The PRC Cyber Security Law (“CSL”), issued by the Standing Committee of the National People’s Congress of the PRC, came into effect on 1 June 2017.
The CSL is the first set of comprehensive legislation governing cyber security and data privacy in China. It regulates all activities relating to the construction, operation, maintenance and use of networks, as well as the supervision and administration of cyber security, within the territory of the PRC. Unfortunately, the definitions of the regulated entities, such as Network Operators (please see details under Section 1 a)) and CII Operators (please see details under Section 1 b)), are very broad and ambiguous. Further, many requirements under the CSL, such as the requirement to localize personal information and important data in China, have left companies in the private sector, in particular foreign companies doing business in China, fairly concerned about the applicability of and compliance with the CSL requirements. Since many terms of the CSL are rather vague, many details are still subject to implementing regulations, some of which have already been published; the majority, however, still has to be enacted.
On 1 June 2017, the Provisions on Examination of Network Products and Services (Trial) (“NPS Provisions”) also came into effect. They are the first and an important set of implementing regulations of the CSL. Although further clarifications are needed, the NPS Provisions are likely to apply mainly to Critical Information Infrastructure Operators (as defined below). Other than the NPS Provisions, the regulations to supplement and implement the CSL have not yet been enacted, and so far only drafts are available. They include, inter alia, the Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (a draft was issued on 11 April 2017), Information Security Technology – Guidelines on Data Security Assessment (a draft was issued on 27 May 2017), the Guidelines on Identification of Major Data, the Regulations on Security of Personal Data, the Catalogue of Critical Network Equipment and Specialized Cyber Security Products, and the Provisions on Security Protection and Scope of Critical Information Infrastructure.
The legal framework is still evolving, with supporting regulations and guidelines to be promulgated in the next couple of months. Media reports indicate that the Cyberspace Administration of China (“CAC”) has informally agreed to delay the implementation of the CSL requirements governing cross-border transmission of information until the end of 2018.
1. Regulated Entities
Subject to further clarification of the CSL by implementing rules, according to its wording the CSL applies to all persons and entities engaged in network-related activities in China, including the construction, operation, maintenance and use of networks, as well as to the supervision and administration of cyber security within the territory of the PRC. “Networks” are defined as systems composed of computers and other information terminals and the relevant facilities for collecting, storing, transmitting, exchanging and processing information in accordance with certain rules and procedures.
There are four types of entities specifically regulated under the CSL, i.e. Network Operators, Critical Information Infrastructure Operators (“CII Operators”), Network Products and Services Providers (“NPS Providers”), and ordinary entities and individuals. CII Operators are a sub-category of Network Operators, which means that an entity categorized as a CII Operator must comply with the obligations imposed on both Network Operators and CII Operators.
a) Network Operators
Network Operators are defined in the CSL to include owners and administrators of networks as well as network service providers. On a literal reading of the provisions, they are likely to include any entity operating a business over networks or the Internet. That is, all companies owning or operating network infrastructure in China (not only telecommunication companies, but also ordinary manufacturing and trading companies which have their own IT network) and all companies operating websites can be regarded as Network Operators.
b) CII Operators and NPS Providers
The precise scope of CII Operators and NPS Providers is likely to be defined under the upcoming supplemental regulations, such as the Catalogue of Critical Network Equipment and Specialized Cyber Security Products and the Provisions on Security Protection and Scope of Critical Information Infrastructure. The meaning of NPS is not defined and remains unclear under the CSL. We understand that it refers to IT companies or internet service providers that provide software, applications, network equipment or devices and related consulting services.
The focus of the CSL currently falls on CII and CII Operators. Under the CSL, CII refers to the information infrastructure used in important industries and sectors, such as public communications, information services, energy, transport, water conservancy, finance, public services and e-government, where the destruction or loss of function of such infrastructure, or any leakage of data from it, would result in serious damage to national security, the national economy, people's livelihood or the public interest.
Thus, according to a literal reading of the CSL, Network Operators engaged in the foregoing CII industries and sectors are likely to be categorized as CII Operators. The broad definition of CII may result in any company that holds a significant amount of information on Chinese citizens being categorized as a CII Operator if the leakage of that data could result in serious damage to people’s livelihood or the public interest. Further, it remains unclear whether a company that provides services or products (other than network-related products or services, which are regulated separately under the CSL) to a typical CII Operator (such as China Telecom) will also be categorized as a CII Operator. We tend to believe that a narrow interpretation of CII Operators is likely to be adopted in the subsequent guidelines and regulations supplementing the CSL.
