China: China's New Cybersecurity Law And Draft Data Localization Measures Expected To Burden Multinational Companies

Last Updated: 10 May 2017
Article by Chiang Ling Li, Haifeng Huang, Todd S. McClelland, Mauricio F. Paez and Jennifer C. Everett

Most Popular Article in China, May 2017

China's new Cybersecurity Law ("new Law") is set to come into effect on June 1, 2017, and introduces sweeping provisions that may have a significant impact on companies doing business in and with China. To provide guidance on a controversial data localization requirement introduced in the new Law, the Cyberspace Administration of China released on April 11, 2017, draft Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data ("draft Measures") for public comment. The draft Measures are sparking outcry from the international community but are expected to come into force on June 1, 2017, largely unamended. The deadline for submissions is May 11, 2017, just three weeks before the new Law takes effect.

This White Paper provides an overview of the new compliance obligations the new Law imposes and also takes a close look at the draft Measures giving guidance on the data localization requirements.

Companies should take careful note of this new privacy and cybersecurity landscape to ensure their business practices align with legal and regulatory requirements. The new Law and the draft Measures could substantially increase the costs for China-based companies that process China personal information and engage in cross-border transfers.

A BRIEF HISTORY OF CHINA'S CYBERSECURITY LAWS

Before the new Law, Chinese regulations governing cybersecurity were interspersed across a number of separate laws, including, for example, the Internet Information Services of 2011 and the Telecommunications Regulations of the People's Republic of China 2016. The new Law marks the first comprehensive law in China specifically regulating network security. After undergoing three rounds of public consultation before it was finally adopted on November 7, 2016, the new Law is designed to ensure network security and to protect the privacy and security of its citizens. The final version of the new Law has been widely criticized as containing a number of broadly defined terms and vague provisions that potentially—and significantly—affect a wide range of companies.

NEW OBLIGATIONS FOR NETWORK OPERATORS AND CRITICAL INFORMATION INFRASTRUCTURE OPERATORS

The new Law primarily imposes data security requirements on two key types of organizations—network operators and critical information infrastructure operators ("CII operators").

"Network operators" are broadly defined to include owners, managers, and "service providers" of networks—"systems comprised of computers and other information terminals and related equipment" that gather, store, transmit, exchange, and process information.[1] This definition not only covers telecommunication, wireless communication, and internet service providers but could ostensibly cover every organization or business that owns or operates IT networks in China. Chinese legal drafters and regulators favor giving the definition such a sweeping effect.

CII operators are a subset of network operators. While not explicitly defined, CII operators include any business operating in public communication and information services, energy, transportation, water resources, finance, public services, and electronic communications.[2] Other businesses may be considered CII operators as well if they have infrastructure that would lead to a serious threat to national security, social or economic well-being of the nation, or public interest if it were destroyed, lost functionality, or suffered a data breach. No further guidance has been issued on what infrastructures the Chinese authorities consider would seriously endanger national security or the economy. What businesses fall under this rubric will likely be left to the government's discretion.[3]

Under the new Law, network operators will be required to comply, inter alia, with the following cybersecurity obligations:

  • Implement internal security management systems and operating rules, including the requirement to adopt technical measures to prevent viruses and other intrusions; store network logs for at least six months; adopt measures such as data classification systems; and implement security measures such as backup systems and encryption. These data security procedures must be implemented according to China's "tiered system of network security protections";[4]
  • Develop emergency response plans for network security incidents, and in the event of an incident, promptly implement remediation measures and report such incidents to the relevant authorities; and
  • Provide technical support and assistance to public security agencies to preserve national security and investigate crimes.

CII operators have additional data security compliance requirements:

  • Undertake additional security measures, including conducting security background checks on responsible personnel in critical positions, carrying out network security education and technical training, and implementing disaster recovery backups;
  • Undergo a national security review by the Chinese authorities when purchasing network products or services that might impact national security; and
  • Conduct inspections of their network security on at least an annual basis.

Even if a business or organization is not considered a CII operator, the new Law encourages network operators to participate voluntarily in the CII protection system.

In addition to these measures, other key provisions of the new Law are expected to have a significant impact on companies. They include the following.

