China’s New Cybersecurity Law: A Different Type Of Dragon
By Nikolaos Theodorakis
China’s new cybersecurity law (“Cybersecurity Law”), which came into force on 1 June 2017, is a milestone. Unlike the EU, which has adopted the General Data Protection Regulation, China does not have an omnibus data protection law. It instead regulates issues of privacy and cybersecurity through a number of industry-specific laws, for example in the health and education sectors. The Cybersecurity Law is somewhat different since it has a wide scope and contains provisions relevant both to data privacy and cybersecurity.
What is the new law about?
The Cybersecurity Law focuses on the protection of personal information and privacy. It regulates the collection and use of personal information. Companies based in or doing business with China will now be required to introduce data protection measures, and certain data must be stored locally on domestic servers. Depending on their activity, companies may need to undergo a security clearance prior to moving data out of China.
The Cybersecurity Law defines personal information as any information that, on its own or in combination with other information, can determine the identity of a natural person (e.g. name, date of birth, address, telephone number, etc.). It mainly regulates two types of organizations: network operators and Critical Information Infrastructure (CII) providers.
Network operators must:
- Acquire the user’s consent when collecting their personal information (it is yet unclear whether consent must be express or not);
- State the purpose, method and scope of data collection;
- Keep the information secure and private (e.g. use backup and encryption methods);
- In the event of a data breach or likely data breach, take remedial actions, inform users and report to competent authorities;
- Erase personal information in case of an illegal or unauthorized collection, and correct inaccurate information;
- Keep log-files of cybersecurity incidents and implement cybersecurity incident plans.
CII providers are required to observe the same cybersecurity practices as network operators, along with additional requirements such as conducting annual cybersecurity reviews. Furthermore, they are required to store personal information and “important data” within China, as discussed below.
What does this mean for businesses?
If your company is doing business in China, or has a physical presence in China, you will need to conduct a gap assessment to determine whether you must undertake changes to be fully compliant with the cybersecurity law.
Failure to comply with the new law comes with significant consequences: a monetary fine of up to 1 million yuan (about $150,000) and potential criminal charges. Individuals (e.g. company directors/managers) may be subject to personal, albeit lesser, fines as well. In determining the applicable sanction, elements taken into account include the degree of harm and the amount of illegal gains. Fines could go up to ten times the amount of ill-gotten gains, potentially skyrocketing the amount. The law also gives the Chinese government the ability to issue warnings, confiscate companies’ illegal income, suspend a violator’s business operations, or shut down a violator’s website.
Not every aspect of the Cybersecurity Law applies to all companies, however. Many of the law’s provisions only apply to the two types of companies mentioned above, network operators and critical information infrastructure providers. However, these categories are defined quite broadly. Even companies that would not ordinarily consider themselves as network operators or CII providers could see the law applying to them.
In fact, network operators include network owners, administrators and service providers. Networks are “systems consisting of computers or other data terminal equipment and relevant devices that collect, store, transmit, exchange, and process information according to certain rules and procedures” (Article 76 of the new Cybersecurity Law). The Cybersecurity Law does not differentiate between internal and external networks; the Law is broad enough to include any company that owns an internal network. The Cybersecurity Law therefore suggests that any company that maintains a computer network, even within its own office, could qualify as a network operator. Companies that are based outside of China but use networks to do business within China could also fall under this definition (e.g. an EU-based company that uses networks in China to process data for its operations).
Critical Information Infrastructure providers are defined more narrowly: those that, if lost or destroyed, would damage Chinese national security or the public interest. This includes information services, transportation, water resources and public services. The law also includes more generally applicable requirements that relate to cybersecurity and contains provisions that apply to other types of entities, like suppliers of network products and services.
Current and upcoming data localization requirements
The new cybersecurity law also requires critical information infrastructure providers to store personal information and important data within China and conduct annual security risk assessments. Important data is not defined in the Cybersecurity Law, yet it likely refers to non-personal information that is critical.
Apart from CII providers, it is anticipated that several foreign companies doing business in China will be required to make significant changes to how they handle data. The draft version of the “Measures for Security Assessment”, published by the Cyberspace Administration of China, suggests expanding the data localization requirements to all network operators. If adopted, this measure will mean that practically all personal information that network operators collect within China must not leave the country other than for a genuine business need and after a security assessment. In anticipation of this development, there is a trend for foreign companies to set up data centers in China to be able to store data locally.
The Draft Implementation Rules also suggest that individuals and entities seeking to export data from China, even if they are not network operators and are based outside China, must conduct security assessments of their data exports. This development, if applied, will significantly expand the Cybersecurity Law’s data localization requirements.
Over the coming months, the Chinese government will continue to issue implementing legislation and official guidance clarifying the scope of the law.