China’s cyber security law
What international companies should know
The Standing Committee of the National People’s Congress adopted a new cyber security law on 7 November 2016. It became effective on 1 June 2017.
The law sets out stringent requirements for compliance with cyber security standards and for data management, including obligations on network operators to:
- implement mandatory national and industry security standards;
- back-up and encrypt important data;
- purchase only certified network equipment and security products for ‘critical information infrastructure’ and undergo a national security review;
- ringfence in China all personal and certain business data collected through critical information infrastructure; and
- implement mandatory notifications for personal data breaches.
Several of these requirements go significantly beyond the approaches taken in other countries to counter the challenge of cyber vulnerability.
General obligations of network operators
The key provisions in the law apply to owners of network facilities, network operators and service providers. These terms are not defined but these and similar terms are common in Chinese internet regulations and are intended to be given a wide construction. At its broadest, any company using the internet to provide a service could be captured, and several provisions indicate that this is the intended meaning.
As a general obligation, network operators are required to implement mandatory national/industry standards and technical measures to achieve network security. The effect of this requirement in practice is to require all IT companies and providers of IT and systems hardware to customers in China to comply with the same standards. The Cyberspace Administration of China is known to have been working for several months to develop technical standards, and is consulting with both domestic and international IT vendors.
The law also requires network operators to back up important data, adopt encryption measures, monitor operational status and security incidents, and store operations logs for at least six months. The extent of this requirement might be clarified in future standards.
Network operators are required to assist the police and national security agency to facilitate investigations into national security matters and criminal activities. No further details are provided.
The law makes it mandatory to implement technological security measures (such as anti-virus) and security management systems. At first glance these requirements appear anodyne, but they are mandatory and carry with them penalties for non-compliance of up to RMB100,000 where there are serious cyber attacks that endanger network security.
Further requirements with respect to critical information infrastructure
The law provides for operators of ‘critical information infrastructure’ to adopt enhanced cyber security measures. Critical information infrastructure is not clearly defined, but is referred to as public communication and information services, power and water utility systems, transportation systems, financial systems, public services, electronic governance and other critical information infrastructure where a cyber attack might ‘seriously endanger national security, the national welfare, and people’s livelihood, or the public interest’.
The government proposes to introduce specific security measures for critical information infrastructure on the basis of a system of tiered protection. The detailed requirements remain to be released.
Operators of other networks that do not themselves constitute critical information infrastructure are nevertheless encouraged to voluntarily adopt the same standards.
It is also explicitly provided that only network equipment and specialised network security products that have been safety certified by qualified establishments can be used for critical network infrastructure. It could prove challenging for international vendors to meet these requirements and achieve certification. The Government also intends to release a catalogue of approved critical network equipment and security products.
Operators of critical information infrastructure purchasing network products and services that might impact national security are required to undergo a national security review organised by the Ministry of Industry and Information Technology (MIIT) and the Cyberspace Administration of China. It is not clear what this national security review will entail or how it is different from the requirement for safety inspection of other critical information infrastructure.
Operators of critical information infrastructure are additionally required to implement internal protocols and:
- set up dedicated cyber security governance and designate responsible persons;
- organise periodic cyber security training;
- implement disaster recovery backup for important systems and databases; and
- formulate emergency response plans and organise periodic drills.
The law mandates the MIIT to conduct spot checks of critical information infrastructure and give directions to remedy identified security risks. The MIIT may also organise periodic vulnerability testing and emergency response drills.
Of particular note is the inclusion of financial systems as critical information infrastructure. Previous attempts by the China Banking Regulatory Commission (CBRC) and China Insurance Regulatory Commission (CIRC) to regulate cyber security standards in 2015 were suspended shortly after they were issued.
These measures might be swiftly revived following the enactment of the cyber security law, as they had much in common with it, including a proposal to mandate purchases of only government-certified equipment and software. Another notable feature of the draft CBRC regulation was a requirement to disclose source code, including firmware, to the IT department of the CBRC for review and to install surveillance ports for regulatory oversight.
The possible reintroduction of these requirements will be of major concern to international banks and insurance companies.
Data localisation and data protection requirements
Of particular note is the enactment of a much discussed data localisation requirement for operators of critical information infrastructure. (This requirement was also first previewed in the draft CIRC regulation in October 2015.) Personal data and ‘other important business data’ generated in China must be stored within China as a general rule. Data export will only be permitted where it is ‘strictly necessary’ for business purposes and will be subject to a security assessment conducted by MIIT and the Cyberspace Administration of China. The penalty for an unauthorised data export is a fine of up to RMB500,000.
Again the law does not clarify procedures for the security assessment, what the scope of the assessment will be and what conditions will need to be satisfied. It is also not clear if approval will be required on a case-by-case basis or only when there is a change to a previously approved arrangement.
The impact on the normal data storage and processing of foreign companies in China is therefore hard to assess at this stage. The inclusion of financial systems is again notable – albeit that banks and insurance companies are already heavily constrained by sectoral regulations in their ability to outsource data-heavy back-office operations outside of China.
The law also codifies some other general obligations, such as requiring consent for the collection and use of personal data, and adopting technological measures to secure personal data. The law goes further, however, and introduces a mandatory obligation to ‘promptly’ notify users and the competent authorities of data losses. Fines for breach may be up to 10 times the illegal gains or a statutory penalty of up to RMB500,000. The relevant authorities are also given powers to issue temporary suspension orders, correction orders and closure notices for violations.