A Primer On China’s New Cybersecurity Law: Privacy, Cross-Border Transfer Requirements, And Data Localization
China’s new Cybersecurity Law is one of the most important pieces of privacy and cybersecurity legislation we’ll see this year, and companies of all sizes need to be aware of its requirements – regardless of whether or not they have a physical presence in China. The new law goes into effect on June 1, 2017, meaning that companies have a few weeks left to familiarize themselves with the law and work on achieving compliance. However, simply reviewing the law itself is not enough: in order to truly understand its requirements, it is important to step back and view the law in the context of the Chinese legal system more generally. This post provides a breakdown of this complex new law and its implications for businesses, and provides additional context needed to understand the Chinese privacy law landscape from a more holistic perspective.
First things first: what is the current state of data protection law in China?
Like the United States – and unlike an increasing number of countries around the world – China does not have an omnibus data protection law. Instead, it regulates privacy and cybersecurity issues through a number of industry-specific laws, such as the Practicing Physicians Law, Commercial Banking Law, Postal Law, and the Provisions on the Protection of Personal Information of Telecommunication and Internet Users. Additionally, China does not have a single central data protection authority charged with enforcing privacy laws. The lack of a centralized data protection authority means that it can be more difficult to keep up with enforcement actions and the issuance of any legal guidance, especially for foreign companies unfamiliar with the Chinese legal environment. This panoply of laws and authorities makes China a relatively complex jurisdiction in which to operate from a data protection standpoint.
Further complicating matters is the fact that the Cybersecurity Law was passed in the wake of two other significant laws: the National Security Law and the Anti-Terrorism Law. These three laws operate in tandem to regulate many aspects of cybersecurity and privacy law in China, while potentially giving the Chinese government broader surveillance powers. Generally speaking, the vaguely-worded National Security Law, which has been called out by the UN High Commissioner for Human Rights for its “extraordinarily broad scope,” permits the government to take “all necessary” steps to guard China’s sovereignty (including, it is speculated, by implementing wide-ranging surveillance measures). Meanwhile, the Anti-Terrorism Law requires telecom and Internet providers to allow access and grant other forms of assistance (such as decryption) to government authorities to prevent and investigate terror attacks. In short, China’s new Cybersecurity Law adds an additional wrinkle to an already complex matrix of data protection laws and regulations, at least some of which are ostensibly meant to defend against threats (real or imagined) to China’s sovereignty.
What’s the nature of the new Cybersecurity Law? Is it an omnibus law like the EU Data Privacy Directive?
Not exactly. The Chinese legislature passed the new Cybersecurity Law in November of last year after public consultation on several previous drafts of the legislation, although the law does not actually go into effect until June 1, 2017. Recently, on April 11, the government released the Draft Security Assessment Measures for Cross-Border Transfer of Personal Information and Important Data, which is intended to be a major set of implementation rules of the Cybersecurity Law (“the “Draft Implementation Rules”). The Draft Implementation Rules, if finalized, would impose additional restrictions on certain transfers of data out of China (as discussed in further detail below). While not an omnibus law that regulates all aspects of privacy and cybersecurity across every industry, the Cybersecurity Law nevertheless has a wide scope and contains provisions relating to both privacy and cybersecurity.
Will the Cybersecurity Law Apply to my company?
At the outset, it is important to understand that not every aspect of the law applies universally to all companies. Many of the law’s key provisions only apply to two types of companies: “network operators” and “critical information infrastructure” (“CII”) providers. However, these categories are defined quite broadly and may have a wide-ranging scope in practice, so even companies that would not ordinarily consider themselves network operators or CII providers may be swept up by these definitions.
The Cybersecurity Law defines “network operators” broadly – the category includes network owners, administrators, and service providers. The law therefore suggests that any company that maintains a computer network, even within its own office, could qualify as a “network operator” – an interpretation expansive enough to include a large number of companies. Companies based outside of China that use networks to conduct business within China also may be swept up by this definition.
“Critical Information Infrastructure” providers are defined a bit more narrowly, but the law still casts a fairly wide net. CII providers generally are viewed as those that provide services that, if lost or destroyed, would damage Chinese national security or the public interest – the law names information services, transportation, water resources, and public services, among other service providers, as examples. The government has the ultimate say in which types of companies may qualify as CII providers, as the law makes the State Council responsible for determining the scope of the definition. Naturally, questions remain: what types of services could damage national security or the public interest if rendered non-operational? What qualifies as “damaging” to national security or the public interest? For the time being, it appears that the definition of “CII provider” could have a fairly wide scope.
It also is important to note that although much of the law is devoted to regulating network operators or CII providers, the law’s applicability is not just limited to those types of entities. The law also sets out more generally-applicable requirements relating to cybersecurity and contains provisions that apply to other types of entities, including suppliers of network products and services.
What are the Cybersecurity Law’s key provisions?
