On Nov. 7, 2016, the official and finalized version of the Cyberspace Security Law (the “CSL”) was approved by the Standing Committee of the National People’s Congress and signed off by Chinese President Xi Jinping. Under the CSL, the Chinese government has, for the first time, claimed sovereignty over cyberspace, asserting all the attendant rights and powers that such sovereignty grants, with a goal of ensuring the security and safety of users of the “network” as defined by the CSL (see explanation below) and their interests in cyberspace. This article summarizes what you should know about the CSL, anticipating its going into effect on June 1, 2017.
Sovereignty in Cyberspace
The CSL is the legal basis for the Chinese government to guard cyberspace security under the cloud of sovereignty.
Cyberspace Sovereignty. The Chinese government’s sovereignty in cyberspace is the most prominent concept created by the CSL. Simply put, it is the absolute power and right of the Chinese government to formulate laws, regulations, and administrative polices to regulate information facilities located in China and their related activities, to protect the information facilities and the information and data stored and processed thereon against attack and sabotage, and to prevent information from being illegally transmitted in the cyberspace that is created by the networks subject to the Chinese jurisdiction. Jurisdiction will be claimed by the Chinese government over a network if all, the majority of, or the core functional servers and equipment that constitute the network are located in China.
As an illustration, the CSL claims in Article 2 that it regulates the construction, operation, maintenance and use of networks in China, as well as the administration and supervision of such networks. The term “network” is defined in Article 76 as a system which is composed of computers and other information terminals and associated equipment, which collects, stores, transmits, exchanges, and processes information in accordance with certain rules and procedures. Therefore, if all, the majority of, or key functional computers, information terminals, or associated equipment functioning in this manner reside in China, the Chinese government may claim sovereignty over that network pursuant to the CSL.
Cyberspace Security. The purpose of the CSL, according to its Article 1, is to safeguard cyberspace security for the purpose of maintaining cyberspace sovereignty, protecting national security, the public interest, and the lawful rights and interests of Chinese citizens, entities and other organizations, and promoting the healthy development of the informationalization in the Chinese economy and society.
Cyberspace Security under the CSL means the capability, by using necessary measures, to prevent a network from attacks, infiltration, interruption, sabotage, illegal use and incidents so as to ensure the stable and reliable operation status of the network and ensure the integrity, confidentiality, and availability of the network data. “Network data” is defined by the CSL to mean the various electronic data collected, stored, transmitted, processed and produced by a network. Thus, through the CSL, the Chinese government now wields the power to regulate what individuals and entities must do with respect to protecting and engaging with their networks that are subject to the Chinese jurisdiction.
Cyberspace Security Requirements for Network Operation
Most of the compliance requirements for cyberspace security imposed by the CSL are not new (except for one), but rather, they are an endorsement of the administrative security policies that have been implemented for years. The exception is the newly created concept of critical information infrastructure under the law, and the associated requirements imposed on it.
Critical Information Infrastructure and the Relevant Requirements. The definition for the Critical Information Infrastructure (“CII”) is vague under the CSL. The CSL defines CII as information infrastructure, which, if sabotaged or suffering from malfunction or data leakage, could seriously harm national security, governmental strategies, people’s livelihood, or public interests. Although the CSL provides some examples of CII, these examples are limited to systems supporting important industries and areas such as public telecommunication and information services, energy, transportation, water conservancy, and irrigation, financing, public services, and electronic administration. Because this is not an exhaustive list, and the CSL does not offer further details to determine what is considered to be CII, there is a concern that the definition of CII could be interpreted unnecessarily broadly and at the sole discretion of the regulatory authority.
If an individual or entity is operating CII, in addition to generally applicable protective measures, the CSL imposes the following special requirements:
- Information Localization. Article 37 is of the greatest concern. It requires storage in China of all “personal information” and “important data” that is collected or generated in the operation of CII. In some specific instances, however, CII operators may store this information outside of China where a safety and security assessment has first been conducted by the competent authorities.Under the CSL, “personal information” is defined as the various types of information about an individual, recorded in electronic or any other format, which by itself or by combination with other information can identify the individual. Personal information includes name, birthday, ID number, bio-identification information (such as fingerprints), address, and phone numbers, among other thing. By contrast, the CSL does not define “important information” as it relates to this provision.
- It is worthwhile to mention that the information localization requirement under the CSL is only applicable to CII operators, not to other the network operators and network service providers, which further emphasizes the importance of what will ultimately be considered to be CII;
- CII Construction. Article 33 requires that the construction of CII must ensure stable processing and consistent operation of the CII and must further ensure protection and security technical measures are designed, constructed, and implemented simultaneously;
- National Security Procurement Review. Article 35 requires that CII operators’ procurement of network products and related services must be subject to national security review if the operation of the CII impacts national security;
- Vendor Confidentiality. Article 36 asks CII operators to enter into security and confidentiality agreements with their suppliers in order to impose specific security and confidentiality obligations in the supply of products and services to the CII; and
- Annual Security Risk Assessment. CII operators are required to run a security risk assessment annually. This may be run either by the CII operator or by a third party network security service provider, and the resulting risk assessment report, together with any corresponding improvement plans, must be submitted to the competent authority.
Although the intent behind and general obligations arising under each of the above requirements are fairly clear, the CSL does not provide sufficient detail for implementation guidance.
The uncertainty of the definition for CII and how operators should implement these requirements will remain until the China State Council provides clarification through its administrative rules. It is unclear whether the administrative rules will be released before the CSL goes into effect.
