China’s new Cybersecurity Law will come into force on 1 June 2017, supporting the PRC government’s drive to protect “internet sovereignty” and ensure “secure and trusted” network products and services. However, many organizations (both domestic and international) are becoming increasingly concerned that the new law will lead to additional difficulties and restrictions when it comes to doing business in China. In this article we explore the implications of the new Cybersecurity Law and what impact it may have on your business operations.
Scope and applicability of the law
The new Cybersecurity Law will, amongst other requirements:
- impose security and privacy obligations on organizations who are "network operators" and suppliers of “network products and services”;
- require that Chinese citizens’ “personal information” and “important data” collected and processed by “critical information infrastructure operators” remain in China unless there are business needs requiring the data to be exported outside of China; and
- reinforce individuals' and organizations' responsibilities in protecting personal information and business secrets from unauthorized access and disclosure.
While some aspects of the new law will apply to any individual or organization, the majority of the more significant new obligations apply to two particular categories – those deemed to be “network operators” and those deemed to be operators of “critical information infrastructure”. While we expect the PRC government to publish more information on the scope and applicability of the new law in the coming months (both before and after 1 June 2017), we have summarized below what we know so far and how the law may apply.
"Critical Information Infrastructure Operators" ("CIIO")
One of the key points to note is that the much-publicised data sovereignty restriction (i.e. that data should not be transferred outside China) and some of the other more onerous obligations only apply to those who fall within the definition of a CIIO. This concept continues to be further explained and developed but its scope has seemingly been narrowed down in the most recent draft Measures on Security Examination of Network Products and Services (“Measures”). A non-exhaustive list of key industries is set out in the draft Measures and indicates that this aspect of the law will be predominantly targeted at companies operating in the financial services, telecommunications, energy and other public sectors.
The National Cyberspace Security Strategy (“Strategy”), published in late December last year, further elaborated on the scope of “critical information infrastructure” and indicated that it could also include those operating important information systems in the sectors of healthcare, scientific research, social security and ‘important Internet application systems’.
While it seems likely that any (domestic or foreign) organization falling within the above sectors and conducting business in China could be caught under the new Cybersecurity Law, it is noted that the detail of this definition and how it may be interpreted (and enforced) in practice is not yet available. We expect more guidelines to be issued by the regulators to provide more clarity on the meaning of “critical information infrastructure” and the applicability of the Cybersecurity Law.
Similar to CIIOs, it is not yet known exactly how the concept of “network operators” will be defined. However, based on the information published in relation to the new law to date, there is a possibility that a broad interpretation could be adopted, which would extend to deeming any organization that owns or operates computer systems, networks or a website in China to be a “network operator”.
Therefore, even if you consider your organization as unlikely to fall within the definition of CIIO, if you have any kind of operation in China then we recommend keeping a close eye on the development and implementation of this law in order to understand whether your organization will be considered a “network operator”.
Key requirements of the law
We have discussed above the scope and applicability of the new law, which continues to be developed. However, what are the requirements of the new law that you may need to comply with? We have set out some of the key requirements below:
- Storing important data within China: Any Chinese citizens’ ‘personal information’ and ‘other important business data’ which is gathered or produced by CIIOs must be stored within China. Where a CIIO can show that it is “truly necessary” due to business requirements to transfer it out of China, the CIIO must conduct a security assessment in line with the “Measures”, which require CIIOs to consider various risks, including the risk of unauthorized control or access, or “other risks which may harm national security and public interests”. Given the broad language of the Measures, it is difficult to determine at this stage how easy it would be for an international company to satisfy this security assessment where it proposes to share information (e.g. personal information of its Chinese customers) with its other branches and affiliated companies overseas. Ultimately, this requirement may have the effect of requiring a global organization to segregate its information systems into two distinct systems, one for China and one for the rest of the world, causing practical issues with shared IT systems, centralized back-up servers and databases, and the use of global outsourced service providers.
- Data privacy obligations on all network operators: The new Cybersecurity Law consolidates, reinforces and supplements some of the existing data privacy guidelines in China. Some of the requirements which apply to network operators include obtaining consent before collection, use and disclosure of personal information, clearly and promptly notifying customers of the purposes for which their data will be used and processed, adopting technical measures to ensure the security of personal information, establishing a platform for complaints regarding data or network security breaches to be lodged and maintaining a mechanism to deal with complaints and reports promptly. While several of these requirements were already established as “best practice” in non-binding guidelines within China, the effect of the new Cybersecurity Law will be to make these requirements binding with legal effect, at least to the extent that your organization is considered to be a “network operator”.
- CIIO security assessments and checks: At least once a year, CIIOs are required to carry out an inspection and assessment of their network security and send a report to the regulatory authority. In addition, the state network information department can conduct spot checks. Where a CIIO is purchasing network products and services which “might impact national security”, the CIIO must go through a national security review process organized by the state network information department. In practice, each of these obligations may be onerous and time-consuming to comply with, particularly given the lack of detailed information about what is required at this stage. There is a real concern among many companies that it may be more difficult to obtain the necessary approvals and clearances where the network products and services originate from a foreign-owned provider rather than a PRC provider.
- Security of network products and services: Any network products and services must comply with the relevant national and industry standards. Any provider of such products and services must comply with requirements such as ensuring that there are no malicious programs installed, storing network logs for at least six months, obtaining consent from the relevant individuals if such products and services are capable of collecting personal information, promptly notifying the relevant individuals of any risk of a data breach or flaws in its data processing mechanism, and “implementing network security protection responsibly”. Due to the lack of certainty in some of these concepts, it may be difficult for companies to satisfy themselves that their practices and processes are in compliance with the law, particularly in the early stages before further guidance and evidence of enforcement and implementation are available.
How to get ready for the new law
While we expect the regulatory authorities to issue further guidelines to resolve the ambiguity of some of the wording of the new Cybersecurity Law, we strongly recommend that any organization that has an online presence in China, owns or operates any computer systems in China, or intends to launch network products and services in China should keep up with the development of the new law and any media announcements, notes and guidelines issued by the regulatory authorities in relation to the law. This is particularly so due to the potentially serious consequences for breach of the new law, including fines and freezing of assets (specifically for foreign organizations). It would also be prudent to start reviewing strategies and policies in light of the new law, preparing written policies for implementation of the relevant procedures, and setting timeframes for when such procedures will be put in place.