Recap: the background, scope and key provisions of the new law
The Cybersecurity Law (CSL) is part of a developing body of legislation through which the Chinese government aims to preserve, protect and control its cybersecurity and the privacy of its citizens. Whereas China’s previous cyber and data regulation was spread out over a number of different sector-specific and regional regulations, the CSL is China’s first national law exclusively focusing on these issues. The CSL sets out China’s most fundamental data security rules and standards and provides the framework for the implementation of additional measures and guidelines.
The introduction of the CSL should be viewed against the Chinese government’s assertion of the country’s ‘cyber sovereignty’ and increased control over its cyberspace. For the Chinese authorities, cyberspace regulation is not only of commercial importance (Beijing has labelled data a “national strategic resource”), but it also serves the higher purpose of national security and maintaining social order and stability. Similar to its physical borders, China has in recent years erected digital barriers online. This ‘Great Firewall’ not only protects China’s computer networks from outside interference, but also allows for regulation of its cyberspace. By separating foreign from domestic cyberspace, control over the latter can be firmly established, as these network regulations provide for unparalleled oversight of the population and limitation of popular discourse.
Conceptually, the CSL regulates three ‘dimensions’ of data protection. Firstly, it ensures information security in a traditional, general sense, such as the protection of data confidentiality, integrity and availability. Secondly, the law protects the privacy of individuals and their “personal information”, which has been broadly defined as information sufficient to identify an individual (see also below). Provisions in this dimension cover, amongst other topics, the confidentiality, collection and usage of personal information, including the ban on disclosing personal information without consent and a subject’s right to have his or her personal information deleted or removed. Thirdly, the CSL aims to secure data at the national level and mandates the relevant authorities to investigate and collect data, even where this concerns information held by private entities. The implementation and enforcement of the CSL is led and overseen by the Cyberspace Administration of China (CAC). The CAC reports directly to China’s State Council, signifying the importance of this new but powerful government authority.
We presented a first overview of the final version of the CSL in our May 2017 edition of In context. In brief, the CSL applies to three types of entities, on which it imposes the following obligations:
Network operators
Network operators are defined as owners, administrators or service providers of “networks”, which are systems comprised of computers and other information terminals that gather, store, transmit, exchange or process information. This definition potentially covers any party that owns or operates an IT network in China. Among other obligations, network operators are required to:
- formulate internal security management systems and operating rules;
- appoint designated officers responsible for network security;
- adopt technological measures to prevent and mitigate computer viruses and network attacks and intrusions;
- monitor network operations and incidents and store these records for a period of six months;
- adopt measures relating to data classification, backups and encryption.
Critical information infrastructure operators
Although a clear definition of critical information infrastructure (CII) operators is not provided in the CSL itself, from the limited provisions dedicated to its scope it appears that CII operators are a subset of network operators. CII operators have to comply with the requirements for network operators, but also have more stringent data security requirements to comply with, including obligations to:
- set up specialised security management departments and conduct security background checks on responsible officers in critical positions;
- periodically conduct network security education, technical training and skills evaluations for employees;
- carry out disaster recovery backups of important systems and databases;
- formulate emergency response plans for network security incidents, and periodically organise drills;
- be subject to national security review by governmental authorities when purchasing network products and services “impacting national security”;
- annually engage a third party to conduct a security and risk review and to submit the results to the authorities;
- provide network security information to authorities and “research institutions”.
In addition to these requirements, perhaps the CSL’s most far-reaching obligation for CII operators is that any personal information and “important data” (a term undefined in the CSL; see more information below) generated in the course of business operations in China must be stored within China. This requirement is generally referred to as “data localisation”. Furthermore, the cross-border transmission of this data is restricted and requires a security assessment, which must be conducted by the CII operator itself (self-assessment) or, under specific circumstances, by the relevant Chinese authorities (regulator assessment). The CSL also specifies categories of data which are not allowed to leave China under any circumstances, including personal information for which no consent for disclosure has been given, or data which could impact national security. Although on the basis of the text of the CSL itself the requirements with regard to data localisation and cross-border data transfer apply to CII operators only, early draft implementing legislation suggested that these requirements might be extended to network operators. This ambiguity has led to much apprehension and concern in the international business community in China.
