Cybersecurity Law: Protection or Protectionism?
By Henry Chen | 2017/7/24 14:56:10



Introduction


The Cybersecurity Law of China came into effect on June 1st, 2017. 


The government now has a firmer grip on information and data flows, and it has also become more capable of preventing cyber-attacks, computer viruses and other network security violations. The legislation covers numerous areas, such as safeguards for national cyberspace sovereignty, protection of critical information infrastructure (CII), the security obligations of network service providers and operators, improvements to personal information protection rules, the establishment of a key information infrastructure security system, and rules for cross-border data transmission.


Under the new law, network service providers and operators must treat the confidentiality of user information as their top priority, and they are required to install protection systems to defend user information. "Network operator" is a wide umbrella term that covers companies that own networks, manage networks or provide network services. In addition, they are required to provide "technical support and assistance" to government authorities when required. However, some have cast doubt on this piece of legislation because of its ambiguity and harshness. This article will clarify such matters and explain why we are currently on the right track.


Content of the legislation


Overall, there is no doubt that the new legislation is strict and has extensive coverage. Article 19 is a prime example: it states that key network facilities and special network safety products may only be sold after being certified. These strict criteria stem from the fact that most Chinese companies and administrative authorities only stopped using foreign software and hardware in their IT systems when the PRISM project was uncovered in 2013; the Chinese government was alarmed by the potential risk to data security. Since then, they have switched their IT systems to domestically developed products and services, or have even developed their own. Suppliers of network products and services are under strict regulation and assessment: they are required to satisfy national and industry standards and to ensure the security of their products, and those products must be tested by third-party evaluation centers before being sold in China. The Cyberspace Administration of China (CAC) also releases a catalog of critical network equipment and dedicated network security products that require mandatory certification or testing in accordance with the compulsory requirements of national standards.


Article 35 is also worth paying attention to; it focuses on "critical information infrastructure" (CII). CII refers to infrastructure in industries that control data which could threaten national security or the public interest if misused or lost, especially those involving energy, finance, transportation, telecommunications, medical and healthcare, electricity, water, gas, and social security. Some foreign companies have raised concerns about such assessments, and this issue is addressed in the following paragraphs. In addition, CII industries have to satisfy other requirements, such as cybersecurity training, disaster recovery backup and the formulation of emergency response plans. On top of it all, the government will conduct periodic spot checks to make sure companies and organizations are complying with the new law.


Lastly, the most significant element of the Cybersecurity Law is the localization of all sensitive personal information and important data produced and gathered by CII companies. Such data must be stored on servers located in mainland China, and consent must be sought before transferring it overseas. Article 37 of the Cybersecurity Law focuses in particular on individuals' personal data and "critical data" collected and generated in China.


However, the definition of critical data remains uncertain, and this is where the major debate occurs. So far, it is only described as data related to national security, economic development and the public interest, which is extremely vague and broad. There is an extensive list of data that cannot be exported, such as personal data for which no prior consent to export was obtained or whose export might jeopardize personal interests, and other data whose export is barred by administrative authorities such as the CAC, the police and/or other national security authorities. Network operators are required to undertake an annual self-assessment, which should include an evaluation of the data transfer and of the type and sensitivity of the data. A mandatory assessment is required in a few cases: where the data to be transferred abroad includes personal information of (or accumulated from) more than 500,000 individuals, where the data volume exceeds 1,000 GB, where a CII operator provides personal information and important data abroad, and so on.


Criticism 


Most of the content of the legislation is detailed and rather well drafted; however, there are areas that have been criticized. Mr. Ron Chen, a former cybercrime prosecutor for the U.S. Department of Justice, commented on this piece of legislation. He described it as legislation that specifically addresses operators of the networks of critical infrastructure systems and imposes obligations on those operators to do specific things with regard to cybersecurity and to maintain the integrity of the Chinese internet.


He also mentioned that foreign companies might be concerned about the implications of this legislation. Many foreign companies whose business model involves collecting data from Chinese individuals and storing it on servers located outside China may have to migrate that data to Chinese servers, which can be a huge issue for them. Foreign companies that supply network security products and equipment to the market would have to take steps to comply with certification requirements and pass a national security review. These foreign companies may be deterred from investing in China, which could lead to a huge economic problem for China. Some network and security technology vendors may have to withdraw from the market if they find the security review process too invasive.


The Cybersecurity Law significantly raises the cost of compliance for foreign firms because of the complexity of its restrictions. However, their biggest concern is that they are now required to assist Chinese authorities in investigations of cybercrime and other types of misuse of the Internet. Adding it all up, foreign firms may find it burdensome to operate in China.


What Mr. Ron Chen said is not without reason. Critics argue that the new law threatens to shut out foreign tech firms. It is known that 40+ global business groups petitioned the Chinese authorities, urging them to amend controversial sections of the law, while Chinese officials claimed it would not interfere with foreign business interests. The biggest area of debate appears to be the demands to store personal and important business data in the country, to provide support to security agencies and to pass national security reviews. Many foreign companies fear they would be required either to hand over intellectual property or to build backdoors into their products in order to be allowed to operate in China's market. The American Chamber of Commerce in China echoes what Mr. Ron Chen said, calling the provisions of the law "vague, ambiguous, and subject to broad interpretation".


