China's Cyber Security Law (CSL) came into force on 1 June 2017. In this e-bulletin we highlight the key systems required to be implemented under the new law and the latest developments on implementation progress. For a general overview of the CSL, please see our earlier e-bulletin (click here)

Summary of the key systems and their status

The table below shows the key systems that are required to be implemented under the CSL and their current implementation status.  

Systems

Status

Security review of network products and services

Trial measures published in May 2017. Please see our e-bulletin for further details (click here)

Catalogue of key network equipment and network security products

Catalogue of first batch equipment and products published in June 2017

Multi-level protection system (MLPS) for network security

Regulations are still to be published. Implementation guidelines published in November 2016

Data export security assessment

Second draft of the Data Export Measures and Draft Guidelines (as defined below) published in May 2017

Critical information infrastructure (CII) protection

Regulations are yet to be published


Catalogue of first batch of key network equipment and network security products (Catalogue)

The Catalogue was published jointly by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS), and the Certification and Accreditation Administration (CNCA) on 9 June 2017 (click here for the catalogue).

Under the CSL, equipment and security products falling within the scope of the Catalogue will be subject to mandatory testing and certification by third-party institutions authorized by the government before they can be sold in the market. Manufacturers of such equipment and security products will need to apply to the third-party institutions for the testing and certification.

It remains unclear how the testing and certification requirement will affect existing network or information security products that have been tested or certified under the prior regimes established by the MPS and CNCA respectively. The CSL promotes recognition between different testing or certification regimes to avoid duplication. However, ministries led by CAC should clarify whether the new requirements under the CSL will apply to equipment and products already approved for sale in China.

Second draft of Data Export Measures published

The CAC released the second draft of its Measures for the Security Assessment of Export of Personal Information and Important Data(Data Export Measures) at a conference held on 19 May 2017. There have been some major changes compared to the first draft (click herefor our e-bulletin on the first draft):

  1. removing the requirement that personal data and important data should be stored within the PRC territory;

  2. adding the principles of "fairness, impartiality and objectivity" in conducting security assessments;

  3. making clear that data subjects may consent to use of data by their actions;

  4. removing the 1000 GB threshold for mandatory security assessments;

  5. removing the requirement for annual self-assessment;

  6. narrowing down the scope of data prohibited from being exported abroad;

  7. deleting the requirement that "other organizations and individuals" should also be subject to security assessment;

  8. extended the scope of personal information to include information reflecting personal activities; and

  9. introducing a grace period until 31 December 2018.

The changes made by the CAC to the second draft of the Data Export Measures reflect some of the comments given on the first draft by companies and organizations. Most notably, it removes the requirement that personal data and important data be stored within the PRC. This major change will benefit a number of multinational companies that store their data on servers located outside China. Additionally, the second draft reduces the scope of data that is subject to security assessment and data prohibited for export. It also removes other organisations and individuals from the scope of the Data Export Measures which helpfully limits the application of the regime and removes the uncertainties in the first draft.

The second draft provides that the Data Export Measures take effect on 1 June 2017 and network operators should ensure compliance from 31 June 2018. The CAC appears to acknowledge the difficulties faced by companies and organization in implementing the Data Export Measures by granting the preparatory period.

Whilst the second draft of the Data Export Measures provides that the measures take effect on 1 June 2017, the official version of the regulations has not yet been published. The reason for the delay in publishing the formal Data Export Measures is not clear. However, it appears that the CAC has not reached consensus on the final draft internally and is still amending the second draft.

Draft guidelines for data export security assessment (Draft Guidelines)

Following release of the second draft of the Date Export Measures, the Draft Guidelines were published on 27 May 2017 by the National Information Security Standardization Technical Committee seeking public comments. The deadline for submitting comments is 27 June 2017. The Draft Guidelines set out the assessment procedures and key considerations for data export and define the scope of "important data".

The Draft Guidelines are key to the interpreting the Data Export Measures and bring them a step closer to implementation. As the Draft Guidelines serve as a practical guide for entities to follow in conducting security assessments, we encourage our readers to review the Draft Guidelines and submit comments to the CAC as soon as possible.

Security assessment regime for new internet service

MIIT published the draft Administrative Measures for Security Review on New Internet Service (New Internet Service Measures) on 8 June 2017 seeking public comments by 9 July 2017.

Under the New Internet Service Measures, telecom service operators are required to conduct, or engage a third-party institution to conduct, a security self-assessment for any new internet services (New Internet Services) that the telecom service operators intend to provide to the public, including:

  1. operating a licensed telecom service on the internet; or

  2. operating a telecom service that is not included the Classified Catalogue of Telecom Services.

Telecom service operators must complete the security assessment and produce an assessment report before the New Internet Services commence online. Results of the security assessment must be notified to MIIT and its local counterparts within 45 days after completion of the assessment.

Telecom service operators also need to conduct reviews every six months following the launch of a New Internet Service and conduct security assessments if any security risk arises due to changes to the New Internet Service.

If the telecom service operators fail to carry out the security assessment or otherwise violate relevant requirements, MIIT and its local counterparts have the power to require a meeting with management of the telecom service operator, in addition to taking administrative action and imposing penalties.

The CSL does not provide for a security assessment regime for the New Internet Services, nor is the CSL referred to in the draft New Internet Service Measures. MIIT appears to have taken its own initiative in establishing the regime.

The definition of New Internet Services is so broad that it encompasses almost all telecom services to be provided on the internet. The MIIT has yet to release detailed standards or requirements for the security assessment. Companies that provide or intend to provide telecom services on the internet should closely monitor the development of the New Internet Service Measures and submit their comments to the MIIT.

With the CSL taking effect on 1 June, we expect the CAC and other ministries to publish more regulations and standards in the coming months to facilitate implementation of the law. We will keep you posted with the latest development and would encourage companies to seek advice from a professional adviser on the impact.