On 7 November 2016, the Standing Committee of the National People's Congress passed the PRC's first comprehensive piece of internet security legislation, the Cyber Security Law (the "Law"), which will come into effect on 1 June 2017. The Law consolidates cyber security regulation into a single statute and will lead to a more closely regulated internet and technology sector. It clarifies, to a certain extent, the rights and obligations of network users and network operators, and is intended to improve network security, combat cyber fraud and protect the nation against cyber security threats.
The Law consists of 7 Chapters with 79 Articles in total. Broadly speaking, its provisions fall into 2 parts: cyber or network security, and data administration. Some of the provisions of the Law and their significance and effects are summarised as follows.
According to Article 8, the Cyberspace Administration of China (“CAC”) shall be responsible for the comprehensive planning and coordination of the cyber security efforts and the related supervision and administration work. The telecommunication administrative departments and the public security bureau together with other relevant departments of the State Council shall be responsible for the protection, supervision and administration of the network security within the scope of their responsibilities.
Article 10 provides that network operators, and suppliers of services through networks, shall take the necessary measures to ensure the secure and stable operation of their networks in accordance with the laws, regulations and mandatory national standards.
Network Operators
Network operators are defined under Article 76(3) as the owners or administrators of a network and network service providers.
It is unclear, however, whether a business that merely operates an online platform will also be treated as a "network operator".
Article 21(3) requires network operators to adopt technical measures to monitor and record the operational status of their networks and any network security incidents, and to retain the relevant network logs for at least 6 months. This retention period is much longer than current general market practice, and the compliance and maintenance cost of network operators in this area is expected to increase.
Critical Network Equipment / Specialised Security Products
Article 23 stipulates that critical network equipment and specialised security products shall comply with mandatory national standards and will require certification or testing and approval by accredited institutions before they can be sold or supplied in China. The products covered are not defined in the Law itself, and it appears that the certification and approval requirement will apply equally to critical network equipment and specialised security products imported from overseas. The CAC, together with the other relevant departments of the State Council, will formulate and publish a catalogue of critical network equipment and specialised security products in due course.
Critical Information Infrastructure
Articles 31 to 39 set out the provisions on "critical information infrastructure" ("CII").
The State shall implement specific protection for key industries and sectors such as communications and information services, energy, transportation, water conservancy, financial services, public services and e-government services, as well as any other information infrastructure whose damage, loss of function or data leakage may seriously endanger national security, the national economy, people's livelihood or the public interest. The precise scope of CII and the protection measures required will be formulated by the State Council.
If the network products and services that a CII operator wishes to procure may affect national security, they will have to undergo a national security review jointly organised by the CAC and the relevant departments of the State Council.
In addition, personal information and important data collected or generated by CII operators within China must be stored within China. If, for genuine business reasons, a CII operator needs to transfer such information overseas, it must first undergo a security assessment, the details of which have yet to be defined and published. CII operators should therefore re-assess their business operations in the light of these new legal requirements.
There are concerns that the definitions of CII and "important data" are so wide, or so unclear, that a substantial volume of data (including confidential or sensitive business information) will need to be kept in China.
Data Privacy
Articles 40 to 44 set out the obligations of network operators to protect personal information. They shall keep users' personal information strictly confidential. Before collecting or using personal information they must also publish their collection and use rules, state the purpose, manner and scope of the collection and use, and obtain the consent of the persons from whom the information is collected. The form of consent is not specified in the Law, and it remains an open question whether implied consent will be acceptable. Network operators should watch for any implementing rules elaborating on this consent requirement, as they may have to revise their data protection policies and procedures accordingly.
According to Article 76(5), personal information includes, but is not limited to, the name, date of birth, identity document number, personal biometric information, address and telephone number of a natural person (and is not limited to PRC citizens). Foreign nationals in China will therefore also be protected by these provisions. It should be noted, however, that the data localisation requirement mentioned above will equally apply to the personal information of foreign nationals.
Liability and Penalties
Article 74 stipulates that a person who violates the provisions of the Law and thereby causes damage to others shall bear civil liability in accordance with law.
According to Article 75, where overseas institutions, organisations or individuals engage in attacks on, or otherwise endanger, CII in China, the public security department and the relevant departments of the State Council may freeze their property or impose other necessary sanctions on such offenders. Foreign organisations and individuals should be aware of these new sanctions and ensure that measures are in place to prevent third parties from launching cyber attacks through their platforms.
Conclusion
The Law helps to enhance cyber security in China by requiring product certification, protection of personal information and similar measures. However, as the details of a number of requirements, standards and definitions are not yet available or remain uncertain, it remains to be seen whether the domestic standards to be adopted by China will be compatible with international standards, and hence whether there will be greater interconnectivity between China and the rest of the world. Many multinational corporations, especially those likely to fall within the definition of "critical information infrastructure" such as financial institutions, should take immediate action to assess and review their use of technology and equipment, their data storage arrangements and their data security policies in China.
If you have any questions on the above or other issues on doing business in Mainland China, experienced lawyers in our China Business Department will be happy to assist you.