On June 1 2017, China’s new cyber security law came into effect. The new legislation was adopted by the National People’s Congress (NPC) in November 2016 after a year of legislative proceedings.
The main objective of this new law is to strengthen central government control over information flows and data security, as well as preventing cyber attacks, computer viruses and other network security violations (such as unauthorised data leakage or theft). A further objective is to strengthen China’s data privacy regime and as a key measure to protect private citizens.
The new law is expected to have an adverse impact on many foreign technology companies operating in China, although its broad scope is also likely to affect companies operating in other areas. Many foreign companies are currently assessing what impact these new rules are likely to have on their China operations, and what steps they should take to comply with the new legislation.
This CBBC Insight sets out some of the key highlights of the new law and considers the potential impact on British companies operating in China.
Key principles of cybersecurity law
The cyber security law contains 79 articles in seven chapters, detailing a number of new cyber security requirements, including:
- Safeguards for national cyber space sovereignty
- Protection of critical information infrastructure (CII)
- Security obligations of network service providers and operators
- Improvements to personal information protection regulations
- Establishment of a key information infrastructure security system
- Rules for cross-border data transmission
The new law mandates that network service providers and operators will be required to strictly maintain confidentiality of user information and to install protection systems to defend user information. Network operators are defined as companies that own networks, manage networks and provide network services, which is sufficiently broad to encompass telecoms operators, internet providers and social media companies. Networks operators are also required to provide “technical support and assistance” to government authorities. It remains unclear whether this will include providing backdoor and decryption assistance for encrypted data.
Critical Information Infrastructure (CII)
The cyber security law has a core focus on “critical information infrastructure” (CII). Critical infrastructure is defined as key industries controlling data that could pose a national security or public interest risk if damaged or lost, including areas such as energy, finance, transportation, telecommunications, medical and healthcare, electricity, water, gas and social security.
There is significant ambiguity in terms of how the cyber security law and draft measures on data export will be put into practice
Article 35 of the cyber security law also requires CII companies to go through a national security review when procuring products and services, as well as conducting an annual security risk assessments regarding their data. Technologies will be assessed on whether they are “secure and controllable”, which has created significant concern among foreign companies that this could involve handing over source code or other trade secrets to government regulators. While foreign business groups have lobbied the government to pursue non-discriminatory policies in line with WTO commitments, there remains a lack of clarity in terms of how these new requirements will be implemented in practice.
CII operators are also required to comply with much stricter requirements on cyber security measures in place, including:
- Setting up dedicated cyber security governance and designate responsible persons
- Organising periodic cybersecurity training
- Implement disaster recovery backup for important systems and databases
- Formulate emergency response plans and organise periodic drills
The law also requires the government to conduct periodic spot-checks of critical information infrastructure and give directions to remedy any identified security risks
Suppliers of network products and services will be required to comply with relevant national and industry standards and ensure the security of their products. Products determined to be “critical network equipment and network security products” are required to go through testing by third party evaluation centres prior to being sold in China. The Cyberspace Administration of China (CAC) will also release a catalogue of critical network equipment and network security dedicated products that require mandatory certification or testing in accordance with compulsory requirements of national standards.
One of the most significant and controversial features of the cyber security law is the requirement that all sensitive personal information and important data produced and gathered by CII companies must be stored on servers located in mainland China. Where it is necessary for data to be transferred outside mainland China, a security assessment must be carried out. Consent of the data subject must also be sought before data can be transferred overseas.
In April, the CAC published a draft of “Measures for Security Assessment of Personal Information and Important Data Leaving the Country”, expanding this data localisation to network operators and “other individuals or organisations”. The widespread interpretation of these measures is that the data localisation requirements will apply to most businesses collecting data from individuals or organisations in mainland China, and not just network operators or CII providers.
Article 37 of the cyber security law refers to two types of data: personal data on individuals and “critical data” (eg. group based data) collected and generated within the territory of China. Personal data includes information such as an individual’s name date of birth, identification number, personal biometrics data, address or phone number. Critical data is not defined, other than other than that it relates to national security, economic development and public interest.
According to the draft, below data are not allowed to be exported:
- Personal data for which no prior consent was sought for export or where an export might jeopardise personal interest
- (Any) data for which an export brings risk to national security (eg. politics, economy, technology, national defence) or may possibly affect national security and damage public interest
- Other data for which an export is barred by administrative authorities like the CAC, police and/or other national security authority.
According to the draft measures, network operators are required to undertake a self-assessment on an annual basis, which should consider the necessity of data transfer, the type and sensitivity of the data, the security protection measures and capabilities of the data recipient, the risk of loss or unauthorised access to the data and any national security risks.
A mandatory assessment is required if the data to be transferred includes any of the following:
- Personal information that involves or accumulates more than 500,000 individuals
- Data volume that exceeds 1,000GB
- Data in fields such as nuclear facilities, chemical biology, defence and military, population health, as well as data involving large-scale engineering projects, marine environment or sensitive geographical information
- Network security information including system bugs and safety protection of CIIs
- Provision by CII operators of personal information and important data abroad
- Other data that, in the opinion of the industry regulator, may affect national security and social public interests and should be subject to security assessment.
Implications for UK businesses
There is significant ambiguity in terms of how the cybersecurity law and draft measures on data export will be put into practice. In particular, the definition of “critical information infrastructure” and “network operators” remains vague, and to whom the rules should apply. Similarly, there is currently no clear single definition as to what constitutes “important information”.
An obvious implication of the new cyber security law is that any UK companies providing network services or the provision of CII in China should carry out an immediate review of their security infrastructure and data protection procedures to comply with new security requirements.
In a similar vein, any foreign company whose business model involves collecting and storing data from Chinese individuals or entities on servers located outside China should consider taking proactive steps towards localising data to servers in mainland China. There may be significant cost implications where foreign companies are required to migrate data to Chinese servers, along with possible concerns around data security and IP leakage.
Any UK companies supplying network security and equipment into the market should take steps to comply with certification requirements and pass a national security review as soon as these requirements are clarified. Some network and security technology vendors may be forced to withdraw from the market if there are substantive risks to intellectual property being compromised by an overly-invasive security review process.
Given the wide scope implied by the measures on data export, it is possible that foreign companies in non-technology areas may face restrictions on transferring basic information (such as employee data) to servers outside China. This may require companies to undergo the self-assessment process, or to move data to servers in mainland China for the foreseeable future.
Non-resident foreign companies that currently collect, manage or store Chinese data on overseas servers may need to consider setting up a legal entity in China to manage data, or to consider an alternative business model. Alternative business models as a result of this are likely to involve licensing/tech transfer to a local Chinese partner, which will inevitably involve greater commercial/IP leakage risks.
CBBC is continuing to monitor the situation and will update members as soon as further clarity becomes available. We encourage any members who may be unsure about how these new rules will affect them to reach out to CBBC for further advice and support and can recommend a number of member companies for more in-depth legal advice on these issues.