The Legislative Affairs Commission of the Standing Committee of the National People’s Congress recently issued the Draft Cyber Security Law (the “Draft”) aiming at safeguarding China’s cyber sovereignty.

The Draft’s main highlights:

  • It establishes the government’s leading role in network building, operation, maintenance, security and use.
  • It establishes a supervision mechanism for security protection within China, under which network operators (i.e., network owners and managers and network service providers that use networks owned or managed by third parties to provide services) have a monitoring role that includes the following obligations:
  1. To formulate internal management and operating procedures for network security protection, determining the people in charge.
  2. To adopt technical measures to prevent computer viruses and other activities endangering network security.
  3. To adopt technical measures to record and track network operation status and to monitor and record network security incidents.
  4. To implement important data classification, backup and encryption measures.
  5. To verify user identity when managing network access or domain name registration services.
  6. To formulate emergency response plans for network security incidents and to manage system loopholes, computer viruses, network intrusions and attacks and any other security risks in a timely manner.
  • Key network equipment and specialized network security products must be certified or tested by licensed security institutions before accessing the market to ensure compliance with relevant national and industry standards.
  • Key information infrastructures –broadly defined to cover media, energy, water resources, transportation, finance, public services, military and government affairs, and network service providers with large numbers of users- will be protected through the following mechanisms:
  1. Operators will enter into a security and confidentiality agreement with suppliers of network products and services.
  2. Network products or services that may give rise to national security and public social order concerns will be subject to a security review by the relevant governmental authorities.
  3. Personal information and other important data obtained will be stored in China, and any disclosure overseas for business purposes will be subject to review in accordance with the standards set out by the State Council.
  4. Operators will carry out annual security reviews and adopt proper measures for security risk mitigation.
  • The Draft reiterates the importance and requirements of personal data protection, the need to obtain consent to collect user information and the need to inform users of the purposes, method and scope of information collection.
  • The Draft establishes various non-compliance liabilities, from warnings to penalties for network operators and those directly responsible for them.

The Draft, if approved, will be the first law promulgated by the highest Chinese legislative bodies that comprehensively addresses and may raise significant challenges to existing network operators, as they will be subject to greater scrutiny and administrative control. 

Date of issue: July 6, 2015. Deadline for public comments: August 5, 2015.