Manufacturers and suppliers of network products and services
Apart from the data-related regulations above, the CSL also includes provisions which apply to hardware, indicating the Chinese government’s desire to regulate the full network and data production chain. The hardware regulations apply to manufacturers and suppliers of network products and services, and include the following prohibitions and obligations:
- use of malicious programs is prohibited;
- specific key network equipment and network security products must be security certified or tested before they are sold or provided in China;
- any security flaw identified must be remedied and users and relevant government departments must be notified;
- for the collection of user information, express consent must be obtained from the relevant subjects.
I. Recent (draft) legislation and legal developments
As was expected on the eve of the law’s commencement, recent months have produced a wide array of new draft guidelines and implementation measures. Although it is clear that this recent draft legislation aims to address some of the law’s vagueness and ambiguities, in terms of clarity and certainty they leave much to be desired. If anything, China’s cyber landscape is still rapidly developing. Here we highlight the key developments.
Critical Information Infrastructure
On 10 July 2017, the CAC circulated the draft Regulations on the Security Protection of Critical Information Infrastructure (the Draft CII Regulations). The Draft CII Regulations support and specify the CSL’s stringent requirements applying to CII. For example, the draft regulations provide more detail on the maintenance of CII and the education and training of dedicated personnel. Most importantly, however, the Draft CII Regulations shed more light on the ultimate scope of the entities which qualify as CII.
Under the CSL, Critical Information Infrastructure has only been narrowly defined as “public communication and information services, energy, transport, water, finance, public utility services, electronic governance and other infrastructure where damage, loss of function or data breach of the relevant network might seriously endanger national security, national welfare and the people’s livelihood, or the public interest”. The CSL further stipulates that the State Council is to formulate the specific scope and security protection measures of CII. The Draft CII Regulations build on this definition and expand it in line with the scope provided in the CSL. Under the Draft CII Regulations, information infrastructure relating to the following sectors would also qualify as critical: healthcare, education, social security and environmental protection, as well as ‘information networks’ (telecommunications, radio and television networks and the internet, including cloud computing and big data network services), scientific research and production (national defence, large-scale equipment, chemistry, food, drugs) and media and news (radio and TV stations, news agencies).
Finally, the Draft CII Regulations delegate the identification of CII to lower branches of government by stipulating that they shall formulate identification guidelines, according to which the supervising authorities will ultimately organise the identification of CII within each relevant sector. As CII is both one of the most important and one of the most complex definitions under the CSL, it is clear that the Chinese authorities are carefully considering the extent of its scope. Hopefully, the announced identification guidelines will provide more detailed information on the identification process.
Network Products and Services procurement by CII operators
On 2 May 2017, the CAC published the final version of the Measures for the Security Review of Network Products and Services (the Network Products and Services Measures). The Network Products and Services Measures provide detailed information on the national security review of network products and services procured by CII operators. In addition, on 1 June 2017 the CAC published its first Catalogue of Key Network Equipment and Specialized Network Security Products (the Catalogue) which stipulates the specific network products and services subject to mandatory security review.
The Network Products and Services Measures provide that the security review will focus on whether the relevant products or services are “secure” and “controllable”. The CAC, in cooperation with other government departments, will set up a Network Security Review Committee which will cooperate with experts and third-party institutions to carry out the national security review. More concretely, the Network Security Review Committee will focus on: (i) the risk in the product or service itself, and the risk that the product or service may be illegally controlled, interfered with or suspended; (ii) supply chain risks in the course of production, testing, delivery and technical support of the product or service; (iii) the risk of product or service providers illegally using products or services to facilitate collection, storage, processing or use of their users’ personal information; (iv) the risk of product or service providers using users’ reliance on the products or services to harm network security or users’ interests; and (v) any other risks that may jeopardise national security.
In addition to the Network Products and Services Measures, the Catalogue provides further insight into which specific network products and services must be checked by the Network Security Review Committee. The following network products and services are included in the Catalogue: switches, servers (rack-mounted), data backup, web application and hardware firewalls, intrusion detection and defence systems, security isolation products, anti-spam mail products, network-integrated audit systems, network vulnerability scanning products, security data systems and website recovery products (hardware). Significantly, this Catalogue is named “first batch” which indicates that other network products or services will be added to the Catalogue at a later stage.
