The Cyber Security Law of the People’s Republic of China (网络安全法; the CSL), which came into effect on June 1, 2017, imposes far-reaching restrictions on how computer networks in China are operated. It also sets forth provisions governing data privacy and security that, among other things, require data localization and government-led security reviews and restrict cross-border transfers. The CSL is part of a developing legislative framework for cyber governance in China that seeks to protect China’s cyber sovereignty and preserve its cyber security for national security reasons. However, many of the CSL’s key provisions are broadly drafted and omit critical details, making it difficult for companies to determine whether the provisions apply to them and, if so, how to comply.
The government has published additional regulations to help clarify some aspects of the CSL, but significant work still needs to be done. Addressing the remaining issues will likely take several months while government agencies with responsibility for network security and government agencies with sector-specific responsibilities work together to develop further relevant regulations and standards. As a result, enforcement of some provisions of the CSL may be limited; however, pilot enforcement campaigns in particular industries or in relation to particular network operators are expected.
The following discussion provides an overview of the key elements of the CSL, identifies where ambiguity still remains, and offers suggested steps that companies can take until the various rule-making and standard-setting work currently underway is completed.
To Whom Does the CSL Apply?
The provisions of the CSL apply to the following types of entities:
Network operators are defined as parties who own or administer a computer network in China and network services providers (companies providing licensed telecommunications services over the network). Given this broad definition, the CSL’s network operator provisions potentially apply to all companies operating in China that use the Internet or other networks to carry out their businesses.
In contrast, CII operators are more narrowly defined and appear to be limited to network operators in important industries, such as public communications and information services, energy, transportation, water resources, finance, public utilities, and e-government affairs, where any damage, loss of function or data breach of the network might seriously endanger national security, national welfare and people’s livelihood, or the public interest. Questions still remain though about what infrastructure constitutes CII. The State Council, which is responsible for issuing regulations that will specify the scope of CII in greater detail, has not yet issued its regulations. However, the Cyberspace Administration of China (国家互联网信息办公室; CAC) issued draft regulations for public comment in June 2017 that provide additional but insufficient guidance on this question.
Draft CII Regulations
The CAC’s draft Regulations for Security Protection of Critical Information Infrastructure (关键信息基础设施安全保护条例(征求意见稿); the “Draft CII Regulations”) state that a network or information system operated or managed by one of the following entities will be regarded as CII if damage, a loss of function or data breach involving the network or system might seriously endanger national security, national welfare and people’s livelihood, or the public interest:
However, the Draft CII Regulations note that the specific scope of CII will be determined on a sector-by-sector basis. In particular, the CAC, the Ministry of Industry and Information Technology and the Ministry of Public Security will promulgate guidelines for the recognition of CII and government authorities responsible for specific sectors will follow these guidelines in their specification of CII in their respective sectors.
There is no specified timeframe for completion of this additional work but, according to a media interview with a senior CAC official the definition of the scope of CII and the protective measures to be adopted by CII would be completed no later than May 31, 2018.
Key Provisions of the CSL
The CSL imposes a number of general network security and data privacy and security obligations on network operators and manufacturers. As described below, these provisions build on and consolidate provisions found in existing laws. In addition, the CSL imposes new and controversial obligations and restrictions on CII operators with respect to network security, data localization, and cross-border transfers. The law also provides for enhanced regulatory oversight of all network operators.
1. General Data Privacy Requirements
The CSL sets forth the following general data privacy requirements:
These provisions reflect the data privacy rules that are already in place in existing consumer protection, telecommunications and other sector-specific legislation.
2. General Security Requirements for Network Operators and Manufacturers
All network operators are required to:
In addition to the above requirements, CII operators are subject to a number of other requirements, such as setting up specialized security management departments, conducting security background checks, providing periodic network security education and technical training for employees, carrying out disaster recovery backups of important systems and databases, creating emergency response plans for network security incidents, and undertaking annual third party security and risk assessments.
All manufacturers and suppliers of network products and services are subject to the following prohibitions and obligations:
To implement this last requirement, the CAC and other government departments jointly issued in June 2017 the Catalogue for Key Network Equipment and Specialized Network Security Products (First Batch) (网络关键设备和网络安全专用产品目录 (第一批).). Network equipment designated in this catalogue includes specific types of routers, switches, servers and PLC equipment, and, which security products include specific types of data backup equipment, firewalls, intrusion detection systems and intrusion prevention systems. A notice accompanying the catalogue specifies that the relevant inspection or certification process is a certification process administered by the Ministry of Public Security, a certification process administered by the MIIT, or a certification process administered by the Accreditation Administration of China.
3. Data Localization and Cross-Border Transfers
The CSL requires CII operators to store in China both personal information and “important data” (undefined) that are collected and produced in the course of business operations in China. It also restricts the transfers of such data to overseas parties by subjecting such transfers to a security assessment. At present, these rules only apply to CII operators; however, they may be extended to cover all network operators, if the CAC’s draft Measures for Security Assessment of Cross-Border Export of Personal Information and Significant Data (《个人信息和重要数据出境安全评估办法数据出境评估办法》 (征求意见稿)) (the “Draft Data Export Measures”) are finalized in their current form.
