On June 1, 2017, China’s controversial Cyber Security Law (“CSL”) came into force, with the stated aims of “formulating a comprehensive regulatory regime for network security” and “safeguarding national security”. The law joins a growing body of Chinese cyber regulation (including the July 2015 National Security Law and April 2017 Draft Encryption Law), marking an increasing focus of the Chinese regulatory authorities on controlling cyberspace and furthering President Xi Jinping’s goal of asserting China’s “internet sovereignty”.
Imposing strict requirements on data storage and surveillance, the CSL has wide ramifications for foreign companies operating in China. Provisions requiring the “localization” of data have raised concerns of discrimination against foreign companies. Meanwhile, the terms and scope of the CSL remain the subjects of worrying ambiguity. Over 50 overseas businesses and chambers of commerce petitioned, without success, against the June 1st enforcement date.
In the coming months, the new Cybersecurity Administration of China (“CAC”) overseeing the CSL is expected to issue more comprehensive implementing regulations. Nonetheless, companies with operations in China are advised to identify their obligations under the new law without delay and take measures to maintain compliance.
Who is affected by the CSL?
Any company which owns, manages or provides services through a “network” in China (“Network Operators”) is subject to the provisions of the CSL. Under Article 76, a network comprises “any system that can be used for information gathering, storage, transmission, exchange or processing”. As such, any entity which operates more than one computer in China stands to be affected.
The law creates additional compliance burdens for Critical Information Infrastructure Operators (“CIIOs”), defined broadly to include companies in the radio, television, energy, transport, water conservancy, finance and public service sectors, as well as operators of any other critical information infrastructure that “will result in serious damage to state security, the national economy and the people's livelihood and public interest if it is destroyed, loses function or encounters data leakage” (Article 31).
What new requirements are imposed by the CSL?
Under the CSL, all Network Operators are required to implement the following measures:
- Gain permission before collecting personal data, which must be related to the services of the Network Operator (Article 41);
- Explicitly indicate the purpose, means and scope of the collection and use of personal data (Article 41);
- In the event of data leakage, damage or loss, inform citizens affected, report to the competent government departments and take remedial measures (Article 42);
- Delete or amend, on request, any personal data found to violate the provisions of the CSL (Article 43);
- Establish internal security management systems and operating rules, such as emergency response plans and periodic risk warnings for members, according to a tiered network security protection system (to be released by the State Council) (Articles 21-30);
- Appoint a member of personnel responsible for network security (Article 21);
- Store important data, and personal information gathered or produced during operations in China, within the mainland territory of the PRC;
- When business need requires the transfer of such data out of China, demonstrate the necessity of data export and conduct or submit to a security assessment, depending on the size or importance of data (the specifics of which the CAC has yet to disclose) (Article 37).
Note that while Article 37 imposes this last requirement only on CIIOs, the CAC’s supplementary Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (“Measures”) controversially extend it to all Network Operators, with full enforcement scheduled for the end of 2018.
Many are concerned that, among the implications of this extension, the administrative hurdles proposed by the Measures will impair the ability of a range of companies to conduct cross-border business in a timely manner. It is also possible that, ultimately, companies unable to demonstrate the “necessity” of data export will need to relocate servers to China, involving significant IT restructuring.
Maintaining Compliance: How should companies respond?
Seeking to ease the concerns of multinationals, the CAC has made assurances that it is not the object of the CSL to obstruct cross-border data flow or China’s integration with the global economy, both of fundamental importance to China’s global economic ambitions. Notably, discourse surrounding the CSL has also often overlooked the fact that the present escalation in cyber governance is not unique to China. Coming into force in May 2018, the EU’s General Data Protection Regulation (“GDPR”) bears remarkable similarity to the CSL in respect of the need to appoint data protection “officers”, report data breaches and justify cross-border data transfers.
Nonetheless, China’s historic restriction of the freedom of information and newly professed goal of asserting “internet sovereignty” have sparked concerns over the potential for arbitrary implementation of the new law. Severe penalties for violations of the CSL, including the cancellation of business licenses and fines of up to RMB 1,000,000 (approximately USD 150,000), have done little to allay these concerns.
Given the potential scope and impact of the CSL, companies are advised to take preparatory measures as soon as possible. These should include:
- Reviewing privacy policies to ensure compliance with new provisions on data collection;
- Appointing responsible network security personnel and staff to monitor the release of implementing regulations;
- Conducting internal audits, creating checklists of issues to address and protocols to establish;
- Determining whether the company could be categorised as a CIIO, and identifying any additional obligations;
- Understanding the potential implications of data localization for data storage.
Only the forthcoming implementing regulations, which the CAC and State Council may issue at any time, will reveal the wider implications of the new law. Multinational companies operating in China are advised to closely monitor these ongoing developments in the evolution of China’s cybersecurity regime.