Tag Archive: China

CHINA: significant changes to data and cybersecurity practices under PRC Cybersecurity Law

After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC Cybersecurity Law intends to combat online fraud and protect China against Internet security risks. In short, it imposes new security and data protection obligations on “network operators”; puts restrictions on transfers of data outside China by “key information infrastructure operators”; and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled; about the handover of intellectual property, source code and security keys to the Chinese government; about perceived increased surveillance and controls over the Internet in China; and about the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection, and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

  • Chinese citizens’ personal information and “important data” gathered and produced by “key information infrastructure operators” (“KIIO”) during operations in China must be kept within the borders of the PRC. If it is “necessary” for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. “Personal information” is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person’s identity, including, but not limited to, natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth. However, the types of information that might constitute “important data” are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
  • A range of new obligations apply to organisations that are “network operators” (i.e. network owners, network administrators and network service providers). A “network” means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure or even just websites in China.
    • In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used); and obtain individuals’ consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling, and not be excessive; not provide an individual’s personal information to others without the individual’s consent; nor illegally sell an individual’s personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction, and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
    • As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, backup, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
    • Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such co-operation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
    • More general conditions on network operators carrying out business and service activities include: obeying all laws and regulations, mandatory and industry national standards, social mores and commercial ethics; being honest and credible; and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programmes published or installed by users.
    • Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.
  • Additional security safeguards apply to KIIOs, including: security background checks on key managers; staff training obligations; disaster recovery backups; emergency response planning; and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
  • Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; must take remedial action against security issues and report them to users and relevant authorities; and must provide security maintenance for their products and services which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.
  • Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
  • Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
  • Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect, and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
  • Other new rules relate to: network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public, as well as rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed, practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-significant-changes-to-data-and-cybersecurity-practices-under-prc-cybersecurity-law/

CHINA: data localisation – a growing trend?

Foreign companies operating in China, or looking to enter the Chinese market, are increasingly concerned as to whether Chinese law restricts cross-border transfers of personal data collected in China. In light of recent developments, is there a growing trend in China towards data localisation?

As is generally the case with China’s data privacy framework, there is not one comprehensive law in China that regulates cross-border data transfers. Instead, the current legal landscape comprises a mixture of different laws, regulations and guidelines. Therefore, the compliance obligations involved – and the approach to enforcement – vary depending on the industry or the type of data involved.

Consent

As a starting point, personal data of Chinese citizens that is handled in information systems by private sector organisations can be transferred outside of China provided that explicit consent is obtained from data subjects (or if express authorisation from relevant authorities is obtained, or specific laws permit the transfer). This is set out in a guideline drafted under the guidance of the Ministry of Industry and Information Technology so that, while not legally binding, it may be used as a base standard for compliance, and the Chinese authorities encourage compliance with it.

Other rules and regulations require organisations more generally to obtain consent from individuals before their personal data is handled and disclosed (within and outside China). These include rules relating to personal data of consumers (under consumer rights laws); Internet users (under telecoms and Internet laws); and employees (under employment laws, by which employers must get employees’ written consent to disclose their personal information to third parties).

But some prohibitions

However, for some industries and some data there are specific requirements to keep the data on servers within the People’s Republic of China. For example:

  • Some Chinese industry regulators prohibit the offshore transfer of certain personal data. For example, transfers of “personal financial information” by banks, and of “personal health information” by certain organisations within the healthcare sector, are not permitted.
  • Personal data constituting “state secrets” should not be transferred outside of China.
  • The draft PRC Cyber Security Law, issued in July 2015, requires “key information infrastructure operators” to store Chinese citizens’ personal information and other important data gathered and produced during operations within the territory of the People’s Republic of China. The draft law suggests cross-border transfers of such data may be permitted if required for operational reasons, provided the organisation complies with security measures (to be) formulated by the relevant authorities. Detailed guidance is awaited as to how this would be interpreted in practice.

Practical steps

In light of uncertainty over the legal environment in China, foreign organisations should consider the following:

  • Identify the personal data within your China operations that you would like to transfer outside of China, and ascertain whether it falls within the classes of data that should not leave China. If appropriate, consider data segregation.
  • For personal data not subject to absolute prohibitions on data transfer, obtain explicit consent from data subjects before transferring the data.
  • For data that is required by law or regulations to stay in the People’s Republic of China, server localisation may be the only practical solution, whether by establishing local data infrastructure or via third party solutions.
  • According to some regulators, encryption and anonymisation are currently not considered to be adequate practical workarounds to the data transfer rules, because of the risk of decryption or re-identification. This may change, but for now do not assume you can rely on these.
  • Put in place appropriate data security safeguards and data use and retention policies to ensure that personal data transferred overseas remains compliant with relevant Chinese data protection rules.

Conclusion

There is a growing body of regulations requiring certain data within specific industries/organisations to be retained within the borders of the People’s Republic of China. However, this must be assessed on a case-by-case basis, as in many circumstances obtaining individuals’ consent may well be sufficient, provided that the data does not involve national secrets or violate national security. Where transfer prohibitions apply, compliance strategies should be carefully considered in light of potential enforcement activities and sanctions. Unfortunately there is not always clear guidance on how the rules will be interpreted and enforced in practice, and so any compliance programme in China should be kept under regular review.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-data-localisation-a-growing-trend/

CHINA – China adopts the new National Security Law – A top legislative effort to control cyber security

On 1 July 2015, the Standing Committee of the National People’s Congress, China’s top legislature, approved the new National Security Law of the People’s Republic of China (中华人民共和国国家安全法, the “New Law”), which became effective on the same day. This New Law is very high-level in its nature, covering a wide range of areas from the military, wider economy and natural resources to environment, religion, food security, cyber security and space exploration. The most significant aspect of this New Law in relation to cyber security is the fact that it was issued by China’s top legislature, indicating the importance being placed on cyber security at the highest level of China’s legislative system.

