China: New Developments On The PRC Cyber Security Law

Last Updated: 21 December 2017
Article by Ulrike Glueck and Sammie Hu

It has been more than three months since the PRC Cyber Security Law ("CSL") took effect on 1 June 2017. Except for the Provisions on Examination of Network Products and Services (Trial) ("NPS Provisions"), which came into effect on the same day as the CSL, the other regulations intended to supplement and implement the CSL have not yet been enacted. So far, only some supplementary regulations are available in draft versions for public consultation purposes.

On 10 July 2017, the Cyberspace Administration of China ("CAC") issued a draft of the Regulations for Protection of Critical Information Infrastructure ("CII Regulations") for public consultation. Given the stringent requirements for "keeping data in China" and "national security assessments" which the CSL originally imposes on Critical Information Infrastructure ("CII") and CII Operators, the draft CII Regulations, which are intended to clarify what constitutes CII and who is a CII Operator, have attracted a lot of attention from companies in the private sector.

Despite being at this early stage, the PRC authorities have already taken initiatives to enforce the CSL against governmental and quasi-governmental entities (i.e. those non-operational entities directly or indirectly supervised or set up by government authorities).

1. Legislative Development – Draft CII Regulations

Pursuant to Article 31 of the CSL, the regulations in respect of the scope of and protection requirements for the CII are to be promulgated by the State Council of the PRC. However, the draft CII Regulations were actually drafted by the CAC, a lower-level authority of the State Council.

As such, there is criticism that certain provisions of the draft CII Regulations, including those governing the scope of the CII and the obligations of CII Operators, have broadened, or are inconsistent with, the original meaning of the provisions set out in the CSL.

a) What is a CII and what is a CII Operator?

Under the CSL, CII refers to the information infrastructure used in important industries and sectors such as public communications, information services, energy, transport, water conservancy, finance, public services and e-government, where the destruction or loss of function of such information infrastructure, or any leakage of data from it, would result in serious damage to national security, the national economy, people's livelihood or the public interest. On a literal reading of the CSL, Network Operators engaged in the foregoing CII industries and sectors are likely to be categorized as CII Operators. The meaning and scope of the term CII Operator therefore depends on the scope of the CII.

Article 18 of the draft CII Regulations provides that the network facilities and information systems operated and managed by the following entities constitute CII where the destruction or loss of function of such information infrastructure, or any leakage of data from it, would result in serious damage to national security, the national economy, people's livelihood or the public interest:

  1. Governmental agencies/organs and those entities in the field of energy, finance, transportation, water conservancy, hygiene and medical services, education, social insurance, environmental protection and the public utilities sector;
  2. Information networks, such as telecommunication networks, broadcast television networks and the internet as well as entities that provide cloud computing, big data and other large-scale public information internet services;
  3. Scientific research and production entities in the fields such as national defense, large-scale equipment, chemical engineering and food and drug industry sectors;
  4. Press units such as broadcasting stations, TV stations, news agencies; and
  5. Other key entities.

As can be seen from the wording of the draft CII Regulations, an entity would be categorized as a CII Operator if both of the following conditions are satisfied:

  1. The CII is used in a key industry – The scope of the key industries specified in the draft CII Regulations is broader than that in the CSL.
  2. The CII may give rise to key risks – This is generally in line with the CSL definition, i.e. potentially serious damage to the national security, national economy, people's livelihood and public interests, if such information infrastructure is destroyed, loses any functions or there is any data leakage out of such information infrastructure.

It is notable that the scope of the CII and CII Operators under the draft CII Regulations has been significantly broadened. For example, private companies providing cloud computing or big data services, or companies in the food and drug sectors, are now at higher risk of being categorized as CII Operators. Additional clarifications will be provided through the Guidelines for Identification of Critical Information Infrastructure ("CII Guidelines"), to be jointly promulgated by the CAC, the Ministry of Public Security ("MPS") and the Ministry of Industry and Information Technology ("MIIT"), which are currently not publicly available. For example, under the draft CII Regulations, the meaning and scope of "large-scale public information internet services" is still unclear.

So far, the draft of the CII Guidelines has not yet been issued. According to the draft CII Regulations, the respective industry-specific regulatory authorities will identify CIIs in their respective industries based on the CII Guidelines and report the identified CIIs to the CAC (the reporting line is not clearly stated in the CII Regulations). As such, whether or not a specific information infrastructure will be categorized as a CII is subject to the discretionary assessment and determination of the industry-specific regulatory authority.

