Three Weeks On: What We Know about Enforcement of China’s Cybersecurity Law – Part 1
On June 1, 2017, China’s new Cybersecurity Law (the “Law”) finally went into effect. It is the first Chinese law that systematically lays out the regulatory requirements on data privacy and cybersecurity, subjecting to government scrutiny many activities in cyberspace that were previously unregulated or addressed in a sector-by-sector fashion.
Three weeks after the Law took effect, we examine the latest developments in this three-part post. This post will clarify which key features of the Law are ready to be enforced immediately and which provisions are still awaiting clarification in the form of implementing regulations or standards.
Enforced Immediately: General Data Privacy and Cybersecurity Obligations of “Network Operators”
The Law imposes various data privacy and cybersecurity obligations on “network operators” (broadly defined to include “owners and managers of networks, as well as network service providers”). These general obligations are expected to be enforced immediately.
Key obligations for network operators include:
Data Privacy Obligations
Enforced Immediately: Cybersecurity Review of Network Products and Services
Providers of network products and services that may affect China’s national security will also be affected immediately. Article 35 of the Law requires operators of Critical Information Infrastructure (“CII”) to ensure that any procured network products and services that may affect national security pass a “national security review.”
The Cyberspace Administration of China (“CAC”) has finalized the Measures on the Security Review of Network Products and Services (Trial) (“the Security Review Measures”) on May 2, 2017, which offer guidance on how mandated cybersecurity reviews will be conducted. While the Measures have already gone into effect (on the same day as the Cybersecurity Law), they still lack clarity regarding the substantive criteria and procedures that will be applied during the review process.
Despite some ambiguity in how the review will be conducted, suppliers of network products and services may be subject to these reviews if the procurement at issue has the potential to affect China’s national security. Thus, those suppliers should be mindful of security risks running through their supply chain.
Enforced Immediately: Pre-Sale Certification of Critical Network Equipment and Network Security Products
Article 23 of the Law requires certain “Critical Network Equipment and Network Security Products” to a certification process before being sold or provided in China. This is separate from the security review process of network products and services procured by operators of Critical Information Infrastructure (CII). On June 9, 2017, the CAC, together with three other agencies, released the Catalog of Critical Network Equipment and Network Security Products (First Batch) that will be subject to such a certification process. For more detail, see Covington’s post on this development here.
Awaiting Clarification: Protection of Critical Information Infrastructure (CII)
The Law imposes the most stringent cybersecurity rules on CII operators and their suppliers. For example, in addition to the general obligations applicable to all network operators, Article 34 of the Law imposes on CII operators specific security protection obligations. These include, among other items, designating departments/personnel responsible for security management, conducting security training, backing up important systems and data, and formulating incident response plans that should be practiced regularly. However, the Law contemplates that the specific scope these and other requirements on the protection of CII will be specified by implementing regulations. These regulations have not yet been released.
Awaiting Clarification: Cross-Border Data Transfer
Article 37 of the Law expressly requires that operators of CII store within China “citizens’ personal information and important data” collected or generated in the course of operations within the country. If transfers of data offshore are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless otherwise specified by laws and regulations.
The CAC has issued and received public comment on a draft implementing regulation for this requirement—the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (the draft “Transfer Measures”). Importantly, the draft Transfer Measures extend certain cross-border transfer obligations to “network operators,” a much broader term than “CII operators.” These obligations include conducting a security assessment before transferring personal information and important data offshore.
The CAC has delayed the issuance of the final version of the Transfer Measures for unknown reasons. In any event, in the latest version of the Transfer Measures, the CAC has given “network operators” a grace period of 18 months to comply with the requirements for cross-border data transfers. All network operators’ cross-border data transfers must be in compliance with the Measures starting from December 31, 2018.