The Cybersecurity Law of the People’s Republic of China (“the Cybersecurity Law” or “the Law”) officially came into force on June 1, 2017. The Law and its implementing rules and regulations have attracted heated discussion since their adoption. This article provides a structured summary of the key aspects of the Law.
What is the Cybersecurity Law?
The Cybersecurity Law is a milestone for cybersecurity legislation in mainland China and serves as a “Basic Law” in its field. The Law is an evolution of previously existing cybersecurity rules and regulations from various levels and fields, consolidating them into a structured law at the macro level.
The Law also lays down principle-based norms on certain issues that are not immediately urgent but are of definite long-term importance. These norms will serve as the legal reference point when new issues arise.
The Cybersecurity Law also provides detailed provisions and definitions on legal liability. For different types of illegal conduct, the Law sets out a variety of punishments, such as fines, suspension of business for rectification, revocation of permits and business licenses, and others. The Law accordingly grants cybersecurity and administrative authorities the powers and guidelines needed to enforce it against illegal acts.
How does the Cybersecurity Law apply to businesses?
“Cybersecurity” in the Cybersecurity Law should be understood in the broad sense: it covers not only internet security, but also information security, communication security, computer security, and automation and control system security. Significantly, the businesses affected by the Cybersecurity Law are not limited to those in the information technology (IT) industry.
The Law has a wide influence over all enterprises that employ networks or information systems in their operations. According to the relevant articles of the Law, enterprises may roughly be categorized as “network operators” or “Critical Information Infrastructure (CII) operators” based on the type of enterprise and its business scope.
The first and primary concern for enterprises examining the Law is therefore to identify their category and learn the obligations and responsibilities that correspond to it.
Network operators defined
The Cybersecurity Law defines network operators as network owners, network managers, and network service providers. In practice, the vast majority of enterprises that use networks today fall within this definition and are therefore subject to the corresponding responsibilities and obligations.
In other words, most enterprises will be classified as network operators, and the relevant obligations will apply to them.
CII operators defined
At present, there are no clear-cut guidelines defining CII. Under the Cybersecurity Law, the State Council sets the scope of CII and its security protection measures. According to the Law, one key reference point for identifying CII is whether damage to, loss of function of, or data leakage from the enterprise’s facilities would pose a significant threat to national security or the public interest.
Therefore, large enterprises of critical importance in industries such as energy, transportation, water conservancy, and finance will very likely be classified as CII operators.
At present, the cyberspace administration authorities are working with other departments to formulate the CII Security Protection Regulations, which will define the scope of CII in detail. In addition to the responsibilities and obligations of network operators, CII operators will have to fulfil more stringent obligations, such as establishing specialized cybersecurity management bodies and conducting annual cybersecurity assessments.
How does the Cybersecurity Law affect businesses?
As mentioned, the Cybersecurity Law is the “Basic Law” and sits at the top of the pyramid-structured legislation on cybersecurity. Naturally, beneath the pyramid’s tip come various supporting rules, measures, and guidelines so that the Law can be comprehensively understood and enforced. The CII Security Protection Regulations mentioned above are one such supporting regulation.
Authorities are currently drafting a series of supporting laws and regulations for the Law, such as the Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data. As these supporting regulations are gradually formulated and adopted, businesses will be able to obtain much more detailed compliance guidance.
Most corporate cybersecurity compliance issues are still governed by previously existing laws and regulations rather than by the Cybersecurity Law itself. Accordingly, enterprises are advised to identify the compliance issues most relevant to them and the corresponding solutions. VPN usage and data security are two of the main compliance concerns for most businesses.
VPN compliance is a long-standing issue rather than a new concern created by the Cybersecurity Law. Authorities have a long history of applying various laws to regulate the operation and use of VPNs. Nevertheless, before the Cybersecurity Law took effect, enforcement was relatively loose, and many enterprises paid little attention to VPN compliance.
Following the introduction of the Cybersecurity Law, multinational corporations began to attach more importance to VPN usage because the authorities issued orders to “clean up” VPN usage. Under current law, enterprises are allowed to use VPNs for internal work purposes, on the condition that they purchase VPN services from licensed suppliers and file a record of their VPN usage.
In the spring of 2017, the Ministry of Industry and Information Technology (“MIIT”) issued the Notice on the Rectification of the Internet Access Service Sector, announcing measures against illegal VPN service providers; this became known as the “clean-up”. More recently, state media again reported a planned crackdown on VPNs in the spring of 2018.
In a recent press conference, MIIT Chief Engineer Zhang Feng re-emphasized that the clean-up targets are limited to illegal enterprises, individuals operating without approval from the authorities, and individuals operating without the qualifications to provide international network services. Zhang Feng also remarked that companies may lease international internet line access from their network service provider, and stated that legal cross-border data transfer will not be affected.
Interestingly, in July 2017, a mainland VPN provider falsely claimed to be the “first MIIT-authorized commercial VPN service provider in China”. This prompted MIIT to issue a clarification announcement stating that the so-called authorization, licensing, and related marketing materials of this enterprise were completely falsified. Businesses should therefore exercise due diligence when selecting a service provider.
Data security compliance
Legislative observers note that data security will be the top priority for the next phase of cybersecurity legislation. Accordingly, enterprises may make proactive compliance adjustments so that they are better prepared to take the initiative as the legislation develops.
Personal information and data protection will be the focus of the next stage of regulations under the Law. In the first half of 2017, the Cyberspace Administration of China solicited comments on the Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data.
The solicitation draft shows that the authorities attach great importance to the security of these two types of data, especially in relation to cross-border data transfer. In this regard, enterprises may want to assess their operations to identify the aspects that involve personal or important data.
Currently, the definition of “personal data” is fragmented across various laws and regulations. Many expect a more centralized and detailed definition of “personal data” to be formulated in the future. As for “important data”, the Law clearly stipulates that the relevant industry and administrative authorities will be responsible for formulating detailed, industry-specific definitions of the scope of “important data”.
Apple’s iCloud relocation illustrates how the Law’s data storage requirements have already shaped business decisions. In June 2017, Apple announced that it planned to establish a cloud-computing center in Guizhou, China; the relocation of its mainland iCloud service from overseas was made to comply with the data storage requirements of the Law. Following this, in January 2018, Apple told customers that iCloud operations in mainland China would be transferred to Cloud Guizhou Data Industry Development Co., Ltd., Apple’s local cloud service partner.
Nevertheless, it is also worth pointing out that personal data collection is not limited to direct in-person collection and includes methods such as collection between enterprises. The methods employed when collecting and transmitting personal information between enterprises remain subject to the relevant laws and regulations; case-by-case analysis will be necessary to work out compliance solutions for individual situations.
Accordingly, many compliance issues remain to be studied and resolved as macro-level data security legislation is applied to daily operations.