Sara works out of Harris Bricken’s Seattle and Beijing offices, advising clients on legal practices in both China and U.S. Her practice focuses on cybersecurity, data protection law, and privacy law. She also works on mergers and acquisitions, corporate formations, business litigations, and matters involving China’s foreign exchange control policies.

China cyber law
Screenshot of Hangzhou Cyber-court Website, showing its Chinese name as Hangzhou Railway Transport Court as of end of June.

China has recently adopted a plan to establish a cyberspace court in Hangzhou. The plan is for this court to accept filings electronically, try cases via livestream, and hear only e-commerce and Internet-related cases.

Why Hangzhou? As a general rule of Chinese civil procedure law, lawsuits must be brought in the place of the defendant’s domicile. For companies, domicile means their principal place of business or the place where they have their registered address. Hangzhou is home to Alibaba and to many other technology companies; it has been dubbed the “capital of Chinese e-commerce,” and it is the site of the China Cross-Border E-Commerce Comprehensive Test Zone (中国(杭州)跨境电子商务综合试验区). Hangzhou courts have seen a considerable increase in the number of e-commerce related cases, from 600 cases accepted in 2013 to more than 10,000 in 2016.

Before these most recent plans for a cyber-court in Hangzhou, the Zhejiang High Court launched a pilot program to create the Zhejiang E-Commerce Online Court System to better handle Hangzhou’s increasing caseload. Three Hangzhou trial courts and the Intermediate Court of Hangzhou initially joined this system to try certain e-commerce related cases online. Other than a different space (cyberspace versus an actual courtroom) for the actual litigation and trials, there are no significant differences between the online court and traditional courts. The Zhejiang E-Commerce Court website explicitly states that its litigation processes will strictly follow Chinese civil procedure law.

What Cases Will the Cyber-Court Handle? The Cyber-court will have general jurisdiction over certain Internet and e-commerce related cases in the Hangzhou area. Although the Cyber-court’s website is currently inaccessible, according to the Zhejiang E-Commerce Court website, the following cases (over which the existing trial courts in Hangzhou would normally have original jurisdiction) will be tried by the Cyber-court beginning on August 18, 2017:

  • Disputes regarding online purchases of goods, online service agreements, and small [online?] loan agreements;
  • Disputes regarding “internet copyright” ownership and infringement;
  • Infringement on personal rights (e.g. defamation) using the Internet;
  • Product liability claims for goods purchased online;
  • Domain name disputes;
  • Disputes arising from Internet based administration;
  • Other civil and administrative cases concerning the Internet assigned to the Cyber-court by a higher court.

No matter in which district of Hangzhou a defendant is domiciled, cases that come within the above list should be filed with the Cyber-court instead of with the trial court in the previously relevant district.

How to File a Case with the Cyber-court and Attend Trials? Please note that because the Cyber-court’s website is currently offline and inaccessible, we have had to base the information in this section on what we obtained from the website back when it was live in July and on news reports. The Cyber-court will use an online platform that allows people to file cases and attend trials. To be able to use this platform, users must first verify their identity and then register for an account. There are two options for doing this. One is to physically go to Hangzhou and show your ID to the court clerk, which largely defeats the purpose of having an online court system. The other is to have your identity verified through Alipay (Alibaba’s payment service). If you already have an Alipay account and Alipay has verified your identity (because you have probably used Taobao before), that verification will be accepted by the Cyber-court’s system.

Once you have a Cyber-court account, you can file a complaint, submit evidence, and request service of process through this platform.

You can attend your trial remotely by entering a verification code on a webpage. Audio and video transmission of hearings and trials, the evidence presented, and other data exchanges will be encrypted using security technology provided by Alibaba Cloud.

Implications. For people who do not live in the Hangzhou area and want to sue someone there on causes that fall within the Cyber-court’s jurisdiction, the new system will surely make that more convenient. It also will likely make rulings on Internet-related cases more consistent and thereby give more and better guidance to potential and actual litigants.

But I also wonder whether everything that has been put under the Cyber-court’s jurisdiction makes sense. Take product liability as an example. How is a product liability claim for goods purchased online any different from one for goods purchased physically in a store? In what way will the Cyber-court be better able to handle such a claim? There may be differences between online and offline purchase agreements on issues such as where the defendant resides, the place of execution or performance of the agreement, or jurisdiction. But those are typically answered by existing product liability law, contract law, and civil procedure law, and there is no single “Product Liability Law for Cyberspace.” Do we need a separate cyberspace law, or is it just the Law of the Horse? Many countries, including China, have separate maritime and IP courts, and those have generally worked well. Does it make sense to have a separate court handle Internet disputes? I hate to sound trite, but time will tell. Is this a genuine attempt to reform e-commerce and embrace technology? Will this one Cyber-court eventually assume nationwide jurisdiction over Internet claims (not likely)? Will other regions in China create their own cyber-courts? What have other countries done on this front? Please comment below if you know!

Does it make sense to have the system rely so heavily on one company’s technology (Alibaba’s)? Did it have any real choice? How secure is Alibaba’s technology as to data and privacy protection? What protections are in place to prevent Alibaba from appropriating and using the litigation data?

