
China’s Cybersecurity Law (CSL) became effective on June 1, 2017 and it regulates the construction, operation, maintenance and use of networks, as well as network security supervision and management within mainland China. The Cyberspace Administration of China (CAC) is the primary governmental authority supervising and enforcing the CSL.

The CSL regulates cybersecurity from different aspects, including network operation security, network information security, as well as monitoring, early warning, and emergency responses.

1. Network Operations Security

Under the CSL, all network operators are required to perform the following duties to protect their networks from interference, damage, or unauthorized access, and to prevent data leakage, theft or falsification:

  • Create internal security management systems and operating policies, appointing dedicated network security persons;
  • Adopt technological measures to prevent computer viruses, cyber-attacks, network intrusions and other harmful activities;
  • Monitor and record network operational status and network security incidents, and retain relevant network logs for at least six months;
  • Take measures to classify data, back up and encrypt important data.

The CSL states that China has (or will have) a tiered network security protection system, and that network operators must perform the above duties both to ensure network security and to meet the requirements of that system. This indicates that a network operator's obligations will vary depending on the tier assigned to its network.

China currently has two existing tiered protection systems related to network security. One is the Computer Information Systems Security Tiered Protection system (计算机信息系统安全等级保护制度); the other is the Telecommunication Networks Security Tiered Protection system (通信网络安全分级保护制度). The two overlap considerably in their network security content. Both sort computer information systems or telecom networks into five levels of protection, depending on a system's importance to national security, economic development and social life, and on the potential damage to those interests if the system is interfered with. Whether the tiered system mentioned in the CSL will resemble these two existing systems or be something entirely new is not yet clear, but the existing systems and their related national standards are likely to be helpful guides to understanding the concept of China's tiered protection system.

Critical Information Infrastructure Operators

Critical Information Infrastructure (CII) and CII operators must comply with more stringent requirements on top of those applicable to all network operators. The CSL provides for the State to implement key protections for CII in public communication and information services, power, transportation, water, finance, public services, electronic government affairs, and any other CII whose destruction, malfunction or data leakage may endanger national security, the national economy and people's livelihood, or the public interest. The CSL contains no clear definition of CII, and this catch-all language leaves plenty of room for interpretation.

However, a Network Security Check Practice Guide (网络安全检查操作指南, the "Guide") issued by the CAC[1] before the CSL took effect may give some guidance in identifying CII. The Guide lists fourteen industries[2] and a few key businesses within each. If a network or information system is mainly used to support one of these key businesses in the corresponding industry and meets other specific conditions, it will likely be deemed critical information infrastructure. For example, according to the Guide, online shopping is a key business in the telecommunications and Internet industry, and one of the conditions for an online shopping platform to be treated as CII is that it has more than 10 million registered users or more than 1 million active users.

Though the definition and scope of CII have not yet been clarified, the CSL does require CII operators to comply with the following, in addition to the requirements for all network operators:

— Annual security assessment

CII operators shall review their networks’ security and assess potential risk at least once a year, either by themselves or through a third-party service provider.

— Procurement Security Review

When purchasing network products and services, CII operators must sign a security and confidentiality agreement with the vendor that clearly sets out each party's duties and responsibilities for security and confidentiality. If a procurement may affect national security, the CII operator must also pass a national security review conducted by the State network administration (the CAC) together with other relevant departments of the State Council. The Security Assessment Measures for Network Products and Services, which became effective on the same day as the CSL, provide further details on this review.

— Data localization

CII operators are required to store within mainland China all personal information and important data collected and generated within mainland China. They may not transmit such data overseas without first passing a security assessment.

The Draft Data Transfer Measures released in April 2017 (the "First Draft") appeared to extend these data localization and security assessment requirements to non-CII network operators as well, which raised concerns for many foreign companies doing business in China. In the revised draft released in May (the "Second Draft"), the localization requirement for non-CII operators was removed; the Second Draft focuses only on security assessment of cross-border data transfers.

— Other requirements

Other requirements for CII operators include the following:

  • Set up a dedicated security management body and appoint persons responsible for security management, and conduct security background checks on those responsible persons and on personnel in critical positions;
  • Regularly educate, train, and evaluate employees on cybersecurity;
  • Back up important systems and databases in preparation for disasters;
  • Establish emergency response plans for network security incidents and conduct drills periodically; and
  • Comply with any other obligations imposed by laws or administrative regulations.

2. Network Information Security

“Network Information Security” essentially refers to the protection of personal information collected and stored by network operators. All network operators are subject to the following requirements when collecting and using personal information:

  • Maintain strict confidentiality of collected user information.
  • Collect and use personal information legally, properly, and only to the extent the collection is necessary.
  • Disclose the purpose, method, and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected.
  • Network operators shall not disclose, alter, or destroy collected personal information.
  • In the event of data breach or a likely data breach, network operators must take remedial actions, promptly inform users, and report to the competent government agencies according to relevant regulations.
  • In case of illegal or unauthorized collection and use of personal information, a person is entitled to ask a network operator to delete such personal information; when information collected is wrong, an individual can request correction.