However, this article suggests that companies should not panic, not simply because the CAC claimed that every article of the law is in accordance with the rules of international trade and that the country is not going to close its doors to foreign companies, but because this legislation is merely a codification of government directives that were already in place; companies in China should therefore already have compliance strategies in place. Take the tiered system for cybersecurity protection as an example: it requires network operators to undertake security protection duties. However, the concept of a "tiered system" is old news; it can be traced all the way back to 1994 (the Regulations for Safety Protection of Computer Information Systems), which already provided for a tiered protection system.


There is no significant development in terms of personal data protection: while the new law sets out a number of high-level principles for personal data protection, these principles can already be found in a variety of existing laws and regulations, such as the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection (2012), the Provisions on the Protection of Personal Information of Users of Telecommunications and Internet Services (2013) and the Law on the Protection of Consumer Rights and Interests (2013 Revision). The new law is simply a restatement.


In terms of surveillance and "technical support" to security agencies, the new law requires network operators that find anything suspicious to immediately stop the transmission of that information and then report it to the relevant competent department. Such surveillance and technical support requirements can already be found in the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection (2012).


The new law provides that network operators providing network access, domain registration, fixed or mobile phone, information publication and instant messaging services should require users to provide their real identity information. These rules also restate those in the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection (2012).


All in all, the legislation is more than a mere restatement; it also introduces a few new rules and requirements, as this article has discussed above. It is in fact still too early to draw a conclusion as to its usefulness, as the future of the law remains uncertain.


Future


The CAC recently promulgated the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comment) ("Draft Regulations"), which are open for public comment until August 10, 2017. This is a clear reflection of the government's intention to strengthen the supervision and governance of CII, and the Draft Regulations focus mainly on CII. The CAC has been developing various measures to support the Cybersecurity Law since it was adopted on November 7, 2016 and came into effect on June 1, 2017. The State Cybersecurity Emergency Response Plan (January 10, 2017), the Measures on Security Assessments for Personal Information and Important Data to be Transmitted Abroad (Draft for Comment) (April 11, 2017), the Network Product and Service Security Review Measures (Trial) (May 2, 2017) and the Catalogue of Critical Network Equipment and Special Network Security Products (First Batch) (June 1, 2017) are all examples of these supporting measures.


The government appears to be very keen to supervise and aid the protection of CII. The Draft Regulations set out provisions for CII protection, including compulsory obligations and lists of responsibilities. The Draft Regulations attempt to clarify the meaning of CII by giving a non-exhaustive list of named industries. However, the scope of CII under the Draft Regulations has clearly been expanded in comparison to the Cybersecurity Law.


The Draft Regulations provide that CII operators include government organizations and units in the energy, finance, transportation, water resources, healthcare, education, social security, environmental protection and public utility industries; information networks such as telecommunications networks, radio and television networks and the Internet, as well as units providing cloud computing, big data and other large public information network services; scientific research and production units in the industries of national defense, science and technology, large-scale equipment, chemicals, and food and drugs, etc.; and news units such as radio stations, television stations, news agencies, etc. On top of that, the Draft Regulations also strengthen the liability of natural persons: they specifically state that in case of violations, penalties are to be imposed on both the violating enterprise and the natural persons in charge of it. In addition, Article 51 of the Draft Regulations provides for associated liability of CII operators, third-party professional service organizations and the relevant departments in cases of severe cybersecurity incidents in which such parties are found to be liable.


Conclusion


The Cybersecurity Law is most certainly good law; it has the right mindset and philosophy behind it. In today's China, where everything involves the internet and highly private information is stored by companies, stronger protection is a must. The CAC has been doing a good job supporting the Cybersecurity Law.


The Draft Regulations are a good reference for grasping the idea of CII and CII operators under the Cybersecurity Law, and they also make enterprises more aware of and concerned about the development of the law. However, there are still a number of questions that need to be clarified and answered.


Nonetheless, the promulgation of the Draft Regulations is a milestone for the implementation of key and systematic supervision of CII. One can expect more supporting measures to be implemented and promulgated. However, the relevant enterprises should not lag behind; they ought to keep up with their compliance work to make sure they are in line with the Cybersecurity Law and the other supporting measures.


To conclude, this area of law is still changing rapidly, and uncertainties are everywhere. It is undoubtedly a challenging topic for both the government and businesses. On one hand, the government needs to balance security and human rights. On the other hand, businesses need to adapt to the strict rules and find a way to conduct their business. This article humbly submits that the current law is most certainly on the right track; it simply needs some fine tuning.


The author, Henry Chen, former AP Compliance Director of Ford, is a Senior Partner at the Dentons Shanghai Office and is available at henry.chen@dentons.cn



The Compliance Reviews COPYRIGHT © 2013-19 All Rights Reserved. Supported by International Risk and Compliance Association and International Risk and Compliance Institute Limited. 沪ICP备10034943号-8