Finally, as with most new developments involving cyberspace and e-commerce in China, much about the Cyber-court remains unclear and will likely change, and fast. I will be covering the changes, so please stay tuned.

China Cybersecurity Law 101

China’s Cybersecurity Law (CSL) became effective on June 1, 2017 and it regulates the construction, operation, maintenance and use of networks, as well as network security supervision and management within mainland China. The Cyberspace Administration of China (CAC) is the primary governmental authority supervising and enforcing the CSL.

The CSL regulates cybersecurity from different aspects, including network operation security, network information security, as well as monitoring, early warning, and emergency responses.

1. Network Operations Security

Under the CSL, all network operators are required to perform the following duties to protect their networks from interference, damage, or unauthorized access, and to prevent data leaks, theft, or falsification:

  • Create internal security management systems and operating policies, and appoint dedicated network security personnel;
  • Adopt technological measures to prevent computer viruses, cyber-attacks, network intrusions, and other harmful activities;
  • Monitor and record network operational status and network security incidents, and retain relevant network logs for at least six months;
  • Take measures to classify data, and back up and encrypt important data.

The CSL states that China has (or will have) a tiered network security protection system and network operators must perform the above duties to ensure network security and to meet the requirements of such a system. This indicates network operator obligations vary depending on their tier.

China currently has two existing network security related tiered protection systems. One is the Computer Information Systems Security Tiered Protection (计算机信息系统安全等级保护制度), the other is Telecommunication Networks Security Tiered Protection (通信网络安全分级保护制度), though the contents of these two overlap regarding network security. Both of these protection systems put computer information systems or telecom networks into five levels of protection, depending on a system’s importance in national security, economic development, and social life, and potential damages to these aspects in the event of network interference. Whether the tiered system mentioned in the CSL will be similar to these two existing systems or a completely new one is not yet clear. But these systems and related national standards likely will be helpful guides to understanding the concept of China’s tiered protection system.

Critical Information Infrastructure Operators

Critical Information Infrastructure (CII) and CII operators must comply with more stringent requirements on top of those applicable to all network operators. The CSL provides for the State to implement key protections for CII in public communication and information services, power, traffic, water, finance, public service, electronic government affairs, and other CII that may endanger national security, national welfare and the people’s livelihood, or the public interest in the event of destruction, malfunction, or data leakage. No clear definition of CII is found in the CSL, and the catchall language leaves plenty of room for interpretation.

However, there is a Network Security Check Practice Guide (网络安全检查操作指南, the “Guide”) created by the CAC[1] before the CSL became effective that may give some guidance in determining what counts as CII. The Guide lists fourteen industries[2] and a few key businesses in each industry. If a network or information system is mainly used to support any of these key businesses in the corresponding industry and meets other specific conditions, such a network or system will likely be deemed critical information infrastructure. For example, according to the Guide, online shopping is a key business in the telecommunications and Internet industry. One of the conditions for a platform to be determined to be CII is that the platform has more than 10 million registered users or more than 1 million active users.

Though the definition and scope of CII have not yet been clarified, the CSL does require CII operators to comply with the following, in addition to the requirements for all network operators:

— Annual security assessment

CII operators shall review their networks’ security and assess potential risk at least once a year, either by themselves or through a third-party service provider.

— Procurement Security Review

When purchasing network products and services, CII operators must sign a security and confidentiality agreement with their vendor, clearly setting out the duties and responsibilities for security and confidentiality. If a procurement may impact national security, CII operators must also go through a national security review by the State network administration (CAC) and other relevant departments of the State Council. The Security Assessment Measures for Network Products and Services, which became effective on the same day as the CSL, provide further details in this regard.

— Data localization

CII operators are required to keep within mainland China all personal information and important data collected and generated within mainland China. They are not allowed to transmit such data overseas without first passing a security review.

The Draft Data Transfer Measures released in April 2017 (the “First Draft”) appeared to expand the scope of these data localization and security review requirements to non-CII operators, which raised concerns for many foreign companies doing business in China. In a revised draft released in May (the “Second Draft”), this localization requirement was removed. The Second Draft focuses only on the security assessment of cross-border data transfers.

— Other requirements

Other requirements for CII operators include the following:

  • Set up a dedicated security management body and persons responsible for security management, and conduct security background checks on those responsible persons and on personnel in critical positions;
  • Regularly educate, train, and evaluate employees on cybersecurity;
  • Back up important systems and databases in preparation for disasters;
  • Establish emergency response plans for network security incidents and perform drills periodically; and
  • Comply with other obligations imposed by laws or administrative regulations.

2. Network Information Security

“Network Information Security” essentially refers to the protection of personal information collected and stored by network operators. All network operators are subject to the following requirements when collecting and using personal information:

  • Maintain strict confidentiality of collected user information;
  • Collect and use personal information legally, properly, and only to the extent the collection is necessary;
  • Disclose the purpose, method, and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected;
  • Do not disclose, alter, or destroy collected personal information;
  • In the event of a data breach or a likely data breach, take remedial actions, promptly inform users, and report to the competent government agencies according to relevant regulations;
  • In case of illegal or unauthorized collection and use of personal information, a person is entitled to ask the network operator to delete such personal information; when information collected is wrong, an individual can request correction.

