China's New Cybersecurity Law And Draft Data Localization Measures Expected To Burden Multinational Companies

China's new Cybersecurity Law ("new Law") is set to come into effect on June 1, 2017, and introduces sweeping provisions that may have a significant impact on companies doing business in and with China. To provide guidance on a controversial data localization requirement introduced in the new Law, the Cyberspace Administration of China released on April 11, 2017, draft Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data ("draft Measures") for public comment. The draft Measures are sparking outcry from the international community but are expected to come into force on June 1, 2017, largely unamended. The deadline for submissions is May 11, 2017, just three weeks before the new Law takes effect.

This White Paper provides an overview of the new compliance obligations the new Law imposes and also takes a close look at the draft Measures giving guidance on the data localization requirements.

Companies should take careful note of this new privacy and cybersecurity landscape to ensure their business practices align with legal and regulatory requirements. The new Law and the draft Measures could substantially increase the costs for China-based companies that process China personal information and engage in cross-border transfers.

A BRIEF HISTORY OF CHINA'S CYBERSECURITY LAWS

Before the new Law, Chinese regulations governing cybersecurity were dispersed across a number of separate laws, including, for example, the Internet Information Services of 2011 and the Telecommunications Regulations of the People's Republic of China 2016. The new Law marks the first comprehensive law in China specifically regulating network security. After undergoing three rounds of public consultation before it was finally adopted on November 7, 2016, the new Law is designed to ensure network security and to protect the privacy and security of Chinese citizens. The final version of the new Law has been widely criticized as containing a number of broadly defined terms and vague provisions that potentially—and significantly—affect a wide range of companies.

NEW OBLIGATIONS FOR NETWORK OPERATORS AND CRITICAL INFORMATION INFRASTRUCTURE OPERATORS

The new Law primarily imposes data security requirements on two key types of organizations—network operators and critical information infrastructure operators ("CII operators").

"Network operators" are broadly defined to include owners, managers, and "service providers" of networks—"systems comprised of computers and other information terminals and related equipment" that gather, store, transmit, exchange, and process information.[1] This definition not only covers telecommunication, wireless communication, and internet service providers but could ostensibly cover every organization or business that owns or operates IT networks in China. Chinese legal drafters and regulators favor giving the definition such a sweeping effect.

CII operators are a subset of network operators. While not explicitly defined, CII operators include any business operating in public communication and information services, energy, transportation, water resources, finance, public services, and electronic communications.[2] Other businesses may also be considered CII operators if they operate infrastructure whose destruction, loss of functionality, or data breach would seriously threaten national security, the social or economic well-being of the nation, or the public interest. No further guidance has been issued on what infrastructure the Chinese authorities consider would seriously endanger national security or the economy. Which businesses fall under this rubric will likely be left to the government's discretion.[3]

Under the new Law, network operators will be required to comply, inter alia, with the following cybersecurity obligations:

  • Implement internal security management systems and operating rules, including the requirement to adopt technical measures to prevent viruses and other intrusions; store network logs for at least six months; adopt measures such as data classification systems; and implement security measures such as backup systems and encryption. These data security procedures must be implemented according to China's "tiered system of network security protections";[4]
  • Develop emergency response plans for network security incidents, and in the event of an incident, promptly implement remediation measures and report such incidents to the relevant authorities; and
  • Provide technical support and assistance to public security agencies to preserve national security and investigate crimes.

CII operators have additional data security compliance requirements:

  • Undertake additional security measures, including conducting security background checks on responsible personnel in critical positions, carrying out network security education and technical training, and implementing disaster recovery backups;
  • Undergo a national security review by the Chinese authorities when purchasing network products or services that might impact national security; and
  • Conduct inspections of their network security on at least an annual basis.

Even if a business or organization is not considered a CII operator, the new Law encourages network operators to participate voluntarily in the CII infrastructure protection system.

In addition to these measures, other key provisions of the new Law are expected to have a significant impact on companies. They include the following.

Data Localization

Perhaps the most controversial provision of the new Law is Article 37, which requires CII operators to store within mainland China "citizens' personal information and important data" collected or generated in China. The term "important data" is not defined in the new Law, but Article 76 defines "personal information" broadly to refer to all kinds of information that, recorded electronically or through other means and taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to an individual's name, date of birth, identification numbers, personal biometric information, addresses, telephone numbers, etc.

