China’s Cybersecurity Law: An Expression of China’s Cyber-Sovereignty Ambitions
January 10, 2019
This post originally appeared in Eurobiz.
Coming in to effect later this year, the final draft of the China’s Cyber Security Law contains a number of positives, such as the strengthened measures against cyber fraud and the further clarification of the sectors that will fall under the scope of ‘critical information infrastructure’. However, the European Chamber holds deep concerns that many controversial provisions that we commented on in the previous draft remain unchanged.
These include the requirements for strict data residency and restrictions on cross-border data flow. The overall lack of transparency over the last year concerning this significant and wide-reaching piece of legislation has also created a great deal of uncertainty among the business community. The European Chamber remains concerned that the new law will hinder foreign investment and businesses operating in and with China.
China’s recently approved Cybersecurity Law is set to take effect on 1st June, 2017, and serves as an overarching legal framework to govern cyberspace activities. In many respects, this law follows the global trend of increasing regulation of cyberspace in response to elevated threats worldwide. The EU, for example, just recently adopted The Directive on Security of Network and Information Systems (NIS Directive) in July 2016. But China’s Cybersecurity Law includes more than just network security. Its 79 articles cover ground including security requirements for network-related products, data security and privacy, and online content control.
In this respect the Cybersecurity Law should be understood in the context of China’s continued push for national security and ‘cyber-sovereignty’ – the belief that the Chinese Government should have supervisory power and jurisdiction over the activities that take place in the cyberspace that falls within China’s territory.
For companies wondering how this will affect their China business, the law does not provide a clear sense of its own practical application. It is full of subjective terms such as ‘important data’, while the two most important terms in the law—‘network operator’ and ‘critical information infrastructure (CII)’—lack a clear definition. The latter of these terms is crucial as the most stringent security obligations are reserved for CII operators. The law states that CII includes traditionally sensitive sectors such as “public telecommunications and information services, energy, transportation, irrigation, finance, public services, e-government”, but also includes the catch-all phrase “as well as other areas that may harm national security, the economy, and the public interest.” Furthermore, the law also encourages network operators outside of CII to “voluntarily participate”.
Some of the key provisions in the law include:
Lacking a clear road map, foreign companies can start preparing themselves by paying close attention to their cybersecurity practices and upgrading where appropriate. If not for the law, elevating cybersecurity issues in corporate boardrooms across industries would be a positive outcome anyway.
Second, numerous implementation measures, including technical standards in various industries, will come out before and after the Cybersecurity Law is enacted on 1st June, 2017. These measures will be key to how the law’s provisions are implemented in practice. Companies should proactively engage in discussions with their regulators and industry groups on how to best adopt the Cybersecurity Law in their areas of operation. It is especially important for likely CII operators, or those companies selling to likely CII operators, to engage with stakeholders and ensure compliance.
Finally, more important than parsing through each word of the Cybersecurity Law and the coming implementation measures, is to recognise and understand where your company stands in relationship to China’s overall cybersecurity and technology development goals. Over the long-term, companies that can align themselves with China’s vision, and contribute to it, are well placed to succeed.