On May 28, 2019, China released draft Measures for Data Security Management (“Measures”) that purport to implement data protection requirements by creating individual rights to correct and delete personal information from data storage, mandatory notifications to individuals in the event of a data breach, and a presumption of liability on network operators for breaches caused by third parties. The Measures include a catch-all provision, however, that would compel the network operator (broadly defined) to provide so-called “important data” to the government upon its request. This follows a recent trend of regulations that empower the Chinese government to collect personal and corporate data, including regulations passed last November that give its national police authority to conduct remote or in-person inspections of nearly any entity with computers connected to the internet, the ability to copy user information from those entities deemed relevant for “internet safety supervision” (another catch-all), and the power to share this information with other state agencies. At a time when the U.S. government has banned all Huawei products due to its concern that the Chinese government is using Huawei as a vehicle to spy, these regulations provide the Chinese government with a direct window into U.S. and foreign companies doing business in China.
On November 1, 2018, China issued “Regulations on Internet Security Supervision and Inspection by Public Security Organs” to clarify portions of its 2017 Cybersecurity Law, which had already granted the Ministry of Public Security (“MPS”) broad authority over corporate computer networks in China. The new regulations apply to all internet service providers and to all “networking units,” defined as any organization with “five or more computers connected to the internet to conduct internet or internet-related activity.” “Internet-related activity” has been construed broadly to cover any company that uses the internet to conduct its business. The stated purpose of these regulations is to enable MPS to identify and prosecute companies for possessing “prohibited content” under Chinese law, which effectively means anything banned by the Chinese government, including articles published by blocked news outlets, videos produced by banned entertainment companies, and content from social media platforms such as YouTube and Facebook.
The regulations empower MPS to conduct in-person or remote inspections of companies and to view and copy information, including all user information and information related to network specifications, such as a network’s cybersecurity system. Companies that do not cooperate risk penalties ranging from fines to criminal detention.
There are no scope or time-limit restrictions on the remote inspections, which are easy for MPS to conduct and difficult for companies to detect. MPS can also share the company’s copied information with third-party agencies, and MPS is not required to provide the company with any pre- or post-inspection report. This means that a company might have little or no idea what information MPS obtained, let alone which agencies now possess it.
What This Means For You
These regulations may impact organizations in several ways. First, in-person inspections will likely disrupt business networks and continuity. To comply with an in-person inspection, a business may be required to take its website offline, which can result in interrupted operations and lost revenue. Second, while remote inspections will not be as disruptive to company operations, they pose significant security risks to a company’s IP, user information, and client information that may be of use to a company’s competitors. If MPS shares the entity’s information with third-party agencies, each additional copy creates a new avenue for attackers to reach that data (and recall that the Measures place a presumption of liability on network operators that suffer data breaches). Third, international companies operating in China risk giving MPS access to their international network, as opposed to an isolated network based in China. For example, if an international company uses one network for all of its offices, MPS would have access to the user information for every location.
There are many unanswered questions regarding how the Chinese government will interpret the catch-all provisions in the regulations and the Measures. Nevertheless, the regulations and the Measures raise concerns about what information companies should store on their networks, as well as what information individuals should provide to China-based entities. Companies should evaluate their networks to ensure that any network used in China is securely isolated from their global networks, so that an inspection of the Chinese segment cannot reach data held elsewhere. Finally, to avoid prosecution for possession of “prohibited content,” companies should inspect their own systems to ensure that they have not published material that would be banned in China.