Data Localization

Perhaps the most controversial provision of the new Law is Article 37, which requires CII operators to store within mainland China "citizens' personal information and important data" collected or generated in China. The term "important data" is not defined in the new Law, but Article 76 defines "personal information" broadly to refer to all kinds of information that, recorded electronically or through other means and taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to an individual's name, date of birth, identification numbers, personal biometric information, addresses, telephone numbers, etc.

The new Law further provides that if such information must be transferred outside of China for "legitimate business reasons," CII operators must complete "security reviews" (an undefined term) jointly formulated by the State Council and the National Cyberspace Administration. Penalties for noncompliance include confiscation of income, payment of fines (by both the offending organizations as well as the responsible individuals) and suspension of business.

These new data localization requirements represent some of the strictest data localization requirements worldwide. As explained below in "Draft Measures Expand Data Localization and Cross-Border Transfer Requirements," the Cyberspace Administration of China's April 11, 2017, draft Measures have now expanded the data localization requirement further, applying this obligation to other network operators.

Handling of Personal Information

Akin to personal data laws in the European Union, the new Law imposes a host of data protection requirements on network operators, including abiding by the principles of legality, propriety, and necessity in their data handling and also making publicly available privacy notices that explicitly state the purposes, means, and scope for collecting and using information. Data subjects, furthermore, are afforded the right to access, modify, and delete their personal information.

Transfer of Personal Information

The new Law prohibits network operators from transferring personal information absent the consent of the data subject unless such information has been processed so that the specific individual is unidentifiable and cannot be recovered. Businesses have voiced concerns that such a legal requirement can be an insurmountable obstacle to the transferring of personal information as it is, in practice, difficult to obtain consent from all relevant individuals.

Identity Verification of Internet Users and Instant Messaging Service Users

The new Law expands the requirement of using only true identification to various internet users and users of instant messaging services by imposing on service providers the responsibility of verifying users' real identification prior to providing services.

Online Protection of Minors

The new Law aims to strengthen the principles for the protection of minors in cyberspace and to avoid exploitation. The principles set forth in the new Law make way for supplemental regulations on children's online privacy protection to follow.

Investigation and Punishments

Companies can expect increased regulatory oversight as the new Law provides regulatory authorities with more explicit and wider monitoring, investigative, and enforcement powers. As noted above, network operators are required to cooperate with such authorities. However, there is some concern that "cooperation" may require the companies to disclose their systems to the regulators, which may result in further security leakage. Failure to cooperate with the authorities would attract penalties against network operators as well as the responsible individuals. Some companies are considering ring fencing their security systems as far as possible to avoid risks to their security systems outside of China.

Penalties for Noncompliance

Companies also can expect increased penalties for noncompliance with the new Law. Violations of the new Law trigger a wide range of potential penalties for network operators and CII operators alike, including warnings, suspensions of operation, imprisonment, and fines up to RMB 1,000,000 (~US$150,000). Notably, Article 75 of the new Law imposes penalties (such as the freezing of assets) against foreign organizations or individuals who attack or otherwise endanger China's CII.

DRAFT MEASURES EXPAND DATA LOCALIZATION AND CROSS-BORDER TRANSFER REQUIREMENTS

On April 11, 2017, the Cyberspace Administration of China released draft Measures to assist in the implementation of the new Law. The draft Measures remain open for comment until May 11, 2017, three weeks before the new Law is set to take effect.

The purpose of the draft Measures is to detail the restrictions on cross-border transfers, give guidance on security assessment for data transfers, and further clarify when data may not be exported outside China. If issued as written (which is expected), the draft Measures will not only expand the data localization requirement to an even broader range of companies than originally contemplated under the new Law, but also require all network operators to conduct their own security reviews prior to transferring personal information outside of China.

"Important Data" Defined

The draft Measures now define the term "important data" to mean data closely related to national security, economic development, and social and public interest. The draft Measures lack any further guidance or helpful examples to demonstrate what data would meet these criteria, other than to note that the scope will follow national standards and guidance. This nebulous definition suggests Chinese authorities will apply the term at their discretion and on a case-by-case basis, leaving businesses with legal uncertainty as to when it will be applied.

