China’s Cybersecurity Law and Draft Implementation Rules
The law applies to all “network operators” and introduces cybersecurity mechanisms.
On November 7, 2016, the Chinese government released a draft version of the Cybersecurity Law (CSL) that will govern China’s cyberspace effective June 1, 2017. The CSL declares the Chinese government’s sovereign authority over the construction, operation, maintenance, and usage of networks in China. It also introduces various mechanisms that the government will use to oversee cybersecurity, such as a multitiered cyber protection scheme, a security review for network products and services, and a security assessment for the cross-border transmission of data, and contains some provisions related to personal data protection.
The practical effect of the CSL will depend on implementing regulations and standards, many of which have yet to be issued. One such regulation that is still in draft form is the Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (Outbound Data Transmission Draft); it was circulated for public comment on April 11, 2017. Another regulation, the Measures for the Security Review of Network Products and Services (Security Review Measures) has passed through the draft stage, with a final version being published on May 2, 2017. The Security Review Measures will take effect on June 1, 2017, at the same time the CSL takes effect.
This LawFlash summarizes the CSL, the implementing rules that have been released, and the rules that are still in draft form. It also examines how ambiguities in the CSL are likely to be resolved, how data transmission practices of most companies will need to be updated, and how some data that used to be freely transmitted outside of China will now have to remain within Chinese territory. The law in this area is evolving rapidly—although the effective date for the CSL is June 1, 2017, we expect that important changes and interpretations will continue to be made for some time to come.
Summary of the Cybersecurity Law and Implementing Regulations
- Broad scope of application
The CSL applies to all “network operators,” which is defined broadly to include “owners and administrators of networks as well as network service providers.” The CSL also introduces the concept of operators of critical information infrastructure (CII), which is a subset of network operators. Compared to general network operators, operators of CII are subject to stricter cybersecurity standards. Detailed rules regarding CII operators will be found in implementing rules that have yet to be released.
- Establishes a multitiered cyber protection scheme
The CSL provides that all network operators must be in compliance with a multitiered cyber protection scheme. This scheme requires that providers of network products and services adopt methods to protect their networks, supervise their operation, preserve operational logs, and keep important data confidential. The details of this scheme have not yet been released.
- Security review for network products and network services required
- Scope of the security review
The CSL provides that a security review will take place only when network products or services that might affect national security are purchased by a CII operator. However, the scope of application of the Security Review Measures is slightly inconsistent with that of the CSL. The Security Review Measures provide that all important network products and services purchased for networks and information systems that are pertinent to national security will be subject to cybersecurity review. The Security Review Measures do not clearly define the term “important network products and services” or “networks and information systems that are pertinent to the national security,” although in Article 10 there is a list of “critical industries and sectors” that are related to “national security”—namely, network products and services purchased by other CII operators, public communications and information services, energy, transportation, hydropower, finance, public services, and e-government services.
The final promulgated version of the Security Review Measures does not include some areas that were found in earlier drafts, such as certain online products and services related to the “public interest” and those used by “departments of the Communist Party and government ministries.”
- Implemented by a network security review commission
A network security review commission established by the government will cooperate with third-party institutions recognized by the government to conduct the security review.
- Focus of the security review
The security review will determine whether a product or service is “secure and controllable.” More specifically, it will focus on (1) the security risk posed by the product or service itself, and the risk that the product or service may be illegally controlled, interfered with, or suspended; (2) risks in the supply chain that may arise during production, testing, delivery, and technical support of the product or service; (3) the risk that the provider of the product or service may use it to illegally collect, store, process, or use the personal information of its users; (4) the risk that the provider of the product or service may infringe upon the cybersecurity or the interests of users by taking advantage of their reliance on the product or service; and (5) any other risks that may jeopardize national security.
- Legal consequences
In the CSL, sanctions for failing to conduct a security review include orders to cease operations and a fine of up to 10 times the purchase price of the product or service. A fine from RMB 10,000 to RMB 100,000 may also be imposed on the responsible individual. The Security Review Measures, however, merely state that violators will be subject to relevant laws.
- Security assessment of data transmitted across borders
- Security assessments under the CSL
The CSL introduces the principles of localization and security assessment. CII operators must retain within China the personal information and critical data that are collected or generated in the course of doing business in China. Then, if there is a business necessity to transmit personal information or critical data overseas, a security assessment must be conducted by the government. As discussed above, CII has not yet been defined.
- Expanded localization and security assessment requirements
In the Outbound Data Transmission Draft, the scope of localization and security assessment has been expanded from CII operators to all “network operators” and all outbound transmissions of personal information and critical data collected or generated within China by individuals or entities.
- Express consent required for the outbound transmission of personal information
The Outbound Data Transmission Draft introduces the requirement of express consent for the outbound transmission of personal information. It requires that individuals be informed of the purpose, scope, content, recipient, and country or territory of the recipient of the outbound transmitted information, and prior consent must be obtained before the outbound transmission.
- The self-assessment and government assessment
The Outbound Data Transmission Draft introduces two types of security assessments: the self-assessment and the government assessment. All network operators must conduct self-assessments annually and before the outbound transmission of personal information. Outbound transmission in any of the following situations is furthermore subject to a government assessment: (1) when the data involves the personal information of more than 500,000 individuals; (2) when the volume of the data is greater than 1,000 GB; (3) when the data involves nuclear facilities, chemistry or biology, national defense or the military, public health, megaprojects, the marine environment, or sensitive geographic information; (4) when the data is related to information about the cybersecurity of CII, such as system vulnerabilities or security protections; (5) when the outbound transmission is conducted by a CII operator; and (6) when national security or the public interest is affected and the government believes a government assessment should be conducted. Also, immediately after any substantial change in information intended for outbound transmission, a security assessment must be reconducted before any such transmission.
