China’s Cybersecurity Law: An Introduction for Foreign Businesspeople
The Cybersecurity Law of the People’s Republic of China (“the Cybersecurity Law” or “the Law”) officially came into force on June 1, 2017. The Law and its implementing rules and regulations have attracted heated discussion since its adoption. This article provides a structured summary of the key aspects of the Law.
What is the Cybersecurity Law?
The Cybersecurity Law is a milestone for cybersecurity legislation in mainland China and serves as a “Basic Law” in its field. It consolidates the pre-existing cybersecurity rules and regulations issued at various levels and in various sectors into a single, structured law at the macro level.
The Law also lays down general principles on certain issues that are not immediately urgent but are of definite long-term importance. These principles will serve as the legal reference point when new issues arise.
The Cybersecurity Law also provides detailed provisions and definitions on legal liability. For different types of illegal conduct, it sets out a range of penalties, including fines, suspension of business for rectification, and revocation of permits and business licenses. Accordingly, the Law grants the cyberspace administration and other competent authorities the powers and guidelines needed to enforce it against illegal acts.
How does the Cybersecurity Law apply to businesses?
“Cybersecurity” in the Cybersecurity Law should be understood in the broad sense: it covers not only internet security but also information security, communication security, computer security, and automation and control-system security. Significantly, the businesses affected by the Law are not limited to those in the information technology (IT) industry; the Law applies to every enterprise that employs networks or information systems in its operations. Under the relevant articles of the Law, enterprises fall roughly into two categories, “network operators” and “Critical Information Infrastructure (CII) operators”, depending on their type and business scope. The first and primary task for an enterprise examining the Law is therefore to identify which category it falls into and to learn the corresponding obligations and responsibilities.
Network operators defined
The Cybersecurity Law defines network operators as network owners, network managers, and network service providers. In practice, the vast majority of enterprises that use networks today fall within this definition, so most enterprises will be treated as network operators and will be subject to the corresponding obligations and responsibilities.
CII operators defined
At present, there is no clear-cut definition of CII. Under the Cybersecurity Law, the State Council sets the scope of CII and its security protection measures. The Law’s key reference point is whether destruction, loss of function, or data leakage affecting an enterprise’s facilities would seriously endanger national security or the public interest. Large enterprises of critical importance in industries such as energy, transportation, water conservancy, and finance are therefore very likely to be designated as CII operators. The cyberspace administration authorities are currently working with other departments to formulate the CII Security Protection Regulations, which will define the scope of CII in detail. In addition to the obligations that apply to all network operators, CII operators must meet more stringent requirements, such as establishing dedicated cybersecurity management bodies and conducting annual cybersecurity assessments.
How does the Cybersecurity Law affect businesses?
As mentioned, the Cybersecurity Law is the “Basic Law” at the top of a pyramid of cybersecurity legislation. Beneath it sit various supporting regulations, measures, and guidelines that allow the Law to be understood and enforced in detail; the CII Security Protection Regulations mentioned above are one example. Authorities are currently drafting a series of such supporting regulations, including the Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data. As these supporting regulations are gradually formulated and adopted, businesses will be able to obtain much more detailed compliance guidance. For now, most corporate cybersecurity compliance issues are still governed by pre-existing laws and regulations rather than by the Cybersecurity Law itself, so enterprises are advised to identify the compliance issues most relevant to them and the corresponding solutions. VPN use and data security are two of the main compliance concerns for most businesses.
VPN compliance
VPN compliance is a long-standing issue rather than a new concern created by the Cybersecurity Law. Authorities have a long history of enforcing various laws that regulate the operation and use of VPNs. Before the Cybersecurity Law took effect, however, enforcement was relatively loose, and many enterprises paid little attention to VPN compliance. After the Law was introduced, multinational corporations began to pay closer attention to their VPN usage because authorities issued orders to “clean up” VPN services. Under current law, enterprises may use VPNs for internal work purposes, on the condition that they purchase the VPN service from a licensed supplier and file a record of their VPN usage with the authorities.

In the spring of 2017, the Ministry of Industry and Information Technology (“MIIT”) issued the Notice on the Rectification of the Internet Access Service Sector, announcing measures against illegal VPN service providers; this became known as the “clean-up”. More recently, state media reported a further planned crackdown on VPNs in the spring of 2018. At a recent press conference, MIIT chief engineer Zhang Feng re-emphasized that the clean-up targets only illegal enterprises and individuals operating without approval from the authorities or without the qualifications required to operate international network services. Zhang Feng also stated that companies may lease international internet lines from their network service provider and that lawful cross-border data transfer will not be affected.

Notably, in July 2017 a mainland VPN provider falsely claimed to be the “first MIIT-authorized commercial VPN service provider in China”. MIIT responded with a clarification announcement stating that the enterprise’s claimed authorization, licensing, and related marketing materials were entirely fabricated. Businesses should therefore exercise due diligence when selecting a VPN service provider, verifying the supplier’s license rather than relying on its own marketing claims.