Scope and Definition of Covered Data
The scope of data that are subject to the data localization and cross-border transfer requirements remains unclear. In particular, it is unclear if a company’s own human resources (HR) data are potentially subject to the data localization requirement. Informal guidance provided by CAC officials suggests that only commercial data related to a network operator’s business are covered; HR data are not covered. Hopefully this issue will be clarified after the implementing measures are issued.
With respect to the question of what constitutes “important data,” the CAC’s Draft Data Export Measures define such data as data that are closely related to “national security, economic development or the public interest.” The Draft Data Export Measures also state that the detailed scope will be governed by “guidance on identification of significant data (重要数据识别指南).” That document has been provided in draft form as an appendix to the draft Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (信息安全技术 数据出境安全评估指南 (草案); the “Draft Security Assessment Guidelines”), which has been circulated for public comment. That appendix provides a definition of the term and also sets out in a lengthy list specific “important data” across 26 different sectors.
Security Assessments for Cross-Border Transfers
Prior to transferring personal information across borders, the CSL required CII operators to conduct a security assessment. According to the Draft Data Export Measures, the assessment should consider the following issues:
In addition, the Draft Security Assessment Guidelines provide detailed guidance on the security assessment procedures to be followed and the factors to be assessed. According to the Draft Security Assessment Guidelines, two broad questions should be assessed: (1) whether a proposed data transfer is legal and justified and (2) whether related risks are controllable, considering such issues as:
Detailed assessment methods are provided in Appendix B of the Draft Security Assessment Guidelines, the Security Risk Assessment Methods for Cross-Border Transfer of Personal Information and Important Data (个人信息和重要数据出境安全风险评估办法).
According to the Draft Data Export Measures, in some situations, the security assessment may be undertaken by the CII operator/network operator itself; in other cases, it must be carried out in conjunction with the relevant Chinese authorities. An example of when relevant authorities must be involved is when the personal data of more than 500,000 individuals is proposed.
The Draft Data Export Measures also prohibit the transfer of data to overseas parties, if a transfer endangers political, economic or technological security; homeland, military, cultural, social, information or ecological security; or the security of resources or nuclear facilities.
Another important issue that needs to be clarified is whether remote access to computer networks in China from overseas constitutes a transfer of data. Based on the Draft CII Regulations, it appears that remote access would be considered to be a transfer. In particular, the Draft CII Regulations require that the maintenance of CII must be conducted inside China and that prior approval from the relevant sector-specific authority and the Ministry of Public Security must be obtained if, due to business requirements, maintenance needs to be undertaken remotely from offshore.
Consent Requirements for Cross-Border Transfers
Under the Draft Data Export Measures, consent is required to transfer personal information except in the event of an emergency or where there is implied consent by virtue of the individual’s proactive conduct (e.g., making international phone calls and sending emails to overseas recipients).
4. National Security Review of Products and Services
The CSL requires CII operators procuring network products and services to undergo a CAC-led security review process if the procurement “might have an effect on national security.” Additional details are set forth in the first set of binding implementing rules under the CSL issued by the CAC in May 2017. The CAC’s Measures for Security Review of Network Products and Services (Trial Implementation) (网络产品和服务安全审查办法(试行); the “Security Review Measures”) describe as the key focus of the security review the evaluation of the “security (安全性) and controllability (可控性)” of the relevant product or service. The “security and controllability” criteria include considerations of security and controllability risks inherent to the product or service, security risks that relate to the supply chain, risks related to user information, and risks of the user’s interests being harmed by the product or of the service provider caused by taking advantage of the user’s reliance on the product or service.
Determination of which particular products and services may have an effect on national security and, therefore, would be subject to security review will be done on a sector-by-sector basis by the “key information infrastructure protection department” (关键信息基础设施保护工作部门, “KIIP Department”) in the government ministry responsible for the particular sector. According to the CSL, KIIP Departments will be set up within the different government departments with oversight of KII in different sectors. As far as we are aware, no sector-specific catalogue of network products and services subject to national security review has been issued yet, and indeed it is not clear whether relevant government ministries have set up KIIP Departments yet.
CSL violations can result in a host of penalties, including warnings, suspensions, confiscation of illegal income, fines that in some limited cases can be in amounts up to RMB 1,000,000 (approximately US$150,000) and fines set as a multiple of illegal income. In addition, supervisory personnel can, in some cases, be subject to fines and, in limited cases, imprisonment.
The CSL also contemplates that foreign companies and other parties interfering with CII can be subject to legal liability.
It appears that certain government departments have already started to undertake security inspections and investigations on certain networks and IT systems on the basis of guidance on the scope of CII set out in an internal CAC notice. The notice is not publicly available but there are other documents in circulation that purport to be appendices to the notice. Among other things, these appendices include a document entitled Guidelines for Determination of Critical Information Infrastructure (关键信息基础设施确定指南; the “CII Guidelines”). The CII Guidelines do not provide definitive guidance on the scope of CII, but do provide important insight on the perspective of a key enforcement agency in relation to the scope question. Various characteristics are set out in the CII Guidelines to assist government departments to identify IT systems for inspection as part of the pilot program. These include, for example:
The CII Guidelines have not been formally issued and, even if the document in circulation is genuine, the guidelines only relate to a specific pilot program and should not be taken as offering a definitive explanation of CII. Companies should view the CII Guidelines, at most, as evidencing the types of considerations that may guide the CAC and other government departments in the work remaining to be done in order to define CII.
Until the various rule-making and standard-setting work currently underway is completed, companies operating in China should consider taking the following steps: