China’s Cybersecurity Law (the “Cybersecurity Law”) was passed on November 7, 2016 by China’s 12th National People’s Congress Standing Committee. The Cybersecurity Law comes into effect in June 2017 and applies to both domestic and foreign network operators who operate on the Chinese mainland. The Cybersecurity Law implements security protections which are aimed at tightening and centralizing state control over information flows and technology equipment, and preventing computer viruses, cyber-attacks and other network security violations (such as unauthorized data leakage or theft). The Cybersecurity Law also has a broader reach which may affect many foreign technology companies.
The Cybersecurity Law addresses certain prominent principles, including: cyberspace sovereignty; security obligations of network service providers and operators; improvements to personal information protection regulations; establishment of a key information infrastructure security system; and rules for cross-border data transmission.
The Cybersecurity Law will apply to all network operators conducting their business in China, with special attention given to “key information infrastructure” companies. The term “key information infrastructure” is left vague and could potentially encompass a broad range of companies. It is anticipated that the State Council will provide a more detailed definition in subsequent regulation, but it is unlikely that the definition will be specific enough. According to Article 31 of the Cybersecurity Law, areas such as public communication, information service, energy, transportation, water resources, finance and e-government are most likely to fall within the scope of the term.
The Cybersecurity Law will require both domestic and foreign “key information infrastructure” companies to comply with the following key requirements (among others):
- monitor and report to the government any “network security incidents”;
- provide “technical support” to aid in investigations;
- store data locally;
- monitor and log the operational status of the network, and store such logs for at least six months;
- stop the dissemination of illegal content; and
- comply with relevant laws and regulations on online information control.
Non-compliance with the requirements may result in administrative, civil or criminal proceedings.
Foreign tech companies may find it difficult to comply with the requirement to store data locally. Foreign tech companies may also be concerned by the requirement under the Cybersecurity Law to employ technology deemed “secure” (as will be defined by future regulation to be enacted by the State Council). These measures will seemingly create an edge for local tech firms over foreign rivals, as local companies may already comply with, or will find it easier to comply with, those requirements which favour a local presence.
The Cybersecurity Law has numerous critics and has drawn swift criticism from international business groups and human rights organizations. Although the Chinese government presents the new Cybersecurity Law as a tool for security and economic growth, international critics point out that it tightens China’s grip on the internet by requiring service providers to collect personal information and by preventing personal or “important” data collected in China from leaving the country. The meaning of “important” data remains ambiguous.
Business groups from around the world are fearful that the Cybersecurity Law will put data security at risk, and could potentially cut China off from the rest of the world’s digital economy. Chinese news sites have noted that more than 40 business and international groups publicly expressed opposition to the Cybersecurity Law and asked the Chinese government to amend some of the more onerous restrictions before the Cybersecurity Law was approved in November. These groups claimed that the Cybersecurity Law “creates trade and innovation barriers in national borders”.
Given the wide reach of the Cybersecurity Law, additional regulations and clarification from the Chinese government are expected in the near future. In the meantime, tech companies that conduct business in China would be wise to carefully monitor any developments in relation to the Cybersecurity Law so that they are ready to comply with it once it becomes effective. We would be pleased to assist.