Data localisation and cross-border transfers: scope and data types
As mentioned above, the CSL provides for a data localisation requirement and a cross-border data transfer restriction. These obligations will be further detailed in implementing legislation, of which the Chinese authorities have circulated the following drafts: the Draft Security Assessment Measures regarding the Export of Personal Information and Important Data (Draft Data Export Measures) as released in two consecutive drafts in April and May 2017, and the Draft Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft Security Assessment Guidelines), released in consecutive drafts in May and August 2017. Importantly, although neither draft has been finalised yet, it is understood that the CAC has set an 18-month grace period for companies to comply with the cross-border data transfer obligations. As a consequence, enforcement is intended to begin on 1 January 2019. We do not expect this effective date to change in the final version of the guidelines.
With regard to the data localisation and cross-border transfer obligations, two elements are to be distinguished: the entities to which the obligations apply, and the kinds of data that they cover. As for the entities to which the obligations apply, we note that although the CSL formally imposes these requirements only on CII operators, the relevant provisions in both the Draft Data Export Measures and the Draft Security Assessment Guidelines refer to network operators instead. In other words, the abovementioned ambiguity with regard to this element of the CSL’s scope remains unresolved.
As for the data covered, the CSL provides that “personal information” and “important data” are subject to these obligations. The CSL itself, however, only includes a definition of “personal information”, which, in summary, is defined as information that independently or in combination with other information can identify an individual, including name, birthday, contact information and biometric information. Similar to the CSL, the Draft Data Export Measures do not provide a comprehensive definition of important data; instead, they state that its scope should be determined according to additional identification guidelines. In a lengthy appendix to the Draft Security Assessment Guidelines, the CAC has for the first time provided this guidance. Data is “important” if its due or undue processing could “harm the interest of the State”, which includes a wide range of national security considerations such as the public interest, economic order, ecology, the military, law enforcement and other governmental functions. The appendix further provides a list of 26 sectors for which specific “important data” have been listed. For example, for the e-commerce sector, credit ratings, transaction records and payment and financing information qualify as important, and for the oil and gas sectors, data on environment and safety is included on the list. The Draft Security Assessment Guidelines additionally stipulate that industry regulators shall further define and provide criteria for the identification of important data.
Cross-Border Data Transfers
As their name implies, the Draft Data Export Measures and the Draft Security Assessment Guidelines aim to clarify the security assessment to be conducted if personal information or important data is to be transferred outside of China. In principle, this security assessment should be conducted by network operators themselves, and is a self-assessment. However, under specific circumstances the cross-border transfer of data has to be submitted to and assessed by the competent government regulator.
According to the Draft Data Export Measures, a regulator assessment is needed if the cross-border data transfer fulfils specific additional criteria, such as:
- personal information involving over 500,000 individuals;
- data concerning nuclear facilities, biochemistry, national defence and military, demographics and health, large-scale project activities, marine environment or sensitive geographic information;
- cybersecurity information about system vulnerabilities and security protection of “critical information infrastructures”; and
- other circumstances that could potentially affect national security and the public interest which the authorities deem should be assessed.
Notably, in the August draft of the Draft Data Export Measures the criterion of “data transfers exceeding 1,000 GB” has been removed.
The Draft Data Export Measures further provide that both the self-assessment and the regulator assessment are to consider the following factors when evaluating a cross-border transfer:
- the lawfulness, legitimacy, and necessity of the transfer;
- the amount, scope, type and level of sensitivity of the data involved, and, in the case of personal information, the data subjects’ consent;
- the data recipient’s data security measures, capabilities, and level of protection;
- the risks arising from the cross-border transfer or subsequent re-transfers of the data in terms of the data being leaked, damaged, tampered with, or misused; and
- the risks posed by cross-border data transfers to China’s national security, societal and public interests, and Chinese citizens’ rights and interests.
