The newly passed Cybersecurity Law of the People’s Republic of China will take effect in June 2017, and it is expected to have a significant impact on multinationals doing business in mainland China. The law affects both domestic and foreign companies operating on the Chinese mainland and covers a wide range of activities including the use of the internet, information and communications technologies, personal data, national security and more.
Determining the steps needed to comply with such sweeping changes is further complicated by the fact that a large number of key terms in the law have yet to be clearly defined. As a result, China’s new Cybersecurity Law will continue to evolve as the national government interprets it.
Here are some key provisions to follow in the coming months.
Baseline For All Network Operators
Article 21 to Article 30 set a baseline of care for all “network operators.” Interpreted together with the other provisions, the term “network operator,” which is undefined, may broadly include all companies that provide services and products via the internet, including network hardware and software vendors and website operators. Among other things, all network operators have the duty to enact privacy policies, designate responsible personnel and use technical measures to ensure security. While the full scope of these obligations remains to be seen, two of these articles deserve special attention:
Mandatory Reporting Requirements
Article 22 provides that, “When network operators discover data breaches, or data destruction or loss, they must immediately notify users and relevant authorities, and immediately remediate the issue.” The statute does not define “immediately” with any specific deadlines, nor does it provide any guidance on the ways to notify users and authorities. Furthermore, “relevant authorities” may include the telecommunications administrative department, the public security departments, as well as other relevant departments of the State Council. However, because data breaches can happen at any time, businesses should not take a “wait-and-see” approach until more official clarifications are issued. Rather, it is advisable to prepare a breach response plan now and adjust the plan accordingly once more government guidelines are issued; it is also prudent to comply with some of the other requirements discussed below. Such a plan should include a way to rapidly determine the scope of a breach and to send notifications to authorities and affected parties.
The Duty to Assist Legal Authorities
Article 28 states, “network operators shall provide technical support and assistance to Chinese police departments and national security agencies for their legal criminal investigations.” The law, however, does not specify what such “technical support and assistance” will entail. Foreign tech companies have raised concerns over having to provide “backdoor access” to comply with this provision; such access is a means for the government to bypass all of the installed security methods and gain direct access to a business’s protected data. Other businesses are worried that, under certain circumstances, providing “technical support and assistance” to the Chinese government may infringe on their intellectual property and/or their users’ privacy rights under the privacy laws of other jurisdictions. Involving legal counsel in developing a government inquiry plan is advisable, so that a business can provide the proper “technical support and assistance” to the Chinese government while also maintaining compliance with the IP and privacy laws of other jurisdictions.
Heightened Standard of Care and Scrutiny for Critical Industries
According to Articles 31 to 39, network operators in certain “critical industries” are subject to a heightened standard of care and scrutiny, above and beyond that already described. Article 31 states that these critical industries include telecommunications, energy, transportation, information services and finance. But this list is not all-inclusive; more are expected to be added by the State Council of the People’s Republic of China in the future. However, it remains unclear whether all the organizations in such industries will be subject to the heightened standard. As discussed further below, the mandatory heightened standard will require a substantial increase in compliance efforts and in monetary investment for such initiatives.
Safety Assessments in IT Procurement
Article 35 states, “network operators in the critical industries shall pass security inspections by government agencies for cyberspace and State Council of the People’s Republic of China before purchasing IT products and service, if a proposed purchase may affect national security.” In addition to the question of which businesses are considered to be in “critical industries,” this provision raises questions of what types of procurements may “affect national security” and how a company can pass a “security inspection.” Since this provision may mean added government oversight of a multinational’s IT procurement process, it is important to monitor the interpretations of this provision by the Cyberspace Administration of China and/or the State Council of the People’s Republic of China.
The Data Localization Requirement
One of the most controversial provisions in the new cybersecurity statute is Article 37, which contains a data localization requirement for network operators in the critical industries. Article 37 states that, “critical and personal information collected and produced by network operators in critical industries during their operations in China shall be stored within the territory of China.” This article further demands data security assessments when it is a business necessity to transfer such information outside of China. Article 37 will result in sizable new compliance investments for multinationals, which typically rely on cross-border flows of business data. Currently, it remains uncertain how this data localization requirement will be implemented, due to a lack of guidelines or best practices. The standard that businesses will be held to in these “data security assessments” is as yet unknown.