China Cybersecurity Law update: Critical Information Infrastructure in China - Any clarification?

As discussed in our newsletter Cybersecurity Law in China – At Long Last!, China's Cybersecurity Law was passed on 7 November 2016 and will come into effect on 1 June 2017. However, there are a number of much needed clarifications on some of the provisions. One of the areas of much interest and concern for international businesses operating in China is whether the requirements relevant to operators of "critical information infrastructure" ("CII") will be applicable to them. The key determining factor is the definition of CII.

It is much anticipated that some guidance will be found in the Critical Information Infrastructure Security Regulation ("CII Regulation") which was put forward on the legislative agenda of the State Council in March 2016, even before the Cybersecurity Law was passed. This CII Regulation is high on the agenda of the State Council and is expected to be passed this year, before the Cybersecurity Law comes into force.

In the meantime, China's Internet Information Office published a National Cybersecurity Strategy on 27 December 2016. Until the CII Regulation comes into force, this is perhaps the first piece of policy document since the Cybersecurity Law was enacted which provides some further elaboration on the definition and scope of CII under the Cybersecurity Law.

What does the Cybersecurity Strategy say about CII?

1. General principle

The Cybersecurity Strategy similarly sets out the general principle set out in the Cybersecurity Law, which is that a CII is an information infrastructure which relates to national security, national economy and people's livelihood and, if destroyed or if its functionality is lost, or if data is leaked, will seriously damage national security and public interests.

This general principle however gives little practical guidance to businesses as, in the first place, most online information platforms and online transaction websites for example would relate to people's livelihood and the national economy, and further, what amounts to "serious damage to national security and public interests" is a matter which is not measurable and may be subjective.

2. Non-exhaustive list of selected industries 

As with the Cybersecurity Law, the Cybersecurity Strategy further provides a non-exhaustive list of selected industries that the authorities consider would be regarded as CII.

Whilst the Cybersecurity Law lists out industries such as public communications and information service, energy, transport, water conservancy, finance, public services and e-government affairs, the Cybersecurity Strategy provides for the following interesting differences:

• additional industries are included: education, scientific research, industry and manufacturing, medical and health, and social security; and
• instead of referring to "public communications and information service" set out in the Cybersecurity Law, the Cybersecurity Strategy more specifically refers to public telecommunications, radio and television transmission, and further includes "important Internet application systems" as a new category.

To those who are familiar with earlier drafts of the Cybersecurity Law, the provisions in the Cybersecurity Strategy on the definition of CII do not appear surprising. For example, medical and health, and social security were previously included in the definition of CII in the first draft of the Cybersecurity Law. Further, the inclusion of the reference to "important Internet application systems" appears similar to one of the draft definitions of CII which included "networks and systems owned or managed by network service providers with numerous users". Whether this is intended to catch Internet apps with numerous users, or with large transaction volume, or other criteria for determining their "importance", is still unclear.

As discussed in our earlier newsletter, one of the key implications of a system being regarded as a CII is that personal information and "important data" collected or generated by such system must be stored in China. If for business reasons, such information needs to be provided offshore, then the export will be subject to security examination. However, the Cybersecurity Strategy does not give any further guidance on what may constitute "important data" and offers no further elaboration on what the security examination may involve.

More to come?

Whilst the Cybersecurity Strategy sets out some important overall principles and strategies relating to cyberspace security, it perhaps creates more questions than answers for businesses who are concerned about whether they may be regarded as CII operators under the Cybersecurity Law. As the date of implementation of the Cybersecurity Law draws near, we await with much eagerness the passing of the CII Regulation which will hopefully provide further guidance.