3. Monitoring, Early Warning and Emergency Response

In terms of establishing cybersecurity monitoring, early warning of potential risks and emergency response plans, the CSL also sets out the respective responsibilities of the CAC, network operators, local governments, and industry-specific departments.

——————–

[1] We found different versions of this Guide on the Internet (websites of universities, local governments, etc.), each of which claims to have been released by the CAC. However, the CAC's own website did not have the Guide when we looked for it.

[2] The different versions of the Guide we saw are substantially similar. As for the industries listed, one version includes education, news websites, and commercial platforms among its industries, while another omits these three and lists eleven industries. We refer to the former version only for the purpose of this blog post.

China’s new Cybersecurity Law becomes effective on June 1
China's new Cybersecurity Law will become effective on June 1, 2017. In addition to focusing on cybersecurity, the law also details how companies are to handle personal information and data. In determining what is and is not allowed when handling personal information in China, it is important to examine the Decision on Strengthening Information Protection on Networks (2012), the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (2013), and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users (2013). There are also many industry-specific rules, including rules for banking and credit information services. China's new Cybersecurity Law adopts and modifies these existing regulations and codifies them.

Under the new Cybersecurity Law, collecting any user's personal information requires the user's consent, and network operators must keep collected information strictly confidential. Personal information is defined as information that can be used, on its own or in combination with other information, to identify a natural person, including the person's name, date of birth, ID card number, biometric identification information (e.g. fingerprints and irises), address, and telephone number. Once such information has been de-identified so that it can no longer be used to identify a specific person, it is no longer subject to the law's personal information requirements.

According to the new Cybersecurity Law, network operators are subject to the following requirements when collecting and using personal information:

  • Collection and use of personal information must be legal, proper and necessary.
  • Network operators must clearly state the purpose, method, and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected.
  • Network operators shall not disclose, alter, or destroy collected personal information; without the consent of the person from whom the information was gathered, such information shall not be provided to others.
  • In the event of a data breach or a likely data breach, network operators must take remedial actions, promptly inform users, and report to the competent government agencies according to relevant regulations.
  • In case of an illegal or unauthorized collection and use of personal information, a person is entitled to ask a network operator to delete such personal information; when information collected is wrong, an individual can request correction.

Who are the network operators to which the new law will apply? Owners of networks, administrators of networks, and network service providers. Telecom and Internet service providers clearly qualify, but "network" is defined broadly enough to reach well beyond them.

Networks are systems consisting of computers or other data terminal equipment and relevant devices that collect, store, transmit, exchange, and process information according to certain rules and procedures (Article 76 of the new Cybersecurity Law). If you have a couple of computers at home that can share files, and perhaps a printer connected to them, you technically have a network. The law is not likely to go that far, but the generic definitions of network and network operators leave a lot of room for interpretation, which is exactly how the Chinese government wants it.

The new Cybersecurity Law also requires critical information infrastructure operators (CIIOs) to store within China the personal information and important data they gather and generate within China, and to conduct annual security risk assessments. Though the definition of CIIO is yet to be clarified, we already know that China's yet-to-be-finalized Measures for Security Assessment of Personal Information and Important Data Leaving the Country will likely require foreign companies doing business in China to make big changes in how they handle data. The Cyberspace Administration of China (CAC) published a draft of these Measures back in April, raising many concerns for foreign businesses operating in China.

The draft Measures would expand the data localization requirement to all network operators. This would mean that practically all personal information and important data collected by network operators within the PRC must be stored within China and may not leave China other than for a "genuine business need" and after passing a security assessment. And if you think you may be a network operator, you probably are.

Since the new Cybersecurity Law does not differentiate between internal and external networks, it is broad enough to cover any company that operates an internal network. Will your China WFOE (wholly foreign-owned enterprise) be able to transmit employee information back to its overseas headquarters? In China's Cybersecurity Law and Employee Personal Information, we set out best practices for doing this, but that post was written before publication of the draft Measures. Should the draft Measures become effective, as expected, our views on data transfers will almost certainly toughen. Foreign companies are already setting up data centers in China so as to keep data local, and many of our clients are looking at doing the same.

We have been reluctant to write much about data and privacy protection in China because existing laws are both unclear and in a massive state of flux. But because this is so important and because this reluctance cannot extend to a client who needs to know what it must do now with specific data, we plan to write more often about these topics in the weeks and months ahead.

Please stay tuned.

Editor’s Note: Sara Xia is an experienced lawyer with law degrees from Shanghai University of Finance and Economics and the University of Washington. Sara practiced law in China from 2010 to 2013 and then in 2015 she became licensed to practice law in California and 2016 in Washington. Sara recently joined Harris Bricken to assist our clients with their cyberlaw and corporate matters, mostly while working out of Seattle, Beijing and San Francisco.