China recently adopted the third draft of its controversial cybersecurity law. It is the first Chinese law focusing exclusively on cybersecurity and will take effect from 1 June 2017.
Foreign businesses operating in China may face data localisation requirements, obligations to share confidential company information with Chinese authorities, and restrictions on the use of foreign technology and equipment in China.
We recommend that these businesses review their technology and data arrangements and assess the potential impact of the new legislation. We also recommend monitoring further developments closely, in particular how the imprecise provisions of the cybersecurity law will be further implemented.
As previously reported in In context, the Chinese government is introducing a series of new laws to tighten control over matters potentially affecting national security. The new cybersecurity law is part of this agenda and establishes a framework for China’s cybersecurity regime. We previously discussed the second draft of the cybersecurity law in In context. The third and final draft contains few substantial changes from the second, and the same concerns that we highlighted still apply.
Obligations imposed by the cybersecurity law
The cybersecurity law has a broad and vague regulatory scope. It aims to regulate the construction, operation, maintenance and usage of networks, as well as their supervision and management in China. It concerns, among other things:
Types of business affected by the cybersecurity law
The cybersecurity law mainly affects two types of business: “network operators” and operators of “critical information infrastructure.”
“Network operators” include any owner or administrator of networks or any network service provider. “Network” is defined broadly and includes any interconnected system where computers or other information terminals and relevant equipment collect, store, transmit, exchange, and process information. Potentially, any company operating network infrastructures in China or operating websites may be regarded as a “network operator”.
While the second draft of the cybersecurity law omitted any definition of the term “critical information infrastructure”, the final version gives a general definition: infrastructure used in important sectors, including public telecommunications and information services, energy, transportation, irrigation, finance, public services, e-government, as well as any other infrastructure that may gravely harm national security, the national economy, people’s livelihoods or the public interest if it is destroyed, loses its ability to function or encounters data leakage. The State Council has not yet clarified exactly which types of businesses fall under the scope of “critical information infrastructure”.
During the cybersecurity roundtable held by De Brauw on 29 November 2016 in Shanghai, Richard Staden ten Brink and Axel Arnbak discussed how the vague rules included in the new cybersecurity law fit in the global trend of cybersecurity regulation. They concluded that this new legislation qualifies as “phase 2” legislation: rules, including general concepts, adopted at a national level regulating critical IT-infrastructure and replacing piecemeal legislation applicable only to specific sectors. “Phase 1” legislation in this context refers to sector-specific regulations which are usually incident-driven, while “phase 3” legislation refers to much stricter and more specific nationwide legislation, incorporating strict enforcement and high penalties, adopted in response to serious offences that occurred, and experience gained, under the “phase 2” legislation. Viewed from this perspective, the new cybersecurity law could be considered a precursor to more precise and stricter rules very similar to those in Europe, with the EU Data Protection Directive as “phase 2” legislation and the recently adopted EU General Data Protection Regulation (replacing the EU Data Protection Directive) as “phase 3” legislation. When this regulation enters into force in May 2018, companies will face penalties of up to 4% of global turnover when compliance and security fail.
As the implementing measures of the new cybersecurity law have not yet been issued, it remains to be seen whether the discretionary powers provided to the Chinese government under this new law are indeed far-reaching and whether this new cybersecurity law should really be considered a precursor to more precise and stricter rules. Given the potentially significant effects on foreign companies, we recommend that businesses operating in China assess whether their business is impacted by this new legislation and keep careful track of further developments.
De Brauw Blackstone Westbroek