China’s broad new Cybersecurity Law, slated to go into effect on June 1, imposes sweeping data security requirements on network operators and critical information infrastructure providers. Enacted in November 2016 by the Standing Committee for the National People’s Congress of China, the law will be administered by the Cybersecurity Administration of China, the Public Security Bureau and the Ministry of Industry and Technology.

Requirements for Network Operators

Network operators are defined as the owners or administrators of a network and network service providers. Networks refer to systems that consist of computers or other information terminals that collect, store, transmit, exchange and process information. The Cybersecurity Law requires network operators to provide technical support and assistance to public or national security agencies when conducting an investigation of a crime. Network operators are also required to adopt technical measures to monitor and record their network operations, and to preserve network logs for six months. Network operators are further required to adopt technical measures to prevent intrusions such as viruses, adopt measures such as data classification systems, and implement security measures, such as backup systems and encryption.

Requirements for Critical Information Infrastructure Operators

Critical information infrastructure is defined as infrastructure maintained by certain industry sectors which would seriously jeopardize national security and the public interest should such infrastructure malfunction, or be subject to damage or data breaches. These sectors include, but are not limited to, public communication and information services, energy, transportation, water, financial services, public service and e-government affairs. Network products and services procured by critical information infrastructure operators are subject to national security examination if such products or services are likely to affect “national security.” Critical network products and dedicated network security products are subject to mandatory national standards and need to be certified and approved before they can be sold or provided in China. Critical information infrastructure operators are also required to undergo a network safety assessment at least once a year.

The Cybersecurity Law subjects critical information infrastructure operators to data localization requirements under which they must retain, within the territory of China, critical and personal information which they collect and produce during their operations in China. Personal information is defined as all information that either singly or in combination with other information identifies a natural person, including but not limited to names, dates of birth, identification numbers, personal biometric information, addresses and telephone numbers. They may still be able to transmit this information overseas, but only after undergoing and passing a security review.

Protections for Individuals

The Cybersecurity Law also provides certain protections for individuals. It prohibits network operators from providing an individual’s personal information to third parties without the individual’s consent, except in cases where the personal information is irreversibly depersonalized such that the data does not identify particular individuals. In general, consent needs to be obtained from the individual from whom personal information is collected when a third party processes it.

Individuals can request that a network operator delete personal information if he or she discovers that its collection or use is in violation of the new law or a contract between the parties. Individuals can also request that a network operator correct any personal information that is inaccurate.

Penalties

The Cybersecurity Law imposes penalties for noncompliance, including warnings, suspensions of operations, imprisonment and fines of up to RMB 1 million. It also imposes penalties—such as freezing of assets—against foreign corporations or individuals who endanger critical information infrastructure. In addition, the Cybersecurity Law provides that civil liability may be incurred for any breach of any provision of the Cybersecurity Law which results in damages to a third party.

On April 11, the Cyberspace Administration of China released draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data. On May 19, after receiving comments, the CAC released a revised draft measures. These provide additional detail on the restrictions for cross-border transfers and guidance on security assessments for data transfers.

Storing and Transferring Data

The revised draft measures require not only critical information infrastructure operators but also network operators to store personal information and important data (defined as data closely related to national security, economic development and social and public interest) within the territory of China, unless there is a genuine and legitimate business need to transfer the data overseas. In the event of such a transfer, network operators are required to conduct a security assessment. Large scale transfers (i.e., transfers involving the personal data of more than 500,000 Chinese citizens), or transfers involving sensitive information, such as data concerning national defense or military, public health, and large-scale engineering projects, must be conducted before a regulatory authority. In addition to these security assessments, network operators transferring personal information must also conduct security reviews of their cross-border transfers at least annually and report the assessment to the appropriate regulatory authorities.

There are three instances where data transfers are expressly prohibited under the revised draft measures:

  1. Where the individual does not consent, or when it may infringe upon the interest of the individual;
  2. Where the cross-border transfer poses a security risk to the national political system, economy, science or technology, or the national defense, or societal or public interest could be jeopardized; and
  3. When the Chinese government deems it necessary.

Even when an individual consents, network operators must notify the individual about the purpose, cope, content and recipient and country where the recipient of the transfer resides.

Timeline

The revised draft measures were scheduled to go into effect together with the Cybersecurity Law on June 1, 2017. However, they contain a grace period until December 31, 2018 for network operators to comply with the cross-border transfer requirements.