2016.11.16 DONG, Xiao (Marissa), Kemeng CAI, Jinghe Guo
After three deliberations over more than a year’s time, the Standing Committee of the National People’s Congress (“NPC Standing Committee”) finally adopted the Cyber Security Law (“CSL”) on November 7, 2016. The CSL is the first omnibus law in China governing cyber security issues and has incorporated a number of new legal concepts and requirements that may impact companies with business operations in China.
Below we will briefly introduce the CSL in terms of the context of its development, the responsible authority, the applicable scope and legislative purpose, the major requirements, a brief comparison between the final CSL and the first and second drafts, and the potential practical impact.
The information and technology security related legislation and practice developed quickly in recent years due to the need for protecting China’s national security. In April 2014, in response to various challenges of the new era, President Xi Jinping for the first time raised the “overall concept of national security”. Thereafter, a series of laws relating to national security were put on an accelerated track, including the Counter-terrorism Law, the National Security Law and the Cyber Security Law. These laws all include provisions relating to information and technology security. Cyber security is currently a challenging matter both in China and around the world, and the CSL, in response to these challenges, represents major legislation with respect to cyber security issues. Meanwhile, as China has not enacted a unified data protection law, the CSL also incorporates several provisions related to the protection of personal information, which has also emerged as an issue of wide concern. Apart from some general provisions on personal information which were already embodied in several existing regulations, the CSL also includes some new requirements on this issue.
I. Application Scope and Purpose
The CSL applies to the construction, operation, maintenance and use of networks as well as the supervision and administration of cyber security within the territory of the PRC. “Networks” include networks and systems that are composed of computers and other information terminals and the relevant facilities and are used for the purpose of collecting, storing, transmitting, exchanging and processing information in accordance with certain rules and procedures (Article 76). “Network operators”, an important subject of legal obligations under the CSL, is broadly defined as “owners and administrators of networks and network service providers” (Article 76).
The CSL provides for “safeguarding the national cyberspace sovereignty” as a fundamental principle, and, for that purpose, includes provisions on, inter alia, the strategy, plan and promotion of cyber security, network operation security, network information security, and alarm and emergency response systems.
The national cyberspace administration authority, namely the Cyberspace Administration of China (“CAC”), is responsible for the coordination of cyber security protection activities and the relevant supervision and administration activities on a national level. The CSL further provides that the Ministry of Industry and Information Technology, the Ministry of Public Security and other relevant government departments shall be responsible for the protection and supervision of cyber security within their respective authorities.
The CSL will become effective on June 1, 2017. Therefore, nearly half a year is provided as a transition period before its implementation.
II. Major Legal Requirements
Strengthened Network Operation Security Obligations
The CSL provides various security protection obligations for network operators, including, inter alia:
the compliance with a series of requirements of tiered cyber protection systems (Article 21);
the verification of users’ real identity (an obligation for certain network operators) (Article 24);
the formulation of cyber security emergency response plans (Article 25); and
the assistance and support necessary to investigative authorities where necessary for protecting national security and investigating crimes (Article 28).
In addition, network products and service providers shall inform users about and report to the relevant authorities any known security defects and bugs, and furthermore shall provide constant security maintenance services for their products and services, not install malware with their products, and clearly inform users and obtain their consent if their products or services collect users’ information (Article 22).
Key network facilities and special products used for protecting network security shall comply with the relevant national standards and compulsory certification requirements, and may only be offered for sale after being certified by the qualified security certification organization or passing the relevant security tests (Article 23).
It is notable that some requirements for network operators, such as retention of user logs for at least six months (Article 21) and regulations on the publication of cyber security information regarding system loopholes, computer viruses, cyber-attacks, cyber invasions, etc. (Article 26), are prescribed for the first time under PRC laws.
Heightened Protection of Critical Information Infrastructure
The CSL, for the first time under PRC law, clearly imposes a series of heightened security obligations on operators of critical information infrastructure (“CII”), including:
internal organization, training, data backup and emergency response requirements (Article 34);
storage of personal information and other important data within the PRC territory, in principle (Article 37);
procurement of network products and services which may affect national security shall pass the security inspection of the relevant authorities (Article 35); and
annual assessments of cyber security risks, with the results of those assessments and the improvement measures reported to the relevant authority (Article 38).
Protection of Personal Information
The CSL reiterates the obligations of network operators regarding the protection of personal information which appear across existing laws and regulations, including the mandate to observe the principles of lawfulness, necessity and appropriateness in the collection and use of personal information and to observe “the inform and consent requirements” (Article 41), to use personal information only for the purpose agreed upon by the relevant individual (Article 41), to adopt security protection measures for personal information (Article 42), and to protect the individual’s right to access and correct personal information (Article 43). In addition, the CSL also incorporates some new rules on personal information protection, including data breach notification requirements (Article 42), data anonymization as an exception to the inform and consent requirements (Article 42), and the individual’s right to request that network operators correct or delete their personal information where the information is wrong or is used beyond the agreed purpose (Article 43).
III. Key Differences from the Second Draft
The Final Draft reflects the following key changes from the Second Draft.
CII is rephrased as information infrastructure in “public communication and information services, energy, traffic and transportation, irrigation, finance, public service, e-government and other key industries and sectors”, as well as other information infrastructure, “the damage, malfunction and data leakage of which may seriously endanger national security, national welfare, people’s livelihood, and public interest.” The enumeration of industries and sectors, which was included in the first draft of the CSL and removed in the Second Draft, is added back into the definition of CII under the final CSL (Article 31);
the scope of CII data subject to local storage requirements is expanded from “citizen’s personal information and other important business data” to “personal information and important data” (Article 37);
the protected personal information is expanded from “citizen’s personal information” to “personal information”;
a special provision for minors which provides that the State supports the research and development of network products and services that are helpful to the healthy development of minors, and imposes punishments upon any person who uses networks to carry out any activity endangering the physical and mental health of minors (Article 13);
an additional special provision on punishments and sanctions against overseas entities which endanger domestic CII (Article 75); and
higher monetary punishments imposed for violations.
IV. Practical Impacts
The CSL is the first law in the PRC specifically focused on cyber security matters. When the CSL takes effect on June 1, 2017, internet companies and other industries in China will be subject to a wide array of stricter and more comprehensive obligations and will face more severe punishments for potential violations. As an omnibus law on cyber security issues, many provisions of the CSL are still very general and abstract, and the detailed requirements for implementation and enforcement depend on subsequent and more specific implementation regulations as well as the opinions of the relevant authorities. We may expect that the relevant regulatory authorities will promulgate a series of implementation regulations to clarify certain requirements under the CSL, such as the regulations on tiered cyber security protection systems, the specific scope and protection measures of CII, the protection of minors on networks, the mandatory security certification and test requirements for key network devices and special cyber security products, the national security review of network products and services procured by CII operators, etc. For example, as for the protection of minors on the internet, last month the CAC published a draft of the Regulations on Protection of Minors Online for public comment.
Nearly half a year remains before the formal implementation of the CSL, and companies may use this transition period to improve their understanding of the potential impacts of the CSL on their business. In particular, if companies are deemed operators of CII, the CSL may have a significant impact on their network security framework, procurement of security products, and data storage. Companies may consider whether they need to adjust their business and operation practices in these aforementioned aspects and enhance their cyber security protections so as to ensure full compliance with the CSL. Given that the specific implementation of the requirements in the CSL is not entirely clear, companies will also need to closely follow any subsequently released regulations and opinions of the relevant governmental authorities.