Just a few weeks away from the June 1 start date for enforcement of China’s Cybersecurity Law, many companies are still oblivious to how the law will affect their operations. “We didn’t think the Cybersecurity Law was going to apply to us until we read about it more,” said a local executive at a business research service company. “I thought it would mostly be for technology companies, but it’s much bigger than that.” They are likely not the only company that will be caught unprepared for the burdens of compliance.
As written, the law ostensibly will apply to any company that conducts business operations within China. Various implementing regulations have been published already, with more to come, but many questions remain. For example, the Ministry of Transport issued cybersecurity provisions specifically for civil aviation that referenced the Cybersecurity Law and directly copied many of its core regulatory components, having potentially very broad implications in an industry that is highly technical, data driven and international. With the days until the June 1 enforcement date dwindling, time is running out for companies to assess the implications and comply with the new rules.
When the law was first passed, English language news media such as the New York Times, the Wall Street Journal, and Bloomberg mainly focused on the effect that the legislation would have on technology companies. While the robust coverage of potential effects on technology and computer products highlighted some aspects of the law, it overlooked its most important element: The 2016 Cybersecurity Law applies to every industry.
Within the law’s provisions and the draft regulations that have been released to date are requirements that will impact almost every company that operates in China. Yet many companies across China have failed to grasp the scope of the law’s coverage and potential impact.
“Implementing rules and regulations are needed to clarify the exact intended scope of this term,” said Manuel Maisog, the Chief Representative in Beijing for Hunton & Williams and an expert on global privacy and cybersecurity. “Until those are promulgated, on the basis of the statute itself, it would appear reasonable and practical to assume that any entity in China that operates more than one computer networked together to form a computer information or communication system could be considered a ‘network operator.’”
The Cybersecurity Law establishes protections for citizens and increases individual control over identifying information. Almost every organization with a computer or website keeps records on who does what with their online services, making them liable under the law.
The new law codifies practices that most companies already follow, such as obtaining consent from individuals to collect and use their data. However, it also imposes requirements for cybersecurity contingency planning and disclosure of any leaks that do occur.
Administrative headaches may also result from multitudinous other requirements, such as maintaining web logs for six months, determining personnel responsible for cybersecurity, and utilizing data encryption and backup plans.
Experts and members of AmCham China's ICT Committee answer questions about the Cybersecurity Law at a recent event with more than 90 people in attendance.
Not all companies operating in China will be affected equally, however. The law makes clear that companies operating in some sectors will face additional levels of security requirements, especially if they are related to national security, the national economy, people’s livelihoods, or public interests. While not an exhaustive list, the approved law identifies some sectors as examples of Critical Information Infrastructure (CII), such as energy, transportation, finance, public services, education, and industrial manufacturing.
For these CII operators, the designation comes with additional compliance burdens such as mandatory data localization and restricted procurement options limited to a list of approved networking products or services.
Draft regulations pertaining to that “approved list” of online products and services establish that a new Cybersecurity Review Commission will create testing standards and initiate reviews of products. However, according to an analysis by Covington, the regulations do not clarify what occurs in a review process or a time frame for those reviews.
Many companies are also fearful that their intellectual property may be compromised during the review phase. To make it onto the list of approved products, companies may be asked to hand over all information – even proprietary source code – to review officials.
Notably, even companies that are not classified in the stricter CII tier may still be subject to similar levels of scrutiny. If a company sells products or services to a customer that is classified as CII, then a review must be conducted before the customer can use those products or services.
With only a few weeks remaining until enforcement is set to begin, companies are still anticipating clarifications of the original law. Comments for the recently-released Draft Regulation on Cross-Border Data Transfer are open until May 11, and the CII definitions, promised since before the law passed last November, are nowhere in sight. Regardless of how the forthcoming regulations shape the final form of cybersecurity in China, compliance on June 1 is likely to be a murky affair.