This post originally appeared in Eurobiz.
Coming into effect later this year, the final draft of China’s Cybersecurity Law contains a number of positives, such as the strengthened measures against cyber fraud and the further clarification of the sectors that will fall under the scope of ‘critical information infrastructure’. However, the European Chamber holds deep concerns that many controversial provisions that we commented on in the previous draft remain unchanged.
These include the requirements for strict data residency and restrictions on cross-border data flow. The overall lack of transparency over the last year concerning this significant and wide-reaching piece of legislation has also created a great deal of uncertainty among the business community. The European Chamber remains concerned that the new law will hinder foreign investment and businesses operating in and with China.
China’s recently approved Cybersecurity Law is set to take effect on 1st June, 2017, and serves as an overarching legal framework to govern cyberspace activities. In many respects, this law follows the global trend of increasing regulation of cyberspace in response to elevated threats worldwide. The EU, for example, only recently adopted the Directive on Security of Network and Information Systems (NIS Directive) in July 2016. But China’s Cybersecurity Law covers more than just network security. Its 79 articles cover ground including security requirements for network-related products, data security and privacy, and online content control.
In this respect the Cybersecurity Law should be understood in the context of China’s continued push for national security and ‘cyber-sovereignty’ – the belief that the Chinese Government should have supervisory power and jurisdiction over the activities that take place in the cyberspace that falls within China’s territory.
For companies wondering how this will affect their China business, the law does not provide a clear sense of its own practical application. It is full of subjective terms such as ‘important data’, while the two most important terms in the law—‘network operator’ and ‘critical information infrastructure (CII)’—lack a clear definition. The latter of these terms is crucial as the most stringent security obligations are reserved for CII operators. The law states that CII includes traditionally sensitive sectors such as “public telecommunications and information services, energy, transportation, irrigation, finance, public services, e-government”, but also includes the catch-all phrase “as well as other areas that may harm national security, the economy, and the public interest.” Furthermore, the law also encourages network operators outside of CII to “voluntarily participate”.
Some of the key provisions in the law include:
- Data localisation: CII operators will have to keep ‘important’ data and personal information in Mainland China. If it is truly necessary for a business to provide data outside of China it may be possible to do so but a security assessment must first be conducted. (Key Article: 37)
- Personal information protection: Network operators will be limited in collecting and using personal information. Personal information refers to information that allows the identification of a natural person’s individual identity, including, but not limited to, their name, date of birth, identity card number, personally distinctive biological information, address and telephone number. (Key Articles: 40-43, 76)
- Compulsory certification requirements: Critical network equipment and specialised network security products, both undefined, will have to follow compulsory standards and security certification. The law also implies that compulsory certification will no longer only be a requirement for government procurement. (Key Article: 23)
- Cooperation with public security bodies: When requested, network operators will have to provide technological support and assistance to public security and national security bodies. (Key Article: 28)
- National security review: Network operators will be subject to a multi-level protection scheme (MLPS), where they are graded based on the potential consequences of network damage and social impact. In addition, products and services procured by CII operators that may have an impact on national security must pass a national security review. (Key Articles: 31, 35)
First, in the absence of a clear road map, foreign companies can start preparing themselves by paying close attention to their cybersecurity practices and upgrading where appropriate. Even apart from the law, elevating cybersecurity issues in corporate boardrooms across industries would be a positive outcome.
Second, numerous implementation measures, including technical standards in various industries, will come out before and after the Cybersecurity Law is enacted on 1st June, 2017. These measures will be key to how the law’s provisions are implemented in practice. Companies should proactively engage in discussions with their regulators and industry groups on how to best adopt the Cybersecurity Law in their areas of operation. It is especially important for likely CII operators, or those companies selling to likely CII operators, to engage with stakeholders and ensure compliance.
Finally, more important than parsing each word of the Cybersecurity Law and the coming implementation measures is to recognise and understand where your company stands in relation to China’s overall cybersecurity and technology development goals. Over the long term, companies that can align themselves with China’s vision, and contribute to it, are well placed to succeed.