Although the new Cybersecurity Law of China is due to come into effect on June 1, 2017, many companies are still unclear about the specific terms of the law. Given the potentially high cost of non-compliance and the uncertain nature of the implementing guidelines that the government will release, managers should review the draft measures and monitor related developments to ensure that their business is prepared.
Cybersecurity law of China
Promulgated on November 7, 2016 by the Standing Committee of China’s National People’s Congress (NPC), the Cybersecurity Law increases the national government’s jurisdiction over the business of cybersecurity.
Several of its strictest provisions apply specifically to what the law calls “Critical Information Infrastructure” (CII): infrastructure in key industries whose destruction, loss of function or data leakage could endanger national security or the public interest. Businesses within the fields of energy, finance, transportation, telecommunications, medical and healthcare, electricity, water, gas, and social security have been identified as CII.
According to Michael Mudd of Asian Policy Partners, “The law indicates that these key industries must not use network products and services which have not passed the security examination. In addition, network products and services purchased by CII operators, where they may affect national security, must pass network security examination”. Mudd further said, “Departments in charge of protecting the security of CII will determine whether the purchase of network products and services by CII operators will affect national security.”
In general, the Cybersecurity Law emphasizes data protection and the Chinese government’s concept of “cyberspace sovereignty,” the principle that each country has the right to govern its own internet environment.
Draft measure on security reviews
On February 4, 2017, the Cyberspace Administration of China (CAC) issued draft regulations – Measures for the Security Review of Network Products and Services (the Draft Measures) – that provide some insight into how authorities would carry out the security reviews stipulated in the Cybersecurity Law. The Draft Measures were open to public consultation for one month, ending March 4, 2017, but the results have not been published.
According to the Draft Measures, the relevant products and services would undergo a security assessment focusing on whether they are “secure and controllable,” a concept that has previously been applied to banking and telecommunications but has no clear interpretation for other sectors.
The process would include a risk assessment covering the following concerns:
- Risks the product or service may be illegally controlled, interfered with, or suspended;
- Risks during the product or services’ development, delivery, or technical support;
- Risks that the provider of the product or service may be able to collect, store, process and use the personal information of users;
- Risks that the provider of the product or service may use it to engage in unfair competition or to harm the interests of users; and
- Any other risks that may compromise national security or the public interest.
The security assessment can be initiated by the request of a government agency, a trade association, or through a market incident or a voluntary submission by a company. The CAC will establish a commission that will be responsible for conducting the security reviews. This commission will work with third-party institutions to carry out the assessments.
The security assessments will include background checks, laboratory testing, on-site inspections, and online monitoring. However, the Draft Measures do not specify what types of information the commission or the third parties will require, and do not mention an appeals process for a product or service that fails the review.
According to Thomas Zhang, IT Director at Dezan Shira and Associates, security assessments will most likely be required of larger companies – like Alibaba or Tencent – as their IT infrastructures collect personal information and are in wide use.
Data localization requirement
Besides the security reviews, another measure that foreign firms have identified as controversial within the Cybersecurity Law is the data localization requirement. According to Article 37, personal information and other important data that CII operators collect or generate in mainland China must be stored within mainland China. If it is genuinely necessary to transfer such data outside of mainland China, firms must first undergo a government security assessment.
Penalties for violating this provision range from a warning to website shutdown, permit or license revocation, and fines of between RMB 50,000 and RMB 500,000 (about US$7,250 and US$72,500) for businesses and between RMB 10,000 and RMB 100,000 (about US$1,450 and US$14,500) for individuals.
However, Zhang says the data localization requirement may not necessarily pose a large risk. “I think one major concern is that the government can obtain the data in a certain situation if the data is saved in China. However, nowadays, it is difficult for the government to obtain the data – more and more companies are using cloud-based services where even the operator of the cloud platform can’t locate the data inside of their system,” Zhang said.
Additionally, while the data localization requirement is intended to improve data security, storing data inside China does not by itself guarantee it. Mudd instead recommends adhering to international security standards, such as ISO/IEC 27001 and 27002 (information security management and its controls), ISO/IEC 27017 and 27018 (cloud security controls and protection of personal data in public clouds) and ISO/IEC 38500 (IT governance), and instituting IT governance in any organization.
From an international perspective, Mudd stated, “compatibility with the European Union’s Model Contracts and Binding Corporate Rules (BCR) or the Asia Pacific Economic Cooperation’s (APEC’s) Cross Border Privacy Rules (CBPR) system, to which China contributes, would provide commercial clarity to this section of the law.”
Network operator requirements
Under the Law, network operators are now required to have structures and protocols in place to better protect their networks and user data. In particular, they must implement the tiered network security protection system (often translated as the Multi-Level Protection Scheme, or MLPS), which Zhang describes as “just one security system structure or architecture, which should include different factors or elements to form one security system for protecting the information.”
In addition, network operators must also:
- Formulate internal security management systems and operating rules;
- Designate person(s) responsible for network security and its implementation;
- Adopt technical measures to prevent computer viruses, network attacks, network intrusions, and similar threats;
- Adopt technical measures to monitor and record network operational status and network security incidents, and retain network logs for a period of at least six months;
- Adopt security measures such as data classification, backup of important data, and encryption; and
- Meet other obligations stipulated by law or by administrative regulations.
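The six-month log retention obligation is the one item on this list that can be checked mechanically rather than by policy review. The following is an added example, not code from the original article or from Dezan Shira: a small Python audit that parses a logrotate-style configuration (assumed here to be the rotation mechanism in use) and computes how long each log is effectively kept, reading “six months” as 180 days (an assumption; the law states no day count). The sample configuration is constructed for the example. It applies logrotate’s real semantics: stanza directives override global defaults, `rotate` counts rotations, and `maxage` caps retention regardless of the rotation count.

```python
"""Audit logrotate retention against a six-month log retention requirement (added example)."""
from typing import Dict, Optional, Tuple

# Assumption for this example: "at least six months" is read as 180 days.
REQUIRED_RETENTION_DAYS = 180

# Days represented by one rotation at each logrotate interval keyword.
INTERVAL_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

# Constructed sample configuration; not taken from any real host.
SAMPLE_CONFIG = """\
rotate 4
weekly
compress

/var/log/syslog {
    daily
    rotate 7              # 7 daily rotations = 7 days
    missingok
}

/var/log/auth.log /var/log/secure {
    weekly
    rotate 30             # 30 weekly rotations = 210 days
}

/var/log/nginx/access.log {
    daily
    rotate 365
    maxage 90             # rotated files older than 90 days are deleted
}

/var/log/app/audit.log {
    # no directives of its own: inherits global weekly / rotate 4 = 28 days
}
"""


def parse_logrotate(text: str) -> Dict[str, Dict[str, str]]:
    """Return {log path: effective directives} for each stanza in a logrotate config.

    Global directives (outside any stanza) act as defaults; a stanza's own
    directives override them, and a stanza that sets its own interval keyword
    drops the global interval so the two never coexist.
    """
    globals_: Dict[str, str] = {}
    stanzas: Dict[str, Dict[str, str]] = {}
    paths, own = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            paths, own = line[:-1].split(), {}
        elif line == "}":
            merged = dict(globals_)
            if any(k in own for k in INTERVAL_DAYS):
                for k in INTERVAL_DAYS:
                    merged.pop(k, None)
            merged.update(own)
            for p in paths:
                stanzas[p] = merged
            paths, own = None, None
        else:
            key, _, value = line.partition(" ")
            (own if own is not None else globals_)[key] = value.strip()
    return stanzas


def retention_days(directives: Dict[str, str]) -> Optional[int]:
    """Effective retention in days, or None if rotation is not time-based (e.g. size only)."""
    interval = next((INTERVAL_DAYS[k] for k in INTERVAL_DAYS if k in directives), None)
    if interval is None:
        return None
    days = int(directives.get("rotate", 0)) * interval  # logrotate default: rotate 0
    if "maxage" in directives:
        days = min(days, int(directives["maxage"]))
    return days


def audit(text: str, required: int = REQUIRED_RETENTION_DAYS) -> Dict[str, Tuple[Optional[int], bool]]:
    """Map each log path to (effective retention days, meets requirement)."""
    report = {}
    for path, directives in parse_logrotate(text).items():
        days = retention_days(directives)
        report[path] = (days, days is not None and days >= required)
    return report


if __name__ == "__main__":
    for path, (days, ok) in audit(SAMPLE_CONFIG).items():
        status = "OK" if ok else "REVIEW"
        print(f"{status:6} {path}: {'unknown' if days is None else days} days")
```

A stanza with only a `size` trigger returns `None`, since how long such logs are kept depends on traffic volume rather than time; those entries should be reviewed by hand rather than assumed compliant.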
To be ready for these requirements, Zhang recommends three basic components:
- Basic hardware and software with a security purpose, such as a firewall or an intrusion detection system;
- A security policy and procedures that define security objectives and the pre-defined methods by which controls are put in place; and
- Capable security staff who can follow those procedures to perform risk control.
“The company can easily compare their own practices, devices and procedures with a certain standard for review. They can also get an external IT audit on this,” Zhang added.
Review and evaluate existing IT infrastructure
The new Cybersecurity Law is an important development, revealing how China will continue to address data security and advance its cyber sovereignty. It has significant consequences for businesses operating in China, and introduces new compliance requirements that companies should be aware of as and when the government releases further details.
In order to best prepare for June 1, businesses should review and evaluate their existing IT infrastructure and their business scope, and check what kinds of information they collect from customers. It is also worth evaluating alternative options, such as domestic vendors and suppliers that can be used to build infrastructure in China, in order to remain in compliance with the new Cybersecurity Law.
This article was first published March 2017.
Since its establishment in 1992, Dezan Shira & Associates has been guiding foreign clients through Asia’s complex regulatory environment and assisting them with all aspects of legal, accounting, tax, internal control, HR, payroll and audit matters. As a full-service consultancy with operational offices across China, Hong Kong, India and emerging ASEAN, we are your reliable partner for business expansion in this region and beyond.