13 December 2016

China adopts new cybersecurity law

China recently adopted the third draft of its controversial cybersecurity law. It is the first Chinese law focusing exclusively on cybersecurity and will take effect from 1 June 2017.

Foreign businesses operating in China may face data localisation requirements, obligations to share confidential company information with Chinese authorities, and restrictions on the use of foreign technology and equipment in China.

We recommend that these businesses review their technology and data arrangements and assess the potential impact of the new legislation. We also recommend monitoring further developments closely, in particular how the imprecise provisions of the cybersecurity law will be further implemented.

As previously reported in In context, the Chinese government is introducing a series of new laws to tighten control over matters potentially affecting national security. The new cybersecurity law is part of this agenda and establishes a framework for China’s cybersecurity regime. We previously discussed the second draft of the cybersecurity law in In context. The third and final draft contains few substantial changes from the second, and the same concerns that we highlighted still apply.

Obligations imposed by the cybersecurity law
The cybersecurity law has a broad and vague regulatory scope. It aims to regulate the construction, operation, maintenance and usage of networks, as well as their supervision and management in China. It concerns, among other things:

  • what technology can or cannot be used in China’s cyberspace. To that end, it imposes requirements for pre-market certification of “critical network equipment” and “specialised cybersecurity products”. The State Council has yet to formulate and release examples of this type of equipment and product;
  • a duty for “network operators” to provide technical support and assistance to unspecified Chinese authorities for reasons of national security or criminal investigation. What this duty entails is unclear, but in a worst-case scenario, a “network operator” may be required to give full access to available confidential information; and
  • the requirement for operators of “critical information infrastructure” to store “personal information” and “important business data” within China unless it is absolutely necessary to send this data abroad and the arrangements to do so have been cleared during a security assessment. The national cyberspace administration and the State Council are yet to formulate what this security assessment process will look like. Where in the second draft “personal information” seemed to relate to information of Chinese citizens only, it is now unclear whether “personal information” also encompasses personal information relating to foreigners.

Types of business affected by the cybersecurity law
The cybersecurity law mainly affects two types of business: “network operators” and operators of “critical information infrastructure.”

“Network operators” include any owner or administrator of networks or any network service provider. “Network” is defined broadly and includes any interconnected system where computers or other information terminals and relevant equipment collect, store, transmit, exchange, and process information. Potentially, any company operating network infrastructures in China or operating websites may be regarded as a “network operator”.

While the second draft of the cybersecurity law omitted any definition of the term “critical information infrastructure”, the final version gives a general definition: infrastructure used in important sectors, including public telecommunications and information services, energy, transportation, irrigation, finance, public services, e-government, as well as any other infrastructure that may gravely harm national security, the national economy, people’s livelihoods or the public interest if it is destroyed, loses its ability to function or encounters data leakage. The State Council has not yet clarified exactly which types of businesses fall under the scope of “critical information infrastructure”.

Global trends
During the cybersecurity roundtable held by De Brauw on 29 November 2016 in Shanghai, Richard Staden ten Brink and Axel Arnbak discussed how the vague rules included in the new cybersecurity law fit in the global trend of cybersecurity regulation. They concluded that this new legislation qualifies as “phase 2” legislation: rules, including general concepts, adopted at a national level regulating critical IT infrastructure and replacing piecemeal legislation applicable only to specific sectors. “Phase 1” legislation in this context refers to sector-specific regulations, which are usually incident-driven, while “phase 3” legislation refers to much stricter and more specific nationwide legislation, incorporating strict enforcement and high penalties as a response to serious offences that occurred, and experience gained, under the “phase 2” legislation. Viewed from this perspective, the new cybersecurity law could be considered a precursor to more precise and stricter rules very similar to those in Europe, with the EU Data Protection Directive as “phase 2” legislation and the recently adopted EU General Data Protection Regulation (replacing the EU Data Protection Directive) as “phase 3” legislation. When this regulation enters into force in May 2018, companies will face penalties of up to 4% of global turnover when compliance and security fail.

Next steps
As the implementing measures of the new cybersecurity law have not yet been issued, it remains to be seen whether the discretionary powers provided to the Chinese government under this new law are indeed far-reaching and whether this new cybersecurity law should really be considered a precursor to more precise and stricter rules. Given the potentially significant effects on foreign companies, we recommend that businesses operating in China assess whether their business is impacted by this new legislation and keep careful track of further developments.