Australia: Comply or be prepared to pay: China's new Cybersecurity Law

Australian entities might have to comply with not only their domestic cybersecurity laws but those in trading partners, such as the new Cybersecurity Law in China.

Cybersecurity is a major global issue. Increasingly countries are acting to strengthen their own cybersecurity through legislation. In October this year the Australian Government released the Security of Critical Infrastructure Bill for comment, and this is expected to be enacted into law in 2018.

Australian businesses, however, cannot limit their attention to domestic law; the laws of our trading partners and neighbours could not only influence Australia's future policy, but may also apply directly to Australian entities that operate within their territory.

We've already considered the effect of Singapore's draft laws on Australian entities; now it's China's turn, with its Cybersecurity Law coming into force on 1 June 2017 after a long period in draft form.

In this article we'll compare China's regime with the proposed laws in Australia, and the extra layers of liability that network operators and critical information infrastructure operators need to understand to avoid penalties.

China's Cybersecurity Law at a glance

While the final version of the Cybersecurity Law is available in English, the draft regulations (which clarify aspects of this law) have been released for comment, but not all of them have yet been translated into English.

Ostensibly the Cybersecurity Law establishes a collaborative framework for ensuring the safety of data in China, but at the same time it contains a suite of strict (albeit vaguely expressed) obligations as well as harsh penalties. The law applies to foreign entities operating in China, and to the broadly defined categories of "network operators" and "critical information infrastructure operators" (CII operators), and is being enforced by various state bodies.

In its current form, the draft Australian legislation does not go as far as the Chinese Cybersecurity Law in the obligations it imposes in relation to Critical Infrastructure Assets (CIAs). However the scope for Ministerial directions to be made increases the potential application of this law. It remains to be seen whether a more stringent regime is required in order to effectively safeguard cyberspace.

Obligations on network operators

Under the Chinese Cybersecurity Law, network operators are defined as network owners, managers and network service providers. "Networks" are broadly defined as:

"systems comprised of computers or other information terminals and related equipment that follow certain rules and procedures for information gathering, storage, transmission, exchange and processing."

Network operators carrying out business and service activities are subject to the requirements of the Cybersecurity Law regime, and have the following obligations:

  • To implement measures to protect the security of their networks by formulating appropriate security systems, establishing dedicated roles with responsibility for network security, and adopting technological measures to prevent viruses, monitor and record security status and manage data.
  • To formulate an appropriate emergency response plan in case their network is affected by a security risk or incursion.
  • If the network operator provides certain services to users including mobile phone use or instant message services, they must obtain real identity information from users before providing them with the services. This information must be truthful, and it must be kept confidential unless the user consents to disclosure.
  • To monitor information published by users and to the extent that this information violates any law or regulation, stop this information from being transmitted via their network and report this to the relevant department.
  • To establish systems where complaints and reports about network information security can be made. Where appropriate, network operators should relay these complaints to the relevant departments.
  • To assist and provide technical support to prescribed state organs and departments as required for them to perform their investigatory roles, and preserve national security.

In contrast, the Australian Bill does not apply to a similarly general category of entity such as network operators. Instead, its focus is on critical infrastructure assets, and it is entities related to these assets who have obligations under that law.

Obligations on CII operators

The Cybersecurity Law also contains obligations on CII operators. These parts of the Chinese regime are most comparable to the Australian Bill, which focuses on infrastructure. CII is not defined in the Cybersecurity Law. The draft Chinese regulations on Protection of Critical Information Infrastructure Security go some way towards clarifying this, defining CII as including entities where a change or threat to functioning may create serious harm for national security. The following examples are listed:

  • Government organs in the areas of energy, finance, transport, water conservancy, health, education, social security, environmental protection, public utilities and the like;
  • Information networks including telecommunications, radio and television;
  • Internet sites;
  • Providers of cloud computing, big data and large scale public information network services;
  • Scientific research and production units in industries including defence, large equipment, chemicals, food and drugs;
  • News units including radio stations, television stations and other news services.

Clearly this is a very broad definition. Conversely, the Australian Bill contains a less comprehensive definition of CIAs in its current form. The Australian definition captures critical electricity assets, ports, water assets or assets declared to be critical to Australia's economic and social stability interests, defence or national security. Presumably Australia would deal with those entities not captured under the definition of CIA, such as providers of cloud computing and news units, by way of regulations or rules made once the Bill is enacted into law. Nonetheless they are notable omissions from the Australian Bill.

