This article was first published in the June 2017 edition of CSj, the journal of the Hong Kong Institute of Chartered Secretaries and published by Ninehills Media Ltd. It aims to give an introduction to China’s Cybersecurity Law which becomes effective this month, and assess the implications of the law for companies with a business presence in both Mainland China and Hong Kong.
China’s Cybersecurity Law (the “CSL”) was approved in November 2016, and took effect on June 1st, 2017. Being the first legislation devoted to cyberspace, this legislation governs the establishment, operation, maintenance and use of cyber networks within China and the supervision and management of cybersecurity. The Cyber Administration of China (CAC) is the principal governmental authority supervising and administering the CSL and cybersecurity regime. In conjunction with the CSL, CAC recently published a series of supplementary implementation measures, including the Measures for the Security Review of Network Products and Services (Provisional) (the “Security Review Measures”), Public Opinion Draft of the Measures for Evaluating the Security of Transferring Personal Information and Important Data Overseas (the “Draft Data Transfer Measures”), the Measures on Administrative Law Enforcement Procedures for Internet Information Content Management, as well as some rules governing internet news information services (collectively the “Implementation Measures”). Most of the Implementation Measures are set to come into force with the CSL on June 1st, 2017, but further measures will be forthcoming.
Generally speaking, only entities incorporated in Mainland China are required to abide by the CSL and its Implementation Measures. Yet in practice, we believe the CSL will exert profound impacts, direct or indirect, on Hong Kong companies as well, considering the countless ties between mainland China and Hong Kong in the cyber space. This article aims to give Hong Kong based readers an overall introduction to the CSL and its Implementation Measures, with some high-level comments on its potential impact to companies having a business presence in both Mainland China and Hong Kong.
Almost a quarter of the CSL is dedicated to a series of requirements and obligations imposed on so-called “network operators” for the protection of cybersecurity. Under the CSL, network owners, administrators, as well as network service providers are qualified as network operators; meanwhile, the term “network” is defined by the CSL to encompass any system that is comprised of computers or other information terminals and relevant equipment that collect, store, transmit, exchange, and process information. Given internet’s widespread use and borderless connectivity nowadays, the definition of “network operators” seems to be a bit vague and can potentially be interpreted broadly. On its surface, any entities that own internet infrastructures, or utilize computers or other information terminals such as websites, mobile apps, online platforms, where information is stored, transmitted, exchanged or processed, are possibly to be considered as network operators, provided that they involve operation or use of networks within Mainland China. In other words, if a Hong Kong entity stores, transmits or processes information collected from its users from Mainland China, or has Chinese affiliates administer or maintain its websites, this entity is likely to be deemed as a Network Operator and is hence captured by the CSL.
Whilst the scope of network operators calls for further clarifications, the CSL and its Implementation Measures make it abundantly clear that all network operators shall abide by the obligations set out below:
Classified cybersecurity protection system – network operators shall comply with certain tiered security obligations according to the requirements of a classified cybersecurity protection system, which includes, among others:
- formulating internal security management systems and operating instructions;
- appointing dedicated cybersecurity personnel;
- taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to internet security incidents;
- retaining internet logs for at least six months; and
- undertaking data classification, back up, encryption and similar activities.
Emergency response plan and incidence report – network operators are obligated to formulate emergency response plans for network security incidents and report incidents to the authorities.
Co-operation with authorities – network operators shall provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision.
Personal information protection – network operators shall not disclose, falsify, or damage personal information of citizens they collect. Without consent of information owners, no network operators are allowed to disclose such personal information to others, except that such personal information after being processed cannot identify specific persons and cannot be restored. Network operators must take remedial actions to address any data leakage, report the same to relevant regulatory authorities and notify the data owners
Oversight of information published by users – network operators are required to block, delete, save relevant records of prohibited information published by users, and report the same to the authorities.
Establishment of complaint systems – network operators shall establish cybersecurity complaint and reporting systems, and promptly accept and handle complaints and reports.
Critical Information Infrastructure
Of particular note is that the CSL introduces a new concept of “critical information infrastructure” (CII), which makes reference to networks used in public communications, information services, energy, transportation, water conservancy, finance, public services, and electronic government as well as those networks of which the failure would possibly harm national security, national economy, or public interest. This coverage of CII is non-inclusive, and the CSL provides that the specific scope and security measures for CII shall be provided by the State Council separately (though the timeline is unknown). On this point, neither the CSL nor its Implementation Measures have issued any rules or guidelines about the specific scope and security measures for CII.
