Late last year, China took a remarkable step in enhancing its national cybersecurity and adopted, on November 7, 2016 during the 12th National People’s Congress, the new Cybersecurity Law (the Cybersecurity Law or the Law). The Law will come into force as of June 1, 2017. In this article we shall provide an overview of China’s Data Protection Regime and review the following:
- The Background
- The Highlights of the New Cybersecurity Law
- The Data Transfer Measures
- The Security Review Measures for Network Products and Services
For over two decades China has made efforts to improve the protection of data through various rules and regulations targeting the security of computer networks. The first rule to address security issues was the Regulations for Safety Protection of Computer Information Systems promulgated by the State Council on 18 February 1994, which designed a safety regime for the computer information system and nominated the public security bureau as the supervision authority.
Between 1994 and 2013, China adopted various pieces of legislation, including the i) Interim Administrative Regulations of the People’s Republic of China on International Networking of Computer Information Networks, ii) Administrative Measures of the People’s Republic of China for the Protection of International Networking Security of Computer Information Networks, and iii) State Secrecy Protection Regulations for Computer Information Systems on the Internet, to name a few. Each piece of legislation regulated a different segment of cybersecurity, but there was no single comprehensive law to regulate cyberspace.
Along with the rapid growth of the Internet and information technology, various associated threats, such as computer viruses, cyber-attacks, information leakage and unpermitted use of personal data, have begun to spring up. In an attempt to centralize management and better address cyber risks, China, through a high-ranking working group led by President Xi Jinping, Premier Li Keqiang and ten other top figures at the ministerial level, established, on 27 February 2014, the Office of the Central Leading Group for Cybersecurity and Informatization (the Cybersecurity Authority). A year later, several pieces of legislation that affect cybersecurity were issued, including:
- On January 19, 2015, the Foreign Investment Law (Discussion Draft) was released for public comments. The Discussion Draft stated that foreign investment which might have a negative effect on key infrastructure, technology and cybersecurity shall be strictly examined prior to approval.
- On July 1, 2015, China adopted the National Security Law which addressed cybersecurity as one of the core national security issues and the concept of ‘maintaining cyberspace sovereignty’ was introduced.
- On July 6, 2015, the Draft Cybersecurity Law was first released for public comments, and on October 31, 2016 the third draft was submitted to the Standing Committee of the National People’s Congress for final review.
- On August 29, 2015, Amendment IX to the Criminal Law was promulgated. The Amendment specified the criminal penalties for cyber terrorism and for network service providers, strengthened the protection of personal information and expanded the types of crimes associated with the use of computer and information systems.
Highlights of the Law
On November 7, 2016, the Cybersecurity Law was finally adopted. The Law presents four main goals associated with cybersecurity protection: i) increase the responsibility of network operators, ii) enhance the protection of critical information infrastructure against attacks, intrusions, interference and destruction, iii) increase data protection and storage requirements in key industries, and iv) regulate the compliance of network products and services with the relevant national and industry standards. Further, the Law sets several levels of penalties, differentiated by the seriousness of the violation of the network security protection obligation. The highlights of the Law are as follows:
I. Definitions. The Law clearly presents the definitions associated with cybersecurity. “Cybersecurity” refers to the necessary measures required to prevent attacks, intrusions, interference with or disruption of the network, and illegal use of the network. “Network Operators” refers to owners and administrators of networks, and to network service providers.
II. Obligations of Network Operators. The Law imposes increased obligations on network operators to:
- Formulate internal security management systems and operating instructions, and determine the persons responsible for cybersecurity;
- Take technical measures to prevent computer viruses, network attacks, network intrusions and other actions endangering cybersecurity;
- Take technical measures to monitor and record the network operation status and security incidents, and preserve relevant logs of network for at least six months;
- Classify, back-up and encrypt important data;
- Strengthen management of information published by users.
III. Providers of network products and services shall not install malware and, once they discover cyber risks, shall immediately take remedial measures, inform users of the said risks and report to the relevant competent authority;
IV. Protection of personal information. According to the Research Report of the Safety of Chinese Cyber Citizens published in 2014, 84% of the Chinese network users were subject to infringement of their personal information through the Internet. To improve the situation, the Law introduces, inter alia, the following:
- Where network products and services have functions that allow the collection of users’ information, the network providers shall clearly notify their users of such functions and obtain their consent;
- Network operators shall keep their users’ personal information in strict confidence, and establish a users’ information protection system;
- Network operators shall not disclose, distort or damage the personal information collected, and shall not provide such data to others without the consent of the persons whose data was collected;
- If individuals discover that network operators gather or use their personal information in violation of the law, they have the right to request the deletion of the personal information; where they find that their personal information is mistaken they have the right to request the revision of such information.
V. Internet fraud. To prevent internet fraud, the Law clearly prohibits the creation of websites or communication groups used for illegal or criminal activities such as fraud, passing on criminal methods, or producing or selling prohibited or controlled goods.
