early warning system and incident investigation
- Data and information protection (Articles 34 and 40)
At the outset, it is the responsibility of the network operator to propose a classification of the network, which is based upon a self-assessment. Those network operators who propose a classification of Level 2 or above are then required to engage a qualified expert to conduct an additional review and verification. The determination of the security level sets forth the corresponding level of scrutiny of the security assessments in connection with MLPS 2.0: (1) evaluation of the technical aspect of the network security, which encompasses elements of both the physical and electronic security of the network; and (2) management of network security, which includes management of security personnel, policies and procedures, and system set-up and maintenance.
Though compliance with the MLPS 2.0 system is mandatory, some businesses have expressed hesitation to provide regulators with access to their networks for fear of the exposure of confidential or personal information related to their customers and their business. However, businesses are advised to not delay their implementation of the MLPS due to this concern, for enforcement has been underway and will intensify going forward. Companies should instead work with experienced counsel to ensure that they proactively assert and take advantage of the protections provided by Article 60 of the draft New Regulation, which provides that regulators must maintain the confidentiality of protected information to which they may have access, including not only state secrets and related sensitive information, but also the personal information of individuals and other such confidential data.
Existing data security laws are strictly enforced
Even before 1 December, government enforcement actions continue apace under MLPS 1.0 and its related cybersecurity regulations. In one recent case, a Chinese bank was fined a total of RMB 223.37 million (US$31.65 million) for failing to report data breaches and for lacking effective internal controls for data security, among other misconduct. While the publicly available information on the case does not reveal how much of the penalty is directly attributable to the data security violations, cases such as this highlight that compliance with data security laws and regulations should be a top priority for all businesses operating in China: the authorities can invoke existing, industry-specific data protection laws and regulations that predate the CSL but remain in force and are actively enforced.
In another recent case, enforcement agencies in Jiangsu province issued a press release on social media describing 12 'typical' enforcement cases brought on the basis of the CSL and the MLPS 1.0 regulations. The statement also summarised enforcement efforts in the province since the passage of the CSL in 2017: 6,467 administrative cases opened, 4,631 warnings, RMB 3.74 million in fines, and the administrative detention of 185 individuals. In some of these cases, failure to implement the multi-level protection system was cited in the enforcement action, including against one company that was also fined RMB 50,000 after a hacking incident.
More enforcement activism is expected
Other regulations also provide the authorities with additional mechanisms for enforcement. The Provisions for the Supervision and Inspection of Network Security by Public Security Agencies, known as 'Circular 151', lays out procedural rules for the enforcement of the CSL and related laws and regulations, and it grants local Public Security Bureaus (PSB) the power to conduct either on-site or remote inspections of the data networks of 'network operators' under the CSL. The powers granted under Circular 151 are broad, and businesses can be subject to dawn raids without prior notification by the authorities, with strict penalties imposed upon businesses and individuals that refuse to cooperate.
Finally, in July 2019, the Chinese government also released the draft Measures on Credit Information for Seriously Untrustworthy Internet Information Services Entities for public comment. The draft would implement a social credit and blacklist system applicable to 'untrustworthy' conduct with respect to internet information services, both on the basis of the CSL and in line with the overall Planning Outline for the Establishment of a Social Credit System (2014-2020). 'Internet information services' may include any entity that qualifies as a 'network operator' under the CSL which, as noted above, includes essentially all businesses operating in China. The range of misconduct that will lead to inclusion on the proposed blacklist is broad, and includes any non-compliance with the CSL and its related regulations. The consequences for companies on the blacklist are therefore serious and far-reaching. In addition to significant reputational harm, the penalties could include restrictions on internet use, shutdown of company networks or websites, and revocation of business licences or restrictions on participation in specific industries.
Significance for businesses operating in China: Advanced compliance planning recommended
Although parts of the MLPS 2.0 regulations are yet to be finalised, the main requirements are expected to remain substantially unchanged from their current form. Businesses should therefore proceed with implementation of the MLPS as quickly as possible, relying on the MLPS 2.0 regulations for guidance. Starting early matters, because even the grading process, which is only the first step of implementation, demands a significant commitment of time and resources. Companies are advised to appoint an internal team responsible for ensuring timely and continuing compliance, to seek guidance from external advisors in navigating the filing process and prioritising compliance objectives, and to arrange periodic training for employees with data and network security responsibilities, including dawn raid preparedness.
For Chinese businesses and foreign multinational companies (MNCs) operating in China, the importance of planning ahead to achieve MLPS compliance and complete the required filing with the Public Security Bureau cannot be overstated. After the 1 December 2019 effective date, all China-based business operations of MNCs and their associated networks will be under increased regulatory scrutiny under the terms of the CSL. Therefore, businesses are advised to focus on bringing their operations into compliance with all requirements under the CSL by 1 December, as the likelihood of any non-compliance being reported to or investigated by the authorities will increase dramatically. Businesses should seek advice from experienced cybersecurity counsel who can evaluate their networks and recommend strategies for compliance build-out to mitigate legal exposure and ensure sufficient and continuous compliance.