The new Law further provides that if such information must be transferred outside of China for "legitimate business reasons," CII operators must complete "security reviews" (an undefined term) jointly formulated by the State Council and the National Cyberspace Administration. Penalties for noncompliance include confiscation of income, payment of fines (by both the offending organizations and the responsible individuals), and suspension of business.

These new data localization requirements are among the strictest data localization requirements worldwide. As explained below in "Draft Measures Expand Data Localization and Cross-Border Transfer Requirements," the Cyberspace Administration of China's April 11, 2017, draft Measures have now expanded the data localization requirement even further, applying this obligation to other network operators.

Handling of Personal Information

Akin to personal data laws in the European Union, the new Law imposes a host of data protection requirements on network operators, including abiding by the principles of legality, propriety, and necessity in their data handling and also making publicly available privacy notices that explicitly state the purposes, means, and scope for collecting and using information. Data subjects, furthermore, are afforded the right to access, modify, and delete their personal information.

Transfer of Personal Information

The new Law prohibits network operators from transferring personal information absent the consent of the data subject unless such information has been processed so that the specific individual is unidentifiable and cannot be re-identified. Businesses have voiced concerns that such a legal requirement can be an insurmountable obstacle to transferring personal information, as it is, in practice, difficult to obtain consent from all relevant individuals.

Identity Verification of Internet Users and Instant Messaging Service Users

The new Law extends the real-name identification requirement to various internet users and users of instant messaging services by imposing on service providers the responsibility of verifying users' real identities prior to providing services.

Online Protection of Minors

The new Law aims to strengthen the principles for the protection of minors in cyberspace and to avoid exploitation. The principles set forth in the new Law make way for supplemental regulations on children's online privacy protection to follow.

Investigation and Punishments

Companies can expect increased regulatory oversight, as the new Law provides regulatory authorities with more explicit and wider monitoring, investigative, and enforcement powers. As noted above, network operators are required to cooperate with such authorities. However, there is some concern that "cooperation" may require companies to disclose their systems to the regulators, which may result in further security leakage. Failure to cooperate with the authorities would attract penalties against network operators as well as the responsible individuals. Some companies are considering ring-fencing their China security systems as far as possible so that disclosure to Chinese regulators does not create risks for their security systems outside of China.

Penalties for Noncompliance

Companies also can expect increased penalties for noncompliance with the new Law. Violations of the new Law trigger a wide range of potential penalties for network operators and CII operators alike, including warnings, suspensions of operation, imprisonment, and fines up to RMB 1,000,000 (~US$150,000). Notably, Article 75 of the new Law imposes penalties (such as the freezing of assets) against foreign organizations or individuals who attack or otherwise endanger China's CII.

DRAFT MEASURES EXPAND DATA LOCALIZATION AND CROSS-BORDER TRANSFER REQUIREMENTS

On April 11, 2017, the Cyberspace Administration of China released draft Measures to assist in the implementation of the new Law. The draft Measures remain open for comment until May 11, 2017, three weeks before the new Law is set to take effect.

The purpose of the draft Measures is to detail the restrictions on cross-border transfers, give guidance on security assessment for data transfers, and further clarify when data may not be exported outside China. If issued as written (which is expected), the draft Measures will not only expand the data localization requirement to an even broader range of companies than originally contemplated under the new Law, but also require all network operators to conduct their own security reviews prior to transferring personal information outside of China.

"Important Data" Defined

The draft Measures now define the term "important data" to mean data closely related to national security, economic development, and social and public interest. The draft Measures lack any further guidance or helpful examples to demonstrate what data would meet these criteria, other than to note that the scope will follow national standards and guidance. This nebulous definition suggests Chinese authorities will apply the term at their discretion and on a case-by-case basis, leaving businesses with legal uncertainty as to when it will be applied.

