After a year of legislative proceedings, the Standing Committee of the National People’s Congress of China enacted the Cybersecurity Law, taking effect on June 1, 2017. This move is illustrative of China’s increasing focus on cybersecurity and its intention to bring its cyber practices in line with global best practices for data privacy. The Cybersecurity Law appears to impose what some say to be “more onerous” requirements than even those imposed by the European Union’s General Data Protection Regulation (the “GDPR”).
China’s Data Practices Prior to the Cybersecurity Law
The National People’s Congress passed the Cybersecurity Law (the “Law”) in November 2016. The Law intends to reform data management and internet usage regulations in China and impose new requirements for network and system security.
China’s data protection law and framework is much like that of the United States, in that it is sector-specific. China has industry-specific laws, such as Commercial Banking Law, Postal Law, or the Provisions on the Protection of Personal Information of Telecommunication and Internet users. The many laws and lack of a single central data protection authority have made navigating the legal environment in China difficult. Since July 2015, China has been introducing many laws and draft laws on internet controls and state access to private data. Until the enactment of the Cybersecurity Law, formal requirements for data control and safeguards were not in place, resulting in an incomplete legal system for data management, control, and security.
The Scope of the Law
The Law seeks to change this as it is one of three laws intended to operate in tandem to regulate cybersecurity and privacy law in China. The other two laws, the National Security Law and the Anti-Terrorism Law, seek to bolster the Cybersecurity Law and its authority in order to safeguard against threats to the country and grant the government broader surveillance powers.
The recently enacted Law is applicable to “network operators” and “critical information infrastructure” (“CII”) providers. Because the Law defines a network as any system comprised of computers and related equipment to gather, store, transmit, exchange or process information, the Law is applicable to many businesses in China that manage their own data networks or operate in a manner similar to networks. Because these categories are broadly defined and permit a wide scope, companies that would not ordinarily consider themselves network operators or CII providers may be recognized as such by this Law. For example, the definition of a network operator includes operators of basic telecommunication networks, internet information service providers, and key information systems, which suggests that any company that maintains a computer network may be a network operator for the purposes of this Law. Companies based outside of China that use networks to conduct businesses within China may also be subject to the Law.
CII providers are those that provide services that, if lost or destroyed, would damage Chinese national security or the public interest. These include information services, transportation, water resources, and public services. The State Council gives the government the final say in determining companies that fall under this definition, which may later sweep in other industries not currently designated. The ambiguity of what qualifies as damaging to national security or the public interest increases the scope of this definition and the government’s reach.
Those covered by the Law are to provide full cooperation and full access to Chinese crime or security investigations upon request. Under the Law, network operators “are subject to mandatory testing and certification.” Compliance measures are also mandated, as Article 21 of the Law requires network operators to formulate internal security management systems, implement network security protections, adopt technological measures to prevent viruses, and monitor and record the safety of a network. Security measures, such as data classification, backup systems, and encryption processes must also be in place.
Considered one of the most critical provisions of the Law is Article 37. This article requires operators of CII to store data that it gathers or produces within mainland China. Data that is gathered on Chinese entities, whether businesses or individuals, must be stored on domestic services and transferred abroad with consent.
Criticisms of the Law
In June 2016, businesses from around the world, including from Europe and Japan, sent letters to Premier Li Keqiang, current Premier of the State Council of the People’s Republic of China, and criticized the law as impeding foreign entry and innovation. The data localization requirement pursuant to Article 37 may significantly impact international companies who need to regularly share data on a cross-border basis. Because of the compliance measures, the Law may require authorities to request companies to provide source code, encryption, or other information that is at risk of being replicated, lost, or even destroyed. With no exemptions articulated yet by the Law, foreign companies have expressed great concern.
Increasing the government’s power and reach is Article 9 of the Law. Article 9 reads, “network operators … must obey social norms and commercial ethics, be honest and credible, perform obligations to protect network security, accept supervision from the government and public, and bear social responsibility.” Given the vague language, the government may have grounds to investigate and limit a foreign company’s ability to contest a government demand for data access.
The Law obligates foreign companies to invest resources in meeting the requirements of the Law, especially its data localization requirement. Foreign firms will either invest in new data servicers in China or hire a local server provider, such as Huawei or Alibaba. Huawei and Alibaba are just two of the many companies that have spent millions establishing domestic data centers, leading critics of the Law to believe the Law is partly designed to support domestic data management industries against foreign competitors. Still, others see the data localization requirement to be of minimal impact on economic growth. Instead, they urge that this Law and its requirements are simply China’s effort to streamline its data privacy protections and prosecutions.
Understanding the Cybersecurity Law
Given the complex legislative and legal systems of China, a plain reading of the Law is not the best way to understand it and determine whether it is applicable to one’s company. Instead, the law firm Proskauer Rose LLP says that, “understanding the government’s motivations and regulators’ approach to enforcing the law is key.” As clarification on the Law’s clear requirements is awaited, practitioners are advised to be proactive by conducting a compliance risk assessment or a privacy and security audit of their Chinese operations. Given the increased presence of multinational companies in China, practitioners are advised to dedicate the appropriate amount of time and resources to find the best solutions for their companies under this Law.
Please find the official and untranslated version of China’s Cybersecurity Law here.
This blog post is part of a series looking at privacy regulations around the world in light of Europe’s GDPR. For further information, please visit our GDPR webpage or contact us at firstname.lastname@example.org.
Disclaimer: The information on this webpage is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of the GDPR.