It has been more than three months since the PRC Cyber Security Law (“CSL”) has taken effect on 1 June 2017. Except for the Provisions on Examination of Network Products and Services (Trial) (“NPS Provisions”) which have come into effect on the same day as the CSL, other regulations to supplement and implement the CLS have not yet been enacted. So far, only some supplementary regulations are available in draft versions for public consultation purposes.
On 10 July 2017, the Cyberspace Administration of China (“CAC”) issued a draft of the Regulations for Protection of Critical Information Infrastructure (“CII Regulations”) for public consultation. Given the stringent requirements for “keeping data in China” and “national security assessments” which are initially provided under the CSL for the Critical Information Infrastructure (“CII”) and CII Operators, the draft CII Regulations which are intended to provide clarifications on the CII and CII Operators have generated a lot of attention from companies in private sectors.
Despite of the early stages, the PRC authorities have already taken initiatives to enforce the CSL towards governmental and quasi-governmental entities (i.e. those non-operational entities directly or indirectly supervised or set up by government authorities).
1. Legislative Development – Draft CII Regulations
Pursuant to Article 31 of the CSL, the regulations in respect of the scope of and protection requirements for the CII are to be promulgated by the State Council of the PRC. However, the draft CII Regulations were actually drafted by the CAC, a lower-level authority of the State Council.
As such, there is criticism that certain provisions of the draft CII Regulations including those governing the scope of the CII and obligations of CII Operators have somehow broadened or are inconsistent with the original meaning of the provisions set out in the CSL.
a) What is a CII and what is a CII Operator?
Under the CSL, CII refers to the information infrastructure used in important industries and sectors such as public communications, information services, energy, transport, water conservancy, finance, public services, e-government where it would result in serious damages to the national security, national economy, people's livelihood and public interests if such information infrastructure is destroyed, loses any functions or there is any data leakage out of such information infrastructure. According to a literal reading of the CSL, Network Operators engaged in the foregoing CII industries and sectors are likely to be categorized as CII Operators. The meaning and scope of the CII Operator is subject to the scope of the CII.
Article 18 of the draft CII Regulations provides that: the following units' operation and management of network facilities and information systems would result in serious damages to the national security, national economy, people's livelihood and public interests, if such information infrastructure is destroyed, loses any functions or there is any data leakage out of such information infrastructure:
(1) Governmental agencies/organs and those entities in the field of energy, finance, transportation, water conservancy, hygiene and medical services, education, social insurance, environmental protection and the public utilities sector;
(2) Information networks, such as telecommunication networks, broadcast television networks and the internet as well as entities that provide cloud computing, big data and other large-scale public information internet services;
(3) Scientific research and production entities in the fields such as national defense, large-scale equipment, chemical engineering and food and drug industry sectors;
(4) Press units such as broadcasting stations, TV stations, news agencies; and
(5) Other key entities.
As can be seen from the wording of the draft CII Regulations, an entity would be categorized as a CII Operator if both of the following conditions are satisfied:
(1) The CII is used in a key industry – The scope of the key industries specified in the draft CII Regulations is broader than that in the CSL.
(2) The CII may give rise to key risks – This is generally in line with the CSL definition, i.e. potentially serious damage to the national security, national economy, people's livelihood and public interests, if such information infrastructure is destroyed, loses any functions or there is any data leakage out of such information infrastructure.
It is notable that the scope of the CII and CII Operators under the draft CII Regulations has been significantly broadened. For example, private companies that provide cloud computing, big data or companies in the food and drug sectors are now subject to higher risks of being categorized as CII Operators. Additional clarifications will be provided through the Guidelines for Identification of Critical Information Infrastructure (“CII Guidelines”) to be jointly promulgated by the CAC, the Ministry of Public Security (“MPS”) and the Ministry of Industry and Information Technology (“MIIT”), which are currently not publicly available. For example, under the draft CII Regulations, the meaning and scope of large-scale public information internet services is still unclear.
So far, the draft of the CII Guidelines has not yet been issued. According to the draft CII Regulations, the respective industry-specific regulatory authorities will be undertaking the activities for identification of CIIs in its respective industry based on the CII Guidelines and report such identified CIIs to the CAC (the reporting line is not clearly stated in the CII Regulations). As such, whether or not a specific information infrastructure will be categorized as a CII is subject to the discretionary assessment and determination of the industry-specific regulatory authority.