Some commentaries have pointed out, however, that reference could be made to the scope of CII under the National Cyberspace Security Strategy published by the CAC in late 2016, where CII is defined as “information infrastructure that affects national security, the national economy and the people’s livelihood, where whenever data is leaked, it is destroyed or loses its functionality, national security and the public interest may be gravely harmed, including but not limited to basic information networks providing public telecommunications, radio and television transmission, and other such services, as well as important information systems in areas and state bodies such as energy, finance, transportation, education, scientific research, hydropower, industry and manufacturing, healthcare and medicine, social security, public undertakings, as well as important internet application systems, etc.”
By comparison, the National Cyberspace Security Strategy takes in some additional industries such as education, scientific research, industry and manufacturing, healthcare and medicine, and social security. Although the National Cyberspace Security Strategy does not make specific reference to the CSL as its legislative basis, we concur that it may shed some light on the construction of CII to some extent. In this regard, we advise companies in aforementioned industries, especially those in “additional” industries such education, scientific research, healthcare and medicine, to be fully aware of CII”s obligations, and to stay tuned for further interpretations to be issued by the regulatory authorities regarding CII.
In addition to abiding by all requirements for network operators, CII Operator should also comply with a higher level of obligations imposed by the CSL as follows:
- Data localization requirement – the CSL mandates CII Operators to retain, within Mainland China, critical and personal information which they collect and produce during their operations in the Mainland. They may still be able to transmit this information overseas, but only after undergoing and passing a security review. Nonetheless, the newly issued Draft Data Transfer Measures appear to expand the scope of undertakings for such data localization and security review requirements to a wider range of entities – under the Draft Data Transfer Measures, network operators, rather than CII Operators, shall store personal information and important data collected and produced during operations in Mainland China. Besides, the Draft Data Transfer Measures list certain circumstances where outbound data transfer is strictly prohibited, as well as the scenarios where data export is subject to approvals. Considering the broad and ambiguous scope of network operators under the CSL, the final version of the Draft Data Transfer Measures governing the data localization requirement may be of great significance for companies with a business presence in Mainland China. We would suggest a wait-and-see approach at this point, and advise international companies to pay special care and attention on updates about the Draft Data Transfer Measures.
- Annual safety assessment – CII Operators are required to, either by themselves or through third party agencies, carry out a review and an assessment of cybersecurity threats at least once a year.
- National security review – when CII Operators procure network products or services that may affect national security, a national security review is required. Furthermore, the Security Review Measures lay down more details about how a security review will actually be carried out. Similar to the Draft Data Transfer Measures, it seems that the Security Review Measures also have broadened the scope of products and services that are subject to security review to some extent – according to the Security Review Measures, all important network products and services for networks and information systems that are pertinent to national security will be subject to security reviews. In addition, the Security Review Measures require such review to focus on whether network products or services are “secure and controllable”, and further set forth detailed criteria to be considered. Pursuant to the Security Review Measures, the government will establish a special committee formulating important policies concerning security reviews, and the CAC is responsible for organizing the specific reviews, which will be conducted by designated third-party institutions and experts.
- Other obligations – CII Operators should set up dedicated security management bodies and persons responsible for security management, and conduct security background checks on those responsible persons and personnel in critical positions. CII Operators are required to periodically conduct cybersecurity education, technical training and skills evaluations for employees, and conduct disaster recovery backups of important systems and databases.
3. Provider of Network Products and Services
In addition to network operators and CII Operators, the CSL also singles out “providers of network products and services”. Despite the fact that both the Security Review Measures and the CSL are silent on the definition of “network products and services”, it is clear that certain statutory requirements have been imposed on its providers, to be specific:
- Compliance with national standards – all network products and services shall comply with mandatory requirements under PRC national standards, which we believe should refer to technical standards for quality, safety, specifications, etc.
- Technical security requirements – a provider of network products and services shall not install any malicious codes. In case the provider discovers that its product or service has security leaks or defects, it shall inform users and relevant authorities, and adopt remediation measures.
- Security maintenance – a provider of network products and services shall provide its customers with security maintenance of its products and services during the service period.
- Personal data protection – where a network product or service has a function to collect user’s information, its provider shall inform the user and obtain the consent from the user. If the collected information involves any personal information, the provider shall comply with the laws and regulations on the protection of personal information.
Despite the uncertainties and ambiguities of certain key terms and clauses, the changes that the CSL brings to China’s cybersecurity landscape will definitely be beyond all expectations. Hong Kong companies that operate businesses in Mainland China or have direct business interests in Mainland China, especially those falling into category of CII operators, are encouraged to carry out a review of their data security rules and privacy policies in the context of the CSL and its Implementation Measures. This may require a thorough understanding of companies’ infrastructure layout and operation mechanisms, data transfer routes, as well as day-to-day activities relating to information collection, storage, transmit and process within Mainland China. Last but not least, companies potentially affected by the CSL should keep a close eye on issuance of related guidelines, implementation rules, and the further development in China’s cybersecurity regime.