Generally Applicable Operation Requirements. In addition to the above special operation requirements for CII, the CSL also calls for a set of generally applicable operation requirements. Many of these requirements have actually been in place for many years in the form of administrative policies, but are just now being formally codified.
- Multi-Level Protection System.
- The CSL requires network operators to formulate and adopt proper operating policies and rules in accordance with the requirements of the multi-level protection system.
- The multi-level protection system was established to assist the implementation of the Computer Information System Security Protection Regulation as early as 2004 and was jointly released by the Ministry of the Public Security, the National Secretary Administration Bureau, the Office of State Commercial Encryption Administration, and the former Informatization Working Office of the State Council.
- Following this release, a number of subsequent regulations, rules and national standards, as well as industry focused implementation rules, were issued by various ministry level governmental agencies.
- Under the CSL, the key requirement with respect to the multi-level protection system is that each network operator must determine the proper security level for the network they operate and should then comply with the detailed security requirements for that security level.
- Network Products and Services Compliance Requirements.
- Under the CSL, network products and service providers must ensure that their products and services conform to the compulsory national standards and requirements and do not contain any malicious programs, security defects, and/or loopholes.
- Such providers must also commit to providing consistent security maintenance for their products and services in the time period required by law or contract.
- In addition, the suppliers of key network equipment and network security specialty products must ensure that their equipment and products have passed the security authentication or inspection requirements, established by the competent regulatory authorities
- The CSL does not have a clear definition regarding the scope of what constitutes key network equipment and network security specialty products, but rather it delegates the task of formulating and releasing such a list to the relevant government agencies at some point in the future.
- Real Name Authentication.
- The CSL requires that all network operators obtain true identity information from users before providing network services to them
- The CSL does not define the specific measures to be implemented in order to verify users’ identities, but various recently released regulations regarding online services provide guidance on what may be considered proper, such as using cell phone numbers for individual users.
- Emergency Planning.
- Network operators are required to make practical and comprehensive plans to deal with security incidents, such as data breaches, in accordance with the relevant Chinese national standards and regulatory guidance
- Such operators should be able to launch the plan as formulated and report to the appropriate regulatory authority when a security incident occurs.
Information Security in Cyber Space
Under the CSL, network operators bear two types of obligations relating to information security: (i) the obligation to properly collect, maintain, and use individual information, and (ii) the obligation to assist information censorship.
Personal Information. Network operators are obligated to keep personal information that they collect strictly confidential, regardless of the nationality of the individuals whose information was collected. They must publicly announce their rules for personal information collection and use, only collect personal information after receiving proper consent, and specify the purposes, means, and scope of the information collection and how that information will be used. Network operators must only collect personal information in compliance with the law, applicable regulations, and any relevant agreements entered into with their users. Further, network operators may not collect personal information that is irrelevant to their network services they provide.
Network operators also must not disclose, alter, or destroy personal information they collect and must not provide such information to third parties without first obtaining consent from the individuals. Where there is actual or possible information leakage, destruction, and loss, network operators should take immediate remedial measures, notify the individual users in accordance with its policies, and report such incidents to the competent authority.
However, there are two important exceptions to the above general requirements:
(1) Network operators are allowed to share personal information if such shared information has been properly processed so that it cannot personally identify the individual and so that the process cannot be reversed in such a way that an individual's identity can be learned. This exception leaves room for big data businesses to operate in China.
(2) Individual users have the right to request that network operators either (a) delete their personal information if they discover that their personal information is being collected, maintained or used in violation of the above requirements, or (b) correct their personal information if the information collected and maintained by the network operators is inaccurate. If individual users properly make such requests, network operators must honor them.
Information Censorship. Network operators must not allow websites or communication/messaging groups to be established on their networks that teach how to commit fraud and crimes, or actually do commit fraud or crimes, offer contents with malicious programs and illegal information, or produce or sell prohibited or regulated items without proper approvals. Upon discovery of such websites or groups, network operators must immediately interrupt the transmission of the illegal information, remove the illegal information from the network, record all relevant investigative information, and file a report with the relevant authorities.
Additionally, network operators must establish and maintain a special channel for public complaints and reports of any compliance issues or violations and must process received complaints in a timely manner.
Long-Arm Effect of the CSL
A unique feature of the CSL is that it protects not only Chinese citizens, but also foreign citizens who use the services provided by the regulated networks. Correspondingly, the CSL does not limit its enforcement and penalty issuing authority solely to network security violations committed by network operators in China, but rather extends this authority over operators of regulated networks where the operators reside in foreign countries.
In Articles 5, 7, and 75, the CSL provides that the government will monitor, defend against, and dispose of network security risks and threats originating both within and outside of China, and will endeavor to protect CII from attacks, infiltration, interference, and sabotage. Per the CSL, the government will take initiatives to carry out international exchange and cooperation activities aimed at international regulation of cyberspace and fighting against cybercrime. Additionally, if any foreign entity or individual attacks, infiltrates, interferes, or sabotages CII, resulting in serious consequences, the Chinese police and other competent authorities are empowered under the CSL to freeze the assets of that entity or individual, or to take other necessary sanction measures against them.
The CSL is the first specialized law in China that regulates network security and information security relating to cyberspace. It is plagued with the sort of uncertainties and vagueness which is often the norm for legislation in China. Regulations regarding the implementation of the law and supporting rules will be established by the relevant regulators, who will endeavor to clarify this uncertainty and vagueness. Therefore, businesses, both foreign and domestic, that may be subject to the CSL, need not be overly optimistic or pessimistic about the current provisions codified in the CSL. Going forward, there may still be considerable opportunities to advocate for how these requirements are actually implemented and enforced in practice.