Legal Update: China’s Cybersecurity Law

By Wei Chen

After issuing three drafts for public comments during the previous two years, the Standing Committee of the National People’s Congress approved the Cybersecurity Law on Nov. 7, 2016, and it will come into force on June 1, 2017. But what will be changed in terms of cyberspace security in China after the final release of this long-awaited law?

With 79 articles, the law has a broad regulatory scope over the area of cybersecurity, including network operation security, network data security, network information security, “critical/key information infrastructure” security, and alarm and emergency response systems. The law aims to safeguard the sovereignty of national cyberspace and Chinese national security. The law establishes a comprehensive regulatory regime for cyber security, creates or formalizes legal responsibilities for “network operators” and “network service providers,” and develops regulatory supervision in a more systematic way.

The law will regulate all network services and activities within China, including construction, operation, maintenance, and usage of networks. “Network” refers to any system that can be used for information gathering, storage, transmission, exchange and processing. All network operators (including owners, administers and service providers) in China, domestic and foreign, will be regulated by the new law.

What are the relatively new aspects under the law?

1. Network operation security

One of the focal points of the law is to set up an all-around network operation security system, including:

1. Graded network security protection system: The law establishes a “graded network security protection system,” but doesn’t offer details about how the it will be implemented.
2. Personal identification: The law restates that network operators should identify all personal users when providing network access and services.
3. Cooperation with law enforcement: The law requires network operators to provide technical support and assistance for public security investigations and actions.
4. “Key network equipment and specialized cyber security products”: All “key network equipment and specialized cyber security products” should be certified by qualified entities in accordance with the relevant national standards before being sold, and the law defers to the offices of the Cyberspace Administration of China (CAC), together with other government authorities, to issue a catalog of the “key network equipment and specialized cyber security products” separately.
5. Critical information infrastructure operators

The concept of “critical information infrastructure operators” (CIIOs) is introduced as an important element under the law and drew a lot of attention due to its broad scope of coverage and additional regulations. CIIOs are defined as important sectors and fields –such as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government affairs and other information infrastructures – that if compromised could jeopardize national security, national welfare and public interests. The State Council will issue implementing rules later which are expected to clarify the “specific scope” and “security protection measures” for CIIOs. 

Among all the additional requirements for the CIIOs, the following are worth highlighting:

1. Data localization: Personal information and other important data gathered or generated by CIIO in mainland China should be stored in China, unless it can pass a security assessment run by designated agencies. However, the definition of “other important data” remains unclear. 
2. National security review: If procurement of network products and services by CIIOs may impact national security, such procurement should go through a government national security review process.
3. Inspection and assessment: CIIOs should have their network security stability and potential risks inspected and assessed on an annual basis. 
4. Support government’s action: The offices of the CAC and other government authorities have the right to examine the security risks of CIIOs and host emergency response rehearsal on a regular basis, and CIIOs should cooperate with such government actions and provide technical support in emergencies.
5. Monitoring system and emergency response mechanism

By naming the offices of the CAC as the leading authority, the law provides that the state will establish the cybersecurity monitoring system, information reporting regime, risk assessment and emergency response mechanism.

To ensure national safety and public order and to handle a significant and urgent social security event, the government may impose certain temporary methods to restrict network communications within specific regions, following the decision or approval from the State Council.

What other aspects are covered under the law?

Personal data protection is another important aspect under the law. In line with current regulations, the law redefines personal data and restates restrictions to collect, use and disclose any personal data. In short, any personal data should be collected and used with the prior consent and within the limited scope to suit the network operators’ services. No disclosure, tampering or destruction of personal data is allowed unless it has been properly anonymized. A notable clarification under the law is that any data with personal identification information removed and un-restorable will no longer be deemed as personal data and accordingly, will not be subject to the regulations and restrictions upon the personal data.  

Internet censorship is a crucial part of cyberspace supervision in China. The law restates that network operators should enhance their supervision over content posted by the users by blocking or deleting illegal content, ceasing service provision, and reporting to the relevant authorities.

Penalties for violations

The Cybersecurity Law specifically imposes a range of penalties for violations with relatively detailed descriptions, including monetary fines. The law also establishes a credit system for the network operators and any violation of the law by a network operator will be recorded in its “credit archive” and announced publicly. Lastly, a new provision targets foreign hackers by codifying that foreign agencies, organizations or individuals that endanger China’s critical information infrastructure are subject to asset seizures and other punitive measures.

What’s next?

Although the law has been approved, certain aspects require further elaboration through implementing rules or interpretation by the authorities. More importantly, the law delivers a message to everyone relating to cyberspace that China will safeguard cybersecurity as part of national security.

About Author: Ms. Chen Wei is a partner of JunHe LLP specializing in cross-border merger and acquisition (foreign investment and outbound investment) and private equity investments. Ms. Chen has worked in the telecommunications and Internet industry for more than ten years.