China's new Cyber-Security Law was recently issued, with the government downplaying suggestions that the new law would be used to drive foreign technology and products out of the Chinese market. One beneficial aspect of the new law is that it provides a tighter definition of critical information infrastructure, making it less likely that the operations of foreign-invested enterprises in China will be caught by strict implementation of the new law.
China's new Cyber-Security Law will take effect 1 June 2017. It was approved by the Standing Committee of the National People's Congress on 7 November 2016, following a third reading.
The draft of the Cyber-Security Law was first released to the public for consultation in July 2015. We provided a comprehensive analysis of the first draft in our e-bulletin dated 29 July 2015. A second draft was released for public consultation a year later in July 2016, which was followed by a third reading by the NPC in October 2016. The drafts provoked controversy among foreign organizations and businesses, and generated concern over the vagueness of the text and suspected protectionism.
The final Cyber-Security Law contains many of the same provisions as in the previously circulated drafts, including the requirement that personal data and key business data collected and generated via critical information infrastructure (CII) must be stored in the PRC.
We highlight below various critical changes that the final version of the legislation has made as compared to the first draft. We also set out our observations on the law.
- Critical Information Infrastructure
The Cyber-Security Law subjects CII to various restrictions and close scrutiny by the government, including, among other things, higher security protection standards, security review of equipment and service procurement, data localization requirements and evaluation of cross-border data transfers. The definition of CII in the drafts was criticized for being too broad and vague.
The revised and final definition has the following distinctive features:
a. CII is defined as critical information infrastructure which, in case of destruction, loss of function or leak of data, will result in serious damage to national security, the national economy and people's livelihood, or the public interest. Examples of industries and sectors in which CIIs exist include public communication networks, information services, energy systems, transportation systems, water resources, utilities and e-government. This definition is a step forward in that it adds a generalized description to the previous definition's simple list of industries and sectors. Arguably the new definition sets higher criteria for determining whether something is CII.
b. The following wording has been deleted from the definition of CII: "the network or system owned or managed by a network service provider that has a significant number of users". If included, this wording would have set a pretty low criterion in the context of the internet industry and might have covered a wide spectrum of internet service providers. Deletion of these words should mean that fewer systems are deemed to be CII.
c. In addition to the security measures set out in the Cyber-Security Law, CIIs will also be subject to the Multi-Level Protection Scheme (MLPS) for network security. It is unclear, however, whether the MLPS for network security refers to the MLPS for information security, which was formally launched in 2007 by the Ministry of Public Security (MPS), the National Administration for Protection of State Secrets (NAPSS) and the Office of State Cipher Code Administration (OSCCA), led by the State Council. We note that the definition of levels 3 to 5 (of 5 levels in total) of information systems under the MLPS for information security is substantially similar to that of CII.
d. The State Council will publish regulations on the specific scope of CIIs and security protection measures. Given that the current definition of CII still leaves room for discretion at the time of enforcement, we hope that the State Council will fully clarify the scope of CIIs by the time the Cyber-Security Law takes effect.
- Data Protection - Carve-out for Big Data Industry
The Cyber-Security Law is the first national legislation regarding rules on the collection and use of personal data. It states that personal data collected should not be provided to a third party unless the data subject has given prior consent. However, it also states that such data may be provided to a third party if the data has been processed in a way that the individual data subject is unidentifiable and personal data relating to any particular individual cannot be recovered. The carve-out for processed data appears to be aimed at addressing the activities of the data processing and trading industry, where the raw personal data is processed and analysed and the generated data product is sold on.
- Real-name Requirement Stepped-up – Strategy for Trusted Identities in Cyberspace
In addition to the real-name requirements for certain network services, the Cyber-Security Law has also introduced the concept of national strategy for trusted identities in cyberspace (NSTIC), under which the government will support research on secure and convenient electronic identity technology and mutual-recognition between different electronic identities.
This is the first time that the NSTIC has been mentioned in legislation. There was little reference to this issue by the government before the enactment of the Cyber-Security Law. The NSTIC seems to be a Chinese equivalent of the NSTIC implemented by the United States and could herald further control over the identities of network users.
- Secure and Trusted Product
The Cyber-Security Law states that the government will promote secure and trusted network products and services. "Secure and trusted" is not defined and lacks clear and objective criteria. Presumably, network products and services will need to be tested and certified for security and trustworthiness. The standards or requirements for network products or services to be considered "secure and trusted" have not been specified.
In other chapters of the Cyber-Security Law, it is required that network products and services comply with mandatory requirements of national standards and that key network equipment and network security products be tested and certified for satisfaction of mandatory requirements of national standards. It is unclear what these mandatory requirements will be and how difficult it will be for products or services to meet these requirements.
- Special Meeting Sessions
It has been common practice for departments of the Chinese government to invite senior management of a company to a special meeting in respect of particular incidents or concerns. Provincial-level governments are now officially given the power under the Cyber-Security Law to invite the legal representative or other person in charge of a network operator to a special meeting if there is a high security risk in the network or a security incident has occurred.
- Would my entity be considered a CII?
Although the definition of a CII remains vague and subject to interpretation by the Chinese government, the Cyber-Security Law has set relatively high criteria for CII. Arguably, few entities, foreign companies in particular, would meet the criteria. Judging from the status of the implementation of the MLPS for information security, those subject to the highest scrutiny by the authorities are likely to be government departments and state-owned enterprises that provide vital services to the public.
The industries and sectors named in the CII definition are mostly restricted from foreign investment, as they provide basic "infrastructure" for the functioning of the country and government. Most foreign companies will fall outside the scope of CII. We hope that the State Council will soon publish the detailed scope of CII to clarify this issue.
- Will foreign technology or products be shut out of China?
In a press conference held for the publication of the Cyber-Security Law, an official of the Cyberspace Administration of China (CAC) denied suggestions that the reference to "secure and trusted" network products and services is intended to drive out foreign technology and products from the Chinese market. However, those who remember the actions of the China Banking Regulatory Commission (CBRC) between 2014 and 2015 may well think otherwise. Back then, the CBRC attempted to impose a requirement that a minimum percentage of information technology used by banks and financial institutions must be "secure and controllable", which at the time meant that the corresponding intellectual property should be owned indigenously.
China will still need foreign technology to protect its cyber security, and to keep its networks functioning, for the foreseeable future. The change of expression from "controllable" to "trusted" might indicate a less stringent requirement in terms of the indigenous ownership of the intellectual property. However, it should be noted that the concept of "secure and trusted", according to the CAC official, is an evolving one. With the localization of information technology remaining at the top of its agenda, the government may well tailor the concept in the future as it sees fit.