As countries increasingly focus on cybersecurity, there is a tension between protecting systems and data, and creating a robust and cooperative environment to minimise risk. We take a look at activities in Singapore and China by way of example.
Singapore has significantly stepped up its activities in the cybersecurity arena over the last year.
The migration towards the digital economy must invariably include consideration of the protection and security of the data that flows within. The design and conceptualisation of any system, or of any devices, for interconnection should have cyber security as a default consideration.
The emphasis on cybersecurity becomes more critical than ever, with Singapore’s vision to become a Smart Nation through the optimal use of technology to address Singapore’s challenges. Developers of Smart City eco-systems will need to provide the reassurance and security required within interconnected networks and devices in order for such eco-systems to flourish.
New Cybersecurity Act
Perhaps the most significant recent legislative development is the Cybersecurity Act (CSA), which came into effect in early February 2018. The CSA is Singapore's first omnibus legislative framework for proactive oversight of, and response to, cyber threats and incidents. The CSA has three main objectives:
- institutionalising a framework for protecting Critical Information Infrastructure (CII) against cyberattacks;
- authorising the Cyber Security Agency of Singapore to prevent and to respond to cybersecurity threats and incidents; and
- establishing a licensing regime for cybersecurity service providers.
The emphasis on protecting CII mirrors the position taken in other countries and regions, notably the European Union and China, and underlines the need for parties interconnected within the eco-system in which CII owners and operators operate to adopt a harmonised approach.
The significance and purpose of the new CSA
Some of the intended purposes of this landmark piece of legislation include:
- raising the standards of CII owners and their awareness of the importance of being and remaining vigilant against cybersecurity threats, and instilling a mind-set of ‘security-by-design’;
- requiring CII owners to put in place mechanisms to detect and report cybersecurity threats, against the backdrop of the Personal Data Protection Commission being poised to amend the Personal Data Protection Act to introduce mandatory breach notification measures inspired by Articles 33 and 34 of the General Data Protection Regulation; and
- the establishment of the licensing framework for licensable cybersecurity services, intended to raise and recognise minimum standards of quality in the provision of cybersecurity services.
Enhanced Cyber Crime Law
Another notable development was the set of changes to the Computer Misuse and Cybersecurity Act (CMCA), which came into effect on 1 June 2017. The changes included criminalising:
- the use of hacking tools, including their procurement, retention or supply, to commit a computer offence; and
- the activity of dealing in personal information obtained via a cybercrime such as trading in hacked credit card details.
Another change concerns the wider jurisdictional reach of the CMCA. It is now an offence for a person overseas to commit a criminal act against a computer located overseas if the act "causes, or creates a significant risk of, serious harm in Singapore". The CMCA defines “serious harm in Singapore” as including injury or death of individuals in Singapore, or disrupting, or seriously diminishing public confidence in, the provision of essential services in Singapore.
As the Chinese government increasingly prioritises cybersecurity, it has taken a series of actions to strengthen its control in the virtual world. On the legislative side, the most notable development is the enactment of the new Cyber Security Law (CS Law) in 2016, which came into effect on 1 June 2017.
On 11 April 2017, the Cyberspace Administration of China (CAC) issued the draft Measures for the Security Assessment of Export of Personal Information and Critical Data (Draft) for consultation. This move by the CAC is intended to pave the way for easier implementation of the CS Law.
Article 37 of the CS Law stipulates that critical information infrastructure operators (CIIOs) must store onshore the personal and other important data collected and generated in the course of their operations in China. If transmission of such data outside China is necessary for business reasons, clearance procedures must be followed under separate rules to be formulated by the CAC (now set out in the Draft). While the Draft clarifies some of the implementation details of the CS Law, it also creates complexities and concerns.
Who does Article 37 apply to?
A literal reading of the CS Law gives the impression that a CIIO would include, for example, telecoms infrastructure service operators. However, there is no clear definition of this term. The CS Law gives examples of businesses which will qualify as a CIIO, including public communications networks and information services, energy, transport, water conservation, finance, public services, and e-government affairs. In addition, the category includes any other areas where a data breach or security compromise could result in serious harm to national security, the national economy, people’s livelihoods and the public interest. As the term “information service” is broad and vague, it could potentially be interpreted widely as covering all businesses with an online feature, so further clarity is needed.