3. Monitoring, Early Warnings and Emergency Response

In terms of establishing cybersecurity monitoring, early warnings of potential risks, and emergency response plans, the CSL also sets out the responsibilities of the CAC, network operators, local governments, and industry-specific departments.

——————–

[1] We found different versions of this Guide on the Internet (websites of universities, local governments, etc.), each of which claims to have been released by the CAC. However, the CAC’s own website did not have the Guide when we looked for it.

[2] The different versions of the Guide we saw are substantially similar. As for the industries listed, one version includes education, news websites, and commercial platforms as key business industries, while another omits these three and lists 11 industries. We refer to the former version only for the purpose of this blog post.

China’s new Cybersecurity Law becomes effective on June 1
China’s new Cybersecurity Law will become effective on June 1, 2017. In addition to focusing on cybersecurity, the law also details how companies are to handle personal information and data. In determining what is and is not allowed when handling personal information in China, it is important to examine the Decision on Strengthening Information Protection on Networks (2012), the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (2013), and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users (2013). There are also many industry-specific rules, including such rules for banking and credit information services. China’s new Cybersecurity Law adopts and modifies these existing regulations and codifies them.

Under the new Cybersecurity Law, collecting any user’s personal information requires the user’s consent and network operators must keep collected information strictly confidential. Personal information is defined as information that can be used on its own or with other information to determine the identity of a natural person, including the person’s name, date of birth, ID card number, biological identification information (e.g. fingerprints and irises), address, and telephone number. Once such information has been de-identified, it is no longer subject to the requirement for personal information under the law.

According to the new Cybersecurity Law, network operators are subject to the following requirements when collecting and using personal information:

  • Collection and use of personal information must be legal, proper and necessary.
  • Network operators must clearly state the purpose, method, and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected.
  • Network operators shall not disclose, alter, or destroy collected personal information; without the consent of the person from whom the information was gathered, such information shall not be provided to others.
  • In the event of a data breach or a likely data breach, network operators must take remedial actions, promptly inform users, and report to the competent government agencies according to relevant regulations.
  • In case of an illegal or unauthorized collection and use of personal information, a person is entitled to ask a network operator to delete such personal information; when information collected is wrong, an individual can request correction.

Who are the network operators to which the new law will apply? Owners of networks, administrators of networks, and network service providers. Telecom and Internet service providers, clearly, but “network” is broad enough to go well beyond that.

Networks are systems consisting of computers or other data terminal equipment and relevant devices that collect, store, transmit, exchange, and process information according to certain rules and procedures (Article 76 of the new Cybersecurity Law). If you have a couple of computers at home that can share files, and perhaps a printer connected to them, you technically have a network. The law is not likely to go that far, but the generic definitions of network and network operators leave a lot of room for interpretation, which is exactly how the Chinese government wants it.

The new Cybersecurity Law also requires critical information infrastructure operators (CIIOs) to store within China personal information and important data gathered and generated within China, and to conduct annual security risk assessments regarding their data. Though the definition of CIIO is yet to be clarified, we already know that China’s yet-to-be-finalized Measures for Security Assessment of Personal Information and Important Data Leaving the Country will likely require foreign companies doing business in China to make big changes in how they handle data. The Cyberspace Administration of China (CAC) published a draft of these Measures back in April, raising many concerns for foreign businesses operating in China.

These Measures for Security Assessment would expand the data localization requirement to all network operators. This would mean that pretty much all personal information and important data collected by network operators within the PRC must be stored within China and not leave China, other than for “genuine business need” and after a security assessment. And if you think you may be a network operator, you probably are.

Since the new Cybersecurity Law does not differentiate between internal and external networks, it is broad enough to include any company that owns an internal network. Will your China WFOE be able to transmit employee information back to its overseas headquarters? In China’s Cybersecurity Law and Employee Personal Information, we set out best practices for doing this, but that was written before publication of the Draft Measures. Should the Draft Measures become effective — as expected — our views on data transfers will almost certainly toughen. Foreign companies are already setting up data centers in China so as to be able to keep data local and many of our clients are looking at doing the same.

We have been reluctant to write much about data and privacy protection in China because existing laws are both unclear and in a massive state of flux. But because this is so important and because this reluctance cannot extend to a client who needs to know what it must do now with specific data, we plan to write more often about these topics in the weeks and months ahead.

Please stay tuned.

Editor’s Note: Sara Xia is an experienced lawyer with law degrees from Shanghai University of Finance and Economics and the University of Washington. Sara practiced law in China from 2010 to 2013; she became licensed to practice law in California in 2015 and in Washington in 2016. Sara recently joined Harris Bricken to assist our clients with their cyberlaw and corporate matters, mostly while working out of Seattle, Beijing, and San Francisco.