Highlights

The New Law provides for a general legislative framework to control cyber security which includes the following:

  • The state should develop its ability to protect against cyber and information security risks, and to ensure that the core cyber and information technology, key infrastructure, information system and data in important sectors are secure and controllable.
  • The state should set up a national security review and supervision system and should conduct national security reviews of any foreign investment, key technologies, internet and information technology products and services and other important matters and activities that impact or are likely to impact national security.
  • The state should actively develop independent controllable key technologies in important sectors and strengthen the application of intellectual property.

Our Observations

As this New Law is newly promulgated and is very general in its nature, there is considerable ambiguity which may be clarified by subsequent guidance. In particular:

  • The New Law does not provide specific requirements as to how to ensure that IT systems are secure and controllable. The term “secure and controllable” is also used in the CBRC Guidelines that DLA Piper reported on earlier this year. Although the CBRC Guidelines set out specific requirements to implement “secure and controllable” information technology products in the banking sector, we understand that the implementation of such rules is still pending.
  • Although the New Law requires a national security review system, it does not provide any details of the practical implementation of such rules. For example, it does not say which authority will conduct such a review, what the specific criteria are for determining whether a technology product will impact or is likely to impact national security, or what the review process will be.

Due to the above ambiguity, we believe that more specific implementation rules, and a possible update of the CBRC Guidelines, will be issued in the near future.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-adopts-the-new-national-security-law/

China Issues New CBRC Guidelines – Is China putting the squeeze on foreign investment in its banking industry?

A new set of regulations issued by the China Banking Regulatory Commission has fuelled concerns that China intends to squeeze foreign investment in its banking industry.

The Guidelines on Banks Using Secure and Controllable Information Technology 2014-2015 (《银行业应用安全可控信息技术推进指南(2014—2015年度)》), hereafter referred to as the “CBRC Guidelines”, were promulgated and became effective on 26 December 2014 (Yin Jian Ban Fa [2014] No. 317).

Key Requirements

The CBRC Guidelines require banks to implement “secure and controllable” information technology products within a specific timeframe. Key stipulations are as follows:

Source Code Filing

Bank-owned software source codes must be filed with the Technology and Information Department of CBRC for recording purposes.

Independent IP Right

The software attached to an IT product and certain hardware (e.g. chips) should have independent IP rights, which we understand to mean that such IP rights should be registered (if possible) with the relevant authority in China.

Localisation of Supply Chain

The supply chain must be controllable, meaning the supply chain must be localised, with all IT products manufactured within China. In addition, certain components of IT products that contain encryption functions are required to obtain an encryption certificate (Commercial Encryption Code Product Model Certificate). However, our understanding is that encryption certificates will only be issued to domestic companies on encryption products produced and sold in China.

Local R&D Centre

All IP suppliers are required to establish an R&D centre in China.

Although the new guidelines do not expressly preclude foreign IT suppliers from operating a business in China, the CBRC Guidelines stipulate that they are required to disclose sensitive and proprietary information to the Chinese government.

Impact of the CBRC Guidelines

For IT suppliers:

IT suppliers are now faced with the choice of whether or not to stay in China.

Staying would entail (i) complying with the requirements of disclosure to Chinese authorities and registering their technology as visible IP rights in China; (ii) localising their product supply chain by setting one up in China or cooperating with a local partner; and (iii) establishing an R&D centre in China (if there isn’t one already).

Leaving would mean losing their foothold in one of the world’s largest markets and necessitate the development of a comprehensive exit strategy that considers all of the relevant deregistration rules.

For foreign banks:

Foreign banks also face tough challenges as a result of the CBRC Guidelines. Not only must they source a local IT supplier who meets their high IT standards, but that locally-supplied system will need to be compatible with their global IT infrastructure.

In any event, foreign banks need to conduct due diligence on the qualifications of their current IT suppliers to determine whether they can comply with the current statutory requirements. If their current supplier is unable to comply, they will need to consider changing IT suppliers, which involves terminating existing supplier agreements and conducting due diligence on potential new suppliers.

Uncertain Issues and Possible Actions

At this stage, there is still a lot of uncertainty and ambiguity relating to the implementation of the CBRC Guidelines. The key areas of ambiguity we have identified include the following:

  1. The CBRC Guidelines set out specific requirements for 2015, meaning the requirements for 2016 and subsequent years are still not yet clear.
  2. The CBRC Guidelines do not indicate how the new rules will be implemented, and procedural details are yet to be published. For example, the CBRC Guidelines require that new source codes must be recorded; however, they do not indicate what documents need to be submitted or what the submission procedures will be.
  3. The CBRC has set a deadline of 15 March 2015 for banks to submit plans for change. Our understanding is that a number of banks are currently preparing written statements explaining the future increase in costs relating to these procedures and their difficulties in finding a local supplier who is capable of meeting their security and global compatibility standards.

In addition, IT suppliers are preparing to submit their statements through associations, including the American Chamber of Commerce, to the CBRC.

We have made it a priority to continually monitor the development of this situation. At present, the complete guidelines have only been made available to banks, but if you would like further information, please contact us for assistance.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-issues-new-cbrc-guidelines-is-china-putting-the-squeeze-on-foreign-investment-in-its-banking-industry/