China’s Cybersecurity Law came into effect on June 1st, 2017. The law has two main purposes, known to the public. One is to facilitate a larger effort of the Chinese government to establish supervisory control over Internet content. The other major purpose is to bring China closer to international cybersecurity standards.
The business community has reacted to China’s Cybersecurity Law with concerns over compliance and IP protection. The law is currently written with ambiguous definitions, which can make compliance and business planning less-than-straightforward. For instance, if compliance procedures will result in astronomical expenses, some businesses may have to adjust their business or even drop out of the market, depending on the size of the company. Additionally, foreign companies may be concerned that the information they will be required to share with authorities will be used for benefit of Chinese competitors.
Scope of the Law
China’s Cybersecurity Law designates broad requirements and covers, not only Chinese-registered entities but also foreign companies providing services to Chinese citizens and companies. The provision of the law include, but not limited to:
- Data Protection: China’s Cyberspace Administration refers to the Personal Information National Standards in cases covering the protection of personal information. According to China’s Cybersecurity Law, personal information is defined simply as information that identifies a legal person, which could include names, contact information, addresses, ID numbers, and others.
- Data Localization: The data localization requirement means that critical information infrastructure operators must store personal information and data deemed sensitive by the authorities within China. The definition of sensitive data remains loose.
- Critical Information Infrastructure: The law lays out requirements for operators of so-called critical information infrastructure (systems deemed vital to the nation), though many such definitions and rules remain vague, leaving room for authorities to release subsequent guidelines.
Requirements for Businesses
A major data protection requirement of China’s Cybersecurity Law stipulates that network operators are prohibited from collecting information on individuals that is not directly related to the service it provides. Prior to collecting information, the network operators must inform the individuals, on which the data will be collected, of the scope and objectives of the data collection.
China’s Cybersecurity Law requires network operators to store some of their data within China and allow for authorities to freely observe network operations. Operators are required to maintain a system for adequately monitoring the safety and security of their networks. Beyond China’s Cybersecurity Law, the Draft Security Assessment Measures require operators to back up and encrypt data of interest to the authorities, which may include data deemed relevant to national security, economic planning, and social stability.
Overseas Data Transfer
In order to transfer data overseas (either to a third-party contract or an overseas affiliate), a network operator must undergo a security assessment and receive the approval of the authorities (likely the Cyberspace Administration). The authorities may reject the request to transfer data overseas on the grounds that it damages or risks security, economic, military, social, or other interests.
In order to transfer data overseas or to a third-party, the operator must also obtain consent from the relevant network users. The operator must inform the user of:
- The specific categories of personal information transferred.
- The use of the data.
- Where the data will be transferred.
In the event of a data breach, network operators must inform the relevant authorities. These authorities will look to see that the operator has promptly taking relevant steps in response. Network operators must notify users in the event of a loss of data or another type of cybersecurity breach.
The Compliance Game
At this point in the evolution of China’s cyberspace policy development, ensuring compliance with the Cybersecurity Law and subsequent guidelines is no simple matter. One of the reasons for this is that the law frequently relies on vague language to define vital terms such as “critical information infrastructure”, “sensitive information”, and “national interest”. It is unclear to what extent the use of vague language is to give more room for the authorities to exercise discretion or if the vague definitions will soon be supplemented with more concrete rules. This is a cause for serious concern for network operations of operators of critical information infrastructure as the cost of non-compliance may be high. Though the strictness of future enforcement is unknown, failure to comply can lead to high fines and may even result in businesses losing their license to trade in China.
The actual monetary cost of ongoing compliance will likely be substantial. According to Computer Weekly, the cost of compliance for foreign multinational enterprises will range from millions to tens of millions of pounds. The cost of compliance will depend on future guidelines released by the State Council and the Cyberspace Administration. A number of businesses have expressed great uncertainty over how much data must be kept within China as well as the time, costs, and business interruptions the new law will generate.
Despite the fact that the authorities intend for China’s Cybersecurity Law to be all-encompassing, cybersecurity governance is ever evolving, making effective compliance costly and uncertain. For instance, authorities released the Cybersecurity Law and pushed companies to meet the requirement, while simultaneously stating that further guidelines will be released at a later date. For example, the law mentions that the State Council will determine the scope of measures to protect critical information infrastructure but has not yet defined that scope. This places operators in a nearly impossible situation to fully ensure compliance with the law.
At present, businesses can take a number of steps towards ensuring compliance with China’s Cybersecurity Law, despite remaining uncertainties. For instance, companies can review and update company privacy policies, conduct an audit cybersecurity weaknesses, and develop a standard operating procedure in the event of a cybersecurity breach. Companies should refer to the Personal Information National Standards when reviewing their data protection efforts.