In the last two weeks the Chinese authorities have been busy providing much-anticipated guidance on the practical steps organisations must take to comply with the new data protection, cybersecurity and technology regulations. In short, the key developments are:
Practical implementation guidance under PRC Cybersecurity Law
- Draft Guidelines on the Multi-Level Protection Scheme (MLPS) for information systems: the Public Security Bureau (PSB) has proposed practical guidelines on how organisations operating information systems (i.e. systems processing data) in China can comply with the MLPS. The MLPS is the tiered network security classification system: it requires organisations to assess their information systems against tiers 1 to 5, adopt the security measures prescribed for the relevant tier (or, voluntarily, a higher one), and make filings with the PSB. The higher tiers (tier 3 and above) also require a compliance assessment by an accredited third party. The new guidelines will, if implemented, set out the procedures for PSB filings and also incorporate specific standards for organisations using encryption tools.
- List of accredited security certification providers for “critical network equipment” and “specific network security products”: the Ministry of Industry and Information Technology, the PSB and the Cyberspace Administration of China have jointly published the first list of accredited certification bodies authorised to assess the products and services designated by the PRC Cybersecurity Law and subsequent regulations as “critical network equipment” or “specific network security products” (a category that includes, amongst other products and services, routers, firewalls and servers). This is important for organisations supplying these products and services in China, because they must obtain the relevant certification to continue selling them there. It is also relevant to organisations operating in China, as they must ensure they are procuring duly certified products and services.
- 24 new draft technical guidelines: these drafts, if implemented, propose practical guidance on compliance with key obligations under the PRC Cybersecurity Law and associated regulations, including:
  - Procedures for undertaking privacy impact assessments, including template checklists, and
  - Protections and security control measures for “critical information infrastructure”, including:
    - Required contractual assurances, and template contract language, for critical information infrastructure operators (CIIOs) to use with providers of network products and services
    - A recommendation for CIIOs to maintain an “asset list” of data, services, information systems, platforms, basic equipment, personnel management etc., and
    - Criteria to help CIIOs evaluate their compliance with CIIO security standards on an annual basis
These will, if implemented, prescribe significant additional procurement, contract and ongoing management obligations for CIIOs in China.
Draft E-commerce Law
The third draft of the proposed new PRC E-commerce Law has now been circulated, and is of interest to all organisations taking advantage of China’s booming e-commerce market. While a copy is not yet publicly available, and the proposed implementation date has not yet been announced, it is understood that there are some key changes to the previous drafts, including:
- Extending the regulatory framework explicitly to e-commerce platforms integrated into services such as WeChat, and to live-streaming and other platforms on which e-commerce or e-marketing can take place
- Targeted marketing will require more explicit and layered consent options
- There will be joint liability for security breaches between e-commerce vendors and platforms, and
- Sanctions will be extended to include shut down of e-commerce sites and platforms
Uncertainties remain around:
- Overseas data transfers. While final guidelines had been expected this summer, we understand the authorities are now taking time to consider potential conflicts between the Chinese data localisation rules, the GDPR and the US CLOUD Act. As such, it is anticipated that an additional regulation (rather than just guidelines) will be published by the Chinese authorities in due course, but this is unlikely to be in Q2 or Q3 2018, and
- Classification of CIIOs, but the authorities have indicated that they are notifying (and will continue to notify) directly those organisations they deem to be CIIOs
The regulatory and enforcement landscapes continue to evolve, and so organisations operating in China should continue to monitor developments closely and update their compliance programmes accordingly. One year since the PRC Cybersecurity Law came into force, we are now seeing the authorities move from implementation to enforcement, so now is the time to act.