The law covers a range of topics, from privacy of personal information to security standards. Generally speaking, network operators must:
Obtain data subjects’ informed consent to the collection of their personal information, regardless of the prospective uses or types of processing of that data. Whether consent must be express or may be implied currently is unclear;
Keep a log of cybersecurity incidents and retain that log for no fewer than six months;
Implement cybersecurity incident plans;
Remediate any security flaws immediately upon discovery and engage in security maintenance of their services (if the network operator provides a service through its network);
Work within their organizations to ensure the integrity of their network’s security;
Back up and encrypt data.
Meanwhile, CII providers are required to:
Engage in the same cybersecurity practices as network operators, along with some additional requirements, such as conducting reviews of their cybersecurity practices on an annual basis;
Store personal information and “important data” within China (more on this below).
Additionally, the law requires that cybersecurity products must be certified as meeting certain standards (yet to be articulated) before being offered for sale. There is speculation that this requirement serves as a means for the Chinese government to obtain access to certain products and data.
Another important point relates to the definition of “personal data.” While previous drafts of the law defined personal information as belonging only to Chinese citizens, the final draft of the law refers to personal data as belonging to “natural persons.” Accordingly, the law appears to apply to the personal data of non-citizens as well as citizens.
Does the Cybersecurity Law require my company to keep certain data in China?
As we’ve written about in previous posts, data localization laws are a global trend, and they generally require companies that collect certain types of data from a jurisdiction to store and/or process data within that jurisdiction. To that end, the Cybersecurity Law requires “critical information infrastructure” providers to store “personal information” and “important data” within China unless their business requires them to store data overseas and they have passed a security assessment. At this point, it remains unclear what qualifies as “important data,” although its inclusion in the text of the law alongside “personal data” means that it likely refers to non-personal data. The requirement that “important data” remain in-country therefore reflects a recent trend of governments appearing to put a security premium on business or governmental data equivalent to, or even greater than, the concern accorded to individuals’ personal data (for example, Saudi Arabia’s draft cloud computing regulations similarly appear to prize business and governmental data).
Note that this is not the first time China has imposed a data localization requirement, as several preexisting sector-specific regulations prohibit the transfer of certain types of data (i.e. pertaining to financial or health data) outside of China.
It also is important to be aware that the Chinese government has made an effort to expand the law’s restrictions on international data transfers. The Draft Implementation Rules require network operators planning to transfer more than one terabyte of data out of China, or network operators that have collected data on more than 500,000 data subjects, to obtain the permission of the data subjects, as well as pass self-imposed and government-run security assessments, in order to transfer that data out of China. The Draft Implementation Rules allow the relevant enforcement authorities to block the transfer if they believe, in their own discretion, that the transfer would endanger China’s political system, economy, security, or technology. If adopted, the Draft Implementation Rules also would require other individuals and entities seeking to export data from China – even if they are not network operators and even if they are based outside China – to conduct security assessments (self-imposed and/or government-run security assessments as required by the Draft Implementation Rules) of their data exports. If finalized, the Draft Implementation Rules therefore would significantly expand the Cybersecurity Law’s data localization requirements.
What are the penalties for violating the law?
The Cybersecurity Law provides for a maximum fines of RMB1,000,000. Individuals may be subject to personal (albeit lesser) fines as well. The law also gives the Chinese government the ability to issue warnings, confiscate companies’ illegal income, suspend a violator’s business operations, or shut down a violator’s website. Serious violations of the Cybersecurity Law may also incur criminal liability.
Does the law apply in Hong Kong?
No. Under the “one country, two systems” approach, Hong Kong is an entirely separate jurisdiction from Mainland China and has its own privacy and cybersecurity laws. That doesn’t mean, however, that companies based in Hong Kong won’t be subject to China’s Cybersecurity Law if they do business in Mainland China, for the reasons mentioned above.
Anything else I should know about the Cybersecurity Law?
Unfortunately, simply understanding the nature of the Cybersecurity Law, by itself, is not sufficient to determine the scope of a company’s responsibilities under the law. It is important to recognize that the Chinese legislative and legal systems are fundamentally different from their American counterparts, and how this fact impacts the law’s interpretation and implementation. Though a full review of the complexities of the Chinese legal system is outside the scope of this blog post, it is worth noting that, as with other laws in China, the text of the Cybersecurity Law (which currently is not available in the form of an official English translation) may not be the best determinant of its purpose or scope. Understanding the government’s motivations and regulators’ approach to enforcing the law is key, and the best way to develop that understanding is through communicating with regulators and sharing information about best practices with other professionals in the field. Companies concerned about the Cybersecurity Law therefore should consider getting in touch with local counsel in China in order to gain the most up-to-date overview of the law’s scope and requirements.
When Does the Law go Into Effect?
The Cybersecurity Law goes into effect June 1, 2017. In the weeks leading up to and following June 1, companies should be on the lookout for implementing legislation or official guidance clarifying the scope of the law.