Impact of New Cybersecurity Law on Foreign Companies in China
By Robert M. Oberlies & Jessie Lu
On November 7, 2016, China’s Standing Committee of the National People’s Congress adopted the Cybersecurity Law of the People’s Republic of China (Cybersecurity Law). The Cybersecurity Law will take effect on June 1, 2017.
Introduction and Scope
The Cybersecurity Law applies to the construction, operation, maintenance and use of computer networks as well as the supervision and administration of cybersecurity in the territory of the People’s Republic of China (PRC or China). A computer network is defined as a system consisting of computer systems, terminals, or related equipment that follow certain rules or processes to gather, store, transmit, exchange and process information. As drafted, the Cybersecurity Law can be particularly vague in parts and leaves many questions in terms of the full reach of the legislation and how the provisions will be interpreted and enforced. It is expected that a number of sections will be supplemented by new regulations and implementation rules in 2017.
Article 10 of the Cybersecurity Law is a catch-all provision that provides that “when constructing or operating networks, or providing services through networks,” companies “shall implement technical measures and other measures in accordance with the mandatory requirements under relevant laws, regulations, and national standards, to protect the safe and stable operation of the network, effectively deal with cybersecurity accidents, prevent cybercrimes, and maintain the completeness, confidentiality and usability of the internet data.”
This language and other sections of the Cybersecurity Law primarily impose obligations and liabilities on network operators, with “network operators” being defined as owners and administrators of networks (which would include most foreign companies with legal entities in China) and online service providers.
The Cybersecurity Law provides for the implementation of a tiered cybersecurity protection system. Under the law, network operators shall follow the requirements under the tiered cybersecurity protection system, and take the following measures to protect the network from disturbance, damage or unauthorized access, and prevent network data from being divulged, stolen or altered:
- Create internal security management systems and operation guidelines, designate person(s) in charge of network security, and assign responsibility for network security;
- Take technical measures to prevent computer viruses and activities that would harm network security, such as cyberattacks and network intrusion;
- Take technical measures to monitor and record network status and network security incidents, and preserve relevant network logs in accordance with regulations for at least six months;
- Take measures such as data categorization, backup of important data, and encryption; and
- Other obligations as provided by laws and regulations.
The Cybersecurity Law does not elaborate any further on the details of the tiered cybersecurity protection system. It is expected that China’s legislature will either publish further clarifying regulations or use systems already in place (such as the tiered security protection system for computers or the tiered security protection system for communication networks). Regardless, it is expected that networks would likely be categorized according to the potential harm they may cause; and the greater the potential harm is, the more stringent the rules and requirements would be. It is expected that China’s legislature will clarify in subsequent regulations that not all network providers have to meet all of the above requirements.
Among the requirements listed above, the third and fourth requirements may be most burdensome to foreign companies in China. While the other requirements are quite broad, they are similar to basic network security protocols that many companies already have in place. The third and fourth requirements, however, specifically mandate that network providers preserve their logs for at least six months, and categorize, back up and encrypt their data, which could in turn require the network provider to upgrade their infrastructure and dedicate more resources.
According to this law, network operators should also create an emergency plan to deal with system bugs, computer viruses, cyberattacks and network intrusion in a timely manner. When there is any incident compromising network security, network operators shall immediately implement the emergency plan, take relevant remedial measures, and report to the government agency in charge in accordance with laws, regulations and other administrative rules. It is not clear what the laws, regulations and other administrative rules would provide regarding the reporting requirement. This issue is expected to be addressed in future regulations.
Article 28 provides that network operators shall provide technical support and assistance to China’s public security agencies and state security agencies for their actions to maintain national security and investigate crimes in accordance with the law. Foreign companies have raised concerns about what they maintain is an overbroad and ambiguous provision that could be used as a back door for government monitoring of communications. The legislative history of the law suggests that the legislature purposely drafted this provision to provide authorities broad authority to interpret when such support is needed. In the first draft of the Cybersecurity Law, the language proposed was “network operators shall provide necessary support and assistance” (emphasis added). In the final draft approved, the word “necessary” was removed, giving the government more authority to require such support regardless of whether it is necessary to maintain national security or investigate crimes.
The Cybersecurity Law does, however, provide safeguard measures against government use of information obtained through exercising their oversight and enforcement responsibilities. Article 30 stipulates that government agencies shall not use such information for any purposes other than maintaining cybersecurity, and violations of this requirement can subject government agents to disciplinary action.
The Cybersecurity Law also imposes obligations regarding personal information on network operators. Network operators should keep personal information confidential, inform people whose personal information is being collected of data collection, publish data collection and use policies, and obtain users’ consent. Network operators shall not collect personal information irrelevant to the services they provide, and shall process and store personal information in accordance with laws, regulations and user agreements.
Network operators shall not divulge, alter or damage the personal information they collect, or provide any personal information to any other person without the consent of the person whose personal information has been collected, unless the personal information has been processed so that no individual can be identified by the information and the data cannot be traced in a way that would allow identification of any person. Network operators shall take technical measures and other necessary measures to protect the security of the personal information that they collect. If a user’s personal information has been or may be divulged, damaged or lost, network operators shall immediately take remedial measures, inform users in a timely fashion, and report to the government agency in charge.
If a network operator violates the laws, regulations or user agreements, users can request the network operator to delete their personal information. If there is any inaccuracy in the personal information collected and stored by network operators, users can request network operators to correct the information.
Network operators shall strengthen their monitoring of the information published by users: Upon discovery of information whose publishing or transmission is prohibited by laws or administrative regulations, network operators shall immediately stop the transmission of such information, take disposal measures such as erasing the information to prevent the information from spreading, preserve relevant records, and report to the government agency in charge. Network operators shall also create a report system for their cybersecurity, publish report contact information, and solve issues regarding their cybersecurity system in a timely fashion.
Network Product and Service Providers
Network product and service providers shall comply with the mandatory requirements of the relevant national standards and shall not install malware. In addition, when the network products or services are subject to any security risk, the provider shall take remedial measures immediately, notify the users of the risks, and report to the government agency in charge.
The Cybersecurity Law also imposes security maintenance requirements on such providers and forbids termination of the maintenance before the expiration of the term of maintenance agreed by the provider and the user.
Like collection of personal information by network operators in general, providers of network products and services shall notify users and obtain consent before collecting users’ information through their products or services.
Further, providers of critical network equipment and specialized cybersecurity products shall obtain security certification from recognized institutions or pass security examinations before they can be sold or provided. The catalog of critical network equipment and specialized cybersecurity products will be provided by the relevant authorities.
Critical Information Infrastructure Operators
Critical information infrastructure operators face heightened scrutiny, compared to other network operators, under the Cybersecurity Law. In the adopted version of this law, “critical information infrastructure” is defined as information infrastructure in critical industries and sectors such as public communication and information services, energy, transportation, water, finance, public services and e-government. This definition, while still expansive, is narrower than the definition in the first draft, which also included the networks and systems owned or managed by online service providers with a large number of users. The Cybersecurity Law has provided the State Council with the authority to further clarify the scope of the term “critical information infrastructure operators” and the applicable security requirements for them.
The requirement regarding storage of information and data in the territory of the PRC and other heightened requirements are only applicable to critical information infrastructure operators.
They will have to store in the PRC the personal information and important data they collect and generate in the territory of the PRC. They may still be able to provide such information to people or entities outside of China if they pass a security inspection by the government agency in charge.
We will closely monitor developments in the Cybersecurity Law and related regulations and provide updates on significant changes.