Further clarity on the definition and scope of CII Operators is important, because the CSL imposes a number of stringent obligations on CII Operators, including localizing personal information and important data in China and going through a “national security review and inspection” conducted by certified institutions for all network products and services they plan to procure for their information infrastructure.
The NPS Provisions seem to offer no clarification on the meaning and scope of CII Operators or NPS Providers. Further, based on the current wording of the NPS Provisions, it remains unclear whether the “national security review and inspection” requirement for network products and services will apply to CII Operators only or will also extend to other Network Operators.
2. Localization of data in China
Amongst the stringent requirements under the CSL, the one that has attracted the most attention from foreign companies is the requirement to localize personal information and important data in China.
The CSL requires a CII Operator to keep in China (i.e. Mainland China) all personal information and important data collected during its business operations in China. A security assessment is required prior to any disclosure or transmission of such data from China to an overseas jurisdiction.
a) Scope of Obliged Entities
Pursuant to the Provisions for the Security Assessment of Personal Information and Important Data Exporting from China (draft for consultation) issued on 11 April 2017 (“Draft PIID Provisions”), the security assessment requirement seems to extend to Network Operators in addition to CII Operators. For example, under the Draft PIID Provisions, a security assessment is required if the personal information to be exported reaches an amount of 1,000GB.
However, on 5 June 2017, the Cyber Security Coordination Bureau of the Cyberspace Administration of China (“CSC Bureau”) held a press conference, offering the following clarifications:
(1) The data localization requirement will apply to CII Operators only.
(2) The regulated “important data” means the data important to the state rather than to specific entities or individuals.
(3) To the extent that an overseas transmission of such important data is needed, it can be exported outside of China as long as the relevant security assessment confirms that such exportation would not impair national security or the public interest.
(4) All personal information can be exported outside of China provided that consent from the data subject is obtained.
It must be noted that the foregoing clarifications from the CSC Bureau do not constitute an official amendment or interpretation of the CSL. Technically, therefore, it remains unclear whether the data localization requirement will apply to CII Operators only or will also extend to other regular Network Operators.
b) Definition and Scope of Personal Information
Under the CSL, personal information is defined as any information, recorded in electronic or any other form, that is used alone or in combination with other information to identify a natural person, including but not limited to the name, date of birth, ID number, personal biological identification information, address and telephone number of the natural person. According to the CSL, personal information must be identifiable, which means that if the information is separated from the personal identity, it is no longer deemed personal information.
The information specified under the CSL is not meant to be an exhaustive list of protected personal data. Thus, the CSL is unlikely to intentionally exclude other types of data specifically protected as personal information under other laws and regulations, even if such data is not explicitly listed in the CSL. For example, two further categories should also be deemed protected personal information under the CSL: information on the time and location of the internet service used by users (“User’s Information”), which is explicitly protected as personal information under the Provisions of Protection of Personal Information of Telecommunications and the Internet Users issued by the Ministry of Industry and Information Technology on 16 July 2013; and information regarding the tracks and records of a natural person’s whereabouts, as specified in the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizen’s Personal Information, which was recently issued and came into effect on 1 June 2017.
c) Definition and Scope of Important Data
The term “important data” is not defined under the CSL. However, pursuant to the Guidelines on Security Assessment for Data Exportation (draft for consultation) (“Draft DE Guidelines”) issued on 27 May 2017 and the Draft PIID Provisions, “important data” is defined as data that is closely related to national security, economic development, and the interests of the public and society.
The Draft DE Guidelines provide a detailed description and list of important data for 27 industries and sectors, as well as a catch-all provision offering general principles for determining important data in other industries and sectors.
As mentioned above, the regulatory regime is still evolving, and further clarification on certain key issues, such as the scope of CII Operators, is definitely needed before foreign companies can determine the applicability of the CSL requirements and the exact extent of the potential impact on their business in China.
Although the risk that the CSL will actually be enforced in practice prior to the issuance of implementing regulations may be relatively low, it is still advisable to seek tailor-made legal advice on an ongoing basis in order to fully and accurately understand the scope and extent of the applicability of the CSL to your business in China.