Data Localization Requirements Expand to Network Operators

As noted above, the new Law contemplated that only CII operators would be subject to China's new data localization requirement, originally giving comfort to some businesses that this obligation would be limited in its application and scope. The draft Measures, however, have taken a new turn, now requiring all network operators to store personal information and "important data" within China unless there is a genuine and legitimate business need to export the data overseas, in which case network operators must conduct a security assessment. This wide net cast over who must comply with the data localization requirement has significant implications for entities doing business in China. If implemented as written, effectively any business that uses computer systems in China would be subject to the data localization requirement, a potentially costly undertaking.

When Security Assessments Are Required

Network operators must conduct a security self-assessment before transferring personal information outside of China. The security assessment must take into account the following criteria:

  • The necessity of the transfer;
  • How personal information is involved, and whether consent of the data subject is obtained;
  • How important data is involved;
  • The protective measures implemented by the data recipient, the security of the data protection of the data recipient, and the environment of data protection in the destination country or region;
  • The risks of data being leaked, destroyed, amended, or abused; and
  • Risks relating to national security, societal and public interests, and the legitimate interest of an individual.

Where the transfers meet the following criteria, the draft Measures require network operators to entrust a government agency to conduct the security assessment and review:

  • Transfers of personal information of over 500,000 citizens;
  • Transfers that exceed 1,000 gigabytes;
  • Transfers of data concerning fields such as nuclear facilities, chemical biology, national defense or military, public health, large-scale engineering projects, marine environments, and sensitive geographical information;
  • Transfers of network security information concerning system vulnerabilities and security safeguards of CII operators;
  • Transfers of data involving the provision of personal information or important data to overseas recipients by CII operators; and
  • Other transfers that potentially affect national security and public interests, or transfers where the industry regulators or supervisory authorities require review.

These criteria represent a relatively low threshold for triggering government review, have become an immediate source of complaints, and are expected to stymie daily business operations, as the government assessments may take as many as 60 days to complete.[5]

Annual Assessments

In addition to undergoing security assessments, network operators transferring personal information also must conduct security reviews of their cross-border transfers at least annually and report the assessment to the respective industry regulatory or supervisory authority. Reassessments must occur even more frequently when: (i) the data recipient changes; (ii) there is significant change in the purpose, scope, volume, or type of data being transferred cross-border; or (iii) the data recipient or cross-border data transfer suffers a significant "security incident" (an undefined term).

"Prohibited Exports" Defined

Article 9 of the draft Measures sets out three circumstances under which data transfers are prohibited:

  • Where the data subject has not consented or when it may infringe upon the interest of the data subject. Even where a data subject has consented, network operators are expected to expressly notify the data subject of the purpose, scope, content, and recipient and country where the recipient resides;
  • Where the cross-border transfer poses security risks to the national political system, economy, science and technology, or national defense, or societal or public interest could be jeopardized; and
  • In other circumstances the Chinese government deems necessary.

These conditions are generally discretionary in nature and leave uncertainty as to whether—and to what extent—they will be applied consistently.

POTENTIAL IMPLICATIONS

Multinational companies across all industries and sectors need to closely review their data security systems and privacy policies for possibly significant changes before the new Law comes into effect on June 1, 2017. Special care must be taken to meet the new data localization requirements that the draft Measures expand. This means, for example, establishing network systems to isolate and store China personal information locally, which could potentially be a costly endeavor. Companies also should begin considering whether they can make a legitimate business case for cross-border data transfers using the draft Measures' criteria.

Still, further guidance from the Chinese government is needed for companies to parse through the new Law's fairly vague language to avoid ambiguity and uncertainty as to how the new Law—and its corresponding draft Measures—will be interpreted. Both the new Law and the draft Measures leave much to be legally resolved.

Companies potentially affected by the draft Measures may consider contacting their respective trade unions or government officials to offer comment prior to the May 11, 2017, deadline.

Footnotes

[1] See Art. 76(1), (3) of the new Law.

[2] See Art. 31 of the new Law.

[3] Article 48 of the new Law also places an obligation on "electronic information distribution service providers" and "application software download service providers"—both undefined terms—to "perform security management duties." Further guidance from the Chinese authorities is required to understand who is subject to this provision and what specific practical responsibilities must be undertaken to comply.

[4] See Art. 21(1)-(4) of the new Law.

[5] See Art. 10 of the draft Measures.


Authors
Mauricio F. Paez