On November 1, 2018, China’s new “Regulation on the Internet Security Supervision and Inspection by Public Security Organs” (公安机关互联网安全监督检查规定) will take effect. Passed by China’s Ministry of Public Security (MPS) on September 30, 2018, it is the latest regulation that implements China’s Cybersecurity Law (CSL), which took effect in June last year. The regulation sets forth guidance and procedures for how China’s Public Security Bureaus (PSBs) conduct cybersecurity inspections of businesses providing or using Internet services in China. The regulation gives PSBs broad authority over cybersecurity inspections and is anticipated to pave the way for enforcement measures in the future. Considering the likely overlap between the regulation and other MPS regulations aiming to implement the CSL, further guidance is expected to clarify how these different implementing regulations interact with each other.
China’s new cybersecurity inspection regulation
Scope and applicability. The regulation allows PSBs to conduct cybersecurity inspections of four types of Internet service providers and network-using entities (联网使用单位):
- Providers of Internet, data centers, content distribution and domain name services;
- Providers of Internet information services;
- Providers of public Internet access (such as Internet cafés); and
- Providers of other Internet services, which will be determined at the PSBs’ discretion.
PSBs are granted considerable discretion to determine whether the regulation applies to a specific business. Notably, the regulation is silent on what constitutes Internet service providers and network-using entities, the latter of which was defined in a 1997 MPS regulation as entities connected to the Internet that are required to register with the local PSB. Arguably, these two types of entities would also be deemed network operators under the CSL, defined to mean “owners, operators, and service providers of computer networks,” and further subject to various obligations imposed by the CSL.
PSBs’ broad authority to inspect. Under the regulation, PSBs are granted broad authority to conduct on-site and remote inspections, either by themselves or by engaging qualified third-party vendors. Remote inspections are allowed if the company is informed of the time and scope of the inspection in advance. On-site inspections, however, are allowed at the facilities of a business, including its data centers, without any advance notice. Additionally, it is within PSBs’ authority to interview business executives, and to review and copy documents discovered during inspections.
A PSB inspection, whether on site or remote, can focus on one, or more, of seven aspects. Specifically, PSBs can inspect whether a company has:
- Filed for record with the PSB as a network-using entity;
- Implemented internal cybersecurity programs and appointed a cybersecurity officer;
- Recorded and retained registration information and web logs of users;
- Taken measures to prevent computer viruses and cyberattacks;
- Taken measures to prevent the transmission and publication of illegal content;
- Provided assistance to PSBs in investigations relating to national security, terrorism and crimes; and
- Fulfilled its obligations under the Cybersecurity Multi-Level Protection Scheme, which requires that network operators take certain measures to protect their networks based on the relative impact on national security, social order and economic interests if their IT systems are damaged or compromised.
One major concern about the PSBs’ broad inspection power granted by the regulation is the protection of confidential and proprietary information discovered during inspections. The regulation attempts to address this by prohibiting the PSBs from disclosing, sharing or selling personal or private information, trade secrets and state secrets discovered during the inspections, or from using such information for any purpose other than enforcing the regulation (article 5), and by subjecting violations to potential criminal penalties (article 25). How these provisions will be enforced is unclear absent any specific language detailing procedures for administrative oversight or private causes of action.
Penalties. The regulation gives PSBs authority to impose a range of penalties for cybersecurity violations. For example, PSBs may order a company to remediate issues that result from minor, administrative violations. PSBs may also issue penalties in accordance with the CSL and China’s Counter-Terrorism Law. These penalties range from warnings and orders to remediate the issue to heavy fines and detention of individuals in charge.
Under the CSL, PSBs are already afforded broad powers to protect, supervise and administer cybersecurity affairs. The local branches of PSBs have been actively involved in the enforcement of the CSL by punishing companies in violation of Article 21 of the CSL, which requires, inter alia, adoption of cybersecurity measures based on assigned security grade and keeping of security logs for six months or more. The new regulation codifies PSBs’ additional power to inspect, giving PSBs unchecked discretion to determine to whom the regulation applies, to what it applies, when an inspection can occur and what penalties should apply to a given violation. Multinational companies doing business in China that fall under the regulation’s definitions of Internet service providers and network-using entities will need to prepare to deal with this authority.