The newly passed cybersecurity statute of the People’s Republic of China will take effect in June 2017, and it is expected to have a significant impact on multinationals doing business in mainland China. The law affects both domestic and foreign companies operating on the Chinese mainland and covers a wide range of activities including the use of the Internet, information and communications technologies. The difficulties with determining the steps needed to comply with such sweeping changes are only complicated by the fact that a large number of key terms in the law have yet to be clearly defined. As a result, China’s new cybersecurity statute will continue to evolve as the national government interprets it. This post endeavors to summarize some key provisions that are worth monitoring in the next few months.
Baseline for All Network Operators
Article 21 to Article 30 set a baseline of care for all “network operators.” Examined together with the other provisions, the government may interpret the term “network operator” broadly, to include all companies that provide services and products via the Internet, or more narrowly, to only include software vendors and website operators. Among other things, all network operators have the duty to enact privacy policies, designate responsible personnel and use technical measures to ensure security. While the full scope of these obligations remains to be seen, two of these Articles deserve special mention:
Mandatory Reporting Requirements
Article 22 provides that, “When network operators discover data breaches, or data destruction or loss, then they must immediately notify users and relevant authorities, and immediately remediate the issue.” The statue does not define “immediately” with any specific deadlines, nor does it identify the “relevant authorities,” or provide any guidance on the ways to notify users and authorities. However, because data breaches can happen at any time, businesses should not take a “wait and see” approach before more official clarifications are issued, as may be prudent with some of the other requirements discussed below. Rather, it is advisable to prepare a breach response plan now, and adjust the plan accordingly once more government guidelines are issued. Such a plan should include a way to rapidly determine the scope of a breach, and to send notification to authorities and affected parties.
The Duty to Assist Legal Authorities
Article 28 states that, “network operators shall provide technical support and assistance to Chinese police departments and national security agencies for their legal criminal investigations.” The statute, however, does not specify what such “technical support and assistance” will entail. Foreign tech companies have raised concerns over providing “backdoor access” to comply with this provision, which is a means for the government to bypass all of the installed security methods and gain direct access to a business’ protected data. Other businesses are worried that, under certain circumstances, providing “technical support and assistance” to the Chinese government may infringe on their intellectual properties and/or their users’ privacy rights under the privacy laws of other jurisdictions. Involving legal counsel in developing a government inquiry plan is advisable for a business to provide the proper “technical support and assistance” to the Chinese government while also maintaining compliance to the IP and privacy laws in other jurisdictions in the world.
Heightened Standard of Care and Scrutiny for Critical Industries
According to Articles 31 to 39, network operators in certain “critical industries” are subject to a heightened standard of care and scrutiny, above and beyond that already described. Article 31 states that these critical industries include telecommunications, energy, transportation, information services and finance. But this list is not all-inclusive; more will be added to by the State Council of the People’s Republic of China in the future. As discussed further below, the mandatory heightened standard will require a substantial increase of compliance efforts and in monetary investments for such initiatives.
Safety Assessments in IT Procurement
Article 35 states that, “network operators in the critical industries shall pass security inspections by government agencies for cyberspace and State Council of the People’s Republic of China before purchasing IT products and service, if a proposed purchase may affect national security.” In addition to which businesses are considered to be in “critical industries,” this provisions raises questions of what types of procurements may “affect national security” and how a company can pass a “security inspection.” Since this provision may mean an added government oversight on a multinational’s IT procurement process, it is important to monitor the interpretations of this provision by the Cyberspace Administration of China and/or the State Council of the People’s Republic of China.
The Data Localization Requirement
One of the most controversial provisions in the new cybersecurity statute is Article 37, which contains a data localization requirement for network operators in the critical industries. Article 37 states that, “critical and personal information collected and produced by network operators in critical industries during their operations in China shall be stored within the territory of China.” This article further demands data security assessments when it is a business necessity to transfer such information outside of China. Article 37 will result in sizable new compliance investments for multinationals, which typically rely on cross-border flows of business data. Currently, it remains uncertain how this data localization requirement will be implemented due to lack of guidelines or best practices. The standard that businesses will be held to in these “data security assessments” is as yet unknown. Some commentators expect that compliance with Article 37 might require the utilization of data centers and service providers physically located in mainland China. This is not how most businesses currently store their data, and it would be a potentially expensive change to make. For a business to comply with Article 37, a good starting point would be to map its data flow to understand where it collects and stores personal information related to Chinese citizens.
Noncompliance with the new cybersecurity statute may give rise to penalties, fines, closure of websites and forfeitures of business licenses to companies doing business in China. Businesses could face the confiscation of between one and 10 times their “illegal gains” that result from the misuse of, or failure to protect, personal information. Any individual or organization has the “right” to report practices that “threaten” information security to various Chinese authorities. Company officials and other persons responsible for the lack of compliance will be subject to penalties and fines, with serious violations possibly even resulting in jail time. Considering that China is currently the second-largest economic power in the world, staying abreast of the developments of the new cybersecurity law is important for all multinational companies. The final interpretation of these provisions has the potential to greatly alter the costs and risks inherent in doing transpacific business.
 For all of the other network operators who are not in critical industries, the heightened standard is voluntary, but encouraged as a best practice.