With regard to the cross-border transfer of personal information, the Draft Data Export Measures specifically provide that the relevant data subjects must be notified regarding the purpose, scope and type of the transfer and the location of the recipient of the data. The data subjects have to consent to the transfer of their personal information, unless their consent is implied by their behaviour (for example, international instant messaging) or in an emergency situation.
In addition to the Draft Data Export Measures, the Draft Security Assessment Guidelines provide further guidance on the security assessment procedures. Most importantly, the assessment should focus on the questions of (i) whether the cross-border transfer is “legal” and “appropriate”, and (ii) whether the risks relating to the transfer are “controllable”. An appendix to the guidelines further provides an elaborate assessment mechanism for answering these questions, including the assignment of numerical ‘risk level’ values for the “impact” and “likelihood” of a security incident. The mechanism considers, amongst other factors, the magnitude and scope of the data involved, whether the data has been re-engineered (de-sensitised), the capabilities of the transferring and receiving parties, and the political and legal environment in the recipient jurisdiction.
Obligations under the CSL itself apply to the operation and use of networks and data within the territory of mainland China. However, the August version of the Draft Security Assessment Guidelines surprisingly suggests that the CSL’s data localisation requirements could also apply to companies residing overseas. Remarkably, the latest draft states that the requirement not only applies to personal information and important data collected “in the course of business operations in China” (as the CSL itself suggests), but also to companies providing products and services to China. The draft then provides criteria to determine if the foreign company is subject to the CSL’s data localisation requirement, such as the usage of the Chinese language in the transaction and the Renminbi as the currency of payment. According to some experts, this development could indicate the Chinese government’s desire for a “global application” of the CSL’s data localisation requirement. However, as implementing legislation, the Draft Security Assessment Guidelines will not be able to override the CSL’s actual provisions. As such, we expect this provision to be addressed in the final version of the guidelines.
II. Other developments
In force and enforced: investigations conducted, penalties imposed
Notwithstanding the CSL’s still ambiguous scope, and its legislative implementation being far from finished, recent months have seen a burst of enforcement actions. Throughout China, regulatory authorities at the national, provincial and local level have started investigations into, and penalised companies for, alleged and actual breaches. This demonstrates that the Chinese government is serious about cyber compliance.
Some of the earliest enforcement actions targeted local companies in Guangdong and Sichuan, which were penalised for failing to conduct network security evaluations and allowing for an IT infrastructure vulnerable to an intrusion incident. Corrective measures were ordered. The Sichuan enforcement highlighted that D&O liability under the CSL is to be taken seriously, as the company’s legal representative received a personal fine.
Interestingly, the CAC has not hesitated to investigate some of China’s biggest tech companies. This development indicates that size does not matter and no companies are off limits. In August, Taobao (China’s biggest online retailer) was under investigation for selling prohibited goods and products, including illegal VPN services through which blocked websites can be accessed. In addition to conducting a security assessment, Taobao was ordered to remove all prohibited products sold in its online shops and to take action against any sub-vendors in breach. As another example, Guangdong’s Communication Administration investigated Aliyun, the cloud service of internet giant Alibaba (a company sometimes described as the Chinese equivalent of Amazon), and found the company in breach of CSL provisions regarding mandatory identity verification and real-name registration. Aliyun was ordered to take immediate measures, including rectification of the violation and updating its policies, including periodical security assessments. Finally, in the CAC’s most high-profile investigation to date, it announced that Tencent’s WeChat (China’s famous social networking and messaging app), Sina Weibo (microblogging) and Baidu Tieba (search engine and online discussion platform) are all under investigation. The CAC accused all three companies of failing to prevent the dissemination of “prohibited information”. The companies were penalised and ordered to remove the responsible users from their platforms.
Overall, current practice by the relevant authorities suggests that, for the time being, the authorities are going after domestic targets first, and foreign companies have so far fallen outside the focus of the investigations. However, this could of course change at a moment’s notice, and it will only be a matter of time before foreign companies become subject to enforcement. Judging from the recent enforcement action, the authorities have directed much attention to the dissemination of prohibited data, products and services, and to the enforcement of real-name user registration. In addition, the prevention of cyberattacks and intrusions, and compliance with IT security provisions, have received special scrutiny, especially when “personal information” could be exposed. Some experts believe that the CAC’s examination of China’s biggest tech companies is not so much about investigating and sanctioning the relevant companies in particular, but rather about setting a benchmark (to which foreign companies should then also adhere). For this reason, these high-profile precedents are closely followed for the practical guidance they could offer.
