In an unusual move, the Standing Committee of the National People’s Congress published the PRC Cyber Security Law (Second Consultation Draft) (“2nd Draft”) for a second round of public comment on 5 July 2016 (the full text is available in Chinese, and an unofficial English translation is also available).
This draft follows from the first consultation draft released on 6 July 2015 (KWM published an alert on the first consultation draft as well as a more comprehensive analysis). The amendments in the 2nd Draft revise and clarify certain obligations imposed in the first consultation draft, tighten the regulation of data flows and of suppliers of technological products and services, and also provide some additional insight into what China’s anticipated cyber security strategy may contain.
Cyber security strategy
- Significantly greater prominence has been given to a national cyber security strategy and cyber security defence capabilities, with the provision providing for the establishment of such a strategy (Article 4) being elevated from Part 2 (Support and Promotion of Cyber Security, formerly Strategy and Planning for Cyber Security) to Part 1 (General / Principal Provisions). In addition, new Article 5 also provides that the State will take measures to monitor, defend and deal with cybersecurity risks and threats from both within and outside its national territory, and in particular to protect key information infrastructure facilities from attack, invasion, interference and destruction.
- The 2nd Draft also hints at the possibility of a more open cyber environment and more collaborative cyber governance. In addition to maintaining the invitation to the private sector to participate in the formulation of national and industry cyber security standards (Article 14), it also calls for the establishment of a multilateral, democratic and transparent cyber governance regime (Article 7).
- The importance of data in driving innovation and economic development has also been recognised, and State support for open access to public data has been legislatively enshrined in new Article 17. In line with this, an exemption to the privacy and protection of personal data requirements has been introduced for de-identified data (where the risk of re-identification has been mitigated) in order to facilitate the use of Big Data (Article 41).
- Verification and validation capabilities also appear to rank highly in China’s cyber policy. State support for cyber security certification, security assessment and risk evaluation services is now provided for in new Article 16. At the same time, in addition to providing support for the development of secure and interoperable technologies for the verification of digital identity, the 2nd Draft also elevates the establishment of a trusted online identity to a matter of national strategy (Article 23).
- However, despite the call for a multilateral cyber governance system and more open access to data, the 2nd Draft also firmly keeps the control of cyber security related information in the hands of the State. In order to prevent “the uncontrolled release of cyber security information”, such as announcements in relation to system vulnerabilities, computer viruses and network attacks and invasions, from “impacting the maintenance of network security”, new Article 25 was introduced to require all publication of such information to be made “in accordance with the applicable laws”. Penalties for serious or repeated breaches of Article 25 can be harsh, and may include temporary closure of the business and shut down of the business’ website (Article 60). However, neither the 2nd Draft nor the explanatory notes specify what these laws are (or whether they are yet to be legislated).
Some of the uncertainties in the previous consultation draft continue while some have now been clarified:
- Length of network operators’ record keeping obligations - Article 20 now makes clear that network logs used for monitoring and recording network status and network security incidents must be kept for a minimum of 6 months.
- Definition of “critical information infrastructure” - This term had been broadly defined in the previous draft to mean operators of basic information networks providing services such as public correspondence and radio and television broadcast, important information systems for industries in infrastructure, utilities, medical and social services, as well as military and government affairs networks. The previous definition also included the even broader limb “networks and systems owned or managed by network service providers with massive numbers of users”, which potentially would include a wide range of businesses that have little practical connection to national security. The revised definition now refers to any infrastructure that, if it were to be destroyed, lose functionality, or suffer a data breach, may cause a serious threat to national security, the social or economic well-being of the nation, or the public interest (Article 29). The Standing Committee stated in its Explanation of Revisions that it did not want to enumerate the scope of critical information infrastructure in the 2nd Draft. Consequently, Article 29 states that the specific scope of sectors and entities falling within this definition, and the security protection rules which will apply to them, will be determined separately by the State Council.
While these information infrastructure and security protection rules will not be mandatory for network operators outside the field of critical information infrastructure, the State encourages all operators to voluntarily participate in the critical information infrastructure protection framework.
- Onshore data storage requirements - The requirement for operators of critical information infrastructure to retain certain information within China has also been clarified. As was the case with the 1st Draft, the 2nd Draft still requires storage in China of citizens’ personal information. However, the requirement to store “other important data” in China has been changed to a requirement to store “important business information” in China (Article 35), making it clearer that the scope of this obligation applies to business and not personal data. Interestingly, the 2nd Draft no longer explicitly allows that information to be “stored” overseas, only allowing “disclosure” overseas where the criterion of business necessity is met and the specified security assessments have been conducted and satisfied. It is not clear whether this is intended to allow only temporary storage overseas, with the data to be destroyed once the purpose of the disclosure is met, or whether the authorisation of disclosure implicitly carries with it the authorisation of storage. The security assessments, which are yet to be released, may provide further clarity on this issue.