Critical information infrastructure operators' obligations

Under the Cybersecurity Law, CII operators have the following obligations, some of which are similar to those of network operators:

  • To establish security management bodies and conduct background checks for the senior persons in those bodies;
  • Conduct training and skills evaluations for employees, conduct backups of key systems and databases, formulate emergency response plans for network security incidents and organise drills;
  • When purchasing network products and services which may impact national security, comply with the relevant review processes before purchasing;
  • After purchasing, the CII operator must sign a confidentiality agreement with the provider of the products or services;
  • To the extent that CII operators gather personal information in the course of operating within the mainland territory of the PRC, this information must be stored within the mainland. If business requirements dictate that this information must be stored elsewhere, the measures formulated by the relevant state departments must be followed before the data is stored offshore;
  • To inspect and assess their network's security at least once per year personally or by retaining a professional.

Again these obligations go further than those proposed under the Australian Bill, which essentially imposes only reporting requirements on entities which are reporting entities for CIAs. The draft rules made under the Australian Bill presently do not contain any of the additional requirements that exist under the Chinese law. Some of these omissions are significant when compared with the Chinese regime. For example, the requirement for compliance with review processes before purchasing additional services for critical infrastructure is not captured by the definition of "operational information" in section 7 of the Australian Bill. Presumably such things will ultimately be regulated by rules made under the Australian Bill once it becomes law, if at all.

When will foreign entities be considered to be critical information infrastructure operators?

Another notable difference between the Chinese Cybersecurity Law and the Australian Bill is that some parts of the Cybersecurity Law apply generally to foreign institutions, organisations or individuals who are not necessarily included in the definitions of network operator or CII operator. For example, article 48 provides that application software provided by individuals or organisations must not install malicious programs or contain information that is prohibited under laws or administrative regulations. This is aimed at protecting China from cyber threats generally. The Australian Bill does not have a similarly specific, wide-ranging application in the face of general threats, although there is power to prescribe assets and to declare assets (see sections 9, 49 and 57) which might be used to expand the reach of the Bill. If the Chinese Law requirements are breached, harsh penalties may result for the foreign entity, including, in addition to general legal responsibility, the freezing of assets and other "necessary punitive measures".

Against this background it is significant that the United States and China have made a public agreement not to infringe each other's cybersecurity at the US-China Law Enforcement and Cybersecurity Dialogue in October 2017.

Penalties

Breaches of obligations under the Cybersecurity Law can be subject to harsh penalties, including fines for both the entity, and the individuals who occupied the key management positions at the time. Generally, the relevant departments responsible for enforcement will issue a warning. If these warnings are not complied with, or if the breach is serious, fines will result.

For network operators a breach of the Cybersecurity Law can lead to fines of between RMB 10,000 and 500,000 (approx. AU$2,000-100,000) for the network operator depending on the breach, and for the directly responsible management personnel between RMB 5,000 and 100,000 (approx. AU$1,000-20,000) depending on the breach. There may also be other punishments for some breaches, such as suspension of operations and having the relevant business licenses and permits cancelled.

Breaches of obligations by CII operators are subject to harsher penalties than breaches by network operators under the Cybersecurity Law. Where a breach has occurred, the same process is followed: a warning is issued, then fines, with personal fines for those in key positions at the time. A CII operator can be fined between RMB 50,000 and 1,000,000 (approx. AU$10,000-200,000) depending on the breach, and responsible management personnel fined between RMB 10,000 and 100,000 (approx. AU$2,000-20,000). In addition, depending on the breach, a CII operator may have to suspend operations or have relevant licenses or permits revoked.

The Australian Bill does not provide for the same "double punishment" for infringements at the entity and individual level as the Chinese law does. Rather, fines will only result where there has been illegal disclosure of sensitive information or where the reporting requirements are not complied with. The penalties themselves are relatively low: 25 penalty units, or AU$5,250. Of more concern under the Australian Bill, however, is the Minister's power to issue directions to CIAs, which is broadly expressed in section 30. If the Minister's directions are not complied with, a CIA entity could face penalties as high as $52,500. The scope of the Minister's power in this regard may broaden the operation of the Australian Bill in practice.

The way forward for cybersecurity here and in China

If you are a network operator or involved in CII in China, ensure that the requirements of the Cybersecurity Law and associated regulations (when finalised) are being complied with in order to avoid heavy penalties and fines. From the Chinese perspective, the aim is a law to safeguard cyberspace, with a focus on network security within the mainland territory.

While the broad and sometimes vaguely expressed obligations with harsh penalties for breaches under the Chinese regime are concerning for operators in China, the provision for Ministerial directions under the Australian Bill also has the potential to have a wide-ranging operation, at least in relation to some CIAs. It remains to be seen whether there should be a preferred approach to regulating cybersecurity. We will be monitoring the application of the Chinese legislation with interest.

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.