- Factors that will be assessed
The following factors will be considered in a security assessment: (1) the necessity of the outbound transmission; (2) the quantity, scope, type, and sensitivity of the outbound transmitted information, and any prior express consent for the transmission of personal information; (3) the security capabilities of the recipient, as well as the cybersecurity environment of the recipient’s country or territory; (4) the risk of leakage, damage, or abuse of the information after the outbound transmission; (5) possible risks to national security, the public interest, or an individual’s legal rights that may result from the outbound information transmission and information aggregation; and (6) other important factors that should be assessed.
- Outbound transmission of some information prohibited
The outbound transmission of information is prohibited in the following situations: (1) with respect to personal information, if there is a lack of prior consent or a possible infringement of an individual’s interests; (2) where it would introduce risks to the security of the national political system, economy, science and technology, or national defense, or if the outbound transmission could affect national security or jeopardize the public interest; and (3) other situations in which the government believes the prohibition is necessary.
- Legal consequences
In the CSL, sanctions include orders to correct, warnings, the confiscation of illegal income, a fine from RMB 50,000 to RMB 500,000, the closure of businesses or websites, or the revocation of relevant licenses. A fine from RMB 10,000 to RMB 100,000 may also be imposed on the responsible individual. The Outbound Data Transmission Draft states that the legal consequences for illegal cross-border information transmissions will be found in other relevant laws and regulations.
- Other implementing rules not yet released
- Compulsory National Standards (Standards)
All network products and services must meet the relevant Standards of their respective sectors. These Standards will be formulated by the competent authorities in each sector.
- Directory of Critical Network Equipment and Specialized Cybersecurity Products (Directory)
The CSL provides that “critical network equipment” and “specialized cybersecurity products” (together, Critical Network Products) must satisfy additional requirements set forth in the Standards. The sale and provision of Critical Network Products are subject to national security certification, and products must comply with national compulsory safety requirements. The Standards and the Directory have not yet been released.
Are Ambiguities in the CSL to Be Resolved by Local Authorities?
Some key terms in the CSL and its implementing rules have not been clearly defined. For example, there is an ongoing debate over the definition of a “network operator.” Does it include multinational companies whose businesses are not directly related to the internet even though their internal networks or VPN systems may be connected to the internet? The definition of “national security” is also unclear, as the threshold that network products must cross in order to be categorized as affecting national security is unknown. And in the context of data transmission, the standard that determines when there is a “necessity” to transmit data overseas has not been specified. The precise definitions of these terms will be crucial for determining whether subsequent approval or review procedures will be required. As the CSL’s implementing rules have not been finalized, the answers to these questions might yet be found in the final versions of these rules.
But based on our experience, it is more likely that local authorities will have the discretion to interpret key elements of the CSL. If that is so, then case-by-case consultations with relevant local authorities, and a regular follow-up mechanism, would be required if multinational companies wish to remain in compliance with China’s data protection laws.
Data Transmission: Changes to Current Practices
Even though uncertainties still remain, the CSL and the Outbound Data Transmission Draft will definitely affect how multinational companies transmit data across borders: (1) new internal control procedures will be needed to protect data; (2) more detailed consent will be required to transmit personal information; and (3) new data localization requirements will mean that some data generated in China must stay in China.
New internal control procedures required to protect data
Although Foreign Invested Enterprises (FIEs) operating in China increasingly recognize the importance of establishing adequate internal controls, their compliance efforts usually focus on areas where there has historically been a high likelihood of enforcement, such as in the areas of anticorruption and antitrust. To date, few FIEs have established comprehensive data protection policies for their operations in China. But because the CSL comes into effect this June, data protection policies will soon become indispensable for most FIEs in China whose business includes the cross-border transmission of data.
Unlike the previous data protection regime in China that placed few restrictions on the cross-border transmission of data, the CSL and the Outbound Data Transmission Draft now make security assessments mandatory: they require annual self-assessments and an assessment before information is transmitted across borders. There will also be a government assessment for data transmissions that reach certain thresholds. Although this assessment requirement concerns the transmission of “personal information” and “critical data,” data that the authorities would consider sensitive will of course need to be identified as well.
In addition, for transactions and investigations where the cross-border transmission of information is inevitable, companies should consider the time and resources they will need to conduct a CSL security assessment. It is therefore advisable that companies establish data transmission and review mechanisms in advance and prepare for any contingencies that may occur.
More detailed consent required to transmit personal information
China’s data protection regulations already require that entities obtain consent before collecting personal information. The CSL extends this requirement so that companies must keep written records to prove that individuals have consented to the proposed cross-border transmission of personal information. The Outbound Data Transmission Draft also provides that companies must disclose the purpose, scope, content, recipient, and destination of any personal information transmitted across borders.
Many multinational companies currently collect statistics about Chinese customers and transmit the statistics overseas for further analysis. These companies will have to examine their current practices, written consent templates, and agreements with customers to ensure that they comply with the CSL.
Data localization: Some data must remain in China
Prior to the CSL, China imposed few enforceable restrictions on the cross-border transmission of data. A national technical guideline touched on this point, but the guideline is not law and it has no binding legal effect. Many FIEs operating in China have been free to place their servers overseas and routinely transmit their Chinese data, such as human resources files and business operation records, to jurisdictions outside of China where their parent companies or data processing agents were located.
With the CSL, the Chinese government has made it clear that much of the data generated in China will have to stay within Chinese territory. Many FIEs will need to adjust their current data strategies accordingly, and will also have to consider the necessary time and costs of performing security assessments.
The final version of the Outbound Data Transmission Draft is expected to be released before June 1, 2017, which is the effective date of the CSL. We will continue to closely monitor developments in this area and will keep you informed.