China’s Cybersecurity Law (CSL) became effective on June 1, 2017 and it regulates the construction, operation, maintenance and use of networks, as well as network security supervision and management within mainland China. The Cyberspace Administration of China (CAC) is the primary governmental authority supervising and enforcing the CSL.
The CSL regulates cybersecurity from different aspects, including network operation security, network information security, as well as monitoring, early warning, and emergency responses.
- Network Operations Security
Under the CSL, all network operators are required to perform the following duties to protect their networks from interference, damage, or unauthorized visits, as well as to prevent data leaks, thefts or falsification:
- Create internal security management systems and operating policies, appointing dedicated network security persons;
- Adopt technological measures to prevent computer viruses, cyber-attacks, network intrusions and other harmful activities;
- Monitor and record network operational status and network security incidents, and retain relevant network logs for at least six months;
- Take measures to classify data, back up and encrypt important data.
The CSL states that China has (or will have) a tiered network security protection system and network operators must perform the above duties to ensure network security and to meet the requirements of such a system. This indicates network operator obligations vary depending on their tier.
China currently has two existing network security related tiered protection systems. One is the Computer Information Systems Security Tiered Protection (计算机信息系统安全等级保护制度), the other is Telecommunication Networks Security Tiered Protection (通信网络安全分级保护制度), though the contents of these two overlap regarding network security. Both of these protection systems put computer information systems or telecom networks into five levels of protection, depending on a system’s importance in national security, economic development, and social life, and potential damages to these aspects in the event of network interference. Whether the tiered system mentioned in the CSL will be similar to these two existing systems or a completely new one is not yet clear. But these systems and related national standards likely will be helpful guides to understanding the concept of China’s tiered protection system.
Critical Information Infrastructure Operators
Critical information Infrastructure (CII) and CII operators must comply with more stringent requirements on top of those applicable to all network operators. The CSL provides for the State to implement key protections for CII in public communication and information services, power, traffic, water, finance, public service, electronic government affairs, and other CII that may endanger national security, national welfare and the people’s livelihood, or the public interest in the event of destruction, malfunction or data leakage. No clear definition of CII is found in the CSL and the catchall language leaves plenty of room for interpretation.
However, there is a Network Security Check Practice Guide (网络安全检查操作指南, the “Guide”) created by the CAC before the CSL became effective that may give some guidance in determining CIIs. The Guide lists out fourteen industries and a few key businesses in each industry. If a network or information system is mainly used to support any of these key businesses in corresponding industry and meets other specific conditions, such a network or system will likely be deemed to be a critical information infrastructure. For example, online shopping is a key business in the telecommunication and the Internet industry, according to this Guide. One of the conditions for a platform to be determined as a CII is that the platform has more than 10 million registered users or more than 1 million active users.
Though a clear definition and scope of CII have not yet been clarified, the CSL does require CII operators comply with the following, in addition to the requirements for all network operators:\
— Annual security assessment
CII operators shall review their networks’ security and assess potential risk at least once a year, either by themselves or through a third-party service provider.
— Procurement Security Review
When purchasing network products and services, CII operators must sign a security and confidentiality agreement with their vendor, clearly setting out the duties and responsibilities for security and confidentiality. If a vendor procurement may impact national security, CII operators must also go through a national security review by the State network administration (CAC) and other relevant departments of the State Council. The Security Assessment Measures for Network Products and Services provides further details in this regard, which became effective on the same day as the CSL.
— Data localization
CII Operators are required to keep within mainland China all personal information and important data collected and generated within mainland China. They are not allowed to transmit such data overseas without firs passing a security review.
The Draft Data Transfer Measures released in April 2017 (“First Draft”) appear to expand the scope of undertakings for such data localization and security review requirements to non-CII operators, which raised concerns for many foreign companies doing business in China. In a revised draft of the First Draft in May (“Second Draft”), this localization requirement was removed. The Second Draft focuses only on security assessment of cross border data transfer.
— Other requirements
Other requirements for CII operators include the following:
- Set up dedicated security management and persons responsible for security management, and conduct security background checks on those responsible persons and of personnel in critical positions.
- Regularly educate, train, and evaluate employees on cybersecurity;
- Back up important systems and databases in preparation for disasters;
- Establish emergency response plans for network security incidents and perform drills periodically; and other obligations by law or administrative regulations.
Network Information Security
“Network Information Security” essentially refers to the protection of personal information collected and stored by network operators. All network operators are subject to the following requirements when collecting and using personal information:
- Maintain strict confidentiality of collected user information.
- Collect and use personal information legally, properly, and only to the extent the collection is necessary.
- Disclose the purpose, method, and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected.
- Networker operators shall not disclose, alter, or destroy collected personal information.
- In the event of data breach or a likely data breach, network operators must take remedial actions, promptly inform users, and report to the competent government agencies according to relevant regulations.
- In case of illegal or unauthorized collection and use of personal information, a person is entitled to ask a network operator to delete such personal information; when information collected is wrong, an individual can request correction.
— Monitor, early warnings and Emergency Response.
In terms of establishing cybersecurity monitoring, early warnings of potential risk and emergency response plans, the CSL also sets out the responsibilities of the CAC, network operators, local government, and industry specific departments.
 We found different versions of this Guidance on the Internet (websites of universities, local governments, etc.), each of which claims to have been released by the CAC. However, the CAC website did not itself have its own guidance on its website when we looked for it.
 The different versions of the Guidance we saw are substantially similar. As for the industries listed, one version includes education, news websites, and commercial platforms as key businesses industries, while another does not have these three lists 11 industries. We refer to the former version only for the purpose of this blog post.