Surprisingly, the Draft does not address the question of what constitutes a CIIO. Instead, it rephrases Article 37 of the CS Law by imposing local data storage requirements upon “network operators”. This term is further defined to cover those who own networks, manage networks and provide network services. Although the Draft is purportedly regulating data export clearance procedures, use of a different term for the scope of application creates the impression that local storage of data becomes a general principle (instead of only applying to CIIOs). This is all the more true given that the Draft further states that other individuals or organisations should also refer to the data export clearance procedures under this Draft.
What data is covered?
Article 37 of the CS Law refers to two types of data, namely personal data and critical data collected and generated within the territory of China. The definition of the former is repeated under the Draft, i.e. information recorded by electronic or other means that, alone or jointly with other information, can serve to identify a natural person, including but not limited to a natural person’s name, date of birth, identification number, personal biometrics data, address, or phone number. The CS Law does not define critical data. The Draft clarifies that critical data is data closely related to national security, economic development and public interest, of which the exact scope will be set out in relevant national standards and classification guidance.
According to the Draft, the following types of data must not be exported:
- personal data for which no prior consent to export was sought or where export might jeopardise the personal interests of the data subject;
- any data which poses a risk to national security (e.g. political, economic, technological, national defence) or may possibly affect national security and damage the public interest; and
- data which is barred from export by administrative authorities like the CAC, police authority and national security authority.
Security self-assessment procedures
Network operators are required to conduct a self-assessment before exporting personal and critical data. The assessment should focus on aspects including:
- the business need for the export;
- the quantity, scope, category and sensitivity of the data;
- whether consent for export has been obtained, where applicable;
- the security and competence of the data importer, including the level of cybersecurity regulation in the data importer's jurisdiction; and
- the risk and impact of a data breach after export, including the potential for onward export.
Network operators need to get clearance from the relevant administrative regulators to export any of the following:
- personal information involving over 500,000 individuals (including on an accrued basis);
- data quantity exceeding 1,000 GB;
- data concerning nuclear facilities, biochemistry, national defence and military matters, demographics and health, large-scale project activities, marine environment or sensitive geographic information;
- cybersecurity information about system vulnerabilities and security protection of critical information infrastructures;
- data exports by a CIIO; and/or
- data potentially impacting national security and the public interest, in relation to which an assessment is deemed necessary by the regulators.
The Draft answers some questions under the CS Law, but also generates questions of its own. This reflects the fact that the CAC, a rising power among the Chinese ministries, plays an increasingly critical role as the Chinese government prioritises cybersecurity.
Of particular concern is the Draft's seemingly extended interpretation of the CS Law which appears to apply data export limitations to all network operators and could be interpreted as extending them to all online activities. This could mean that, in future, all data exports will require clearance from the Chinese government to stay on the safe side.
Although this might sound similar to the situation in Europe, where all data exports are regulated, the clearance mechanism under the Draft is extremely cumbersome compared with the approach adopted by the EU, and may jeopardise business operations and contradict the goal of “promoting orderly and freely the flow of data” set out in the Draft.
Although the Draft has not been finalised, companies operating in China are advised to follow developments closely and be prepared to tackle new challenges.
On 24 November 2016, the Ministry of Industry and Information Technology (MIIT) released the draft Notice on Regulating the Operation Behaviours in the Cloud Service Market (Draft Circular) for public consultation. Although its intention is to better regulate the market, including in terms of data and systems security, unfortunately it serves mainly to make the picture foggy again. Its stated purpose is to improve the market environment, regulate administration and promote the healthy development of the internet industry, but it would introduce many new regulatory requirements and constraints with a substantial impact on existing business models, in particular those of foreign players. Their cloud service platforms must be constructed within the territory of China, and connections to overseas networks must pass through MIIT-approved internet gateways. Connection to the outside world via dedicated lines (in Chinese) or VPNs is not allowed (see our articles on cloud services in China and VPNs).