The long-awaited Cyber security Law of China was finally passed at the National People’s Congress of China on November 7, 2016. This follows a long process, begun more than one year ago, in which two interim drafts were circulated for comment.
Though the text of the law is now final, it does not end all of the uncertainty that has been associated with the progress of the law towards its final version. Generally stated wording and a need for specific implementing rules and regulations, and specific technical standards, mean that further government publications are awaited before the full extent of the law’s requirements will be understood.
The following are some of the highlights of the new law:
1. The new law contains new requirements for the protection of personal information
The nature and extent of these new requirements have been seen before in China. In respect of the collection and use of personal information, the new Cybersecurity Law imposes a notice and consent requirement, and a requirement to comply with the principles of legitimacy, rightfulness and necessity.
Network operators are prohibited from providing a data subject’s personal information to third parties without the data subject’s consent, except in cases where the personal information is depersonalised in such a way that it cannot identify the underlying particular individual and that the depersonalisation cannot be reversed. In addition, a data subject can request a network operator to delete the personal information if he or she discovers that its collection or use of personal information is in violation of law or of a contract between the parties. A data subject can also request a network operator to correct any personal information that is inaccurate.
In other words, the shape of the new requirements follow the same pattern that has been seen before, in the data protection rules for personal information that is electronically formatted, and for the consumer protection and telecommunications sectors.
What is new is that this same template is now made applicable to “network operators.” This may in and of itself also be nothing new in practice, because these “network operators” are likely to be subject to the same template already, by way of the fact that they are most probably handling personal information that is electronically formatted.
The more significant fact may be that a new government entity may be given authority to interpret and enforce data protection rules. The precise entity has not been designated yet, but if it is the Ministry of Public Security, it will be one with exceptional capabilities to enforce the law and discourage violations, because the Ministry of Public Security (and its local offices) are the equivalent of China’s police force. Also potentially significant is the fact that the new law provides a definition of “personal information,” something that not all laws or regulations bother to do.
2. The new law contains a data localisation requirement
Under the new law, “operators of key information infrastructure” are subject to a data localisation requirement, under which they must retain within the territory of China critical information and personal information which they collect and produce in the course of their operations in China.
The term “key information infrastructure” generally refers to information infrastructure of which damage, misfunction or data leakage would seriously jeopardise national security and the public interest. Specific examples are given, including information infrastructure in the public communication and information services, energy, transportation, water resources utilisation, finance, public service and e-government affairs sectors. Further rulemaking from the State Council is necessary to clarify the precise scope of “key information infrastructure” and of the security protection requirements applicable thereto.
“Operators of key information infrastructure” may still be able to transmit critical data and personal information overseas, but they would first have to undergo and pass a security review. The nature of this security review is not defined yet and this is a source of ongoing uncertainty. An even more important remaining uncertainty is precisely how large the scope of “operators of key information infrastructure” will turn out to be. If only entities which actually operate (rather than use or rely upon) key information infrastructure, which has a truly national-level degree of macroeconomic significance, are to be considered “operators of key information infrastructure,” then the data localisation requirement may apply only to a relatively small number of enterprises. This is another item in prospective implementing rules that should be eagerly awaited.
The new Cybersecurity Law opens the possibility of extraterritorial application, by making overseas entities or persons which attack, intrude into, interfere with or destroy “key information infrastructure” in China subject to legal liability. Public security agencies in China are enabled under the law to adopt sanctions against them, such as freezing their assets.
3. Certain information security standards are imposed that permit an eventual local procurement requirement
When operators of key information infrastructure procure network products or services that may affect national security, a national security inspection is required. This and other similar requirements do not in and of themselves establish a local procurement requirement, but open the door for one, if later specifications for passing the national security inspection and cybersecurity standards are formulated in such a way that only locally-made information technology equipment can satisfy them.
4. Security safeguards will be required to be put in place in a tangible and concrete way
As particular examples: “network operators” will be required to adopt technological measures to monitor and record their network operations and cybersecurity incidents. They will be required to preserve related web logs for at least six months. Also, “operators of key information infrastructure” will be required to undergo a network safety assessment at least once a year.
5. Assisting Investigations
According to the Cybersecurity Law, network operators must provide technical support and assistance to public or national security agencies which are conducting investigations of a crime.
6. Penalties for Violations
The new Cybersecurity Law establishes penalties for violations of cybersecurity requirements. These mostly rely on fines of varying amounts, but also can in certain serious instances include suspension of a relevant business, stopping the business for rectification or closing down a website, or revocation of relevant business permits or licenses.
The new law authorises short term detention in some instances but avoids formal imprisonment as a penalty. Generally, the final version of the law increased the weight of the fines over those that had been proposed in the preceding draft.
Bing Maisog, partner at law firm Hunton & Williams
Image Credit: Pavel Ignatov / Shutterstock