2. Internal CII Guidelines

As stated above, no CII Guidelines have been formally issued so far. However, the Guidelines for Determination of Critical Information Infrastructure ("Internal CII Guidelines") seem to have been circulated among local Chinese governmental authorities for their enforcement of the CSL, for the time being, against governmental and quasi-governmental entities (excluding State-owned enterprises). Which authority drafted the Internal CII Guidelines, their legal effect and their date of issuance are all unclear.

a) Scope of the CII under the Internal CII Guidelines

Under such Internal CII Guidelines, the definition of the CII is generally in line with that under the CSL. Further, the Internal CII Guidelines have divided the CII into three categories:

(1) Websites, including the websites of the Party, governmental agencies/organs, quasi-governmental entities, and news agencies;

(2) Platforms, including instant-messaging platforms, online trading/purchase platforms, online payment platforms, search engine platforms, email platforms, Bulletin Board System (BBS) platforms, mapping platforms, video/audio sharing platforms, etc;

(3) Production businesses, including office and operation systems, industrial control systems, large-scale data centers, cloud computing platforms, television transmission systems, etc.

The scope of the CII under the Internal CII Guidelines is not consistent with that provided under the draft CII Regulations.

b) Three Steps for Identification of the CII

The Internal CII Guidelines set out three steps to identify and determine the CII in a particular industry:

(1) Determine the key business of a particular industry in the relevant jurisdiction;

(2) Determine the information system or industrial control system which supports the key business; and

(3) Determine the level of significance of the information system or industrial control system to the key business, and the potential damage that may be caused by a security event affecting the information system or industrial control system.

c) For step (1) and step (2) above, the Internal CII Guidelines provide a table setting out the key industries, the key segments of those industries, the key businesses, and the category and name of the CII that may potentially support such key businesses. Amongst others, the key industries include energy, transport, water conservancy, finance, public facilities and services, hygiene and medical services, environmental protection, industrial production (raw materials, equipment and consumer goods), telecoms and Internet, broadcast television, education, and governmental agencies/organs.

For example, the key industry "telecoms and internet" is divided into two sub-categories as below:

(1) Telecoms operators, with their key businesses and corresponding CII supporting such key business being:

  1. Customer relationship management. The relevant CII is the CRM system.
  2. Data center. The relevant CII is the comprehensive service system for the data center.
  3. Communication networks (including voice, data, internet access and cloud computing networks). The relevant CII includes public switched telephone networks ("PSTN"), signaling systems, synchronization networks, optical transport networks, mobile core networks, IP bearer networks, etc.

(2) Internet companies, with their key businesses and corresponding CII supporting such key business being:

Internet services including BBS services, instant messaging services, online trading/purchase services, online payment services, search engine services, email services, mapping services and video/audio sharing platforms. The relevant CII includes service platforms, business platforms, transaction platforms and marketing platforms.

d) For step (3) above, the identification and determination of the CII will be based on the category of the CII, i.e. website category, platform category, and production business category. For example, with respect to the platform category, such as online trading/purchase platforms, it would be identified as a CII if either of the following conditions is met:

  1. The number of users registered with the platform exceeds 10 million, or the number of active users (who log onto the platform at least once per day) exceeds 1 million; or
  2. It may potentially give rise to any of the following results if any security event occurs:
    1. Direct economic losses of more than RMB 10 million; or
    2. Directly affect more than 10 million people's life or work; or
    3. Disclosure or leakage of personal data of more than 1 million people; or
    4. Disclosure or leakage of a large amount of sensitive information of entities or companies; or
    5. Disclosure or leakage of a large amount of geographic data, population data, resources data or any other national basic data; or
    6. Grave damage to the order of society and economy, or damage to the national security.

As the foregoing examples show, it can reasonably be anticipated that the CII Guidelines, once formally promulgated, may provide detailed clarifications or guidance enabling private companies to self-assess the risk of being categorized as a CII Operator. Although it remains unclear, we tend to assume that the requirements in the final or formal CII Guidelines are likely to be substantially similar to those under the Internal CII Guidelines.