Data Localizations Requirements Expand to Network Operators

As noted above, the new Law contemplated that only CII operators would be subject to China's new data localization requirement, originally giving comfort to some businesses that this obligation would be limited in its application and scope. The draft Measures, however, have taken a new turn, now requiring all network operators to store personal information and "important data" within China unless there is a genuine and legitimate business need to export the data overseas, in which case the network operator must conduct a security assessment. This wide net cast over who must comply with the data localization requirement has significant implications for entities doing business in China. If implemented as written, effectively any business that uses computer systems in China would be subject to the data localization requirement, a potentially costly undertaking.

When Security Assessments Are Required

Network operators must conduct a security self-assessment before transferring personal information outside of China. The security assessment must take into account the following criteria:

  • The necessity of the transfer;
  • How personal information is involved, and whether consent of the data subject is obtained;
  • How important data is involved;
  • The protective measures implemented by the data recipient, the security of the data protection of the data recipient, and the environment of data protection in the destination country or region;
  • The risks of data being leaked, destroyed, amended, or abused; and
  • Risks relating to national security, societal and public interests, and the legitimate interest of an individual.

Where the transfers meet the following criteria, the draft Measures require network operators to entrust a government agency to conduct the security assessment and review:

  • Transfers of personal information of over 500,000 citizens;
  • Transfers that exceed 1,000 gigabytes;
  • Transfers of data concerning fields such as nuclear facilities, chemical biology, national defense or military, public health, large-scale engineering projects, marine environments, and sensitive geographical information;
  • Transfers of network security information concerning system vulnerabilities and security safeguards of CII operators;
  • Transfers of data involving the provision of personal information or important data to overseas recipients by CII operators; and
  • Other transfers that potentially affect national security and public interests, or transfers where the industry regulators or supervisory authorities require review.

These criteria represent a relatively low threshold for triggering government review, have become the immediate sources of complaints, and are expected to stymie daily business operations as the government assessments will take as many as 60 days to complete.[5]

Annual Assessments

In addition to undergoing security assessments, network operators transferring personal information also must conduct security reviews of their cross-border transfers at least annually and report the assessment to the respective industry regulatory or supervisory authority. Reassessments must occur even more frequently when: (i) the data recipient changes; (ii) there is significant change in the purpose, scope, volume, or type of data being transferred cross-border; or (iii) the data recipient or cross-border data transfer suffers a significant "security incident" (an undefined term).

"Prohibited Exports" Defined

Article 9 of the draft Measures sets out three circumstances under which data transfers are prohibited:

  • Where the data subject has not consented or when it may infringe upon the interest of the data subject. Even where a data subject has consented, network operators are expected to expressly notify the data subject of the purpose, scope, content, and recipient and country where the recipient resides;
  • Where the cross-border transfer poses security risks to the national political system, economy, science and technology, or national defense, or societal or public interest could be jeopardized; and
  • In other circumstances where the Chinese government deems necessary.

These conditions are generally discretionary in nature and leave uncertainty as to whether—and to what extent—they will be applied consistently.

POTENTIAL IMPLICATIONS

Multinational companies across all industries and sectors need to closely review their data security systems and privacy policies for possibly significant changes before the new Law comes into effect on June 1, 2017. Special care must be taken to meet the new data localization requirements that the draft Measures expand. This means, for example, establishing network systems to isolate and store China personal information locally, which could potentially be a costly endeavor. Companies also should begin considering whether they can make a legitimate business case for cross-border data transfers using the draft Measures' criteria.

Still, further guidance from the Chinese government is needed for companies to parse through the new Law's fairly vague language to avoid ambiguity and uncertainty as to how the new Law—and its corresponding draft Measures—will be interpreted. Both the new Law and the draft Measures leave much to be legally resolved.

Companies potentially affected by the draft Measures may consider contacting their respective trade unions or government officials to offer comment prior to the May 11, 2017, deadline.

Footnotes

[1] See Art. 76(1), (3) of the new Law.

[2] See Art. 31 of the new Law.

[3] Article 48 of the new Law also places an obligation on "electronic information distribution service providers" and "application software download service providers"—both undefined terms—to "perform security management duties." Further guidance from the Chinese authorities is required to understand who is subject to this provision and what specific practical responsibilities must be undertaken to comply.

[4] See Art. 21(1)-(4) of the new Law.

[5] See Art. 10 of the draft Measures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
