CHINA: first 100 days of Cybersecurity Law sees active enforcement, more guidelines but still uncertainties
- Posted by Carolyn Bigg
- On 4 September 2017
Almost 100 days have passed since the new PRC Cybersecurity Law came into force. While the enforcement environment is becoming clearer – and shows that data protection and cyber security in China are real risks to be taken seriously – most of the new guidelines published to try to add meat to the bones of the new law are unfortunately still in draft; and there are still major uncertainties around who is a KIIO, and how and when network operators can transfer data overseas.
Key developments over the Summer include:
- Actual enforcement action: as widely reported in the press, there has been a flurry of enforcement activity by the CAC under the new Cybersecurity Law, including very high profile investigations into some of the biggest online platforms in China, as well as enforcement notices being issued at a local level. This has been alongside the ongoing crackdown on illegal VPN use, meaning a very busy Summer for the regulators. It reinforces our predictions that the combination of an organised, proactive regulator – alongside greater regulatory engagement through assessment, certification and whistleblowing mechanisms in the new law – means the enforcement risk in China is now much higher, and the new law cannot be ignored.
- Draft KIIO regulations: the CAC published for consultation its draft Regulations on Protection of Critical Information Infrastructure Security on 10 July 2017. Some of the key draft proposals include:
  - An extension to the prioritised industries potentially caught by the definition of KIIOs, to include healthcare/pharmaceuticals, food, education and information networks. This reflects some of the unofficial guidance we had previously been aware of. The unofficial position remains for now that just because a company is within the definition of a prioritised industry does not mean it will automatically be a KIIO – the potential harm caused by a cyber incident must also be considered. However, we will have to wait until KIIO Identification Guidelines are published by the regulators (it is anticipated that a draft of these will be published before the end of this year) for the official view of who is/isn't a KIIO.
  - More detail on the cybersecurity steps that KIIOs (and in turn their vendors, if flowed down contractually) have to put in place under the new Cybersecurity Law. This builds on the provisions in the law itself, and includes items like mandatory training hours and qualification requirements for cybersecurity personnel; a requirement for maintenance to be undertaken within China; and pre-commissioning and periodic security testing to be undertaken not only internally but (at its option) by the regulator as well.
- Overseas data transfers: unfortunately there has still not been any formal progress on the precise scope and application of measures to allow KIIOs and network operators to transfer personal data overseas. We understand the regulators are still informally considering amending/toning down the original draft overseas transfer measures published in April 2017 but, given the potential impact on almost all organisations with operations in China, for now organisations should continue to monitor developments closely.
- Draft technical standards for certain products: on 28 August the National Information Security Standardisation Committee (TC260) published for public consultation various draft information security technical standards, for different products, including: router security; smart audio-video recording devices; network storage; disaster recovery services; data exchange; de-identifying personal data; data security capability maturity model; website security cloud protection platforms; and Government website cloud computing services. The drafts are only available in Chinese at the moment, but organisations manufacturing or selling these products in the China market are advised to take note of these sooner rather than later.