VI. Key Information Infrastructure. The Law introduces a new concept of “Key Information Infrastructure”. This refers to information infrastructure in certain industries whose malfunction, damage or data leakage would result in serious damage to national security, the national economy, people’s livelihood and public interests. The industry sectors listed in the Law include: public communications and information services, energy, transportation, water conservancy, finance, public services and other important industries and fields. According to the Law, operators of such key information infrastructure shall comply with the following key requirements:
- Set up independent security management functions and designate persons responsible for security management;
- Periodically conduct cybersecurity education, technical training and skill assessment for practitioners;
- Formulate contingency plans for cybersecurity incidents and carry out periodic drills;
- Enter into confidentiality agreements with the product/service providers;
- Store personal information and important data within the territory of China;
- At least once a year, conduct detection and assessment procedures and submit reports to the relevant supervision authority.
Perhaps the most significant change introduced by the Law is the requirement to store, within mainland China, personal information collected through “Critical Information Infrastructure”, and the need to undergo a security assessment procedure in the event such information is to be stored offshore or transferred abroad.
VII. Identification with true identifying details.
No more ‘Bluesky8’ or ‘IAMRIGHT’ anonymous netizens. From now on, network providers are required to obtain the real identification information of their users upon signing agreements or confirming the provision of services. This requirement applies to all sorts of information publication services, instant messaging services, network access and domain registration services.
VIII. Penalties and Fines
To better implement the Law, the legislator introduced a mechanism of penalties to deter leakage of personal data and other cyber risks:
- Protection of personal information. Where network operators infringe the data protection rights of their users, they shall be subject to fines of up to ten times the illegal gains, and where no illegal gains are involved, a fine of up to RMB 1 million shall be imposed. In serious circumstances, network operators shall be ordered to suspend the relevant functions of their business, or even to shut down the website and lose their business license.
- Internet fraud or illegal activity. Network operators that set up websites or communication groups to support illegal or criminal activities, or those who illegally disclose protected information, shall be detained for up to five days and shall be subject to fines of up to RMB 100,000; in serious circumstances, the detention time shall increase to 15 days and the fine to RMB 500,000.
- Key Information Infrastructure. Operators of key information infrastructures who store or transfer protected data overseas will be subject to fines of up to RMB 500,000 alongside the possible suspension of their business, rectification of their business license and the closure of their websites; the responsible persons shall be subject to a fine of up to RMB 100,000.
- Identification with true identifying details. Network operators that do not collect true identification information of their users shall be subject to a fine of up to RMB 500,000, while the responsible person shall be exposed to fines of RMB 10,000 to 100,000.
The Cybersecurity Law sets the general framework for data protection legislation in China; however, it does not define several important terms that directly bear on the scope and scale of the Law, for example, ‘important data’ that might fall within Article 37, or the ‘business requirements’ and ‘truly necessary’ circumstances that might justify offshore storage of data.
Data Transfer Measures
On April 11, 2017, the Cyberspace Administration of China (“CAC”) released the draft Measures for Evaluating the Security of Transmitting Personal Information and Important Data Overseas (the “Data Transfer Measures” or the “Measures”). The Measures expand the scope of the security assessment to any “Network Operator”, rather than limiting it to Critical Information Infrastructure as stipulated in the Cybersecurity Law. The Measures further define the types of regulated data: i) “Important Data”, defined as data closely related to China’s national security, economic development or public interests, as well as data that contains information in the fields of nuclear facilities, chemical biology, national defence and military, population health and the like, and information about major engineering activities, the marine environment and sensitive geography; and ii) “Personal Information” (“PI”), which includes any recorded information that can be used to identify a particular natural person. Articles 4 and 11 of the Measures formalize a consent-based framework, prohibiting overseas transfers of PI unless the data subjects have been notified of certain information and have granted approval for such transmission.
Security Assessment Implementation
The Measures set out a two-layer assessment of cross-border data transfers, comprising network operator self-assessments and, where required, governmental assessments. Network operator self-assessments include pre-transmission assessments and periodic assessments to be conducted at least once a year. A governmental assessment is required in certain circumstances, including, inter alia, where i) the data involves the personal information of over 500,000 individuals, ii) the data volume exceeds 1,000 GB, iii) the data contains information in sensitive fields such as nuclear facilities, chemical biology, national defence and military, population health and the like, or information about major engineering activities, the marine environment and sensitive geography, iv) the PI and important data are provided to overseas parties by Key Information Infrastructure, and v) other factors which may affect national security and public interests are present.
Security Review Measures
On 2 May 2017, the CAC issued the Measures for Security Review of Network Products and Services (for Trial Implementation) (the “Security Review Measures”). The Security Review Measures introduce a security review framework for network products and services. They identify certain key industries (such as finance, telecommunications, energy, transportation, water resources and public services) and critical information infrastructure that may have an impact on national security. Network products and services purchased for such key industries and critical information infrastructure shall pass a cybersecurity review.
The long-awaited Law, and the implementing regulations that are now following it, introduce a broad framework for data protection that aims to strengthen the protection of online users’ personal information, regulate the behavior of network operators, impose increased responsibility on operators of key infrastructure and set up a graduated penalty system to improve cybersecurity. Prior to the enactment of the Cybersecurity Law, the data protection regime in China was under-developed, lacking a single national law to regulate the protection of data. This vacuum has finally come to an end.