3. Obligations of CII Operators

The draft CII Regulations have imposed various obligations on CII Operators, some of which just affirm or further clarify in detail the requirements originally set out in the CSL, while some others are brand new requirements.

Amongst others, the new requirements which have attracted the most attention from foreign companies doing business in China are stipulated in Article 24 of the draft CII Regulations: the operation and maintenance of the CII shall be carried out in Mainland China, and if maintenance services through remote access from overseas jurisdictions become necessary for business reasons, the CII Operator must report the case to, and obtain the prior approval of, the relevant industry-specific regulatory authority or the MPS.

This new requirement, together with the original requirements under the CSL (i.e. keeping in Mainland China all personal information and important data collected during the CII Operator's business operations in China), would have a significant impact on the business structure or data processing costs of foreign-invested companies in China whose business may fall under the key industries based on the upcoming CII Guidelines.

Some other newly imposed major obligations of CII Operators include the following:

  1. The CII Operator shall set up a mechanism/policy for security assessment of the CII, and shall conduct a security assessment prior to the launch or operation of the CII and whenever any significant change occurs to the CII; and
  2. The CII Operator shall conduct a security assessment of systems or software developed through outsourcing arrangements, and of donated network products, prior to the use or operation of such products.

4. Enforcement Initiatives

a) Compliance Review of Privacy Policies

According to media reports, on 27 July 2017 the CAC, the MIIT, the MPS and the Standardization Administration of the PRC ("SAC") jointly initiated a task ("Task") named "Actions to Enhance the Protection of Personal Data".

The Task mainly entails the review of privacy policies adopted or used by the primary network operators in China to ensure their compliance with the applicable data privacy laws and regulations, including the CSL. Also, such review seems to be intended to pave the path for stipulating national or industry standards in respect of privacy policies in China.

The first round of review was conducted against the top 10 Chinese network operators, including WeChat, WeiBo, Taobao, JD, Alipay, GaoDe Map, BaiDu Map, Didi, Umetrip and Ctrip. The review mainly focused on whether the operators have clearly informed users or data subjects of the intended collection of their personal data, the means of collection, the rules for use of the collected personal data (for example, whether such personal data may be used for direct marketing or commercial promotion), the data subjects' rights to access, delete or amend the personal data collected by the network operator, and the methods and restrictions applicable to those rights.

The results of the review were reported to be published later this September. However, so far, these results are not publicly available.

b) Network Security Inspections on the CII

According to notifications on the official websites of several local governmental authorities in different geographic areas of China, some local governments have already carried out assessments and inspections of the CII used by governmental and quasi-governmental entities. The inspections include self-assessment by the entities and random onsite inspections by the competent local authority.

The assessments and inspections were based on the Internal CII Guidelines, which seem to have been circulated to governmental offices only.

According to the work plans published by such local governments, the tasks or goals of the security inspections were to gain a full understanding of the number and coverage of the CII used in the relevant area; the basic information of the network security management organizations and maintenance entities responsible for such CII; the major functionality of the CII, the scope of services it supports, the data storage situation, and the potential risks in the event of destruction of the information infrastructure; and the operational environment, modes of operation, and status of network security management and protection of the CII.

The fact that some local governments conducted inspections of the security situation of the CII prior to the issuance of the full set of supplemental or implementation regulations of the CSL, and in particular before any official guidelines for determination of the CII have been issued, signals that the identification of the CII or the CII Operator would likely be based on a strictly narrow interpretation of the definition of CII under the CSL. That is, an information infrastructure may only be determined to be a CII if damage to or loss of the functionality of that information infrastructure, or leakage of its data, would seriously jeopardize national security, the national economy, people's livelihood or the public interest. In other words, the risk of ordinary private business operators being deemed CII Operators is likely to be relatively low.

Further, there is a possibility that such inspections targeting governmental or quasi-governmental entities form part of the preparatory actions for the promulgation of the formal CII Guidelines.

5. Conclusion

The legal regime is still evolving, with further clarifications to be provided through the supplemental and implementation regulations of the CSL which will hopefully be published in the near future.

However, we recommend that foreign and foreign-invested companies, in particular those engaged in the key industries listed in the Internal CII Guidelines, closely monitor the development of the CSL and its related regulations, and conduct a self-assessment or seek tailor-made legal advice on the potential risk of being categorized as a CII Operator based on the Internal CII Guidelines or other related draft regulations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
