CHINESE UPDATE — China Adopted Cybersecurity Law
After deliberations over more than a year’s time, the Standing Committee of the National People’s Congress (“NPC Standing Committee”) finally adopted the Cyber Security Law (“CSL”) on November 7, 2016. The CSL is the first omnibus law in China governing cyber security issues and has incorporated a number of new legal concepts and requirements that may impact companies with business operations in China.
Below we briefly introduce the CSL in terms of its background, applicable scope and legislative purpose, major requirements, and potential practical impact.
This legislation includes provisions relating to information and technology security. Meanwhile, as China has not enacted a unified data protection law, the CSL also incorporates several provisions related to the protection of personal information, which is also an issue of wide concern.
Application Scope and Purpose
The CSL applies to the construction, operation, maintenance and use of networks, as well as the supervision and administration of cyber security, within the territory of the PRC. “Networks” include networks and systems that are composed of computers and other information terminals and the relevant facilities and that are used for collecting, storing, transmitting, exchanging and processing information in accordance with certain rules and procedures (Article 76). “Network operators”, an important subject of legal obligations under the CSL, is broadly defined as “owners and administrators of networks and network service providers” (Article 76).
The CSL provides for “safeguarding the national cyberspace sovereignty” as a fundamental principle, and, for that purpose, includes provisions on, inter alia, the strategy, plan and promotion of cyber security, network operation security, network information security, and alarm and emergency response systems.
The national cyberspace administration authority, namely the Cyberspace Administration of China (“CAC”), is responsible for coordinating cyber security protection activities and the relevant supervision and administration activities at the national level. The CSL further provides that the Ministry of Industry and Information Technology, the Ministry of Public Security and other relevant government departments shall be responsible for the protection and supervision of cyber security within their respective areas of authority.
The CSL will become effective on June 1, 2017, leaving nearly half a year as a transition period before its implementation.
Major Legal Requirements
Strengthened Network Operation Security Obligations
The CSL provides various security protection obligations for network operators, including, inter alia:
- compliance with the requirements of the tiered cyber security protection system (Article 21);
- verification of users’ real identity (an obligation for certain network operators) (Article 24);
- formulation of cyber security emergency response plans (Article 25); and
- provision of assistance and support to investigative authorities where necessary for protecting national security and investigating crimes (Article 28).
In addition, providers of network products and services shall inform users about, and report to the relevant authorities, any known security defects and bugs; shall provide continuous security maintenance for their products and services; shall not install malware in their products; and shall clearly inform users and obtain their consent if their products or services collect users’ information (Article 22).
Key network facilities and special products used for protecting network security shall comply with the relevant national standards and compulsory certification requirements, and may only be offered for sale after being certified by the qualified security certification organization or passing the relevant security tests (Article 23).
It is notable that some requirements for network operators, such as retention of user logs for at least six months (Article 21) and regulations on the publication of cyber security information regarding system loopholes, computer viruses, cyber-attacks, cyber invasions, etc. (Article 26), are prescribed for the first time under PRC laws.
Heightened Protection of Critical Information Infrastructure
The CSL, for the first time under PRC law, clearly imposes a series of heightened security obligations on operators of critical information infrastructure (“CII”), including:
- internal organization, training, data backup and emergency response requirements (Article 34);
- personal information and other important data must in principle be stored within the PRC territory (Article 37);
- procurement of network products and services which may affect national security shall pass the security inspection of the relevant authorities (Article 35); and
- conducting annual assessments of cyber security risks and reporting the results of those assessments and the improvement measures taken to the relevant authority (Article 38).
Protection of Personal Information
The CSL reiterates the obligations of network operators regarding the protection of personal information that already appear across existing laws and regulations, including the mandate to observe the principles of lawfulness, necessity and appropriateness in the collection and use of personal information and to observe “the notification and consent requirements” (Article 41), to use personal information only for the purpose agreed upon by the relevant individual (Article 41), to adopt security protection measures for personal information (Article 42), and to protect the individual’s right to access and correct personal information (Article 43). In addition, the CSL incorporates some new rules on personal information protection, including data breach notification requirements (Article 42), data anonymization as an exception to the notification and consent requirements (Article 42), and the individual’s right to request that network operators correct or delete their personal information where the information is wrong or is used beyond the agreed purpose (Article 43).
The CSL is the first law in the PRC specifically focused on cyber security matters. When the CSL takes effect on June 1, 2017, internet companies and other industries in China will be subject to stricter and more comprehensive obligations and will face more severe punishments for violations. As an omnibus law on cyber security issues, many provisions of the CSL are still very general and abstract, and the detailed requirements for implementation and enforcement depend on subsequent, more specific implementing regulations as well as the opinions of the relevant authorities. We may expect the relevant regulatory authorities to promulgate a series of implementing regulations to clarify certain requirements under the CSL, such as the regulations on tiered cyber security protection systems, the specific scope and protection measures of CII, the protection of minors on networks, the mandatory security certification and test requirements for key network devices and special cyber security products, and the national security review of network products and services procured by CII operators. For example, as regards the protection of minors on the internet, the CAC published a draft of the Regulations on Protection of Minors Online for public comment last month.
Nearly half a year remains before the formal implementation of the CSL, and companies may use this transition period to improve their understanding of the potential impact of the CSL on their business. In particular, if a company is deemed an operator of CII, the CSL may have a significant impact on its network security framework, procurement of security products, and data storage. Companies may consider whether they need to adjust their business and operational practices in these aspects and enhance their cyber security protections so as to ensure full compliance with the CSL. Given that the specific implementation of the requirements in the CSL is not entirely clear, companies will also need to closely follow any subsequently released regulations and opinions of the relevant governmental authorities.