2. Internal CII Guidelines
As stated above, so far, no CII Guidelines have been formally issued. However, the Guidelines for Determination of Critical Information Infrastructure (“Internal CII Guidelines”) seem to have been circulated among the local Chinese governmental authorities for their enforcement of the CSL towards governmental and quasigovernmental entities (excluding State-owned enterprises) for the time being. Which authority drafted such Internal CII Guidelines, the legal effects, and the date of issuance of such Internal CII Guidelines are all unclear.
a) Scope of the CII under the Internal CII Guidelines
Under such Internal CII Guidelines, the definition of the CII is generally in line with that under the CSL. Further, the Internal CII Guidelines have divided the CII into three categories:
(1) Websites, including the websites of the Party, governmental agencies/organs, quasi-governmental entities, and news agencies;
(2) Platforms, including instant-messaging platforms, online trading/purchase platforms, online payment platforms, search engine platforms, email platforms, Bulletin Board System (BBS) platforms, mapping platforms, video/audio sharing platforms, etc;
(3) Production businesses, including office and operation systems, industrial control systems, large-scale data centers, cloud computing platforms, Television transmission systems, etc.
The scope of the CII under the Internal CII Guidelines is not consistent with that provided under the draft CII Regulations.
b) Three Steps for Identification of the CII
The Internal CII Guidelines set out three steps to identify and determine the CII in a particular industry:
(1) Determine the key business of a particular industry in the relevant jurisdiction;
(2) Determine the information system or industrial control system which supports the key business; and
(3) Determine the level of significance of the information system or industrial control system to the key business , and the potential damages that may be caused by a security event in respect of the information system or industrial control system.
c) For step (1) and step (2) above, the Internal CII Guidelines provide a table setting out the key industries, key segments of the key industries, key businesses, the category and name of the CII that may potentially support such key businesses. Amongst others, the key industries include energy, transport, water conservancy, finance, public facilities and services, hygiene and medical services, environmental protection, industrial production (raw materials, equipment, and consumer goods), telecoms and Internet, broadcast televisions, education, and governmental agencies/organs.
For example, the key industry “telecoms and internet” is divided into two sub-categories as below:
(1) Telecoms operators, with their key businesses and corresponding CII supporting such key business being:
(a) Consumer relationship management. The relevant CII is the CRM system.
(b) Data center. The relevant CII are the comprehensive services systems for data center.
(c) Communication networks (including voices, data, internet access, cloud computing networks). The relevant CII includes public switched telephone networks (i.e. “PSTN”), signaling systems, synchronization networks, optical transport networks, mobile core networks, IP bearer networks, etc.
(2) Internet companies, with their key businesses and corresponding CII supporting such key business being:
Internet services including BSB services, instant communication services, online trading/purchase services, online payment services, search engine services, email services, mapping services, video/audio sharing platforms. The relevant CII includes services platforms, business platforms, transaction platforms, and marketing platforms.
d) For step (3) above, the identification and determination of the CII will be based on the category of the CII, i.e. website category, platform category, and production business category. For example, with respect to the platform category, such as online trading/purchase platforms, it would be identified as a CII if either of the following conditions is met:
(1) The amount of users registered with the platform exceeds 10 million, or the amount of active users (who log onto the platform at least one time per day) exceeds 1 million; or
(2) It may potentially give rise to any of the following results if any security event occurs:
(a) Direct economic losses of more than RMB 10 million; or
(b) Directly affect more than 10 million people’s life or work; or
(c) Disclosure or leakage of personal data of more than 1 million people; or
(d) Disclosure or leakage of a large amount of sensitive information of entities or companies; or
(e) Disclosure or leakage of a large amount of geographic data, population data, resources data or any other national basic data; or
(f) Grave damage to the order of society and economy, or damage to the national security.
As can be noted from the foregoing examples, it can be reasonably anticipated that the CII Guidelines, once formally promulgated, may provide detailed clarifications or guidelines for private companies to conduct selfassessment of the risks of being categorized as a CII Operator. Although it remains unclear, we tend to assume that the requirements in the final or formal CII Guidelines are likely to be substantially similar to those under the Internal CII Guidelines.
3. Obligations of CII Operators
The draft CII Regulations have imposed various obligations on CII Operators, some of which just affirm or further clarify in detail the requirements originally set out in the CSL, while some others are brand new requirements.