The 2nd Draft has included further regulation in a number of areas:
- New Article 9 introduces an explicit requirement that network operators comply with all laws and administrative regulations, and act in accordance with the principles of social ethics, honesty and fair commercial practice. Of particular interest is the obligation of network operators to “fulfil their duty of maintaining network security, accept government supervision and public scrutiny, and assume social responsibility”. When Article 9 is read in conjunction with amendments to include “the promotion of core socialist values” (Article 6) and the prohibition on “incitement for the overturn of the socialist system” (Article 12), there could be a perception that the underlying purpose of these new obligations is to strengthen State control of the dissemination of information.
- As part of their cyber security notification obligations, providers of network products and services are now required to report any risks such as security flaws or vulnerabilities to the relevant authority in accordance with the regulations, in addition to notifying end users (Article 21). As currently drafted, the provision would impose significantly higher disclosure burdens on those persons than existing and proposed notification schemes internationally, given that it relates to security risks rather than actual breaches, and does not have any materiality threshold.
- The requirement to verify the identity of end users has been extended to providers of instant messaging services (Article 23). This requirement may limit the ability of overseas application, web messaging and VoIP service providers to enter into or continue operating in the Chinese market, since it will be more difficult for them to verify the identity of Chinese users without a physical presence in China.
- Regulatory authorities have also been provided with explicit and enhanced monitoring, investigation and enforcement powers. A new clause added to Article 47 now expressly requires network operators to cooperate with the network and information departments and other relevant departments in their authorised supervision and inspection duties. At the same time, new Article 54 gives regulatory authorities investigatory powers and allows regulatory authorities at the provincial level or higher to request interviews with the legal representative or key responsible persons of network operators in the event of any significant security risks or security incidents. Network operators are required to implement mitigation strategies and security enhancements as directed.
- The 2nd Draft also introduces some new penalties for breaches of the cybersecurity law. For example, a serious breach of Article 26 by engaging in activities which endanger national security, or providing tools or assistance to those who endanger national security or network security, is not just a civil offence with financial penalties, but is also a criminal offence punishable by detention for a period of up to 15 days. In addition, under the new Article 61, any person who intentionally engages in activities which endanger cybersecurity may be subject to a lifetime prohibition from working in network security management or in key network operations positions (in addition to other civil and criminal penalties). Corporations that breach the cybersecurity law may also have such contraventions recorded in their credit files and made public (Article 68).
What does this mean for business?
The 2nd Draft is still open to the criticisms made in respect of the initial draft released in July last year, particularly about the vagueness and uncertainty around the scope and extent of the legislation. This is particularly apparent in the Standing Committee’s decision not to define “critical information infrastructure”. It remains unclear whether the final definition will be narrower, or broader still, than what was already contained in the 1st Draft. While the 2nd Draft has not changed this uncertainty significantly and retains the onerous regulatory burdens of the initial draft, some of the policy positions and focus areas revealed in the new drafting have become clearer.
The draft PRC Cybersecurity Law, when first released, appeared to consolidate State control over data and communications, and appeared to be a further step in the government’s protection of China’s technological sovereignty. This is still the case. The 2nd Draft still represents challenges for foreign companies operating in and seeking to access China’s technology and technology service markets, increases data residency requirements, and necessitates greater cooperation with the State through disclosure rules and requirements to cooperate with authorities conducting supervision and investigations. The law still provides compelling reasons for companies to review how they handle data and the way in which security qualifications will affect how they can sell their IT hardware and equipment in China.
However, there is hope that the Chinese government will respond positively to the concerns expressed on the draft Cybersecurity Law. For example, rules requiring companies in the financial sector to prove the “security and controllability” of their equipment through intrusive testing were suspended, and encryption code handover requirements under national security and counter-terrorism laws were also rolled back.
Consistent with this, the National Information Security Standardization Technical Committee (TC260), the body charged with defining cyber security standards, has taken a more inclusive approach in instituting its regulations. Earlier this year, foreign technology companies, which were previously only granted observer status on the committee, were allowed to take an active part in rule drafting for the first time. (Notable foreign companies on the committee include Amazon, Apple, IBM, Intel and Microsoft.)
More recently, on 10 August 2016, 46 trade associations wrote a joint letter to Premier Li Keqiang stating a concern that the Cybersecurity Law appeared to impose trade barriers in contravention of WTO principles. The letter stated that the onshore data retention requirements, increased government monitoring and strict parameters imposed on cyber security technology were seen as measures that would weaken security and separate China from the global digital economy.
Public submissions to the 2nd Draft closed on 4 August 2016. Under the usual procedures, the Standing Committee of the National People’s Congress may conduct a third reading and make further revisions before putting the legislative bill to vote.