The long awaited Cybersecurity Law of China was passed on 7 November 2016. The law will come into effect on 1 June 2017. The first and second drafts of the law were released for public consultation in June 2015 and May 2016 respectively, with the third draft, released on 31 October 2016, being the draft submitted for final review and promulgation. The lightning speed at which the law was passed indicates nothing short of the determination of China to have in place a piece of legislation to deal with the magnitude of legal issues which have arisen since the dawn of the digital era in the country.
The law contains a total of 79 articles and covers a variety of matters relating to the cyber world. We summarise briefly below some of the key features of this important piece of legislation:
The Cybersecurity Law is going to be jointly administered by the Cybersecurity Administration of China, the Public Security Bureau and the supervisory authority responsible for telecommunications (currently, the Ministry of Industry and Information Technology, MIIT). In short, the Cybersecurity Law has not established a Data Protection Agency for data protection purposes in China.
Supply and procurement of products and services
There are a number of provisions in the Cybersecurity Law which will likely have an impact on vendors intending to supply network products and services in China.
For example, Article 35 provides that network products and services procured by operators of critical information infrastructure will be subject to national security examination if such products and services are likely to affect "national security".
Network products and service providers are obliged to maintain the security of their products and services and are not allowed to terminate such obligation within the period agreed between the providers and recipients of such products and services.
"Critical network products" (网络关键设备) and "dedicated network security products" (网络安全专用产品) will be subject to mandatory national standards and will need to be certified and approved before they can be sold or provided in China. Although critical network products and dedicated network security products are not defined in the law itself, a catalogue of such products will be produced by the Cybersecurity Administration and other relevant authorities in due course.
It would seem that the above requirement will be applicable to both domestic and "foreign" products and services. Whether this in fact will be the case will become clearer when the catalogue is released.
Critical information infrastructure
The legislators appear to have had a change of heart on what may constitute "critical information infrastructure" (CII) under the Cybersecurity Law. In the first draft, certain important information infrastructure used in certain sectors, such as healthcare and social welfare, was designated as CII. However, in the second draft, the more prescriptive definition was deleted and the power to decide what may be a CII was given to the State Council.
Article 30 of the Cybersecurity Law now broadly provides that information infrastructures in a number of sectors will (likely) be regarded as CIIs. These sectors include:
- Communications and information services
- Financial services
- Public services
- E-government services.
Article 30 also contains general descriptions of what CII may be, such that information infrastructures that meet those descriptions may also be regarded as CII.
The concept of "critical information infrastructure" of course is not new and it has already been included in a number of cybersecurity regulations in Europe, including France and Germany. However, one of the key implications of an information infrastructure being regarded as a CII under the Cybersecurity Law is that personal information and "important data" collected or generated by such infrastructure must be stored in China. If, for business reasons, such information needs to be provided offshore, then the export will be subject to security examination. Quite apart from the examination, what constitutes "important data" is also not defined.
Protection of personal information
Prior to the Cybersecurity Law, China did not have a dedicated piece of legislation relating to the protection of personal information; instead, various provisions relating to the protection of personal information were set out in a number of different laws and regulations. The Cybersecurity Law codifies certain key provisions relating to the protection of personal information into one single piece of legislation, and applies to all "network operators".
"Network operators" is defined in the Cybersecurity Law to mean the owners and administrators of a network and network service providers. Further, since "network" refers to a network or system consisting of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information, any individual or entity that owns or administers such a network would be caught. In practice, this would mean that any individual or entity that owns or administers a computer or information network (e.g. all businesses with an online platform) will be caught.
The provisions on protection of personal information also apply to providers of network products and services that contain functionality capable of collecting user information. This would include, for example, providers of mobile applications, such as mobile game apps, that collect and use information relating to users.
Key data protection provisions
Amendments made to the final version of the Cybersecurity Law widen the definition of "Personal Information", which is defined to mean all information that, either singly or in combination with other information, identifies a natural person (instead of limiting to "citizen" personal information in the previous drafts).
The key provisions relating to the protection of personal information in the Cybersecurity Law generally follow international standards on the protection of personal data (e.g. requiring notification of the purposes of collection and use, and publicising relevant privacy policies). There are also data breach notification requirements. However, a key distinct and important requirement is that, as with the current provisions under the various laws and regulations, the consent of data subjects is required for any collection, use and disclosure of personal information. What remains unclear is whether the consent needs to be express consent or may be implied; the law does not clarify this. This may be clarified when the law comes into effect, and will have significant implications for how the consent requirement is followed in practice.
Record retention obligation
The Cybersecurity Law requires "network operators" to, in accordance with regulations, retain log books relating to the operation of their networks for no less than six months.
Entities in breach of the relevant provisions will be subject to a number of penalties including a warning, confiscation of illegal gains, or a fine of not less than one time and not more than ten times the amount of illegal gains. Further, in relation to a breach of the provisions relating to protection of personal information, individuals at management level and other responsible persons may be subject to a fine of between RMB10,000 and RMB100,000 (approx. US$1,480 to US$14,800). In serious circumstances, network operators may also be ordered to suspend or terminate their business or website, or the relevant business permits or business licences may be revoked.
The penalties for failure to comply with certain provisions under the Cybersecurity Law have also been increased in the final version, notably the provisions relating to protection of personal information. The level of administrative fines has been increased from RMB500,000 (approx. US$74,000) to RMB1 million (approx. US$150,000). The increase in the amount of the fine, coupled with the promulgation of the Ninth Amendment to the PRC Criminal Law in 2015, which creates a new criminal offence relating to misuse of personal information under Article 253, shows the problems faced by China as increasing amounts of data, whether personal or business, can now be easily gathered and processed by businesses in the country.
The Cybersecurity Law makes it clear under Article 74 that civil liability may be incurred for any breach of any provision of the law which results in damages to a third party.
Most laws and regulations in China do not have extra-territorial effect. The Cybersecurity Law is no exception, apart from Article 75, which specifically provides that any offshore entities that hack or interfere with any critical information infrastructure and cause serious consequences will incur legal liability. The Public Security Bureau is authorised to freeze assets or impose necessary sanctions on such entities.
The Cybersecurity Law elevates the legal status of a number of legal requirements and restrictions which are already in existence in various legislative forms in China. The application and interpretation of these requirements and restrictions are well understood and their appearance in the Cybersecurity Law should not raise much alarm amongst the business community operating in China. That said, the Cybersecurity Law has introduced new legal requirements and restrictions and their application and implication will only be fully understood when implementation rules and regulations are promulgated and when the three authorities start to provide guidance as to how the law may work in practice.