Continued critique and controversy
The international critique and controversy that surrounded the CSL’s drafting and commencement has continued in its first months. Prominently, the United States circulated a detailed memo to the members of the WTO’s Council for Trade and Services, which, experts have noted, is unusual; member states tend to refrain from challenging the national security laws of other nations.
In the memo, the United States expresses its concerns in relation to the CSL and its implementing measures, stating that if these measures enter into full force in their current form, they could have a significant adverse effect on trade in services. According to the memo, the measures would disrupt, deter, and in many cases, prohibit cross-border transfers of information that are fundamental to any business. The memo further criticises the law’s drafting, commenting that the circumstances to which the CSL applies are so broadly and vaguely defined that they could cover a nearly unlimited range of transactions. The impact of the measures, the memo concludes, falls disproportionately on foreign service suppliers operating in China, as these suppliers must routinely transfer data back to headquarters and other affiliates. Also, companies located outside of China that supply services on a cross-border basis would be severely affected, as they depend on access to data from their customers in China.
The Chinese government has not yet issued an extensive reply to the filing, but several experts and officials have communicated their views. One such reaction points out that the controversy with regard to China’s data measures stems from differing perspectives on the relevant regulation, as the Chinese government prioritises a law-based and orderly data environment over one that allows free data flow. In this environment, broad definitions are necessary and serve the purpose of allocating responsibility for securing China’s cyberspace to network owners, administrators and service providers alike. Another response asserts that the implementing measures are only drafts and that much CSL-related legislation has, between drafts, undergone “revision, adjustment and improvement.” That reaction also acknowledged that these controversies will continue to test the technological and coordinating capabilities of the legislature.
III. Navigating uncharted waters: what you can do now…
As should have become clear by now, the CSL and its growing body of implementing legislation presents a serious risk to any business’s China operations. Although the law’s scope and requirements are still under development, enforcement is already underway. Judging from this enforcement action, the authorities are currently focusing on the prevention of the dissemination of prohibited data, products and services. Real-name user registration is another key point of interest. In addition, the prevention of cyberattacks and intrusions, and compliance with IT security provisions have received special scrutiny, especially when “personal information” could be exposed.
We recommend businesses with China or China-related operations take the following steps while the dust settles. As a start, companies should assess how they fall within the CSL’s scope, as it is crucial to identify potential exposure under the law. We believe it prudent for any business operating in China using computer systems or network infrastructure to assume they qualify as a “network operator” and, accordingly, to assure compliance with the relevant requirements. Businesses should be especially aware if the “personal information” of Chinese citizens is collected, or if data is processed which could qualify as “important.” As detailed draft identification guidelines are now available, we advise taking notice. We also stress that CSL exposure should not be solely driven by a business’ own IT infrastructure, but could also come from third parties located in China; even companies without a China presence could be affected by proxy if the computer networks of their customers and suppliers fall under the law’s scope. For businesses themselves, we further recommend mapping data flows and reviewing IT ecosystems. Key issues include how data that is collected and generated in China is stored, and if and when cross-border transfers occur.
We advise all companies to update compliance policies in line with the CSL and to instruct responsible officers. For the short term, to “get going” and as a show of good faith to the authorities, procedural elements might be prioritised over material substance. Incident response procedures should be updated, including when escalation to (international) headquarters is necessary. In a general sense, periodical data protection and cybersecurity assessments should become an integral part of your China compliance framework. Although enforcement in this respect is not expected to commence before 2019, security self-assessment procedures for qualifying cross-border data transfers should begin before that time. If and when required, companies should be ready for unexpected enforcement actions. In preparation, we recommend updating relevant dawn raid protocols to limit any disruption of business as much as possible.
Finally, it remains imperative to closely monitor the CSL’s implementing measures and guidelines. Final versions of the legislation discussed in this update are currently expected in the first half of 2018. Naturally, we will inform you of any material developments and are ready to assist.