Amongst others, the new requirements which have attracted most attention from foreign companies doing business in China are stipulated in Article 24 of the draft CII Regulations. I.e. the operation and maintenance of the CII shall be carried out in Mainland China, and if any maintenance services through remote access from overseas jurisdictions become necessary for business reasons, the CII Operator must report such case to and obtain prior approval of the relevant industry-specific regulatory authority or the MPS.
This new requirement together with the original requirements under the CSL (i.e. keeping in Mainland China all the personal information and important data collected during the business operations of the CII Operator in China) would have significant impacts on the business structure or data processing costs of foreign-invested companies in China whose business may fall under the key industries based on the upcoming CII Guidelines.
Some other newly-imposed major obligations of CII Operators include the follow:
(1) The CII Operator shall set up the mechanism/policy for security assessment of the CII, and shall conduct security assessment prior to the launch or operation of the CII, and at the time when any significant changes occurred to the CII; and
(2) The CII Operator shall conduct security assessment of the systems or software developed through outsourcing arrangements and of donated network products prior to the use or operation of such products.
4. Enforcement Initiatives
a) Compliance Review of Privacy Policies
According to media reports, on 27 July 2017, the CAC, the MIIT, the MPS, and the Standardization Administration of the PRC (“SAC”) have jointly initiated the task (“Task”) named “Actions to Enhance the Protection of Personal Data”.
The Task mainly entails the review of privacy policies adopted or used by the primary network operators in China to ensure their compliance with the applicable data privacy laws and regulations, including the CSL. Also, such review seems to be intended to pave the path for stipulating national or industry standards in respect of privacy policies in China.
The first round of review has been conducted against the top 10 Chinese network operators, including WeChat, WeiBo, Taobao, JD, Alipay, GaoDe Map, BaiDu Map, Didi, Umetrip, and Ctrip. The review has mainly focused on whether the operators have clearly informed the users or data subjects of the intended collection of their personal data, the means for collection, the rules for use of such collected personal data (for example, if such personal data can be used for direct marketing or commercial promotion, etc), the data subjects’ rights to access, delete, or amend the personal data collected by the network operator, the methods and restrictions thereof, etc.
The results of the review were reported to be published later this September. However, so far, these results are not publicly available.
b) Network Security Inspections on the CII
According to the notifications on official websites of several local governmental authorities in different geographic areas of China, some local governments have already carried out assessment and inspections on the CII used by governmental and quasi-governmental entities. The inspections include self-assessment by the entities and random onsite inspections by the competent local authority.
The assessment and inspections were based on the Internal CII Guidelines which seem to having been circulated to governmental offices only.
According to the work plan published by such local governments, the tasks or goals of the security inspections were to fully understand the amount and coverage of the CII used in the relevant area; the basic information of the network security management organizations and maintenance entities responsible for such CII; the major functionality of the CII, scope of services supported by the CII, situation of data storage, and potential risks in the event of destruction of the information infrastructure; operational environment, ways of operations, status of network security management and protection of the CII, etc.
The fact that some local governments conducted inspections on the security situation of the CII prior to the issuance of the entire supplemental or implementation regulations of the CSL, in particular bearing in mind that no official guidelines for determination of the CII has been issued so far, conveys the signal that the identification of the CII or the CII Operator would likely to be based on a strictly narrow interpretation of the definition of CII under the CSL. I.e. an informational infrastructure may only be determined as a CII if the damages or loss of the functionality of such information infrastructure or the leakage of data will seriously jeopardize national security, national economy, people’s livelihood or public interests. In other words, the risk for ordinary private business operators to be deemed as a CII Operator may likely to be relatively low.
Further, there is a possibility that such inspections targeting governmental or quasi-governmental entities may likely form part of the preparatory actions for the promulgation of the formal CII Guidelines.
The legal regime is still evolving, with further clarifications to be provided through the supplemental and implementation regulations of the CSL which will hopefully be published in the near future.
However, we recommend that foreign and foreign-invested companies, in particular those engaged in the key industries as listed in the Internal CII Guidelines, closely monitor the development of the CSL and its related regulations, and conduct self-assessment or seek tailor-made legal advice on the potential risks of being categorized as a CII Operator based on the Internal CII Guidelines or other related draft regulations.