The PRC Cybersecurity Law is the first national-level legislation establishing principles for protecting the cyberspace security of the People’s Republic of China. Among other aims, it is intended to address the need to control China’s critical information infrastructure (CII) and the data that infrastructure holds. The law focuses on the security challenges facing information infrastructure in a range of critical sectors, such as telecommunications, energy, transportation and finance, and addresses unlawful cyber activities including illegally obtaining or selling personal information, disseminating malicious software or prohibited information, and online fraud.
The PRC Cybersecurity Law generally imposes obligations on three types of entities: (1) network operators; (2) critical information infrastructure operators; and (3) providers of network products and services.
Network Operators
The PRC Cybersecurity Law imposes a range of cybersecurity obligations on “network operators,” defined as owners and administrators of networks and network service providers. A “network” is defined as any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange, and processing of information. On its face, the term network operator is broad enough to encompass any company that uses a network to do business in China, even one without a physical presence in China.
Generally, network operators must:
- Develop internal security management systems and procedures, appoint personnel responsible for network security, and implement network security protection responsibility.
- Adopt measures to prevent viruses, network attacks, network intrusions, and other threats to network security.
- Monitor and record network activity and security incidents, and store network logs for at least six months.
- Implement measures to classify, back up, and encrypt data.
Network operators must also provide “technical support and assistance” to law enforcement authorities to safeguard national security and investigate crimes. The term “technical support” is not formally defined, and it remains to be seen whether it extends to providing backdoors or decryption assistance for encrypted data. To the extent it does, it would permit government access both to data stored in the PRC and potentially to data in transit through the PRC.
Critical Information Infrastructure Operators
Critical information infrastructure (CII) operators are defined as entities providing services that, if lost or destroyed, would endanger China’s national security, economy, or public interest. The PRC Cybersecurity Law lists public communication and information services, energy, finance, transportation, water conservancy, public services, and e-government as examples of CII.
CII operators are subject to the same cybersecurity requirements applicable to network operators as outlined above. CII operators must also sign security and confidentiality agreements with their suppliers of network products and services, and evaluate cybersecurity and other potential risks at least once a year.
Providers of Network Products and Services
Providers of network products and services must comply with relevant national and industry standards and ensure the security of their products. Products determined to be “Critical Network Equipment and Network Security Products” are required to go through testing by accredited evaluation centers prior to being marketed in China.
Penalties for Non-Compliance
Failure to comply with the PRC Cybersecurity Law carries penalties ranging from orders to make corrections, to fines and confiscation of unlawful gains. At the severe end of the spectrum lie temporary suspension of operations, shutdown of websites, and revocation of relevant operating permits and the business license. The Cyberspace Administration of China (CAC) and other relevant government departments are also entitled to take technical measures and other necessary actions to block the transmission of information that originates outside the PRC and that PRC law prohibits from being published or transmitted.
Restrictions on Cross-Border Data Transfers
One of the most significant and controversial provisions of the PRC Cybersecurity Law restricts the cross-border transfer of personal information and important data collected or generated through operations in China (collectively, Local Data). Specifically, a network operator may transfer Local Data outside of China only if it has a genuine business need to do so and passes a security assessment.
The Scope of Local Data
Local Data subject to the cross-border transfer requirements consists of “personal information” and “important data.” Notably, the definition of “personal information” is not explicitly limited to information pertaining to Chinese citizens.
Security Assessments for Cross-Border Transfers
If a network operator wishes to transfer Local Data outside of China, it must undergo a security assessment. Self-assessments generally suffice for this requirement and must consider, among other factors:
- The legality, legitimacy, and necessity of the cross-border transfer.
- The amount, scope, type, and sensitivity of the data.
- If the transfer involves personal information, whether data subjects have consented to the transfer.
- The data recipient’s security capability, measures, and environment.
- The risks associated with the data being leaked, damaged, tampered with, or misused after the data transfer or subsequent re-transfer.
- The risks to national security, societal and public interests, and the individual lawful rights and interests after the cross-border transfer.
Prohibited Cross-Border Transfers
Cross-border transfers of Local Data are prohibited in the following circumstances:
- The transfer does not comply with state laws, administrative regulations, or departmental rules.
- Data subjects do not consent to a transfer involving personal information.
- The transfer poses risks to China’s national security or public interests.
- The transfer could endanger China’s security in the areas of national politics, territory, military affairs, the economy, culture, society, technology, information, the ecological environment, resources, or nuclear facilities.
- Other circumstances where the Chinese government determines that the data involved in the transfer is prohibited from being transferred offshore.
Businesses operating in China should evaluate how the PRC Cybersecurity Law might impact their operations and amend their policies and procedures as necessary. Companies should pay close attention to their data transfer practices to meet the new restrictions on cross-border transfers. Companies should also understand the implications of data localization requirements and the ability of the government to access private and proprietary data stored and transferred in China.