By Paul D. McKenzie
June 1, 2017 marks an important milestone, with the coming into effect of China’s new Cyber Security Law (网络安全法; the “CSL”).
Promulgated on November 7, 2016, the CSL was the product of a brisk legislative process that evolved out of the July 1, 2015 promulgation of the National Security Law, which identified the protection of “cyber sovereignty” and the preservation of cyber security as key national security goals. The CSL includes among its major provisions:
- Obligations relevant to “network operators,” broadly defined, in regard to network security and data security, including personal data privacy provisions of general application to network operators that build on principles found in the Consumer Protection Law and other legislation;
- Specific obligations governing operators of “key information infrastructure” (关键信息基础设施; “KII”), including a controversial data localization measure that requires KII operators to host personal data and other “significant data” in China and allows them to share such data with offshore parties only upon completion of a national security assessment;
- Powers of various government departments to supervise network operations.
The briskness of that legislative process has not come without a cost. The CSL is, in some respects, more a policy document than an actionable law. It is broadly drafted, with enforcement of many of its key provisions dependent on interpretations and implementing measures that have not yet been issued. The best example of that is the very concept of KII (a term sometimes translated as critical rather than key information infrastructure). Many of the more onerous provisions of the CSL govern operators of KII. Yet the CSL offers only a broad definition of the term, leaving the State Council to define its specific scope, which it has not yet done.
The Cyberspace Administration of China (国家互联网信息办公室; “CAC”) was established in 2014 to spearhead the Chinese government’s efforts to enhance network security. It has played an important role in the formulation of the CSL and will be a key player in its enforcement and in the development of technical standards and procedures required for its implementation. The CAC has sought to fill in some of the gaps in the CSL through the drafting of implementing measures.
The most widely discussed CAC measures, which remain in draft, are the Measures for Security Assessments of Cross-border Exports of Personal Information and Significant Data (个人信息和重要数据出境安全评估办法). Unfortunately, these draft measures complicate rather than clarify matters. For example, they omit technical details regarding the security assessment that must be undertaken.
Distressingly, they also contemplate extending the requirement to undertake a security assessment of data exports so that it would apply to all network operators in China, and not just KII operators, although the latest draft of these measures suggests that a grace period until the end of 2018 will be granted before compliance is required. Another set of measures, which have been finalized, governs the conduct of security assessments of certain types of network products and services by KII operators. These measures themselves leave significant issues to be determined before the related provision of the CSL can be implemented.
The CSL also contemplates an administrative infrastructure that does not appear to have been put in place. Now we are at June 1, with a significant amount of implementation work still unfinished by the CAC and other government departments, and with many questions about the CSL still unanswered.
What should foreign companies be doing in order to manage associated risk?
Some closing thoughts from my experience advising clients on this issue over the last few months:
- Actively monitor the issuance of implementing regulations by the CAC and other government departments, with help from AmCham China and other industry groups;
- Assess your company’s compliance with the data privacy provisions of the CSL, including through review of the terms of your data privacy policies and your company’s compliance with those policies;
- Review current practices in your Chinese operations in regard to exports of personal data and other important business data (including remote access to data by parties overseas) and assess implications of potential future limitations on those exports;
- Refresh “dawn raid” protocols that govern how Chinese operations respond to visits from government authorities;
- Ensure that the basic requirements of the CSL in regard to network security are met, including the requirements to have an identifiable management structure with responsibility for network security, to have in place basic technical measures to prevent security breaches, and to retain network logs for no less than six months;
- Evaluate compliance with existing regulations governing network security. The network security provisions of the CSL are not entirely novel and existing regulations of the Ministry of Public Security and other government departments already stipulate network security obligations relevant to various categories of information network. These obligations may be subject to more vigorous enforcement in the post-CSL era, even if the CAC and other government departments have not yet formulated regulations and standards relevant to implementation of the CSL itself.
Paul D. McKenzie is the Managing Partner of Morrison & Foerster's Beijing office.